A Tale of Two Fraud Facilitators: Ladette and Guy
The question has often been asked: How large are the scammers’ nests? In the previous post, From Benin: A Loan Scam Syndicate, we explored a syndicate operating from Benin with over 300 domains, defrauding consumers mainly in Europe, the United Kingdom and Canada.
To show that this is not an isolated incident, and that domain fraud abusing fake domain registration details is rife, we will now look at two identified facilitators in Nigeria working in concert. First a female was identified (our alias Ladette), then a male (whom we will call Guy), both serially registering domains, mostly for email fraud where no web content is visible.
In the process, banks are being spoofed on a massive scale, as are regulators and even law enforcement authorities such as Interpol and the FBI.
Background
In October last year, Artists Against 419 ran a “Seven days of Darkness” campaign after we exposed Ladette, a female scammer serially registering domains at numerous registrars to facilitate fraud. The issue illustrated why the internet is under threat from bad actors, with certain registrars being unreceptive to reports of fake registration details and fraud, ignoring their own obligations and slowly destroying the promise of the internet. Most registrars happily terminated the malicious domains uncovered at the time, satisfied with the evidence supplied, and we were happy. Yet one registrar was obstructive or blissfully ignorant of what to do.
At the time, ScamSurvivors posted on the subject here: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=51755
The one registrar refused to address these despite evidence given of fake registration details and of the user violating the registrar’s own policies, the email being titled “AUP Violations & fake whois: numerous”. It replied thus:
Thank you for your email.
Please be advised that we have received your report of illegal activity. As checked, only the domain names are registered with us. It is hosted with a different provider and we do not have control over it.
In this case, you need to contact their hosting provider to shut the website down. You may refer to the whois information below:
https://who.is/whois-ip/ip-address/(obfuscated)
IP Whois
This is much the same type of reply given by the “We are only a registrar” class of registrars: happy to accept any money, while ignoring their ICANN obligations and their own AUPs. Note that much of the domain abuse is email-based, and only a lot of investigation can ultimately determine the usage, unlike a domain used for a website URL showing fraudulent web content.
It was up to Artists Against 419 to challenge this registrar on their supposed registrar obligations. “Quite shocking” does not begin to describe the unfolding events. The initial report was met with the following reply:
Thank you for your email.
My apologies for the inconvenience this has caused you.
We have referred this to our Authentication team for further investigation, and will notify you once we get an update from them.
Regards,
Later to be followed by:
Good day!
We would like to inform you that we have received an update from Authentication team regarding the domain names. And the following domain names listed below have been suspended due to fraudulent intent:
gtbanking-ng.com: success
merchanttrustfinanceb.com: success
falconexpress-courierservices.com: success
mofepgovgh.com: success
remittancebofgh.com: success
alexanderattorney-za.com: success
alphaomegafoods.com: success
goldenstarcourier.com: success
rainbowswinners.com: success
ministerio-de-hacienda-y-economia.com: success
swiftexpresscourierservices.com: success
wxaxooilco.com: success
Please be advised that the Registrant of the following domains responded to our email sent last 20 Oct. 2016, providing us his valid ID. And we are still communicating with him and have it investigated.
dgtfb-ae.com
hsfinid.com
wwecsau.com
Will get back to you once we receive an update from them.
Regards,
None of Ladette’s real known details were used. Then later:
Good day!
Please be informed that we have now received an update the registrant of the following domains below and provided us their valid ID.
gtbanking-ng.com
ministerio-de-hacienda-y-economia.com,
mofepgovgh.com
rainbowswinners.com
remittancebofgh.com
goldenstarcourier.com
alexanderattorney-za.com
alexanderattorney-za.com
We have now unsuspended those domain names. And inform them that we will suspend their domains again if they try to update the details.
If you have further concerns, please do not hesitate to email us back.
Regards,
Once again, none of Ladette’s real details were used. Ironically, all these verified domains have since been host-suspended again, no surprise.
So much for ICANN RAA Section 3.7.7.9:
3.7.7.9 The Registered Name Holder shall represent that, to the best of the Registered Name Holder’s knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party.
We really hope the sponsoring registrar did not expect that the responsible registrant would have supplied real details, else they may be in for a shock. Knowing who the registrants really are helps.
Fact: Scammers lie! Even registrars are not spared. Fraudsters make a living stealing other people’s money by producing fraudulent documents (one member of the anti-scam community was even made an ambassador to the United Nations and has the documents to prove it)! The list of domain names should have rung a bell, all the more so when connected to the fake registration details.
So much, too, for the ICANN Advisory dated 3 March 2003, which ICANN assured us as recently as mid last year still stands:
On the other hand, where a registrar encounters a severe Whois inaccuracy being exploited by a registrant to evade responsibility for fraudulent activity being carried out through use of the domain name, prompt action by the registrar is appropriate. Under the approach of the Registrar Accreditation Agreement, the registrar is given discretion to act as appropriate in light of the particular circumstances of each case.
Unfortunately the registrar chose to overlook the pertinent details and use bad judgment, concerned only with discrepancies in the registration details and ignoring the reasons why they existed in the first place. Personally we have zero doubt that should the EFCC wish to follow up after reports from a victim and international, quite an innocent party will have some hasty explaining to do, if he or she even exists. It would definitely not be the first time; this has been seen many times before. Like the Western World, West Africa has more than its fair share of identity theft and forged documents.
These were the original domains addressed in Ladette, now all suspended, some only at hosting level (This is by no means an ideal solution for a malicious domain – unlike a hacked website).
Follow up
This section expands on the previous one. In addition to more domains Ladette has since registered, we found her to be working with another partner we will call Guy. Sometimes it’s not clear who registered the domains, as the identities used to register them overlap. The list contains some older historic domains and database entries, allowing us to join the dots to map the syndicate.
Since October, the syndicate has been regrouping and trying to make up for the suspended domains used in fraud.
Once again in cooperation with ScamSurvivors, we have done some in-depth research, and the domains listed are also discussed at https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=56114
So how big are these nests? Here we see 268 + 62 = 330 domains abused in just one syndicate recently. We will be mitigating this nest so as to protect consumers. Documentation is being prepared.
Sadly, it also gets much bigger. One party has been identified as responsible for in excess of 1400 fraudulent domains!