
How To Evade Job-Scam Victimization

A Job Seeker's Guide to Basic Digital Forensic Investigation Using an Actual Phoney Job Invitation Email

Dear Terry,
We decided to include you in the list of potential candidates after we reviewed your resume on Jobsite. We decided to offer you the position of TS Associate in our company. This is Part-time home based role and most of the work can be done in a comfort of your own home.

We invite you to apply online on our website: http://marfigroup.com/careers/tsa/
Please include your telephone numbers along with your application and our HR staff will be back with you for telephone interview. We hope that our offer will make a positive influence on your potential career change and you will become one of our valued employees.


Thank you,

Charles Panter
HR Department




First Glance

At first glance nothing alarming stands out, and 'Jobsite' does have a copy of my CV. The mandatory unsubscribe link is there and is managed by 'Constant Contact', so everything seems valid so far.

Update 03/10/2014: Website no longer resolves

Second Glance

Next, let's click on the Home page link. Here the company name is MARLIN GROUP, while the URL is marfigroup.com and the Privacy page reads Marlin Inc. There is a phone number, but this could be a landline rented from Skype and answered by anyone, anywhere. The News page boasts some accolades, so let's investigate: "Marlin is named as UK’s best home credit company by Credit Today Awards". A visit to the Credit Today Awards website reveals there is no such category! The Contact form is amateurish, with an outdated format that reveals the address in the page source code (I hope they get SPAMMED!):
<form id="contact_form" method="post" action="http://marfigroup.com/wp-content/themes/Accent/lib/api.lib.php">
<input type="hidden" id="contact_email" name="contact_email" value="info@marlinmail.org"/>

Lastly, let's look at that unsubscribe link. It tells a different story: it will unsubscribe me from the US COFFEE INC list!

Conclusion

What I've revealed is an amateurish job-scam effort, but one crafted well enough to tempt the average job seeker into following up. Further investigation reveals the identity of the persons responsible (see WHOIS below):
  • The Head Office address reads Dublin, but the site owner is a private individual with a Florida address;
  • The website is registered in the US, but the server's IP is traced to the Netherlands (93.174.88.118), using a nameserver registered in China (IP: 122.226.167.10); the same goes for the mail server;
  • The corporate website went live on Sept 16, 2014, but reports news going back to 2011;
  • The Registrar Contact Phone number has an 86 international dialling code, which is China;
  • There is a Marlin Group in Oregon, US, specializing in restaurant mergers and acquisitions (http://www.marlingroup.com/);
  • The requirement to use your own PayPal account to move money on behalf of a business is illegal in most countries: it could be used to launder money and you would be accountable! The modus operandi is most likely to get you to deposit some money in PayPal in good faith, which you would lose!

Quick & Dirty

Two tools every Netizen should have at their disposal are:
  1. Netcraft Toolbar 
  2. Scam Adviser
These tools will help you gather vital information without any knowledge of command-line network forensic scripts.

Domain name: marfigroup.com
Registry Domain ID:
Registrar WHOIS Server: whois.todaynic.com
Registrar URL: [link removed] Date: 2014-09-16
Creation Date: 2014-09-16 21:34:05
Registrar Registration Expiration Date: 2015-09-16
Registrar: Todaynic.com, Inc.
Registrar IANA ID: 697
Registrar Abuse Contact Phone: +86.7563810552
Domain Status:ok
Reseller:
spget domain status:
Domain Status: clientTransferProhibited
spget contacts:
Registry Registrant ID:
Registrant Name: Simon Gerbert
Registrant Organization: Simon Gerbert
Registrant Address: Green blv 34.41
Registrant City: Orlando
Registrant Province/state: FL
Registrant Country: US
Registrant Postal Code: 156244
Registrant Phone: +1.3127737950
Registrant Phone EXT: +1.3127737950
Registrant Fax: +1.3127737950
Registrant Fax EXT: +1.3127737950
Registry Admin ID: 43872769
Admin Name: Simon Gerbert
Admin Organization: Simon Gerbert
Admin Address: Green blv 3441
Admin City: Orlando
Admin Province/state: FL
Admin Country: US
Admin Postal Code: 156244
Admin Phone: +1.3127737950
Admin Phone EXT: +1.3127737950
Admin Fax: +1.3127737950
Admin Fax EXT: +1.3127737950
Registry Tech ID: 43872770
Tech Name: Simon Gerbert
Tech Organization: Simon Gerbert
Tech Address: Green blv 3441
Tech City: Orlando
Tech Province/state: FL
Tech Country: US
Tech Postal Code: 156244
Tech Phone: +1.3127737950
Tech Phone EXT: +1.3127737950
Tech Fax: +1.3127737950
Tech Fax EXT: +1.3127737950
Billing Contact:
Billing Name: Simon Gerbert
Billing Organization: Simon Gerbert
Billing Address: Green blv 3441
Billing City: Orlando
Billing Province/state: FL
Billing Country: US
Billing Postal Code: 156244
Billing Phone: +1.3127737950
Billing Phone EXT: +1.3127737950
Billing Fax: +1.3127737950
Billing Fax EXT: +1.3127737950
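
The cross-checks from the Conclusion, run against an excerpt of the WHOIS record above, as an added example that is not part of the original post. The 2011 date comes from the News page claim with the exact day assumed, the dialling-prefix table covers only the two countries in this record, and the ZIP-format check is an extra test added here.

```python
import re
from datetime import date, datetime

# Excerpt of the WHOIS record reproduced on this page.
WHOIS_TEXT = """\
Domain name: marfigroup.com
Creation Date: 2014-09-16 21:34:05
Registrar Abuse Contact Phone: +86.7563810552
Registrant Country: US
Registrant Postal Code: 156244
"""

# Dialling prefixes for the two countries seen in this record (not a full table).
DIAL_PREFIX = {"US": "+1.", "CN": "+86."}


def parse_whois(text):
    """Return {field: value} from 'Key: value' lines, keeping the first occurrence."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), value.strip())
    return record


def red_flags(record, earliest_claimed_news, contact_email):
    """Compare registration data with what the website claims about itself."""
    flags = []
    created = datetime.strptime(record["Creation Date"], "%Y-%m-%d %H:%M:%S").date()
    if earliest_claimed_news < created:
        flags.append(f"news dated {earliest_claimed_news.year} predates domain creation {created}")
    country = record["Registrant Country"]
    abuse = record["Registrar Abuse Contact Phone"]
    if not abuse.startswith(DIAL_PREFIX.get(country, "?")):
        flags.append(f"registrar phone {abuse} does not match registrant country {country}")
    if country == "US" and not re.fullmatch(r"\d{5}(-\d{4})?", record["Registrant Postal Code"]):
        flags.append("postal code is not a valid US ZIP format")
    if contact_email.rsplit("@", 1)[-1].lower() != record["Domain name"].lower():
        flags.append(f"contact form posts to {contact_email}, not the site's own domain")
    return flags


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    # 2011 is the year the News page reports back to; the exact day is assumed.
    for flag in red_flags(rec, date(2011, 1, 1), "info@marlinmail.org"):
        print("FLAG:", flag)
```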


You are free to use this for security awareness training.
