Monday, May 18, 2020

College Students Beware

by Robin Pugh
President, DarkTower

Fraudsters are always quick to leverage a crisis for the purposes of cybercrime, and COVID19 has created a new target demographic of 14 million college students.  As over 1,100 colleges and universities across the United States have closed their doors, forcing students to leave their college housing, many have been actively pursuing a sub-lease of their off-campus housing to try to alleviate the financial burden of a semester now forced to go virtual.

Anatomy of a Rental Fraud
Most campuses have official or unofficial online bulletin boards where students can look for roommates, apartments, sub-lessors, etc., and these places are target-rich environments for fraudsters.  Take the case of my friend whose son, like millions of others, is now living at home, finishing out his semester online.  There’s no refund for his fees, tuition, or meal plan, and to continue to pay for his off-campus housing is yet another financial burden.  So, like millions of others, he and his parents have been looking for someone to sub-lease his apartment.  When they finally got a bite, it was from someone in a Facebook Group where he had posted his apartment for rent.  The person who contacted him was “Anthony S Felix” who did so on behalf of his ‘friend’ Liang—a nice, quiet, single woman with no kids and no pets – who was very interested in his place.  We’re going to call my friend’s son “Austin.”

Figure 1: hxxps://www.facebook[.]com/groups/NCSUOffCampusHousing/

Exactly as “Anthony” promised, his friend Liang texted Austin with her interest in sub-leasing his apartment.  
Figure 2:  Initial contact from Anthony introducing "Liang"

Liang built rapport and trust, sharing details of her job, the timeline of her move, and both her phone number and email address.  Since she is a traveling nurse, she wouldn’t be able to come see the apartment in person, which worked well, since the property managers weren’t allowing in-person showings anyway.  It seemed like a match made in heaven!

Figure 3: First communication from Liang

Liang’s move was being funded by her employer; so, she told Austin she was going to get them to approve her relocation costs and get back to him.  And she did – she committed to sub-leasing the apartment and promised to send her first partial-month’s rent right away.  
Very soon, Liang texted Austin with the tracking number for the rent check, but there was just one little problem.  The check was actually for quite a bit more than just her first partial-month’s rent of $386.  Her employer had mistakenly issued the check for all of her relocation costs, but she trusted Austin completely; so, she just asked that he keep the rent payment, and transfer the rest to her via Zelle.  As a matter of fact, she was so flexible that she didn’t even mind if he broke it into two payments of $1,000 each.

Figure 4: Communication with Liang, continued
          
Figure 5: Liang constructs the fraud


As Liang promised, the check arrived via USPS, and Austin’s parents deposited it into their Bank of America Wealth Management account.  Because they are long-time customers of Bank of America, the funds were available quickly, giving Austin’s parents confidence because a) it was a Cashier’s check, and b) since the funds were available, the check must have cleared.  They kept their end of the bargain, retaining $386 for the partial month’s rent and sending $2,249 via Zelle to the recipient Liang had directed.
A few days later, the bank notified Austin’s parents that the check had NOT, in fact, cleared, and they were now left with no renter, no first month’s rent, and a bank account balance $2,249 less than it should have been.  Because Zelle transfers happen within minutes, there was no recourse to retrieve the funds that were now in the scammers’ hands.

Figure 6: Cashier's Check from Liang

Will the Real Anthony S. Felix Please Stand Up?
A review of Anthony’s Facebook profile shows no public posts since 2017; however, his Facebook URL reveals the name “Osunday Adekunle,” and a Facebook search reveals many profiles under the name Sunday Adekunle.  The “O” could possibly refer to the title “Oba” which, in West Africa, means “Ruler.”  Additionally, there are a few “friendversary” Facebook videos showing Adekunle and his Nigerian friends.  Regardless, his Facebook profile says that he is an employee at Oklahoma State University, living in Seattle, Washington.  That’s quite a commute!  His profile photo is a quote attributed to Bill Gates about his wish to become involved in Network Marketing.  

Figure 7: hxxps://www.facebook[.]com/osundayadekunle

His Likes include sketchy financial investment firms and Nigerian companies.

Figure 8: hxxps://www.facebook[.]com/osundayadekunle/likes

Austin is not alone
From reviewing the interactions between the scammers and Austin, I knew that this wasn’t the scammers’ first rodeo.  They had a well-crafted script that was designed to build trust with the victim until the very last minute when they realized their money had been stolen.  I reached out to the administrator of the Facebook Group “NCSU Off Campus Housing” to see if she’d be willing to speak with us.  While she declined to be interviewed, she allowed me to post in the Group, asking others who had been victimized to reach out to me with details. Within a day of posting, I received another story identical to Austin’s.  Same actors (“Anthony Felix” and “Liang Quain”) and the same story – traveling nurse, won’t be able to see the apartment first, but it’s PERFECT!  And whoops – my company accidentally sent all of my relocation funds to you, so I need you to keep $375 and send the rest to me via Zelle.

Figure 9: Liang texts to Victim 2


From Victim #2 – let’s call her Gabby – we learned a couple additional things.  She had saved a copy of the shipping label from the envelope containing the counterfeit check.  We knew from Austin’s tracking number that the check had been mailed from Newington, Connecticut, but with Gabby’s mailing label, we learned that the shipping label was from a legitimate company located in Hartford.  Fraudsters commonly use stolen shipping labels – it further covers their tracks and keeps their costs down!

Figure 10: Stolen Mailing Label addressed to Victim 2

Further, Gabby had a hard time sending the total amount via Zelle; so, she ended up sending part of the payment through Zelle and then was provided a CashApp ID to send the remainder.  She was given the name Christopher Brown and the associated ID to process the payment.
Because DarkTower has a good working relationship with the team at Early Warning, the owners of Zelle, we immediately reached out with the Zelle ID that the fraudsters were using to move money, and the team was able to notify the associated bank (Citizens Bank) and shut down the account.


Recommendations
Let’s talk briefly about the Facebook Group where these apartment sub-leases were shared.  The Administrator had actually done a very good job of trying to raise awareness in the Group about the fact that fraudsters and scammers would potentially target individuals posting there.  She has an ongoing list of names that she shares with the Group and updates regularly.  She also posted tips about identifying scams, not sending money to someone you don’t know, etc.  The Group requires approval to become a member, and you have to be a member to post.  However, you don’t have to be a member to SEE the posts and the names of the posters.  So, in this case, Anthony Felix could peruse the postings, identify a situation that was ripe for their scam, send a direct message to the poster, and then direct them off-platform to the next step of the scam.
Instant payment platforms are a wonderful thing for transactions with PEOPLE YOU KNOW and trust.  Many of them, including Zelle, even post warnings in their apps about not sending funds to people you don’t know.  Nevertheless, the scammers are really good at building trust with their victims and creating plausible scenarios that give a false comfort level to ignore those warnings and send out funds that can never be recovered.

Sunday, May 03, 2020

More Covid Charity Scammers (hosted by Shinjiru Technologies AS45839)

Last week we shared information about a particularly interesting cluster of scams that focus on their shared use of a set of nameservers where all of the related content seems to be criminal in nature.  Working with CAUCE (The Coalition Against Unsolicited Commercial Email) and the ZETAlytics "Massive Passive DNS" we have continued to monitor the hostnames associated with these DNS servers for additional Covid-19 related fraud.  The criminals certainly did not disappoint!

A Fraudulent GiveDirectly Donations site

The first website that we chose to look at claims to be a 501(c)3 Non-Profit called "GiveDirectly, Inc."  We certainly agree that GiveDirectly is a 501(c)3.  According to their publicly available information, they gave out $59 Million USD in support to those in need during calendar year 2018.  The problem is that THIS website has nothing to do with the actual charity.  The real charity is supported by organizations including NBA Cares, Google.org, The Late Show, and the Schusterman Family Foundation, and they have provided financial support to 65,600 American families, as well as families in Kenya, Rwanda, Malawi, Morocco, DRC, and Uganda.  Again - the REAL charity is rated 100/100 by Charity Navigator and others.  But this website is NOT the real charity.

The real site: GiveDirectly.org

givedirectly[.]org's Real website - a real charity doing good work!

The FAKE website: givedirectly-covid19-emergency-fund[.]ibonline[.]digital

FAKE website: givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Hitting the "Give Now" button on the fake website transfers the user to a PayPal Donate page - a real PayPal page, but falsely claiming to be funding GiveDirectly.

The Scammer's Paypal page 

eMedia COVID-19 Relief Fund targeted by Scammers

The second fraudulent charity website we see is stealing a campaign from eMedia.  eMedia got a great deal of media attention in South Africa, where many websites, such as "ibusiness.co.za" ran stories like this one:
https://www.ibusiness[.]co[.]za/community/coronavirus/donate-to-the-emedia-covid-19-relief-fund/
The eMedia group's websites all provided a prominent link to the donation page, such as this one found on the homepage of eNCA.com: 
Valid website: eNCA[.]com asks for donations ...
When the Donate page is visited, we find information about donating to the HCI Foundation Trust's covid fund at ABSA Bank.

Directions for donating to the REAL Charity Fund - via ABSA Bank in South Africa - donate.enca[.]com 
The scammers' version of the same page offers both a Bitcoin and a Paypal donation capability, but doesn't mention the real Foundation Bank account.  The URL of the fake website is "emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital", on the same domain (ibonline[.]digital) as the other scam above.
Fake Website: www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
The Bitcoin address has thankfully received no payments thus far: 

185M9pKN3wPy86YiAiY5LsMpsfLnEv4XH5

Nameserver MetalDNS and SteelDNS used in more scams

The nameservers in question here, which we continue to monitor, are tied to thousands of suspicious domains.  Here is our evidence that they are being used in the two scams above.  Anyone could imitate our query from a Windows CMD prompt or a Mac/Linux terminal window.  (We've added square brackets around dots for safety; you would remove them to make your own query.)

In the query below, we first set our query type to "ns" to show the authoritative Nameservers for the domain the fraudster is using - ibonline[.]digital.  We then change our query type to show "A Records" (the resolution of a hostname to the IP address where that machine can be found on the Internet.)

nslookup 
set type=ns
> server ns1.metaldns[.]com
Default Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

> ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

ibonline[.]digital        nameserver = ns2.steeldns[.]com
ibonline[.]digital        nameserver = ns1.steeldns[.]com
ibonline[.]digital        nameserver = ns2.metaldns[.]com
ibonline[.]digital        nameserver = ns1.metaldns[.]com
ns1.steeldns[.]com        internet address = 101.99.72[.]47
ns2.steeldns[.]com        internet address = 111.90.144[.]253
ns1.metaldns[.]com        internet address = 111.90.144[.]251
ns2.metaldns[.]com        internet address = 185.70.107[.]110

> set type=A
> www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

Name:    www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
Address:  111.90.156[.]73

> givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

Name:    givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Address:  111.90.156[.]73

Readers will recall that "111.90.156.0/24" was the scammy host block where we found the UK Government fake tax refund website in our previous post, "Scam Everything - Opioids, Netflix, Phish, Covid Charities, and Government Refunds in one network neighborhood." 

When we posted the previous article, the Covid-19 charities hostnames resolved, but they did not have any web content yet at that time.  We had found the scammer's site before he finished creating it through the power of Passive DNS!  As you can see, the sites are complete now, and beginning to be used to scam victims who believe they are helping a Covid-19 person in need!

The webserver at 111.90.144[.]251 is also hosting a fake loan service (zocaloans[.]co[.]com).

That Class C subnet (111.90.144.0/24) is also a mess.  Yesterday Zetalytics saw the first resolution of the webserver "usaid-who[.]org" -- shall we go ahead and take bets on whether that will be a full blown charity fraud website by tomorrow?

Based on recent resolutions, we can also expect to see some HP Fraud here ... new resolutions to 111.90.144[.]67 include hp.support-numberireland[.]com and hp.supportnumbercanada[.]ca and hp.supportnumber[.]com[.]au.  

There are also some interesting websites providing information for completing Wire Transfers, such as "onlinebanking[.]su" (su = Soviet Union) with directions for how to do wire transfers to many common American, Canadian, Australian, and European banks!  Again, early DNS is helpful!  One of the other websites that is still being built to help with Wire Fraud holds only a single file - a 40 MB zip file called "onlinebanks.cc.zip" containing all of the web content for creating the website!

A Reverse Lookup of the Google Analytics code found on that page shows that three other websites using "metalDNS" as their nameserver are using the same Google Analytics code (ua-157551747):

hackertools[.]su 
onlinebanks[.]cc 
wuhancoronavirus[.]me 

What an interesting combination of websites to be created by the same webmaster!
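
The pivot described above (finding sites that share one Google Analytics account) can be reproduced on pages you have already collected. The following is an added example, not the authors' tooling: the function names and the HTML snippets are constructed for illustration, and only the account number and the three hostnames come from the post.

```python
import re
from collections import defaultdict

# Universal Analytics property IDs have the form UA-<account>-<property>.
# Sites run by the same webmaster often share <account> and differ only in
# <property>, so the pivot key is the account part alone.
UA_RE = re.compile(r"\bUA-(\d{4,10})(?:-(\d{1,4}))?\b", re.IGNORECASE)


def analytics_accounts(html):
    """Return the set of normalised account keys ("ua-<account>") found in html."""
    return {"ua-" + m.group(1) for m in UA_RE.finditer(html)}


def shared_trackers(pages, min_sites=2):
    """Map each analytics account to the sites using it.

    pages: dict of defanged hostname -> page source.
    Only accounts seen on at least min_sites distinct sites are returned,
    because a tracker used by a single site gives nothing to pivot on.
    """
    by_account = defaultdict(set)
    for site, html in pages.items():
        for account in analytics_accounts(html):
            by_account[account].add(site)
    return {acct: sorted(sites)
            for acct, sites in by_account.items()
            if len(sites) >= min_sites}


# Constructed page sources. The property suffixes (-1, -2, -3) and the
# surrounding markup are invented; hostnames stay defanged as on the page.
SAMPLE_PAGES = {
    "hackertools[.]su":
        "<script>ga('create', 'UA-157551747-1', 'auto');</script>",
    "onlinebanks[.]cc":
        "<script>gtag('config', 'ua-157551747-2');</script>",
    "wuhancoronavirus[.]me":
        "<script async src='https://www.googletagmanager.com/gtag/js"
        "?id=UA-157551747-3'></script>",
    "unrelated.example":
        "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
    "no-tracker.example":
        "<html><body>nothing here</body></html>",
}

if __name__ == "__main__":
    for account, sites in shared_trackers(SAMPLE_PAGES).items():
        print(account, "->", ", ".join(sites))
```
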

Hackertools[.]su makes this claim about their services:


The website claims that they will wire transfer you funds from one of the thousands of accounts for roughly a 10% commission on the money stolen.  Of course, like most of the scam sites run by these guys, they're just going to pocket the commission and you receive nothing.  Other interesting recent scam sites:
  • anaairlinesfirstclass[.]com - promises 50% discount on first class air from Japan's ANA.
    • related: anacustomerservicecenter[.]com 
    • related: anaairlinesreservationnumber[.]com 
  • expresscards[.]net - claims to sell pre-paid VISA cards purchased with Bitcoin.
  • glosscommercialbk[.]com - phishing site for Gloss Commercial Bank 
  • zabitpharmaceutical[.]com - claims to sell FDA-cleared "rapid platelet analyzers" 
  • and so many many more ...

Thursday, April 23, 2020

Scam Everything - Opioids, NetFlix, Phish, Covid Charities, and Government Refunds in one network neighborhood

There's a famous line in the movie Jerry Maguire where Tom Cruise's character says "Show me the Money!"  In online investigations, I prefer the line "Show me the Data!" This morning I was doing just that and found an interesting cluster of badness.

Dr. Elizabeth Gardner at UAB leads our Forensic Sciences program in the Department of Criminal Justice.  She and I have partnered on many projects in the past by mixing our expertise.  She's a forensic drug chemist, and I chase bad guys on the Internet.  8-).  Our current project follows up on some of the work we shared with the BBC Click episode "Can Technology Solve the Opioid Crisis?"

Last night we threw 586 Opioid and Fentanyl selling websites into our clustering-by-location program that Zack Knight (one of my student malware analysts) had developed for another project.  Our goal was to find clusters of drug-selling websites "in the same place" and then use other tools to explore what else is hosted in the same location.  The tool sorts first by country, then by ASN, and then by NetBlock.  There was a nice cluster that revealed itself, consisting of six websites all on the same Class C NetBlock:

Company: VERDINA Ltd., Autonomous System Number AS201133
  • 111.90.156.117
    • thepleasantproducts[.]com
  • 111.90.156.170
    • pharm-rx[.]to
  • 111.90.156.173
    • globalheadshop[.]com
    • nembutalonlineshops[.]com
  • 111.90.156.61
    • richmed-pharma[.]com
  • 111.90.156.64
    • researchkem[.]com

Why were these sites in our database?  Well, they offer some overtly bad stuff for sale.  Here's an example:
thepleasantproducts[.]com
pharm-rx[.]to

nembutalonlineshops[.]com
You can clearly see why our Opioids project is interested in these sites!  But what we wanted to know was, given that there were six very clearly objectionable sites on the same Class C Subnet, might there be other sites there as well?  That's where the Zetalytics "ZoneCruncher" tool came into play.  We asked ZoneCruncher what other sites were recently resolved to this Netblock, fully expecting it to give us a list back of additional drug sales websites!  What we got back was much more interesting!

111.90.156.0/24 via ZoneCruncher from Zetalytics 
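
The two steps described above (sort the seed sites by country, then ASN, then netblock, and then ask what else resolves into a dense netblock) are sketched below. This is an added example, not the clustering program or ZoneCruncher: the record layout, function names, `min_sites` threshold, the `XX`/`ZZ` country placeholders and every `.example` row are assumptions, while the 111.90.156.x rows and AS201133 are taken from this page.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One row per suspect site: defanged hostname, IPv4 address, origin ASN, country.
Host = namedtuple("Host", "name ip asn country")


def netblock(ip, prefix=24):
    """Enclosing IPv4 network as a string; /24 is what the post calls a Class C."""
    return str(ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False))


def cluster(hosts, min_sites=3):
    """Group hosts by (country, ASN, netblock), sorted in that order.

    Returns (clusters, skipped). clusters is a list of (key, sorted names) for
    groups holding at least min_sites distinct names; skipped holds rows whose
    address did not parse as IPv4, so bad input is reported rather than lost.
    """
    groups, skipped = defaultdict(set), []
    for h in hosts:
        try:
            key = (h.country, h.asn, netblock(h.ip))
        except ValueError:
            skipped.append(h)
            continue
        groups[key].add(h.name)
    ordered = sorted(
        groups.items(),
        key=lambda kv: (kv[0][0], kv[0][1], ipaddress.IPv4Network(kv[0][2])),
    )
    return [(k, sorted(v)) for k, v in ordered if len(v) >= min_sites], skipped


def neighbours(block, seed_names, pdns_rows):
    """Hostnames that passive DNS saw inside `block` and that are not seeds.

    pdns_rows is an iterable of (hostname, ip); result maps ip -> sorted names.
    """
    net, seeds, found = ipaddress.ip_network(block), set(seed_names), defaultdict(set)
    for name, ip in pdns_rows:
        if name not in seeds and ipaddress.ip_address(ip) in net:
            found[ip].add(name)
    return {ip: sorted(names) for ip, names in found.items()}


# Seed sites. The first six rows are the cluster listed on this page; the
# country is not stated there, so "XX" is a placeholder. The rest is constructed.
SEED_SITES = [
    Host("thepleasantproducts[.]com", "111.90.156.117", "AS201133", "XX"),
    Host("pharm-rx[.]to", "111.90.156.170", "AS201133", "XX"),
    Host("globalheadshop[.]com", "111.90.156.173", "AS201133", "XX"),
    Host("nembutalonlineshops[.]com", "111.90.156.173", "AS201133", "XX"),
    Host("richmed-pharma[.]com", "111.90.156.61", "AS201133", "XX"),
    Host("researchkem[.]com", "111.90.156.64", "AS201133", "XX"),
    Host("shop-a.example", "192.0.2.10", "AS64500", "ZZ"),
    Host("shop-b.example", "192.0.2.77", "AS64500", "ZZ"),
    Host("shop-c.example", "198.51.100.5", "AS64501", "ZZ"),
    Host("broken-row.example", "not-an-ip", "AS64501", "ZZ"),
]

# Stand-in for a passive DNS export. The two ibonline[.]digital rows use the
# address shown in the nslookup output on this page; the last row is constructed.
PDNS_ROWS = [
    ("givedirectly-covid19-emergency-fund[.]ibonline[.]digital", "111.90.156.73"),
    ("www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital", "111.90.156.73"),
    ("thepleasantproducts[.]com", "111.90.156.117"),
    ("unrelated.example", "203.0.113.9"),
]

if __name__ == "__main__":
    clusters, skipped = cluster(SEED_SITES)
    for (country, asn, block), names in clusters:
        print(country, asn, block, len(names), "seed sites")
        for ip, extra in neighbours(block, names, PDNS_ROWS).items():
            print("  also on", ip, "->", ", ".join(extra))
    print("skipped rows:", [h.name for h in skipped])
```
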
As soon as I saw the results, I knew exactly what scammers were behind these sites, as we were well familiar with the group from the work I've done with the excellent Business Email Compromise researchers at Artists Against 419 (AA419)!  The "signature" of this group is their reliance on a set of nameservers running on domains "steeldns[.]com", "metaldns[.]com" and "argondns[.]com" hosted on the Malaysian hosting company Shinjiru MSC.  Verdina Ltd. is the owner of this particular netblock, which uses the Autonomous System Number AS201133.

Verdina has a few other Netblocks that we'll be exploring later, but this one has plenty of badness on its own!  Some of the most recent sites we have on this same Netblock include:

A fake Bank of Ireland site, indicating they would like to refund a suspicious transaction to your Visa card:

boi365refunds[.]com 

of course, first you have to login . . . 
An alert that your NETFLIX payment has been declined, which of course also requires a bit more information to "RESTART MEMBERSHIP" ...
netflx9-msg101[.]com 
netflx9-msg101[.]com / alldetails.html 

Many of the sites identified by ZoneCruncher have either already been remedied by security researchers working with registrars, or have not yet been deployed by the scammers.  The domain names themselves indicate the range of their creative scamming:

Covid Charity Scams 
=============================
e-media-covid19-relief[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations-for-food-parcel[.]ibonline[.]digital
emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
givedirectly-covid19-emergency-fund[.]ibonline[.]digital
www.1covid-19-d[.]com
www.1covid9-cerb[.]com


Netflix Phish
=============================
n3tflix-billupdate1[.]com
netfl1x-accupdate3[.]com
netfloux474[.]com
netflx1-sms98[.]com
netflx9-msg101[.]com

Paypal phish, Scotia Bank phish, RBC phish, ANZ phish
============================
paypai[.]restringido[.]org
paypal[.]restringido[.]org
rbcsecu1ces32[.]com
scotia1ban2k1-info[.]com

"Secure" Messaging portals
====================
msg-integrity[.]com
report-payments[.]net
threessl[.]com

and so many more ... 112 different "scammy" domains were hosted on this single Class C just in the past ten days!

UK Government Refund Scam 

The most interesting of the current batch, however, was this one which was a means to update payment details in order to receive a refund from the UK Government via the website www[.]govuk-proceed-application[.]com, pictured below:

shall we begin the process?  


Give us all your personal data . . . 
Don't worry!  Everything is "secured with 256-BIT SSL Layer!" 

Give us all of your Banking Details!
 
And at the conclusion, you'll get a nice confirmation number!
(before a bit.ly link forwards you to the real UK Government)


Other Examples of Live Badness



Just a few more examples . . . all live as of this writing . . . 
volksign[.]bausp[.]com 

Gold Investing anyone? 

Paypal Phish

Bottom line?  Exploring the Network Neighborhood of a cluster of bad sites can lead to some very interesting findings!  I'm looking forward to learning more from Zetalytics!  They show 19,000+ more domains that were served by "ns1.metaldns.com" and so very many of them look scammy!



Saturday, April 11, 2020

SEC Suspends CoronaVirus Stock Pump-n-Dump Scammers

Last month we shared information on the blog about spam-driven affiliate programs who were selling a variety of shady "anti-Coronavirus" products, including immunity oils, masks, disinfectants, and no-touch thermometers. (See: CAUCE Spamfighters Rally Against Corona Health Fraud Affiliate programs ).  Today I wanted to share an update regarding another type of spam and the SEC's actions related to stock market symbols being manipulated through "pump-n-dump" scams.

Over the past several weeks, the SEC announced the suspension of trading of several stock symbols due to illegal attempts to manipulate the value of those stocks, often by driving the stock value up ("pumping") by making untrue claims about how the company was involved in helping fight the Coronavirus, Covid19.  We'll just dive into two of the most recent ones here.

Turbo Global Partners, Inc ("TRBO")

On April 9, 2020, the SEC suspended trading of Turbo Global Partners, Inc ("TRBO"), a company based in Tampa, Florida.  The suspension is due to claims made by the company that it had entered into agreement with BeMotino, Inc to provide non-contact human temperature screening and facial recognition technology, and that it had the ability to ship the technology to customers within five days of receiving an order.  Press Releases on March 30th and April 3rd made these claims.


The small spike to .0074 cents per share on February 7th corresponded with the announcement that the company was doing a pilot to place indoor digital billboards in 100 pharmacies in Florida in 2020 with aggressive expansion predicted:

 Singerman continues, "BeMotion's Mobile Commerce Network 'MCN' and the DCN Vending & Marketplace 'DCN-V' is the solution we are bringing to the global market under our joint TURBO - BeMotion brand. Our initial effort will be integrating both MCN and DCN-V technologies into our independent pharmacy silo in 3 Phases of our 2020 Strategic and Tactical Plan:

"Phase 1: Integrating our Co-Brand Solutions into our 100-Pilot pharmacy locations in Florida to be deployed during Quarter 2, 2020.

"Phase 2: Deploying the DCN Vending into 1,000+ pharmacy locations in the U.S. deployed with the TURBO - BeMotion Co-Brand by 2021.

"Phase 3: Deploying the DCN Vending into 5,000+ pharmacy locations by 2023."

On March 14th someone buys nearly 120 million shares of the company for between .0016 and .0055 cents per share.  Then this press release is splashed around the Internet in penny stock forums and "investor tip" messages:


The company that was previously saying it was a marketing company selling indoor billboards is suddenly selling "non-contact human body scanning technology" that can scan "up to 320 people per minute" saying "Imagine Law Enforcement with our Technology version for vehicles being able to scan like RADAR a cluster of people or a homeless encampment in minutes for elevated temperatures." and that "THIS IS THE KEY TOOL ... THAT CAN HELP BREAK THE CHAIN OF VIRUS TRANSMISSION."

If we guess that the average purchase price for that stock was .003 cents per share, immediately after this press release, the stock booms to six times that value.  The investors who are "in on the deal" and bought 120 million shares on March 16th to March 18th and sold on April 4th and 5th would have paid around $360,000 and sold for right at $2 Million.  This is how Stock Pump n Dump works.

Where did that garish and false ad come from?  This copy was posted in an investment board run by "SHEEPWOLF" 


But was Sheepwolf heavily pushing this stock?  Let's look at his recent posts on the site:

Do you get the feeling that SHEEPWOLF really wants the value of $TRBO to increase?  Hmmm... I wonder why. Between March 27, 2020 and April 7, 2020, SHEEPWOLF posted EIGHTY-ONE MESSAGES about this stock!

There was a clear change in marketing via Press Releases that occurred beginning March 13th, according to OTC Markets:

https://www.otcmarkets.com/stock/TRBO/news

And that was just ONE of the recent SEC Suspensions. If you have more information about this case, please contact Justin Jeffries, Associate Regional Director for the SEC, at (404) 842-5750.

BioELife Corp f/k/a U.S. Lithium Corp ("LITH") 

On April 8, 2020, the SEC suspended trading of BioELife Corp f/k/a U.S. Lithium Corp ("LITH").  The SEC has "questions and concerns regarding the accuracy and adequacy of publicly available information concerning LITH, including public statements made by LITH in press releases issued on March 12, 2020 and March 16, 2020 and reinforced by third-party stock promoters, regarding a purported new Coronavirus (COVID-19) Prevention Products Line, together with potentially manipulative trading activity between October 2019 and present."

That is certainly an understatement!  Let's look at the recent press releases, indicating that BioELife had a sudden change in product direction, from selling CBD Pain treatments, to suddenly preventing the spread in CoronaVirus.

https://www.otcmarkets.com/stock/LITH/news
Some of those recent statements were things like this:

The initial purchase order from Group Buying Club- GPOCBD, covers all current BioELife products – lotions, tinctures, flower and gummies as well as the BioEDefense product line: Sanitizers, RespiPro Virus Killer Masks, and the R-Shield (a reusable nanofiber scarf designed for 50 wash cycles). GPOCBD is marketing CBD products directly to wholesalers, consumers and affiliates looking to supplement their sales of BioELife products which offer natural products to fight pain and infection, as well as help defend against the growing global concerns regarding bacteria and virus’s contamination.

That's funny. Respilon R Shield is a Czech mask created for fighting smog and marketed primarily through their Instagram page:  https://www.instagram.com/respilon_r_shield/.  They have converted Czech prisons into mask factories, because it seems the masks are in high demand.  Definitely a more "Lit" mask than most people are wearing these days.  But since they are still in KickStarter mode, I don't think there is much chance that US Lithium is involved with them. I don't believe they are in any way at fault for $LITH's bad marketing!


Here's an example of how these press releases are then turned into "BUZZ" by newsletters, such as this one from "Make Penny Stocks Great Again" one of many such services that provide "free" newsletters to people who are trying to make a quick buck daytrading.


Ooh!  CBD-fortified hand-sanitizer!  Where do I sign up?

If anyone has more information about the $LITH pump, "they should immediately contact Celeste A. Chase, Assistant Regional Director, at (212) 336-0049, or Jason R. Berkowitz, Assistant Regional Director, at (305) 982-6309." (from: https://www.sec.gov/litigation/suspensions/2020/34-88607.pdf )

Spotting the Scammers

There are some members of these "stock promotion" investor boards that try to warn others.  My favorite right now is "reverse_long" who shares information about stocks that are in "PAID PUMP N DUMP" scams ... I love the tagline he uses on his profile! "Shorting Paid Pump and Dumps to Make The World A Better Place"  (He also has a great Twitter feed:  @reverse_long)


And, sure enough, one of the 80 Paid Pump And Dump scams he has been warning his fellow investors about was $LITH: 


Which was also on his Twitter feed back on March 4th: 



Honestly, I believe if we wanted to find more of these, it would probably be as easy as doing this Google Search:

site:www.otcmarkets.com inurl:news inurl:stock COVID-19

Then I would take the resulting symbols and check them against these bogus stock promoter sites.  Let me assure you there are some DOOZIES in there!  But subscribing to many of these Stock Tip Newsletters might be another way to do so.

Other SEC Actions

(Quoting from the SEC Suspension Orders, linked to each company's name below: ) 

Feb 7, 2020 - $AEMD - Aethlon Medical - Concerns regarding the accuracy and adequacy of information in the marketplace since at least January 22, 2020 that appears to be disseminated by third party promoters that are purportedly not affiliated with AEMD about, among other things, the viability of the company's products to treat the coronavirus.

Feb 24, 2020 - $ETBI - Eastgate Biotech Corp - Concerns about the adequacy and reliability of publicly available information concerning ETBI since at least January 30, 2020, among other things, statements about the company's purported international marketing rights to an approved coronavirus treatment to potentially combat the Wuhan Coronavirus.

Mar 25, 2020 - $ZOOM - Zoom Technologies, Inc - This one seems to be because of the name confusion of their stock symbol and the "similarly-named NASDAQ-listed" video conferencing company.

Mar 25, 2020 - $PXYN - Praxsyn Corporation - Questions  regarding the accuracy and adequacy of information in the marketplace since at least February 27, 2020.  Statements about PXYN having and being able to obtain large quantities of N95 masks used to protect wearers from COVID-19. 

https://www.karmadata.com/Entity/Sponsor/praxsyn.com
One of the places $PXYN was being pumped was "Investors Hangout" ... "hotforpenny" was pumping the Corona run, but a review of messages shows that the company had been pumped before as a medical marijuana company in 2018:


HotforPenny also participates on "Sheepwolf's 1,000,000.00 Journey" that was referenced above.  He's currently pumping (excuse me, "discussing")  $GRYN, $SING, $BCCI, $BTFH, $AYTU, $BWVI, and $RJDG ... 

https://investorshangout.com/profile/latestposts/id/14192

April 3, 2020 - $NBDR - No Borders, Inc - Questions and concerns regarding the adequacy and accuracy of publicly available information concerning NBDR.  Statements about NBDR's products and business activities related to the COVID-19 pandemic, including NBDR's COVID-19 specimen collection kits, an agreement to bring COVID-19 test kits to the United States, and NBDR's activities related to the distribution of personal protective equipment.

Example: 
https://investorshub.advfn.com/No-Borders-Inc-NBDR-3988/

April 3, 2020 - $SSTU - Sandy Steele Unlimited Inc - questions regarding the accuracy and adequacy of information in the marketplace since at least March, 2020. Those questions relate to apparent promotional activity, including e-mail stock promotions from unknown sources directed to investors, which claim that Sandy Steele is an operational garment manufacturer producing various clothing items and that it has the ability to produce protective masks that are in high demand due to the COVID-19 crisis.

InvestorsHub has over 700 messages related to this company, with many referring to the pump and dump.  See: https://investorshub.advfn.com/Sandy-Steele-SSTU-3697/ 

April 7, 2020 - $WMGR - Wellness Matrix Group, Inc - questions regarding the accuracy and adequacy of information in the marketplace since at least March 19, 2020. Those questions relate to statements WMGR made through affiliated websites and a company consultant about selling at-home COVID-19 testing kits that had been approved by the FDA.

NPR reported on this company's fraudulent behavior - See: SEC Suspends Trading of Company That Sold 'At-Home' COVID-19 Tests 

Ten months ago, they named a new VP of marketing (David Saltrelli) and a new president (Joshua Patterson) and a change in direction - developing "technologically advanced health care models in a Virtual Reality, Augmented Reality, and Creative Artificial Intelligence Platform." Kind of a jump from their origins as Fuhuiyuan International Holdings, which was mostly a real estate management company working with KWest Alberta in Canada.  When you issue 190,000,000 shares of stock to be valued at $0.0001 each and switch from real estate to Artificial Intelligence Health Care, something odd may be afoot.

April 7, 2020 - $PGEC - Prestige Capital Corp. -  concerns about the adequacy and accuracy of publicly available information concerning PGEC, including its financial condition and its operations, if any, in light of concerns about investors confusing this issuer with a similarly-named private company that is a manufacturer of N95 masks and the subject of increased media attention during the ongoing COVID-19 pandemic.

April 7, 2020 - $KCPC - Key Capital Corporation - questions regarding the accuracy and adequacy of information in the marketplace since at least March 5, 2020. Those questions relate to statements KCPC made about developing, and being able to make available to the mass market within three to six months, a vaccine to treat COVID-19 in press releases issued by the Company on March 5, 2020 and March 10, 2020.

Another company with a very interesting change in focus.  Recently this was a company who had announced a "Unique Digital Gold Standard Cryptocurrency" ... and now they have a vaccine for Corona?  

https://finance.yahoo.com/news/key-capital-seeks-partners-development-194915606.html

Quite a change from being the gold mining company behind the GoldCrypto ICO!

https://www.otcmarkets.com/stock/KCPC/news/GoldCrypto-Launching-Worlds-First-Hackproof-Cryptocurrency-Tokens?id=195885