Weekly Alert  |  January 3, 2024

Two Victims of Poisoned Google Searches

Recently we spoke with two of our readers who had been victimized by cybercriminals in unexpected ways. One was because a legitimate tech support company did NOT do its due diligence when it provided a phone number to a woman whom they could not help! The legitimate tech agent searched Google for a phone number and didn’t spot that the search result was a scammer’s number! The second instance happened to a man who was looking for PayPal customer support and turned to Google to find it. The tricks employed by Indian cybercriminals to manipulate these victims were clever and all of our readers should be aware of them! Do you know the term “sleight of hand?” That’s what happened to these elderly people and they had no idea, until they did, in the nick of time! Would you have seen through these examples of fraud in time to escape a financial loss?

Just before Christmas we spoke with a 77-year-old woman from New England whom we’ll call Gina. Gina has a McAfee service for her computer, through a “prime” program that gives her the ability to call them for assistance as needed. She had recently switched from Windows 7 to Windows 11, but this had produced audio problems on her computer. That’s why she called her McAfee service. The number she called was a legitimate phone number that came with the service she had purchased and she had called them at least 15 times previously for assistance. But not this time, as you’ll see. By the way, Gina told us that when the legitimate McAfee company takes control of your computer remotely, a small window appears, informing you that it is McAfee service working on your computer. She tells us that this has always given her a sense of authenticity. This wasn’t the case with her scammer experience!

On Thursday, November 29, a legitimate McAfee agent connected remotely to her Hewlett Packard computer but was unable to fix the audio problem. He worked for a while on it and, as Gina explained to us, she could see everything he was doing. She told us he moved at a normal pace and nothing was hidden from her. Because he couldn’t fix the audio issue, he suggested that Gina contact the computer manufacturer, and, at her request, the McAfee Agent did a Google search for the Hewlett Packard Customer Support number. BUT, the McAfee Agent gave her a scammer’s phone number because he didn’t do his due diligence! He likely gave Gina the first number that Google said was for HP Customer Support.  But we know, all too well, that Google searches are often poisoned by scammers and return lies!  This screenshot proves our point. When we used Google to search for the phone number, 805-994-0590, that was given to Gina, we see that someone posted this number on Manta.com as both a tech support number for Hewlett Packard Printer support AND Norton support. Both are lies! (Manta is just a marketing agency!)

The next day, Gina called the number given to her by the McAfee agent. A man answered, identifying himself as a senior technician (but didn’t name the service). He told Gina that he had to take control of her computer in order to help. That wasn’t unexpected. However, in so doing, the trouble this scammer caused took Gina approximately 15 hours to resolve, and it’s not clear that it was actually thoroughly resolved when we spoke to her!  Clearly, the phone number she was given (805-994-0590) was not the phone number for Hewlett Packard support, the manufacturer of her computer.

Gina tells us that the scammer, disguised as an HP technician, worked very quickly, making it hard to follow what he was doing. Unexpectedly, he ordered gift cards and two Sandisk memory cards on Amazon using her credit card, costing a total of $489 and change. He explained that these purchases were needed in order to help him repair her computer. He also said she would be reimbursed for these purchases because her computer was under warranty. (Gina learned that these scammers made another purchase on her Amazon account the next day using a different one of her credit cards that had been listed on her Amazon account.) Once Gina realized that this experience was a scam, she had to have both credit cards destroyed and removed from her Amazon account. She also told us that she had to work for hours with her local Geek Squad tech team to clean up her computer. The Geek Squad tech team discovered that the scammers had placed a hidden program called Supremo on her computer that gave them complete control of it. They disabled it but did not remove it! This was a mistake because, the day after the Geek Squad worked on her computer, Gina discovered that she was targeted again! She said “I thought that I was done with those criminals. But it was only as a result of one of them calling me on the phone at dinner time did I go to my computer and see that they still had control of it. I should have told Geek Squad to remove Supremo, not just disable it. Also, I should have gone back to my computer to see what was going on later that day. And, maybe I should have shut it down completely after the Geek Squad worked on it.”

In the end, Gina was able to stop all financial loss by canceling the charges and canceling her two credit cards, but this experience was awful! She told us “I feel so dirty from it!” Gina ended up calling back her McAfee Agent and asked to speak to his Supervisor.  She explained to the supervisor that the agent had given her a scammer’s phone number to call and she was victimized as a result.  The supervisor was shaken and spent 3 hours of his time trying to clear out her computer remotely, since he felt so badly. He said he would change their policies so that agents don’t ever search for and provide bogus phone numbers in the future. In the end, Gina said that she should have realized that when she called the scammer’s phone number multiple times, thinking it was the Hewlett Packard number, there was NEVER any recording telling her this was HP Support. Also when she finally spoke to the supposed HP agent, he never identified himself as HP support.  These should have been warning signs to her!

Our second example was an 82-year-old man who was victimized after using Google to search for PayPal customer service. But again, Google’s search results were poisoned and the man ended up with a scammer’s number. The man, whom we’ll call Hector, said “I was almost a victim. I found a number online that purported to connect me to a live person at PayPal. (I had been trying to resolve a paypal problem online for the previous 10 days …frustration!). Turns out that the number took me directly into the grips of a scamming operation. Barely “escaped” thanks to help from my bank.”

Hector told us that he ran a Google search for the phrase “speak to a person at PayPal.” A number that came up was 844-498-0849 and he called it. [THIS IS A SCAMMER’s phone number!] The person answered saying that he was a PayPal representative, and a conversation developed from there. Hector said that he detected an Indian accent. And after 5 minutes, he was transferred to an “associate” who had a very thick Eastern European accent. Hector explained to the associate that he was trying to get an email address changed in a PayPal business account and the associate said that they could do that. But soon both representatives told him that there was $184 and change in the account that needed to be disbursed before any changes could be made. (This is, of course, bizarre and not true!)

This seemed strange to Hector. He is the treasurer of a non-profit, was newly appointed, and had been trying for 10 days to get his information changed over to his name as the new treasurer but had been unsuccessful. That’s why he went looking for customer support. He went on to say that these scammers tricked him into giving them access to his computer. (What he next described to us is NOT clear, but this is what we learned…) He was asked to enter “C prompts” (command prompts) on his Windows computer to move the $184 over from the PayPal account to his bank account. They wanted this refund to come in 2 batches, first as $50 and then the balance. They asked him to type in “50.00” as a C-prompt in this exchange but, he said, it came in as $50,000! He then realized that somehow, these scammers had actually moved $50,000 from his home equity account into his bank account! It wasn’t clear to us how they managed to access both of his personal accounts but what WAS clear to us was that Hector had been tricked and lots of his personal funds had just changed accounts. Surely, the next step was for these scammers to move that $50,000 out of his bank account to one of their accounts!

By this time Hector was getting very suspicious and nervous, he told us. He asked his wife to call his bank about this transfer and the bank told his wife that it was a scam and to hang up! But he didn’t….. it took a few seconds before he did hang up and then unplugged his PC. Later on, he contacted a real Geek Squad for support. They came to his home (in person) to review his computer and found that he had somehow been tricked into installing ScreenConnect software on his computer. This software allowed the scammers to take control of his computer! The Geek Squad saw that it was trying to connect again but stopped it, and then removed it from Hector’s computer. Fortunately, his bank also stopped a transfer of $50,000 to the scammers via remote access to his account! Since then, he told us that these same scammers have tried calling him a half-dozen times during the next few days but he never answered the calls.

We also entered the phrase “speak to a person at PayPal” into a Google search field and got a very curious result. The top link was from a LinkedIn account and appeared to show two legitimate numbers from PayPal that each began with 888. We were even able to verify the second number as legitimate from PayPal’s own website, though it took us MULTIPLE clicks to locate it on their site. HOWEVER, we found it odd that this top search result also included a strange graphic on the right saying “to Speak to a Live Person at PayPal…” and included the number 1-844-498-0049.

We thought this number, 844-498-0049, was very suspicious for three reasons….

  • A reverse search in Google for the phone number 844-498-0049 returned ONLY 2 links, both of which were to a LinkedIn account associated with the name “Anshul Verma” who posted them 2 months ago. There was no link or direct association whatsoever for this number to linkedin.com!
  • “Anshul Verma” appears to be a name most associated with men from India.  Given the fact that Hector identified his first scammer as having an Indian accent, and our experiences have taught us that Indian cybercriminals are most active in this type of scam, we believe the phone number 844-498-0049 is VERY RISKY!
  • Did you notice that this number, 844-498-0049, is remarkably similar to the scammer phone number that Hector found?  It was 844-498-0849, just one digit changed.

      Sadly, both of these victims could have completely avoided the pain and problems associated with these scams if only they had found, or been given, REAL customer service telephone numbers! This threat happens often and Google, as well as other search engines, are unable to control it. That’s another reason why it is critically important for the public to look carefully at the source of information they uncover through search engines! And, as always, don’t believe everything you read online!

        Rob Hits 1000 Trick-Clicks, and Package Delivery Scams Continue! — Last week’s Top Story was about the experiences of a man who put a used car for sale on Facebook Marketplace and Craigslist.  Almost immediately, we heard from another US citizen who told us….

        “Your article on car sales scams hit about every flag that we have been experiencing in our effort to sell our car. I’ve even run into the same issues in trying to sell my sister’s bike on Craigslist. In that instance, it isn’t VIN reports but is related to shipping of the item. As soon as I ask for an invoice from the “shipper”, they disappear.”  The man asked us where he can give a review of these bogus VIN reporting sites we listed last week. We recommended reporting any bogus business websites to the BBB.org/scamtracker, on TrustPilot.com and also to us at The Daily Scam!

If you’ve been reading business news in the last few months, or following some of the scams we’ve reported on concerning cryptocurrency, then you no doubt know that the world of cryptocurrency is a bit like the “wild, wild, west!” This phrase characterized the western United States in the early days of our union. It was filled with lawlessness and was a very rough time. That’s where the entire cryptocurrency landscape is now! So where is the US Government when it comes to safeguarding its citizens AND regulating the Cryptocurrency industry? One can easily argue that this is now the 21st century’s Wild, Wild, West. Just one small example of this shady, unregulated form of banking and money exchange was described on Christmas day in a New York Times article. Check out: https://www.nytimes.com/2023/12/25/technology/bitrush-bitcoin-cryptocurrency-china.html

        By the way, if you thought that smart and professional people are not susceptible to fraud, think again! This poor woman was tricked into losing her life’s savings of more than $630,000, and still she owed the US Government back taxes for the earnings on her lost life savings! By the way, she has a PhD!

        https://www.dailymail.co.uk/news/article-12864049/frances-sharples-scammers-cyber-crime-tax-fraud.html

        Our friend and professional scambaiter, Rob, broke the 1000 tracking-click landmark! As of December 29, he showed us that he had successfully tricked scammers into clicking on tracking links disguised as fake gift cards, thereby revealing their locations 1050 times!  These clicks were generated from more than 380 unique  locations. Rob kept a spreadsheet detailing his click-tricking escapades with scammers, which began last summer. Would it surprise you to learn that 87% of his frustrated scammers demonstrated that they were located in Nigeria when they clicked Rob’s gift card trick? Another 8% were in Ghana. The remaining 5% were a mix of countries including Benin and Thailand.  A very small number of clicks were done when the scammer connected to a US or UK VPN service to hide their location.

If we presume that scammers wasted 3 minutes, on average, to open each of his emails, click the link to his fake gift cards, ponder the unexpected negative result, perhaps even click the tracking link again (many did), or send him a reply email asking why it wasn’t working (many did this too!), then it means that Rob wasted more than 50 hours of scammer time! That’s likely more than a work week for any one scammer! But even more importantly, Rob has frustrated, confused and annoyed the hell out of hundreds of scammers! Included in this list of scammers were some who pretended to be “Joe Biden,” “Mark Zuckerberg,” FBI employees, Shipping Service Companies (such as DHL), and employees of many Banks. Kudos to you, Rob! Below are just a few responses that Rob has received from scammers, including “Mark Zuckerberg” after they clicked his tracking links….

        Because of Rob’s work baiting scammers, we were able to learn about and identify dozens of fake businesses, banks and businessmen!  We posted many of these fake services on our website and reported many to other services, including our friends at Scamadviser.com. However, in consideration of Rob’s good work, here’s a small example of a recent fake bank he brought to our attention. Nigerian 419 scammers registered the domain urcinvst[.]com in mid-December, calling it URC Investments. The site claims to have been in business for 20+ years and have 40+ branches in the Cayman Islands!  Don’t believe everything you read online! (They should learn how to spell “Branchs” don’t you think?)

        Last week we received the email below from a resident of New Zealand. We responded with a question about “NZ Post” and this led to a nice conversation. However, his email reminded us that people all over the world have to deal with malicious clickbait and fraud! This fellow received his scam email from a server in the Netherlands and the link to “confirm” his package delivery pointed to the misused services at GoogleAPIS.  Package delivery scam texts and emails have been a problem around the world, especially over the last few months!

        Here is another package shipping scam email received by one of our readers in the US. But this came from a server in Japan on Christmas Day. The link in this clickbait pointed to a link-shortening service at conta[.]cc.  This link will redirect people to a frightening website called Credit-CustomerSCARE[.]info!  Fortunately, Virustotal is well aware that this is a phishing fraud site and we know it was registered less than 7 weeks before we saw this fraud. (Is the site “customers care” or “customer scare?” We think the latter!)

          We have been referencing pig-butchering scams for several months now, sometimes showing our readers screenshots of initial text conversations with the scammer. Pig-butchering scams were recently detailed in a special article on CNN. Check out…

          https://www.cnn.com/interactive/2023/12/asia/chinese-scam-operations-american-victims-intl-hnk-dst/

          There was a time when “secret shopper” scams were all the rage!  We wrote about these scams waaay back in 2017-2018 and published an updated article about them in 2019.  However, we haven’t seen them in quite a long time, until a couple of weeks ago. Check out this bogus secret shopper job offer from a free Gmail account called ubank2022 and NOT from BestMark.com!

Costco, Geek Squad, Paypal and a Laugh!

Every week for more than eleven years we have reported on multiple examples of phishing scams that we’ve found or have been shared with us by our readers. We’re happy to let our readers know that there is a good website where we encourage all of you to report your smelly phish, and continue to send them to us! The link to report phishing scams is: https://safebrowsing.google.com/safebrowsing/report_phish/

This phish pretended to be from the consumer products business called Costco. Notice the lame trick scammers use by substituting a ZERO for capital O’s in the words “Costco Support” to try to avoid scrutiny from anti-spam servers. Real businesses will NEVER send you emails like this with an attached pdf file containing a link.

          Delete!

          The scammers who sent this smelly phish messed up royally!  They dumped nearly 100 email addresses of potential victims into the “TO” field instead of the BCC field, making their email addresses visible to all! This email is total malarky, and not to be believed!  Notice that it doesn’t include the recipient’s name, credit card information or anything personal. ‘Nuf said!

          Speaking of total malarky, check out this phishing fraud that came from an iCloud account.  Much like the Costco phishing scam above, the recipient was sent an email with an attached pdf file. It contains several suspicious red flags!
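The header-level red flags in the phish above (a zero-for-O sender name, recipients dumped into the visible “TO” field, and a brand name arriving from a free iCloud or Gmail account) can be checked mechanically. The sketch below is an added example, not part of the original newsletter; the brand-to-domain map, the 10-recipient threshold, the digit substitutions beyond zero-for-O, and every sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions for this example: the brand-to-domain map, the freemail list and
# the recipient threshold are illustrative and need tuning for real mail.
BRANDS = {"costco": ("costco.com",), "paypal": ("paypal.com",), "hulu": ("hulu.com",)}
FREEMAIL = {"gmail.com", "icloud.com"}
MAX_VISIBLE_RECIPIENTS = 10
# Digits that stand in for letters; the newsletter's case is "0" for "O".
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def triage(raw_message: str) -> list[str]:
    """Return the red flags found in one message's headers."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    shown = display.lower()
    folded = shown.translate(LOOKALIKES)  # "c0stc0" becomes "costco"
    flags = []
    for brand, domains in BRANDS.items():
        if brand not in folded:
            continue  # the sender name does not claim this brand
        if brand not in shown:
            flags.append(f"lookalike-display-name:{brand}")
        if not any(domain == d or domain.endswith("." + d) for d in domains):
            flags.append(f"brand-domain-mismatch:{brand}")
        if domain in FREEMAIL:
            flags.append(f"brand-from-freemail:{brand}")
    # Recipients that every other recipient can see (To and Cc, not Bcc).
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    count = len({addr.lower() for _, addr in visible if addr})
    if count >= MAX_VISIBLE_RECIPIENTS:
        flags.append(f"bulk-visible-recipients:{count}")
    return flags


# Constructed sample messages (not copied from the newsletter's screenshots).
LOOKALIKE_SENDER = (
    'From: "C0STC0 Support" <billing@mailer.example>\n'
    "To: reader@example.org\n"
    "Subject: Your invoice\n\nSee attached PDF.\n"
)
MASS_TO_FIELD = (
    "From: PayPal Service <service.desk@icloud.com>\n"
    "To: " + ", ".join(f"user{i}@example.net" for i in range(12)) + "\n"
    "Subject: Payment notice\n\nCall us.\n"
)
LEGITIMATE = (
    "From: PayPal <service@mail.paypal.com>\n"
    "To: reader@example.org\n"
    "Subject: Receipt\n\nThanks.\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE_SENDER),
                       ("mass To", MASS_TO_FIELD),
                       ("legitimate", LEGITIMATE)]:
        print(label, triage(raw))
```

A clean result only means none of these three header tricks was used; it says nothing about links or attachments in the body.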

          We are often targeted by all kinds of fraud. (Big surprise.) Check out this email sent to us from a website called green-moon-veg[.]com! This phishing fraud would be funny if it hadn’t misused two legitimate websites to send us to a phishing login. Lunge for the delete key!

Hulu & Paramount Special Offers, Home Warranty Deals

Your Hulu membership has expired, claims this email sent from a server in India! But that’s not where Hulu is located so don’t “embark on your Hulu journey” just yet! And it should have said “Get ready to immerse yourself in a world of fraudulent and painful possibilities” instead of what is typed below.

            Several different readers have simultaneously reported this clickbait last week! The email claimed to be a “last call” for a special subscription rate for Paramount Plus! In every case, the links pointed to a dangerous website where malware is lying in wait for you. You know what to do!

            Were you considering home warranty special deals over the holidays?  Scammers thought you might be interested because they sent out LOTS of these types of clickbait recently! Check out the two examples below. Neither came from the company they claim to represent and the links to both lead to malicious websites.

Malicious Shoes and Your Recent Payment — On December 22, a woman visited the official Aerosole Shoes website and selected 2 pairs of shoes to put into her online cart. However, she tells us that she changed her mind and simply closed the page. She hadn’t saved any credit card or entered any contact information onto the site and wasn’t at all concerned. However, about 12 hours later, she received the email below from “ShoPay” for her $236 purchase but was told that she could dispute the charge by clicking a document called “Return_Process_Instructions.” All of this was an odd coincidence for this woman. The shoes she had almost purchased were less than $100. This “ShoPay” email was not from Aerosole Shoes, but what was it? Before she clicked on the attached file, she contacted us. Thank God she did that! The attached file was a VERY dangerous “html” file containing malicious JavaScript! Was this email somehow related to her near-purchase of Aerosole Shoes or just a nasty coincidence? Likely the latter but we’ll never know if somehow the Aerosole site knew this woman’s contact information anyway and some of that data was compromised. In today’s digital muddy waters, anything seems possible!

            Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved.