Using TDS for Malicious Purposes!
During our 6-plus years in operation, cybercriminals have tried thousands of times to shut us down, hack our site, malign our content, or target us and our family members with malware tricks and scams. Their collective effort has never shut us down longer than a day and nothing they do will ever deter us from our mission to help netizens of the world recognize fraud and malicious tricks that target them daily!
Cybercriminals are “at it” once again in a way that is very public and misleading. We recently noticed that Google searches during the previous 24 hours or week for “The Daily Scam” are turning up links that reference us and our content. However, other than two legitimate links about us (found on DigitalGuardian.com and SusieAndSecurity.com), all of these other links point to VERY suspicious websites, or websites with confirmed malware traps lying in wait for visitors. Between December 1 and 6 we found 22 such links poisoning Google’s search results. Here are two screenshot examples of what we mean…
The fact that we have identified malware lying in wait on several of these sites leads us to believe that every single one of these links likely has a malware trap set up for it. Our tools also detected that several of these links showed “no web content found” on the page in the link. To us, this is simply confirmation that such a link is also malicious or was malicious (assuming the site owner or host service found the malware and removed it). Again, here are screenshots of just a few results confirming this...
Some of these malicious websites citing us are meant to poison Google searches for brief periods of time. They appear to be up for one to two days and then they disappear. Others linger longer. Some are crap domains registered for malicious purposes, while others appear to be legitimate websites that have been hacked and maligned.
The “headlines” used in the metadata collected by Google vary somewhat, but they are generally centered around the theme of fake phone and text numbers. Headlines include:
- 500 Fake Ids Seized
- Amazon Prime video customer service phone number
- Amazon Toll Free Number
- Fake Amazon Customer Service Number
- Fake Emergency Alert app
- Fake German Phone Number for Sms
- Fake Microsoft Tech Support Numbers
- Fake Numbers to Text
- Fake Saudi Number Sms
- Fake Utility Bill for Amazon
- France Fake Phone Number
- Is 999 a prime number
- Money Numbers
- Text Bot Numbers
Of course, we have no evidence of who is behind this poisoning attack, but we can speculate. Since most of the bogus content seems to be about fake phone numbers such as for Amazon and Microsoft, it feels like we’ve pissed off cybercriminals who are most responsible for these scams. It is our experience that these crimes are most often perpetrated by cybercriminal gangs in India. And so we wonder. This has happened to us in the past and we also suspected cybercriminals in India.
Below is a list of the 22 websites where we found references to us in early December. We have posted links below to some of the WHOIS records for domains that were newly registered. All other domains were either hacked or not “newly” registered. We’ve also informed some domain hosting services and domain owners of the fraud using their websites. In at least 2 cases, cybercriminals were using content from MANY other websites to poison Google, including content about a funeral home! Never a dull moment in this business.
MALWARE LADEN WEBSITES THAT CITE TDS between 12/1 - 12/6
- ledap.skymovie[.]site/888-phone-number.html (skymovie[.]site registered in Russia 11/2)
- ihfi.greenwoodteatro[.]it/france-fake-phone-number.html (greenwoodteatro[.]it registered 12/2)
- hspwdm.txshore[.]tech/xczmhu/6934 (txshore[.]tech registered 11/23; updated 12/1)
- ivolthi.pageantvoteph8[.]online/amazon-prime-video-customer-service-phone-number.html (pageantvoteph8[.]online registered in Russia 11/27)
- lalbu.pageantvoteph10[.]online/amazon-video-help-phone-number.html (pageantvoteph10[.]online registered in Russia 11/27)
- raphaartlifetv[.]com/nmfta-login-ywdyi/fake-emergency-alert-app.html (raphaartlifetv[.]com registered 10/14)
- enpge.norrmio[.]site/888-phone-number.html (norrmio[.]site registered in Russia 11/2)
- ogif.funlearning[.]it/500-fake-ids-seized.html (funlearning[.]it registered 12/2)
- mico.qualitywines[.]it/fake-amazon-customer-service-number.html (qualitywines[.]it registered 12/3)
- bax.perfectfamily[.]life/xs/35115 (perfectfamily[.]life registered 11/23)
- bpsars.shoplag[.]site/amazon-customer-service-number.html (shoplag[.]site registered in Russia 11/2)
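One way to triage a list like the one above by domain age, as an added example that is not The Daily Scam's own tooling. The placeholder year (the page gives only month/day), the 45-day "new" threshold, and the function names are assumptions; entries stay defanged.

```python
import re
from datetime import date

# Assumptions (not from the page): the list gives only month/day, so a
# placeholder year is used (it does not change Oct-Dec day differences),
# and "newly registered" means at most 45 days before the observation date.
ASSUMED_YEAR = 2001
NEW_DOMAIN_DAYS = 45

# Entry format used in the list above; "[.]" defanging is kept on purpose.
ENTRY_RE = re.compile(
    r"^-?\s*(?P<url>\S+)\s+\((?P<domain>\S+) registered"
    r"(?: in (?P<country>[A-Za-z ]+?))? (?P<m>\d{1,2})/(?P<d>\d{1,2})"
)

def parse_entry(line):
    """Parse one list entry into a dict, or return None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "url": m["url"],
        "domain": m["domain"],
        "country": m["country"],  # None when the entry names no country
        "registered": date(ASSUMED_YEAR, int(m["m"]), int(m["d"])),
    }

def triage(lines, observed):
    """Return (domain, age_days, is_new) per parseable entry, youngest first."""
    rows = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        age = (observed - entry["registered"]).days
        rows.append((entry["domain"], age, 0 <= age <= NEW_DOMAIN_DAYS))
    return sorted(rows, key=lambda r: r[1])

# Three entries copied from the list above.
SAMPLE = [
    "- ogif.funlearning[.]it/500-fake-ids-seized.html (funlearning[.]it registered 12/2)",
    "- raphaartlifetv[.]com/nmfta-login-ywdyi/fake-emergency-alert-app.html (raphaartlifetv[.]com registered 10/14)",
    "- enpge.norrmio[.]site/888-phone-number.html (norrmio[.]site registered in Russia 11/2)",
]

if __name__ == "__main__":
    for domain, age, is_new in triage(SAMPLE, date(ASSUMED_YEAR, 12, 6)):
        print(f"{domain:28} {age:3d} days old  {'NEW' if is_new else 'older'}")
```

Domain age is only one signal: the hacked legitimate sites mentioned earlier would not be flagged by it.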