Scam letters: G Data is tracking down the perpetrators

01/11/2013
G DATA Blog

"Back to the roots" seems to be the approach taken by a group of perpetrators whose current campaign is targeting press offices and PR agencies. They send out paper invoices for the alleged online distribution of company press releases. Through research, the experts at G Data SecurityLabs have found out that the people behind the current scam are not newcomers or strangers.

For background information about this research, please read the German G Data press release "Zurück zu den Wurzeln: Onlinekriminelle setzen auf Briefpost

Who is behind it?

This was quite a tricky question to answer since various countries and companies are involved, but we are slowly closing in on the perpetrators:

Fact 1: the sender

The sender of the letters claims to be "Silence Media Network". The only contact details provided are a .com domain and corresponding email address as well as a phone number in England. Neither the letter nor the website provide any information about the company's address – an indicator of dubious business practices.

Fact 2: the payment

Payments to "Silence Media Network" are to be processed by a Dutch company called Euro Betaalservice BV, which is located in Amsterdam. Since payment processing requires concrete data, the company can actually be found in the Dutch register of companies.

Fact 3: the website

The website named in the letters is hosted in the USA, by Network Solutions, LLC. The domain has been reg-istered to "Silence Media Europe Ltd.". According to the information provided by this company, it has its headquarters in London (Great Britain). However, the specified British phone number bears no resemblance to the one provided in the letter. The United Kingdom's register of companies does not have any company registered under this name either. At least three more domains are registered to the name "Silence Media Europe Ltd.".

Fact 4: the place of jurisdiction and what it means

Back to the letters: according to the information in the terms and conditions on the back of the letters, the place of jurisdiction is Cyprus. The name of the company appearing as the seller here is "Silence Media Biz pages Ltd".
The company's name appears several times in the terms and conditions, but is spelled differently each time:

  • Silence Media Biz pages Ltd
  • Silcence media Biz pages Ltd
  • Silcence media Bizpages Ltd

An Internet search for these company names did not yield any results, and neither did a search of the Cypriot online register of companies.

However, the register of companies contains an entry for a company called Biz Pages Limited, which is registered in Larnaca, Cyprus.

At first, there seems to be no connection but this exact company name appeared in similar scams at the start of the millennium, which have already been reported on the Internet.

An apparent connection to older cases

The raubwirtschaft.info portal reports that Biz Pages Ltd. used be active in the field of sending out offers for registering company names in business directories and classified listings, whereby these offers also came with payment slips and thus used a very similar approach to the one currently used with the press releases.

In addition to that, there are several lawsuits from renowned companies demanding to use domains registered by Biz Pages Ltd. for their own purposes. In 2004, one of the companies who sued Biz Pages Ltd. was Deutsche Telekom AG, because the telecommunications provider wanted to register the domain 11833.net for its own directory assistance but Biz Pages Ltd. had beaten them to it. Back then, the domain had also been requested with the assistance of Network Solutions, LLC.
In June 2003, the Internet portal of Danish tabloid Ekstra Bladet reported on a certain Dane named Yassine Lazib, who used his company Biz Medien to raid, based in Paris' best areas, by sending out advertisements priced at € 296. According to this report, he made € 7 million before the French police started to investigate him for fraud.

Swedish connection or Scandinavian connection
We already know Biz Medien, or to be precise Biz Medien GmbH, through our research on the raub-wirtschaft.info portal. There, the company is associated with the so-called Swedish connection, whereby additional subsidiary and affiliated companies appear to be involved here, making the scammers’ network even wider and more obscure.
 

Conclusion:

Our research has shown that there appears to be a connection between the current case, which also targeted G DATA CyberDefense AG, and very old cases involving this and similar approaches. It appears that the perpetrators are not new to the business but hardened professionals with plenty of experience.

Anyone who receives one of these letters or emails should ignore them and under no circumstances pay any alleged moneys owing or accept any offers! Do not worry, even if you receive additional letters threatening court action or debt collection!

According to a video on subscription traps by the Bremen consumer association, there is only one exception in which persons affected have to respond: "If you receive a court order [...] you have two weeks to tick the box with 'I object to this claim'. You do not have to fill out anything else, sign [at the bottom] and return it to the court."

If appropriate, ask your lawyer but do not contact the senders of the letters/emails, do not fill out any forms and, whatever you do, do not send them any money.
And to be safe: do not visit any of the websites mentioned in the letters and emails. The fraudsters might be hiding malware or phishing traps on these websites to harm their victims in several ways at the same time!