Weekly Alert  |  August 23, 2023

Please take our victim survey on Pollfish to help us better understand online threats targeting the public. One of the best ways for you to stay informed and recognize online threats is by helping to build a list of scammer websites, and check out the list from time to time. 

Unless you are living under a rock, you’ve likely heard about online AI services, such as ChatGPT, that can easily create content for people or provide answers to questions in seconds. (But some of these answers contain false information!) According to, there is a similar AI service called wormGPT built specifically for scammers to use, increasing the risks to all of us!

Sneaker Sales on Instagram

Not long ago, one of our readers was scrolling through his Instagram feed and came upon an advertisement for sneakers. He had been interested in some quality sneakers and the ad grabbed his attention. He clicked on it, which showed him a company called EquadBikes[.]com. This single click completely changed Instagram’s algorithm for this man and, over the next few days, he received multiple advertisements for sneaker sales from about seven stores on his Instagram feed. (It’s important to note that Instagram is owned by Meta, Facebook’s parent company.) Every one of these online stores was a scam store! Could you see through these faux footwear stores? We’ll show you what we found after the man contacted us because these deals seemed too good to be true!

To protect the man’s identity, we’ll call him “Chris.”  Chris’ first Ad was for a store called EquadBikes[.]com and when he clicked the Ad to visit their website, he found an online store, rich in sales and quality sneakers of a brand called On Cloud. The sneaker prices were incredible! Below you’ll see that the On Cloud women’s sneakers were priced at $19.95! On nearly all other KNOWN websites Chris had looked at, this brand and type of sneaker was going for $139.95 – $149.95. (Here they are, for example, on Chris was smart enough to know that these amazing prices didn’t feel right. He took the screenshot below and sent it to us to ask what we thought…

We told Chris that we HIGHLY suspected that EquadBikes[.]com was a scam website for two reasons besides the absurdly low pricing. The first was that it was registered on the last day of January 2023, about 6 months earlier. Secondly, their domain had been registered through Xiamen Technology, a Registrar located in China. (Unfortunately, Chinese scammers have a reputation for creating lots of fake consumer product websites, or cheap, lower quality knockoffs.) Chris thanked us and didn’t think much more about it until about 45 minutes later when another Instagram Ad appeared on his feed. This time it was for a store called RoadRunningHub[.]com. Again, the Ad showed On Cloud running shoes that Chris knew could be found on lots of other known consumer sites for about $139.95. On RoadRunningHub[.]com, they were 50% off! Now Chris was wary and immediately sent us another screenshot.

When we investigated RoadRunningHub[.]com we were surprised by what we discovered. The domain was registered back in mid-January, thirteen days prior to the EquadBikes website, but this time through a Registrar called Shinjiru Technology in Malaysia. More importantly, when we asked Google to run a site search for the address of this business, we saw that it was listed as “Address 1” and the phone number was simply “123456789.” That obvious misinformation led us to ask if it knew anything about this website and, to our surprise, we learned that it had already been identified as malicious some time last February!

Now we alerted Chris to be wary of ALL sneaker Ads in his Instagram feed! Clearly, Instagram was doing a horrible job of telling fraudulent stores from real online consumer stores! (What a surprise, right? Would YOU expect Meta to protect consumers from fraud? We don’t. They have a horrible reputation for taking care of consumers and their data!) Below is a screenshot of the full top page of the RoadRunningHub[.]com website. It’s designed to look like any consumer product website. Can you tell just by looking that this was a scammer’s site?

Chris continued to see many other suspicious consumer sites selling sneakers. (Thank you, Meta!) He told us of another site called HotsShoing[.]com. (Notice the misspelling of “shoeing.”) Our favorite WHOIS tells us that this bogus domain was registered on June 8, a little more than two months before Chris stumbled upon it in an Instagram Ad. In the screenshot below of their “Contact” page you’ll notice a timer at the top of the page showing a countdown of days/hours remaining for their 70% off summer clearance sale. And if you believe that, then we’ve got land to sell you in Atlantis for 70% off! Awkward/incorrect English on their contact page, along with a contact email pointing to a free Hotmail account called steysarn, tells you everything you need to know about this sneaky site! CAVEAT EMPTOR!

FOOTNOTE: Sometimes it is eye-opening what a little research can reveal. We conducted a Google search for the email address, steysarn @, as seen on the Hotsshoing[.]com contact page and discovered this listing on Scamwatcher for a suspicious website called vrzuike[.]shop as well as the following 7 additional suspicious websites.

  • Duolyshop[.]com
  • Finkwesley[.]shop
  • TVstuffonline[.]com
  • Sportshoesa[.]com
  • Butarly[.]shop
  • Syracuseomt[.]shop
  • Onkaoonline[.]com

The lesson here couldn’t be more clear! Don’t trust Instagram (Meta) to keep you safe, and don’t trust online stores, no matter how well designed they may appear. Do your research! VERIFY, VERIFY, VERIFY! And if it looks too good to be true, it probably is.

Is Bella Heather Really Missing?

Have you come across these posts of a missing girl called Bella Heather on Facebook? Watch out – it’s a scam! Check out and protect yourself with this 100% FREE, all-in-one tool.

I’m Your Badness!

We admire the effort and energy that our friend Rob puts into baiting scammers! He spends hours on it every week and this effort wastes their time, exposes their fraud, and makes us all a bit safer. Listen to this recent phone call he made to a scammer after getting an email from a free Gmail account saying…

Thank you for shopping online with us! The transaction is made $ 500.00 from the paypal account credit balance, it wìll reflect on the statement in few hours.

Your recent shopping for Target E Gift Cards is successful, we wìll deliver the cards to [EMAIL REDACTED] within 04 to 24 hours.

Happily, Rob picked up the phone, turned on his recording software and called the Customer Support Helpdesk at +1 (858) 367 3953. WARNING: The language at the end of this 4 minute call gets spicy when Rob and the scammer exchange loving remarks, beginning when the scammer informs Rob “I’m your badness!” (This is particularly funny because it is such an uncommon expression and “badness” means “low standard” or “lack of or failure to conform to moral virtue; wickedness; evil.”)

We shortened Rob’s phone call from about 7 minutes down to 4 minutes by cutting out hold-time, Rob’s email and phone number requested by the scammer, and repeated sentences. The scammer tells Rob that “some hacker got into your IP address and we need to block them.” He asks Rob to visit a website called drto[.]info but Rob’s security services stopped him. Malwarebytes Browser Guard blocked the site, adding that it “may contain malicious activity.” Hell yes! But the scammer tried to mislead him and told Rob that he would provide him with a “cancellation code” for that website. This is COMPLETE BS and drto[.]info is a VERY dangerous site! Rob thought that if he had entered the code on this website, this action would have given the scammer full access to his computer. VirusTotal tells us that two of three security services have found malware lying in wait at this website!

It is soooooo easy to lie online! (We wish we had a dollar for every time we’ve said this!) People, websites, businesses, social media and the online world are littered with lies! Some are easy to spot and others are not. Here are two small examples to test your ability to see through these lies. Let’s start off with the easy one. How many suspicious red flags can you spot in this email? We count at least six!

So, what did you see that made you suspicious about the legitimacy of that email? Here’s what we saw….

  1. The email came from a University server in Peru (that’s 2 signs of fraud)
  2. The email came from a person’s named account (Karla…) and not a business name
  3. In five instances, the email uses a zero for a capital O. For example “0rder” instead of “Order”
  4. Though there is a lot of detailed information about “your 0rder,” the email doesn’t contain a single piece of information about YOU, the supposed person who placed this order.
  5. The subject line contains a graphic used to indicate a “warning” (exclamation mark in a yellow triangle). This is NOT done by real businesses but is sometimes used by scammers to get your attention
  6. Technically, a named department in the final line should be capitalized… “Cancellation Department.”
  7. If you took a moment to search for the phone number listed at the bottom of this email, you’ll find that it was reported as a scam on both and

Ok. In that email, readers should have easily spotted at least four of the items we listed. But what about this next photo? One of our readers saw this on a website, found it really valuable and sent us this photo of it. Can you spot the differences between the links in the image? Look carefully! Cybercriminals often substitute Cyrillic alphabet characters in a link because they look very much like characters in the English alphabet. But many are uniquely different! According to, the Cyrillic alphabet is used in Belarusian, Bulgarian, Kazakh, Kyrgyz, Macedonian, Montenegrin, Russian, Serbian, Tajik (a dialect of Persian), Turkmen, Ukrainian, and Uzbek languages.
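One way to catch the Cyrillic look-alike trick described above without relying on eyesight is to check which alphabets each part of a link's hostname uses. This is an added example, not something from the original newsletter; the sample hostname is constructed and the function names are hypothetical.

```python
import unicodedata

# Constructed sample: "example" with the Latin "a" swapped for Cyrillic U+0430.
SAMPLE_LOOKALIKE = "ex\u0430mple[.]com"

def script_of(ch):
    """Rough script of one character, taken from its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"                      # shared by every alphabet
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]   # LATIN, CYRILLIC, ...

def inspect_hostname(host):
    """Flag hostname labels that mix alphabets or contain no Latin letters.

    A non-Latin label is only a triage signal: legitimate internationalized
    domains exist, so a flag means "look closer", not "malicious".
    """
    host = host.replace("[.]", ".").lower()  # accept the defanged form
    findings = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append((label, "mixed", sorted(scripts)))
        elif scripts and scripts != {"LATIN"}:
            findings.append((label, "non-latin", sorted(scripts)))
    # The ASCII (punycode) form is what DNS really resolves; a look-alike
    # label shows up here with an "xn--" prefix instead of the familiar name.
    ascii_form = host.encode("idna").decode("ascii")
    return {"ascii": ascii_form, "findings": findings,
            "suspicious": bool(findings)}

if __name__ == "__main__":
    print(inspect_hostname(SAMPLE_LOOKALIKE))
    print(inspect_hostname("example.com"))
```
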


Amazon Package from the Extraterrestrial Embassy! And more…

Fact is often stranger than fiction! We never make stuff up and only report what we find. What we found at the end of a scammer’s link had us shaking our heads in disbelief! One of our readers sent us another Amazon phishing scam email she received on August 15. It came from a server in Japan. Oh no! Amazon couldn’t process your payment, please update your payment details. But the link to update those details pointed to a website called elohimembassy[.]org. We were curious about that name since “elohim” is Hebrew for the word “Gods.” (Embassy of the Gods?) According to Google, that DOT-org website turned out to be the “World’s First Official Embassy for Extraterrestrials.” Seriously? But don’t go rushing off to visit this website because the security service Fortinet tells us that malware is lying in wait for citizens of the Earth! Oh dear! Just when we were so excited to connect with E.T.!

A new tactic on the rise with sleaze-bag phishermen is to create bogus Google Groups and, without your permission, sign you (and thousands of other people) up as members of the Group. Then they send out scam notices to members of the Google Group. If you ever see this trick, such as the screenshot sample below of a Google group called “Helping Group7936ffds,” we want you to know that you can safely click the “opt out” link or follow the instructions to email to the opt out address, SO LONG AS you mouse-over those links and confirm that they point to the domain

Ipfs[.]io is an internet service that is easily and heavily misused by cybercriminals, including the malicious phishing email below claiming to be about your Intuit Account. Our advice? If you EVER see an email from the domain ipfs[.]io DO NOT TRUST IT!

Answer & Win

A particular cybercriminal gang targets netizens of the world WEEKLY with bogus emails offering free merchandise through an “Answer & Win” bogus survey. They’ve been sending this scam out for years in many different forms! During the last year they’ve disguised many of these bogus surveys as merchandise like tools and goods from known hardware stores such as Harbor Freight and Home Depot. This email came from a server in Qatar and the link misuses Twitter’s link-shortening service, again. (**sigh**) tells us that the Twitter link will redirect visitors to a known malicious website called horstedens[.]com. Lunge for the delete key!

Track Your Package… — One of our readers sent us this interesting email from “Order pending.” But the sender’s name and domain were “homeless” at “anklewarmers[.]net.” Really? She was told her “parcel” couldn’t be delivered due to “insufficient postage.” But the link pointed to the incongruous domain DisentangleGrew[.]net. A quick investigation of this bizarrely named domain threw so many red flags at us! We summed them up in the graphic below, including the fact that DisentangleGrew[.]net will redirect visitors to a VERY malicious website called Traggetters[.]com hosted on a server in Germany!

Your Package Cannot Be Delivered — This “package delivery problem” has been a MAJOR theme used by cybercriminals for many months! Check out this recent text shared with us by a TDS reader. She received it from a phone number that began with the country code for the Philippines! (“+63”) What is clever about this malicious trick is the fact that these scammers created subdomains on their malicious website called “usps” and “com.” AND these were nested, one inside the other, to read as “” in their link. BUT THESE ARE SUBDOMAINS and not the domain you would visit if you clicked this clickbait! (Subdomains appear in a link IN FRONT OF the real domain, separated by a period.) The domain in this link is uspvl[.]shop. It was registered just 2 days before this text was received and had already been found to be hosting malware. Swipe left and delete!
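The subdomain trick above can be checked mechanically by separating the part of a hostname that someone actually registered from the subdomain labels in front of it. This is an added example, not from the original newsletter; the link is a constructed sample built from the subdomain names and domain the text gives, and the suffix set and brand table are small assumptions standing in for the full Public Suffix List and a real brand list.

```python
from urllib.parse import urlsplit

# Assumption: a tiny hand-written suffix set. Real tooling should load the
# full Public Suffix List, which covers multi-label suffixes like co.uk.
SUFFIXES = {"com", "net", "org", "shop", "info", "co.uk"}
# Assumption: brand token -> the brand's genuine registrable domain.
BRANDS = {"usps": "usps.com"}

# Constructed sample link, kept defanged in the source.
SAMPLE_SMISHING_LINK = "hxxps://usps.com.uspvl[.]shop/track"

def refang(text):
    """Turn the defanged form back into a parseable URL."""
    return text.replace("[.]", ".").replace("hxxp", "http", 1)

def registrable_domain(host):
    """Return suffix plus one label: the name that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                          # try the longest suffix first
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host

def check_link(url):
    """Split a link's host and flag brand or TLD look-alikes in the subdomain."""
    host = urlsplit(refang(url)).hostname or ""
    domain = registrable_domain(host)
    sub = host[: len(host) - len(domain)].rstrip(".")
    sub_labels = sub.split(".") if sub else []
    flags = []
    for token, real in BRANDS.items():
        if domain != real and token in sub_labels:
            flags.append(f"'{token}' is only a subdomain of {domain}, not {real}")
    if any(label in SUFFIXES for label in sub_labels):
        flags.append("a TLD-like label appears inside the subdomain part")
    return {"host": host, "registrable_domain": domain,
            "subdomain": sub, "flags": flags}

if __name__ == "__main__":
    print(check_link(SAMPLE_SMISHING_LINK))
    print(check_link("https://tools.usps.com/go/TrackConfirmAction"))
```
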

Online scams are the most reported type of crime. Most countries now state that between 20 and 50% of all crimes reported are related to online fraud. This is only the tip of the iceberg, as only 7% of all scam victims report the crime to law enforcement. With nearly $55 billion lost last year and more than 300 million consumers scammed, fast action is required.

On October 18–19, 2023, the 4th Global Anti-Scam Summit (GASS) will take place. The goal of the GASS is to bring governments, consumer & financial authorities, law enforcement, brand protection agencies, and (cybersecurity) companies together to share knowledge and define joint actions to protect consumers from getting scammed.

In 2022, we had nearly 1,300 virtual guests and 120 physical participants from 70+ countries. This year the event will again be organized as a hybrid. Last year, we defined 10 Recommendations to Turn the Tide on Scams. This year, we will focus on further defining these solutions and showcasing the best practices from around the globe.


October 18-19  |  Ramada by Wyndham Lisbon Hotel, Portugal & Online (Zoom)

Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved.

Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands
