Saturday, December 04, 2021

Online Shopping Reminder: If It Looks Too Good To Be True ...

As we look towards the Christmas holiday, 'tis the season for freaking out and making poor decisions with regards to online shopping. Tonight a friend reached out to get my help in convincing his family that an incredible laptop sale they saw on Facebook was not real.
That's the ad they saw on Facebook.  "Due to special reasons" the company has decided to "sell the last batch of laptops." If you click the Shop Now button, it takes you to the website "maxwellplaceonhudson[.]com"



Now, I'm not saying that everyone who re-uses an image is a scammer, but John J. Rogers and MaxwellPlaceHudson are using a photo from a 2019 Mainichi News article in Japan about the fact that computers were piling up in warehouses in China.  Doesn't that look familiar?  

https://mainichi.jp/english/articles/20191223/p2g/00m/0bu/050000c

John J. Rogers is being an extremely helpful and interactive salesperson as people are asking him how long it takes to ship the laptops.  He's giving recommendations on which model to order, and estimates on shipping time.




But How Do We Know It's Real?  ... Testimonials!

Just look at all the happy customers! "Sdhuy Fhabn" says "This is a quality built and spec'd laptop! Very satisfied!"
Strange that all of the comments on Sdhuy's page are in Filipino.  Even stranger? Someone named Tonie Pomintel thanked the computer seller "Memasabe" for a laptop using exactly the same words!

Mandy also loves his new laptop.  "Mine has arrived, this is an unexpected laptop, it even has a touch screen, I like it very much!" he gushes.

Mandy lives in Quezon City, Philippines, which does make it seem odd that he would be mail-ordering a laptop from New Jersey.  Even stranger?  "Ams Minang" shared exactly the same image to thank "Memasabe" for her new laptop!



MD tells us "So far so good, works great, looks great!" 
But then, for MD, people who look like John J. Rogers are kind of "his type."
I'm sure that Mandy and Sdhuy are fine people.  But let me tell you friends, MD, he's a Scammer!
MD Sajjad is a fake account that is giving a fake testimonial.

Take a look at his Facebook "Likes" -- 

He likes John J. Rogers, Noah Robert, Oliver Noah, Sean M Hemming, Debra Carter, Gerry R Frederickson, George S Krebs, and RiodiJanero ... who surprisingly all have the same two profile pictures!

Romance Scam and Online Fraud expert "FireFly" at www.scamsurvivors.com let us know that one of these men is the model "Michael Justin."  The profile picture is swiped from a 16MAY2019 post by Instagram user @themichaeljustin: 
https://www.instagram.com/p/Bxizn4iFWXy/ (@themichaeljustin)

The other primary profile picture is from a photo sales site and is entitled "businessman with laptop thinking at night office." 
https://photodune.net/item/businessman-with-laptop-thinking-at-night-office/20174205



Let's look at what else they have in common!


Noah Robert is a "Computer Company" ... oh gee! On November 25th "due to special reasons" he started selling computers from his website "ajakubowski[.]com"

You may be surprised to know that ajakubowski's website is IDENTICAL to  MaxwellPlaceHudson's website!

His telephone number is in Afghanistan. (+93 is the international dialing code for Afghanistan.)

Email ioiw7nkrvs@claimab.com

https://www.facebook.com/Noah-Robert-103879551585935/

Oliver Noah is a Computer Company. You'll never guess! Due to Special Reasons, he's selling the last batch of his laptops! 

His website, "utoal[.]com" strangely looks EXACTLY like John's website!

Sort of odd that he has an Afghanistan telephone number (+93)

Email n7x1z325fk@thrubay.com

https://www.facebook.com/Oliver-Noah-100751858389405/

Sean M Hemming is a Computer Company. Guess what! Due to Special Reasons, he's selling the last batch of his laptops! 

He has an Afghanistan telephone number and his website is MarbleTownGreen[.]com. (But it's closed down now.)

https://www.facebook.com/Sean-M-Hemming-769171696455694/

Facebook tells us the Page Manager location is Bangladesh


Debra G. Carter is a Computer Company. Guess what! Due to Special Reasons, he's selling the last batch of his laptops. He has a +93 Afghani telephone number and his website is "teamlse[.]com"

https://www.facebook.com/Debra-G-Carter-746064202423878/

Facebook tells us the Page Managers are in Indonesia, Liberia, and Saint Vincent and the Grenadines.


You might already be able to guess on this next one.

Gerry R Fredericksen is a Computer Company. 

Due to Special Reasons, he's selling the last batch of his laptops. 

He has a +93 Afghani telephone number, and his website, "legeb[.]com", is currently disabled.

https://www.facebook.com/Gerry-R-Fredericksen-104079251980543/


George S Krebs is a Computer Company. 

Due to Special Reasons, he's selling the last batch of his laptops. 

His email is "esi01uo8d15@claimab.com" 

His website, "highlyacceleratedstresstest[.]com", is offline.

https://www.facebook.com/wo.kya.hoti/


RiodiJanero is a Computer Company. 

Due to Special Reasons, he's selling the last batch of his laptops.

His email is xdwdseiwb6@linshiyouxiang.net

His website, PineappleHillDesigns[.]com, is offline.

He has a +93 Afghani telephone number.




So, getting back to the original question:  

Actually, I'm thinking that you may not really be able to buy a $2,600 laptop for $79 and have it delivered anywhere in the world in time for Christmas.  But then, my friends all tell me that I'm paranoid.

And there are so many more ... 

 
another Fake testimonial account: https://www.facebook.com/ams.minang.5/likes 

https://www.facebook.com/antonia.pomintel.5/likes_all

  • Helen Z Picket
    • https://www.facebook.com/Helen-Z-Pickett-111752013985708/
    • http://andaluciapropertyservices.com/
    • (216) 755-9391
  • Jackie K Freund
    • https://www.facebook.com/Jackie-K-Freund-448774108917513/
    • http://affordablegreensystems.com/
  • Andrew H Doyle
    • https://www.facebook.com/Andrew-H-Doyle-105266824762892/
    • http://affordablegreensystems.com/
    • +93212-307-8110
  • Memasabe
    • https://www.facebook.com/Memasabe-103806308164677/
    • http://snvpL.com/
    • +93803-520-1898
  • Fernando
    • https://www.facebook.com/Fernando-1894457434202054/
    • http://caughtfromabove.com/
    • 6trmfvuo2sh@thrubay.com
    • +93704-927-4239
  • Anne P Dudley
    • https://www.facebook.com/Anne-P-Dudley-141541912968147/
    • http://fricade.com/
    • y38msxh8zps@claimab.com
  • Dean B Vigil
    • https://www.facebook.com/Dean-B-Vigil-116775383783140/
    • http://fmpcms.com/ (live) 
    • +93816-539-3967
    • shhk60jhpng@claimab.com
  • A Addawd
    • https://www.facebook.com/A-addawd-100571795787651/
    • http://schoolbackpackstore.com/ (live) 
  • Criative
    • https://www.facebook.com/criativcalcad/
    • http://fourteenkaratomaha.com/
    • 5c992xqncjc@thrubay.com
  • My House 
    • https://www.facebook.com/My-House-100743925704289/
    • https://konamitech.com/ (live) 
    • +213717-630-6321
    • gv2q360p9q@claimab.com
  • Helen T Lewis
    • https://www.facebook.com/Hector-T-Lewis-106551108311154
    • http://stevestoyboxny.com/
    • +93304-763-9483
    • ftxwy0rlela@linshiyouxiang.net
  • Leonia D Hill
    • https://www.facebook.com/Leonia-D-Hill-107212691802456/
    • https://chealyjean.com/
    • +93361-299-6243
    • ioiw7rnkrvs@claimab.com
  • Kermit
    • https://www.facebook.com/Kermit-119766538090600/
    • http://certificadoscolombia.com/
And the network is even bigger, because they also have female fake store owners selling Mobile Phones: 
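The pivots used throughout this post (an identical website, a +93 phone number, a throwaway e-mail domain such as claimab.com or thrubay.com) are the kind of thing worth automating once a list like the one above gets long. The script below is an added example, not code from the post: it takes records copied from the indicator list above and merges any two pages that share an indicator into one cluster, so that a page with nothing suspicious on its own (Jackie K Freund has only a website) still gets linked through the page it shares that website with. The country-code table is a deliberately small subset covering only the codes that appear in the post.

```python
"""Pivot on shared indicators to group fake "Computer Company" pages.

Added example, not code from the post. Each record is copied from the
indicator list in the post (Facebook page name, website, phone, e-mail).
Two pages are linked when they share a website host, an e-mail domain, or a
phone country code; links are merged with a union-find so they chain.
"""
import re
from urllib.parse import urlparse

# Only the dialing codes that appear in the post; a real tool would use a full table.
COUNTRY_CODES = {"93": "Afghanistan", "213": "Algeria", "1": "US/Canada"}

RECORDS = [  # (page name, website, phone, e-mail); None where the post lists nothing
    ("Helen Z Picket",  "http://andaluciapropertyservices.com/", "(216) 755-9391",   None),
    ("Jackie K Freund", "http://affordablegreensystems.com/",    None,               None),
    ("Andrew H Doyle",  "http://affordablegreensystems.com/",    "+93212-307-8110",  None),
    ("Memasabe",        "http://snvpL.com/",                     "+93803-520-1898",  None),
    ("Fernando",        "http://caughtfromabove.com/",           "+93704-927-4239",  "6trmfvuo2sh@thrubay.com"),
    ("Anne P Dudley",   "http://fricade.com/",                   None,               "y38msxh8zps@claimab.com"),
    ("Dean B Vigil",    "http://fmpcms.com/",                    "+93816-539-3967",  "shhk60jhpng@claimab.com"),
    ("My House",        "https://konamitech.com/",               "+213717-630-6321", "gv2q360p9q@claimab.com"),
    ("Kermit",          "http://certificadoscolombia.com/",      None,               None),
]


def country_code(phone):
    """Return the international dialing code of a phone string, or None if unknown."""
    if not phone:
        return None
    if not phone.strip().startswith("+"):
        return "1"  # "(216) 755-9391" style: assume North American numbering plan
    digits = re.sub(r"\D", "", phone)
    for code in sorted(COUNTRY_CODES, key=len, reverse=True):  # longest prefix wins
        if digits.startswith(code):
            return code
    return None


def indicators(record):
    """Pivot keys for one record: website host, e-mail domain, phone country code."""
    _name, site, phone, email = record
    keys = set()
    if site:
        keys.add(("site", urlparse(site).netloc.lower()))
    if email and "@" in email:
        keys.add(("email_domain", email.rsplit("@", 1)[1].lower()))
    cc = country_code(phone)
    if cc:
        keys.add(("country_code", cc))
    return keys


def cluster(records):
    """Union-find over shared indicators; returns clusters as sorted name lists, largest first."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # indicator -> index of the first record that carried it
    for i, rec in enumerate(records):
        for key in indicators(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])  # merge the two groups
            else:
                first_seen[key] = i
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec[0])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(f"{len(group)} page(s): {', '.join(group)}")
```

The country-code pivot is the weakest of the three (two unrelated pages could both have a +93 number), and it is also the one that makes most of the chaining happen; in practice an analyst would weight the pivots, or require two shared indicators before merging, rather than treat them all as equal the way this script does.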


Thursday, November 18, 2021

To the Black Axe: #GardaWillGetYou

You may recall from July that I am very impressed with the Garda National Economic Crime Bureau (GNECB) in Ireland.  (See: "Operation Skein: The Irish Garda Target BEC Criminals")  While the biggest Black Axe arrest in recent days was the amazing work of the US Secret Service and their partners in South Africa (See: "Eight Nigerians Charged with Conspiring to Engage in Internet Scams and Money Laundering"), the Garda are also taking things to a new level: working every lead, following every string and, most importantly, sharing important facts with the public that allow us to be more wary!

In this last Garda action, two criminals were charged with Pandemic Unemployment Payment fraud, which in Ireland is called PUP.  In the US, we also have West African gangs heavily involved in unemployment fraud, as was demonstrated in Washington State in the case that Agari called "Scattered Canary." 

In Ireland, Oluwagbewikeke Lewis and Bashiru Aderibigbe stole €183,000 but were working on a scheme to steal €1,000,000 and communicating via WhatsApp on how to launder that amount of stolen funds.  Detective Superintendent Michael Cryan believes their activities were consistent with the behavior of The Black Axe. The pair were in communication with someone who they referred to as "the Chairman" where they discussed laundering funds, partly via bank accounts located in Germany.  The story is expertly conveyed by Liam Heylin of the Irish Examiner, which I summarize below:

This case would not have even begun were it not for the alert behavior of Detective Garda Kieran Crowley.  After stopping a suspicious Mercedes, Crowley discovered false passports, fraudulent bank documents, and extra SIM cards for mobile phones. The messages recovered from the phone linked to an active investigation into PUP fraud being conducted by another Detective Garda in Wexford.  A key behavior was unlocked during the investigation.  The individuals who were having their identities stolen to conduct the Unemployment fraud had all been victims of a phishing email! 

The Phishing Email: Jury Duty

Many of the victims reported that they had received a suspicious email informing them that they were being summoned for Jury Duty.  The email led the victims to a website where they were required (believing themselves to be on a government ordered website) to enter their personal details.  Those personal details were then used by the scammers to file for Pandemic Unemployment Payments, which were then harvested by the criminals after the payments went to bank accounts controlled by the pair.

Bashiru Aderibigbe was found on camera on 22 occasions making withdrawals from 13 bank accounts.

Knowing that the prosecutors had 70 witnesses lined up to testify against them, and given the overwhelming weight of the digital evidence, the pair pled guilty to the charges. Oluwagbewikeke, aged 36, was sentenced to four years in prison. Bashiru Aderibigbe, 45, was sentenced to 3.5 years.  (Both will have the final year suspended, a common practice in Ireland if one behaves well in prison.)

Lewis has lived in Ireland since 2002 and claims he had worked as a taxi driver prior to Covid and became involved in this scam out of desperation.  


Saturday, September 18, 2021

AT&T Free Msg: You know you shouldn't click ... so we did it for you!

If you live in the United States and have an AT&T phone, you are almost certainly receiving SMS messages that look something like this:

AT&T Free Msg: August bill is paid. Thanks, MARY! Here's a little gift for you: n9cxr[.]info/dhmxmcmBTQ (from +1 (718) 710-0863) 

or 

AT&T Free Msg: August bill processed. Thanks, Mary! Here's a little something for you: l4bsn[.]info/C2Lx3oggFi (from +1 (332) 220-7291) 

or 

AT&T Free Msg: Latest bill is paid. Thanks, Fedencia!  Here's a little freebie for you: k5amw[.]info/VloTBdytEl  (from +1 (870) 663-5472) 

AT&T has sort of trained us that it's cool to get messages from them with links in them.  Every time your bill is available, or paid, or has a new charge, you get a text message from them that starts with "AT&T Free Msg:" and ends with a link such as "att.com/myattapp" or "att.com/myViewBill."

This is where some independent amateur researchers make a mistake.  If you visit the URL in the first message from your Windows computer, you are automagically forwarded to Google.


That's what's happening in the background. My web browser (in red) tells the server, hey look! I want this page dhmxmcmBTQ and btw, here's my user agent.  n9cxr[.]info replies, "Never heard of it - why don't you go to Google instead," by sending a "302 redirect."

If you had clicked on that same message from your phone, you would NOT be sent to Google.  That's because the web server is checking to see if you are asking for the information from a phone or from a computer.  Because they know they only sent their spam via "SMS-blasting" they believe that every legitimate potential victim should be coming from a phone.  Since I don't have a great set of rich monitoring tools on my phone, I'll just tell my Virtual Machine's Chrome instance that it should lie when it visits web servers and pretend to be an iPhone. I'm being a bit lazy here and using another Chrome Plug-in, this one called "User Agent Changer," which gives me a menu like this: 

Once I change my Chrome Virtual Machine to pretend to be "Safari on iPhone" we revisit the URL that was sent to my phone: 


Notice on line 5 that where it previously said I was "Windows NT 10" it now says I am "(iPhone; CPU iPhone OS 9_2 like Mac OS X)." (Which is super out-of-date, but apparently good enough for this criminal's scheme, because now I get this!)


We've written several times in the past about these never-ending surveys.  Their objective is to gather as much personal data from you as they can and to show you as many advertisements as they can.  They then earn revenue both by showing you ads during the survey and by selling the personal information they gather from you to organizations that need "qualified sales leads."  They will tell those organizations that you are looking for things like savings on college tuition, health insurance, car insurance, electronics, a new vehicle, etc., and you will start getting more spam messages from those organizations, who will believe that you asked for their spam! 

We asked our friends at Zetalytics, via their Zone Cruncher tool, "So where in the world is the IP address of n9cxr[.]info?"  They told us that it is located in Hong Kong on a server that is hosted by Alibaba Inc.  


That's very interesting!  Thanks, Zetalytics!  Could you also tell us OTHER DOMAIN NAMES that have recently been seen on that same IP address?  After all, we've received three such domains in the three messages that I received on my personal phone!

All of those domains are of course registered at the scummy domain registrar NameCheap.  They claim that if we inform them of bad domains, they will de-register them.  Once I post this, I'll send them a copy and report back what happens.


By the way, the content is not exactly the same with each visit.  My next visit to the n9cxr URL gave me this pop-up instead:


So how are we getting to the fake AT&T page?  That's where a tool that CAUCE Director Neil Schwartzman showed me comes in.  While I don't recommend the company necessarily, this little Chrome plug-in is gold for mapping out redirect paths!  (Search for the Chrome Extension "Ayima Redirect Path" and please remember you should only be reviewing potentially hostile URLs in a Virtual Machine!)



What does all that mean? It tells us that the first URL's webserver claimed that the page we were looking for "dhmxmcmBTQ" had been temporarily redirected to "themechallenge[.]club" and that we should ask that server for a particular "key."
That key caused the server to send us a JavaScript that redirected us to another URL on their website, which in turn did a "META Redirect" to the webserver "go.metreysi[.]info" where we should tell them we were sent by a certain "cnv_id."  That server then pretended that we had clicked on it, and sent us via another "302 temporary redirect" to a webserver called "redirect.usersupport[.]net." UserSupport then did yet another redirect which took us to the website "att.usersupport[.]net."

More domains to look up in ZoneCruncher!

https://themechallenge[.]club/click.php?key=abrrkduwznt79g18cx66

go.metreysi[.]info => hosted on LeaseWeb at 23.108.57[.]187
redirect.usersupport[.]net => hosted on 2606:4700:3032::6815:2b25
att.usersupport[.]net => hosted on 2606:4700:3031::ac43:da02


I'm guessing that all of these other "go" sites that are sharing the same IP address will also be involved in illegal "redirection" scams that start off with SMS Blasting.


By the way, do you remember the "key" we had to pass?  In a similar way to our User-Agent, if you visit one of these sites and fail to pass it a "key" it will just redirect you to 127.0.0.1, which means, "visit your own machine." 
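The three behaviours described above (the first hop only plays along for a phone User-Agent, the chain mixes HTTP 302s with a JavaScript redirect and a META refresh, and a hop visited without its "key" bounces to 127.0.0.1) can be reproduced without a browser plug-in by fetching each hop yourself with redirect-following switched off. The script below is an added example, not code from the post or from the Ayima extension. `http_fetch()` does live single requests with a chosen User-Agent; `simulated_fetch()` is a constructed offline stand-in whose hostnames and key are made up (only the path dhmxmcmBTQ comes from the first SMS in the post), so the chain walker can be exercised without touching any real server.

```python
"""Walk an SMS-lure redirect chain one hop at a time and record the kind of
redirect each hop used.

Added example, not code from the post or from any tool named in it. It
reproduces three behaviours the post describes: the first hop answers a
desktop User-Agent with a 302 to Google but sends a phone User-Agent down
the chain; the chain mixes HTTP 302s, a JavaScript location assignment and
a META refresh; and a hop called without its "key" bounces to 127.0.0.1.
The hostnames and key in simulated_fetch() are constructed stand-ins.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) "
             "AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1")
WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0 Safari/537.36")

# <meta http-equiv="refresh" content="0;url=..."> and window.location = "..." / location.href = "..."
META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_RE = re.compile(r'(?:window\.location|location\.href)\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(status, headers, body, current_url):
    """Work out where a response sends the client next.

    Returns ('HTTP 302', url), ('META refresh', url), ('JavaScript', url),
    or (None, None) when the page is the end of the chain."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in (301, 302, 303, 307, 308) and location:
        return f"HTTP {status}", urljoin(current_url, location)
    m = META_RE.search(body)
    if m:
        return "META refresh", urljoin(current_url, m.group(1))
    m = JS_RE.search(body)
    if m:
        return "JavaScript", urljoin(current_url, m.group(1))
    return None, None


def http_fetch(url, user_agent):
    """Live fetcher: one request with the chosen User-Agent and NO automatic
    redirect following, so every hop stays visible. Use it only from an isolated VM."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # do not follow; the 3xx surfaces as an HTTPError below

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), ""


def walk_chain(start_url, user_agent, fetch=http_fetch, max_hops=10):
    """Return [(kind, url), ...] starting with ('start', start_url), one entry per hop."""
    chain = [("start", start_url)]
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url, user_agent)
        kind, nxt = next_hop(status, headers, body, url)
        if nxt is None:
            break
        chain.append((kind, nxt))
        url = nxt
    return chain


def simulated_fetch(url, user_agent):
    """Offline stand-in for the servers in the post (constructed responses, not live data)."""
    is_phone = "iPhone" in user_agent
    if url.startswith("https://sms-lure.example/dhmxmcmBTQ"):
        if not is_phone:  # desktop visitors are bounced to Google
            return 302, {"Location": "https://www.google.com/"}, ""
        return 302, {"Location": "https://hop1.example/click.php?key=EXAMPLEKEY"}, ""
    if url.startswith("https://hop1.example/click.php"):
        if "key=" not in url:  # no key, no chain: sent to your own machine
            return 302, {"Location": "http://127.0.0.1/"}, ""
        return 200, {}, '<script>window.location="https://hop1.example/go.html";</script>'
    if url == "https://hop1.example/go.html":
        return 200, {}, '<meta http-equiv="refresh" content="0;url=https://go.hop2.example/?cnv_id=EXAMPLE">'
    if url.startswith("https://go.hop2.example/"):
        return 302, {"Location": "https://redirect.hop3.example/"}, ""
    if url == "https://redirect.hop3.example/":
        return 302, {"Location": "https://att.hop3.example/"}, ""
    return 200, {}, "<html>survey page</html>"


if __name__ == "__main__":
    for ua in (WINDOWS_UA, IPHONE_UA):
        print("User-Agent:", ua.split(")")[0] + ")")
        for kind, url in walk_chain("https://sms-lure.example/dhmxmcmBTQ", ua, fetch=simulated_fetch):
            print(f"  {kind:12} {url}")
```

Swap `simulated_fetch` for the default `http_fetch` to walk a real chain from a VM; the walker stops at `max_hops` so a site that loops (or bounces you to 127.0.0.1 forever) cannot hang it. The regexes only catch the two client-side redirect styles seen in the post, so a hop that hides its next URL behind obfuscated JavaScript would show up as the end of the chain and needs a look by hand.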

Not just AT&T!

One of Zetalytics' other tricks is being able to show me other hostnames on the same domain.  (The term for this is "passive DNS.")

It looks like "UserSupport[.]net" is also being used to imitate TikTok, Costco, Walmart, and Google; the shipping companies UPS, FedEx, and the US Postal Service; and the cell phone providers AT&T, Comcast, Spectrum, T-Mobile, and Verizon!


Because I haven't received those particular SMS messages, I can't navigate to them.  (I have the wrong "key" to get the chain started.) But I'd love to see some more of these if you would be willing to share a screenshot! 

List of SMS-spam-abusing .info (and .xyz) domains believed to be associated with these campaigns.  It sort of makes sense that there are exactly 100 of them.

1find[.]info
1fwnx[.]info
1nvc[.]info
2edcc[.]info
2gtex[.]info
2ofgm[.]info
3mgie[.]info
3ohmd[.]info
4gogm[.]info
4onnr[.]info
4onnr[.]info
6ghme[.]info
6nbfu[.]info
6omrf[.]info
6wqbv[.]info
7botm[.]info
7gboe[.]info
7gboe[.]info
7uwhn[.]info
7wxcd[.]info
8bmxw[.]info
9bmdx[.]info
a2sct[.]info
a7tev[.]info
appsc[.]info
appsf[.]info
bjdz2[.]xyz
bmeq9[.]info
bookc[.]info
bookx[.]info
cartm[.]info
cartm[.]info
cartz[.]info
faceg[.]info
faceg[.]info
faceh[.]info
facem[.]info
faceu[.]info
facey[.]info
fuwd2[.]info
gg0l[.]info
gi3t[.]info
gi3t[.]info
gitn4[.]info
goen4[.]info
gotr6[.]info
gr8f[.]info
havec[.]info
havec[.]info
havec[.]info
havec[.]info
havec[.]info
havec[.]info
havej[.]info
havew[.]info
hidej[.]info
hidej[.]info
hidem[.]info
hidep[.]info
hidep[.]info
j1bcs[.]info
j1bcs[.]info
j2bmf[.]info
k2ave[.]info
k4acr[.]info
k4acr[.]info
k8bvz[.]info
kpl5[.]info
kpp8[.]info
kpp8[.]info
kse0[.]info
ktf4[.]info
l1bmz[.]info
l5brv[.]info
lgte3[.]info
m2cxn[.]info
m6cda[.]info
mbdz2[.]xyz
mqbvn[.]info
n4csv[.]info
n9cxr[.]info
nameb[.]info
pexw0[.]xyz
qkkk2[.]xyz
raini[.]info
rainl[.]info
rainz[.]info
s1vrk[.]info
s2avr[.]info
s2avr[.]info
s4asc[.]info
s6axe[.]info
s7axm[.]info
s8avx[.]info
toer9[.]info
toer9[.]info
vbjh9[.]xyz
wodm7[.]info
wordc[.]info
wosn9[.]info