BEWARE of Stimulus Check Scams and Oddball Top Level Domains!
Who is Terri Jackson and why is he/she sending me a notification that my stimulus check for $6,345 is ready and waiting for me? The domain jacksonterri[.]com was newly registered last October and someone has reported this site as a scam on ScamAdvisor.com.
Most importantly, a mouse-over of the link “Review Now” shows that it points to a HIGHLY MALICIOUS domain called aiftrckr[.]com. We’ve reported several times about malware lying in wait at this domain! Delete the email and wait for your stimulus check to be announced on a US Government website (“.gov”).
Every internet user has experienced domains that end in “.org” or “.com.” These endings are called generic Top Level Domains (gTLDs). The internet began with only 6 gTLDs and now has more than 1500. Most of these are obscure and used primarily by cybercriminals, such as “.cam” and “.work.” (A quick glance at “.cam” may lead some to assume it is “.com.”) Here’s a simple example. One of our honeypot accounts received an email offering to remodel your bath & shower with a “$500 off” offer. But the email came from the oddball domain bhswr[.]work; the gTLD is “.work.” A WHOIS lookup of this domain shows that it was registered in India on the very same day that this email was sent! Longtime TDS readers know that this is a VERY bad sign that signals malicious intent.
Here’s another example, this time from an email claiming to represent supplemental Medicare coverage, which means it is clearly targeting Americans: “Affordable Medicare Supplement Coverage Starts Here.” But the email was sent from the crap domain “medcre[.]cam” and its links point back to that domain. That domain was also registered in India just hours before the email was sent and is being hosted on a server in the city of Kharkiv, Ukraine.
Did you see who is behind both of these malicious clickbait emails? If you look carefully at the links in those emails, you’ll see two hyphenated random words. Both of these malicious clickbait emails are the work of the notorious Hyphen-Poopy gang. We believe these cybercriminals are located in India. The Hyphen-Poopy gang is an archnemesis responsible for targeting millions of Americans with malicious tricks for their financial gain. STAY VIGILANT! Notice the gTLD that appears at the end of a domain name. Look to see if oddly hyphenated words appear anywhere in a link. Trust your gut! If something seems “off,” do not click the link! Send it to us to check out! In the meantime, check out the misspelling of the word “citizens” in this email sent from another “.cam” domain called citzns[.]cam. Like the others above, it was registered in India on the day the email was sent.
Need we say more?
As we stated in our opening remarks, it is becoming increasingly hard to tell truth from fiction online. Cybercriminals and bad actors with an agenda are using very sophisticated tools and clever techniques to fool unsuspecting netizens the world over. Here are 3 simple examples.
IntelliShop is a real service that uses the domain intelli-shop.com and has been around for at least 21 years. In Internet years, that’s ancient! But almost exactly a year ago, scammers created a look-alike domain, usa-intelli-shop[.]com, that tricked people into believing they were dealing with the legitimate company.
Our honeypot email accounts get lots of Nigerian 419 scams every week and TDS readers send us more. They are so common that we don’t often spend much time on them UNLESS we see something clever or unique. Such was the case of an email sent directly to Doug at The Daily Scam! It was as if the scammer was begging for attention! Check out this email from “Richard Ball” informing Doug that he is set to inherit millions (in British pounds). The email came from a server in Brazil on January 15, BUT a reply to this message will automatically be sent to a domain called MillstreamFinancial[.]com. THIS got our attention! (Notice that the FROM address ends with the 2-letter country code “.br”.)
Who is Millstream Financial Services and the Advisor named Richard Ball? Apparently, Mr. Ball is a real financial advisor of a real business in Beckenham, England, according to the Financial Conduct Authority, along with other credible websites that verified this business. This financial service has used the domain MillstreamFinancial.co.uk, which was initially registered and hosted in England in March, 2010. (However, as of January 16, 2021 there is no website available at MillstreamFinancial.co.uk.) A Google search shows yet a third website about this business and it is on a subdomain found on SimplyMemberSites2.co.uk. All of the contact information found on this “member site” matches the information listed with the Financial Conduct Authority. Are we to believe that Mr. Ball is also using MillstreamFinancial[.]com now?
Though MillstreamFinancial[.]com seems like a very logical domain for Mr. Ball to own, and it is where a reply to the email would be sent, Google doesn’t have any listing for this website. In addition, a WHOIS lookup for this domain shows that it was registered anonymously in Canada on August 11, 2020. Remember, this is in contrast to the 2010 domain, millstreamfinancial.co.uk, which was registered AND hosted in the United Kingdom, and verified by multiple sources. It should now be obvious to all that MillstreamFinancial[.]com is a fraudulent domain, registered by a Nigerian 419er running a typical “advance fee” scam. We’ll keep you informed how this plays out because we’ve replied to “Mr. Ball” saying that we’re very happy he found that we are related to a “long lost relative” who left millions of dollars without an heir!
Our final example concerns your health and medicine. If you Google “Zantac cancer claims” you’ll find thousands of websites (many from personal injury lawyers) providing information about lawsuits being brought against the manufacturer Sanofi because many now believe that the primary ingredient in Zantac causes cancer. This has led to many class-action lawsuits against Sanofi over what was a very popular antacid drug. One of our honeypot email accounts received this solicitation to possibly join a lawsuit and receive compensation if we believed that we (or a loved one) developed cancer AND used Zantac regularly. The sender name is “ZantacLawsuit Compensation” and, remarkably, the domain name is not visible in the email address, which is rare. This was the first clue that suggested this may not be what it appears to be.
Though the address in Mt. Kisco, NY, listed at the bottom of the email, belongs to an email marketing service, we became even MORE doubtful about this email when we discovered that the links in the email pointed to an IP Address rather than a domain name. An IP Address is a set of numbers used to identify a device connected to the Internet, and it can often be used to approximate the device’s location. To help us humans navigate the Internet more easily, IP Addresses are almost always mapped to a name, because names are easier to remember than a seemingly random set of numbers. So WHY did the links in this email show only an IP Address? We used a tool called IPLocation.net to tell us where in the world the IP Address 51[.]68[.]143[.]24 was located. The answer was Warsaw, Poland! We also found this IP blacklisted by the security service McAfee, AND that a redirect at the end of this link sends visitors to another odd website named plutofresh[.]com.
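The red flags walked through above (oddball gTLDs such as “.cam” and “.work,” hyphenated random words in links, a Reply-To domain that differs from the From domain, and links that point at a bare IP address) can be turned into a simple triage check. The script below is an added example written for this page, not a tool from The Daily Scam; the list of suspect gTLDs is an assumption drawn only from the domains named above, the sample emails are constructed, and it does not do the WHOIS registration-date lookup the article relies on, since that needs network access.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumption: only the gTLDs this article calls out; a real deployment would
# keep a longer, maintained list.
SUSPECT_TLDS = {"cam", "work"}
# Two lowercase words joined by a hyphen as a whole path segment,
# e.g. "/stormy-walrus" (constructed), as in the Hyphen-Poopy emails.
HYPHEN_WORDS = re.compile(r"/[a-z]{3,}-[a-z]{3,}(?:[/?.]|$)")


def refang(text):
    """Turn a defanged value like 'aiftrckr[.]com' back into a parseable one."""
    return text.replace("[.]", ".")


def link_flags(url):
    """Return the reasons a single link looks like clickbait (empty if none)."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    flags = []
    try:
        ip_address(host)            # bare-IP link, as in the Zantac email
        flags.append("raw-ip-link")
    except ValueError:              # a normal host name: check its gTLD
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPECT_TLDS:
            flags.append("oddball-tld:" + tld)
    if HYPHEN_WORDS.search(parsed.path.lower()):
        flags.append("hyphenated-words")
    return flags


def domain_of(address):
    """Domain part of 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def score_email(msg):
    """msg is a dict with 'from', 'reply_to' (may be empty) and 'links'."""
    findings = []
    reply_to = msg.get("reply_to", "")
    # Reply-To pointing somewhere other than the sending domain, as in the
    # "Richard Ball" 419 email that answers to MillstreamFinancial[.]com.
    if reply_to and domain_of(refang(reply_to)) != domain_of(refang(msg["from"])):
        findings.append("reply-to-mismatch")
    for url in msg["links"]:
        findings.extend(link_flags(url))
    return findings
```

Hyphens inside the host name itself (intelli-shop.com is a legitimate 21-year-old business) are deliberately not flagged; the signal the article describes is hyphenated random words in the link path.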
It is clear to us that this invitation to join a lawsuit is completely fake, and nothing more than malicious clickbait. In case all of this talk casting doubt on what is believable online is giving you heartburn, please don’t take Zantac to quell that acid overflow. Go take a walk in the woods, or along a lake, river or ocean. You’ll be glad you did.