Select Page

We would love to hear your feedback

THE DAILY SCAM NEWSLETTER  |  JULY 10, 2024

Co-Founder/Content: Doug Fodeman  |  Co-Founder/Creative: David Deutsch  |  V04N22

Scamming the Scammers! And the Good Guy Wins!

It isn’t often enough that we hear about good guys who are targeted by scammers and then turn it around by playing with the scammer, wasting their time, and then exposing their fraud. And sometimes even exposing their location in the world! This week we have two stories to share with you about good guys who scammed a scammer! The first is David’s story (David is my partner at TDS!) and the second was a total surprise! It came from a University athletic coach late last Friday night. This coach clearly has a great sense of humor and a knack for baiting a scammer after deciding to get back at him.  You’ll see that the scammer grew frustrated with the Coach and it certainly put a smile on our faces! Enjoy!

On Friday evening, July 5, we heard from a man who works with a group of coaches and athletic directors at a University in New England. We’ll call him Charlie to protect his identity. Charlie told us “Every once in a while I will get these emails from my athletic director and assistant athletic director that I know are fake. They always say the exact same thing. I’m guessing it’s just someone starting a conversation to scam me but it lists my official job title and comes from a gmail account made to look like a school account.” Charlie asked us what this scam was about and how were they able to design the email so well, with correct information. We told Charlie that this information is easily found on University, Athletic and Team websites. It is clear that scammers are scouring these sites for information to run this type of fraud. This type of fraud is intended to trick recipients into sending gift cards to the scammers! Charlie said he was willing to scam the scammer and try to find out where he was located in the world. So we sent Charlie a gift card photo connected to a location tracking link we created. Charlie then engaged the scammer for about an hour of email exchanges and did a great job playing the guy! (We think Charlie would be a great scambaiter!) Can you guess where this scammer was located? (We’ve removed all email header information to make the conversation below easier to read and protect the identities of the targeted victims.)

From: SCAMMER

Subject: Track & Field Assistant Coach (jumpers)

To: Charlie

Are you available?

I’m stuck in a meeting right now I can’t call that’s @ashleembanks why I’m contacting you through here and I need you to assist me with something very important right away. Can you? [NOTE: We have no idea why the scammer included the Instagram reference to Ashlee M Banks, possibly a White House Correspondent]

Charlie simply answered with “yes”

SCAMMER: I need you to purchase an apple gift card. When you get them scratch off the back, then take clear pictures of the cards and send them to me here. I will give you the text number of the person I need to get the cards to right now so you can send them to him also. Will that work for you?

I need to present some items to the board of this seminar tomorrow morning and I want you to help me to get some Gift cards from the CVS or any nearest store? I will surely reimburse you back tomorrow once I’m done with the meeting.

Charlie: Yes, that will work. Let me buy them now.

SCAMMER: Alright I’ll be waiting you’re just getting $100 3 pieces I’ll reimburse you once I get back from meeting tomorrow thanks I’d be waiting 

Charlie: That seems low, shouldn’t we do $200 each?  [THIS MADE US LAUGH!]

SCAMMER: Yeah, that’s fine.

Charlie then sent a photo of two Google Play cards with the code numbers visible after scratching the safety cover material off.

SCAMMER: I asked you to get an Apple Card you got Google play ?

A minute later, SCAMMER also said: You just sent a used card!! That’s the respond I just got !!   You’re getting an Apple Card Okay (The scammer also asked for the receipt from Charlie for his purchased cards.)

Charlie: Yeah but everyone uses Google now not Apple, they will hate an Apple card.

SCAMMER: Then why am I getting an information the card are used moreover you just got them so you should have the receipt

Charlie: I don’t know, are you typing the code in right? I clicked no receipt when I got them, I don’t waste paper. The planet is gonna collapse because of us humans you know.

SCAMMER: You’d make use of the card before sending it  Get another $200 I’ll reimburse 

Charlie: Hold on, I’m doing you a favor, why are you accusing me of using the card first? You told me to always let you know when you are making a mistake and you are making one right now. Okay fine, I told you I’m crazy when you hired me! I’ll get an apple card.

SCAMMER: Alright!! Get the Apple Card 

Charlie: I just sent it! [Charlie sent the scammer another image connected to a location tracking link]

Scammer: Haven’t received it yet

Charlie: I just sent it. Subject is Apple Card. So many tech issues today I wonder why.

Scammer: Then why did I get the other you sent and I’m not getting now? You kidding with me right

Charlie: Wait a sec, you have meetings at 9pm? Are you trying to scam me?

Scammer: Huh what do you mean ?

Charlie: It’s 9:20pm and you are in a meeting? Can’t you just get the cards yourself? No one has meetings at 9pm do they?

None of the numbers shown on the gift card images that Charlie sent to the scammer were valid. A few minutes later, the scammer sent Charlie this message…

From: SCAMMER, Date: Fri, Jul 5, 2024 at 9:14 PM

Subject: Re: Apple card

What’s the meaning of this you tryna play me ?

Moments later we checked the tracking links and discovered that this scammer had clicked the tracking links 10 times!  His location?….. Lagos, Nigeria. Of course! (Footnote: we checked again and, about an hour later, the scammer tried for the 11th time to click the link Charlie sent him. Clearly, he must have been frustrated. Oh, poor baby.)

On June 24, David received a fantastic opportunity in his email inbox. It was a request for a job interview from a Customer Service Manager named Daniel Brown from a company called CyberCloud IT Service

On Jun 24, 2024, at 11:03 AM, Daniel Brown <daniel_brown@cybercloudit.services> wrote:

Good day.

My name is Daniel Brown and I am the Customer Service Manager at CyberCloud IT Service.

Currently, our organization is in need of a Customer Service Officer. This position has nothing to do with sales. More details about the position are listed in the Description pdf file.

If you are interested in this position, please fill out the online form. An automated email with detailed information has been sent to your E-Mail (check your spam folder too). Fill out all fields on the form and then, you will be contacted by our HR Manager for a phone interview.

Please let me know if you did not receive the link.

Sincerely,
Daniel Brown
Customer Service Manager
CyberCloud IT Service
404 5th Ave
New York, NY 10018, USA

The email contained two attachments with details about the company and also the job description of a “Customer Service Officer” who could work remotely from home. The pdf describing the job was a 5 page document, stating that the salary started at $48,000 for full time work. David was invited to apply for either a full time or part time position: “$3,200.00 per month (part-time, 20 hours per week) or $4,000.00 (full-time), payable once a month plus 2% for each transaction conducted with a client (timely informing about promotions, receiving and sending client requests to the chief manager, which subsequently led to the successful conclusion of an agreement with CyberCloud IT Service, with a significant contribution from the customer service department).

CyberCloud IT Service said their website could be found at cyberclouditservice.biz and their office address was 404 5th Ave. New York, NY 10018.  However, visiting their website and looking carefully at email addresses associated with this business, we also see that they are using two other related domains:

Cybercloudit.services and Cyberclouditservices.com

Their job description ended with the thoughtful, encouraging and welcoming statements you see in the screenshot below….

A visit to the “Our Benefits” webpage of Cybercloud IT service website shows us that this business was started in 2021. This is also supported by the fact that every single webpage shows the following text in the bottom footer…. “Copyright 2021-2024.” This supposed “fact” strikes us as very strange since all 3 of their domains were registered about 6 months ago on January 30:

But what easily exposed this bogus “company” and job opening as a fraud was the attached pdf about the company itself.  The description of Cybercloud IT Service in the pdf file included images of its CEO, who was named Adam Cosby. However, a reverse image search showed us that the cybercriminals who created this scam company had stolen images from a 2018 Forbes.com article about the founder of the company known as SAP. The real man in these photos is named Juergen Mueller, and is CIO of a company called SAP.

    But David was curious to see where this fraud would lead and so he told their HR department he was interested in the job. They sent him to an application web page that would have collected a LOT of personal information, as you may guess. What was also surprising was the fact that this job application was hosted on another completely separate domain at: ccsitpanel.tech.  This domain was also registered on January 30, 2024 and is hosted on a server in Germany, as was true of the other domains. Ccsitpanel.tech requires an account to log into it but David was given a login to complete his application. Check out all of the personal information these scammers were collecting about their victims in the screenshot below (click to enlarge). Also, we’re sure that this isn’t the end of the personal information they will ask for!

    David said that ”My favorite part about uncovering this fraud is that Daniel Brown told me ‘I am the Customer Service Manager’ and this was followed by him saying ‘our organization is in need of a Customer Service Manager.’  Sounds like Daniel Brown is about to jump ship! We are not absolutely certain as to what type of fraud this bogus company job offer represents. (But a Reddit member shed more light on this fraud. See below.) BUT we are certain it is a fraud and we’re not alone. Check out these links we found from other people and security services when we went searching for information about Cybercloud IT Service and it’s phone number: (888) 959-8038

    However, most revealing of all and perhaps a window into the actual fraud behind this company, is what a victim of this job fraud posted on Reddit one month ago. The person describes being hired, trained and then what happened to make him feel very uncomfortable about this company. He was asked to open a business bank account in his own name. The victim said that the Supervisor, with whom he spoke by phone, had a foreign accent. No one should ever be asked to open a bank account to be used by the business they just joined!

    Extortion & Emails Targeting Family Continue, and More…

    One of our Canadian readers forwarded this extortion threat to us last week. The sender pretends to have installed monitoring software on her device/computer and documented her using that device to satisfy her sexual desires. He threatens to release embarrassing photos/videos of her unless she pays his extortion fee. But it’s all fake and these threats are sent out by the tens of thousands! We began documenting these fake threats in 2018 and again in 2020. Don’t believe these lies! If it were true, the extortionist would include a real photo!

    Speaking of threats, my family is still targeted by malicious clickbait disguised as me. At least a couple of times each month my family members receive malicious emails such as the one below. All of them appear to be about supposed photos or videos that I want to share.  Unsurprisingly, the last time I wrote about these threats I was contacted by another TDS reader who said that this also happens to his family and the sender pretends to be him. Fortunately, my family is well trained to recognize these threats.

    We have two brief updates to share with our readers…. Last week’s Top Story was about a woman who ordered pants from the deceptive online store called Vivienne Duvall. She finally received her order after 45 days, only to discover that she didn’t like the material used to make the pants. She emailed the company to ask for a return label. A full week went by before she received a reply. The reply was bizarre in that the company offered several options to her, all of them discouraging her to return her order. It included a simple 20% refund (without returning her order) and another option was to choose another item for free (provided it cost the same $ or she must pay the difference), without returning her order.  By contrast, our newest scambaiter, we call “T”, emailed this same company last Wednesday pretending to complain about an item his wife purchased and he received an immediate reply, followed by several email exchanges. However, this last email to T strongly suggests to us that Vivienne Duvall does NOT want him to return anything and will even give him another free item rather than take his return. On the surface, these sure sound like good deals but considering how many people have complained about the quality of their products, we don’t think so! CAVEAT EMPTOR!

    FOOTNOTE to deceptive clothing stores…. One of our readers just reported to us that a fake website was created on July 4 pretending to be the social clothing marketplace Poshmark.com.  The FAKE Poshmark was found at Poshmark[.]id038[.]comScam-Detector has already identified this malicious mimic! We urge our readers to ALWAYS look carefully at the website domain to make sure it is legitimate. (In this fake business, “poshmark” is a subdomain and the real fully-qualified domain is id038[.]com.)

    “T” was also responsible for the exchange we wrote about in the June 26th newsletter with a Richard Smith, who claimed to be from the Bank of Holland in New York. Mr. Richard Smith continued to reach out to T by email into early July, asking T to pay the small transfer fee in order to move his $50 million payment into the Bank of Holland. We also sent T a tracking link connected to a gift card image that he could forward to Mr. Smith, the supposed employee at the Bank in Holland, New York. On July 2, Mr. Smith clicked that tracking link 8 times!  We think you can guess where “Mr. Richard Smith” was really located! Check out his anxious emails and location in the screenshot below….

    Rob continues to get emails offering him many millions of dollars and sent by “419” advance-fee scammers primarily located in Africa.  Some of them make us smile and laugh at their efforts. We hope they do the same for you, like these two recent emails he shared with us recently.

    We have several articles about online fraud that may interest our readers this week, including tips on how to avoid fraud when buying a used car online. Articles also draw attention to fake videos that have been created by Russia about Ukrainian President Volodymyr Zelenskyy’s wife. Sadly, it has also recently been reported that a few Middle School students at a school in Pennsylvania have created lots of fake TikTok videos pretending to be more than 20 teachers at their school. As you can imagine, these TikTok videos are horrible in how they portray the teachers, including the suggestion that a teacher is a pedophile, racist or antisemitic. This is, of course, a serious form of fraud with serious consequences for the teachers. 

     https://www.fastcompany.com/91144654/elder-fraud-epidemic-how-to-can-combat-scams

    https://consumer.ftc.gov/consumer-alerts/2024/07/what-know-when-buying-used-car-online

    https://www.cnn.com/2024/07/02/europe/deepfake-video-zelensky-wife-intl-latam/index.html

    https://www.nytimes.com/2024/07/06/technology/tiktok-fake-teachers-pennsylvania.html

    https://main.whoisxmlapi.com/threat-reports/tracking-down-fake-cryptocurrency-sellers-using-dns-intelligence

    Remember to check out our new podcast, released on the 15th of each month:

    https://www.securewon.com/resources/podcasts/

    Phishing Emails with Attached Audio Files!

    We are seeing a possible new trend lately from phishing fraud that our readers are reporting to us. Several of these phishing emails have been including sound files! The fraudsters must think that these sound files are supposed to add credibility to these scams but we think they are hysterical!  Tell us what you think! Let’s start with this bogus invoice that came from a woman’s iCloud account and disguised as a Geek Squad membership notice.  It included a sound file oddly named “Joe War.” The woman narrating the message has a very obvious heavy Indian accent!

    This next phish was sent to hundreds of email addresses entered into the “To” field, instead of putting them in the “BCC” field to hide them. Apparently, Paypal has detected an unauthorized charge to your account but, like the above email, it also came from a person’s iCloud email account. The attached sound file sounds like an AI voice of a woman.

    Finally, we leave you with an interesting phishing threat that appears to be about a package delivery from the United States Postal Service. It is such BS! You’re told that unless you update your address, you’ll have to pay a redelivery fee! Of course, this email didn’t come from usps.com and the link doesn’t point to it either. Enjoy!

    $50 USPS Promotion!

    Wow, the United States Postal Service is one of the most common services in the US that is routinely misused by cybercriminals to target Americans! Check out this threat disguised as a promotion, like sooooo many others. “Take our survey” and earn $50!” NOT! The email sure didn’t come from usps.com and the links don’t point to it. In fact, the links point to a bizarre website were we found malware lying in wait for you! But after being hit with malware, you’ll be redirected to another shady website called TheDailyNewOffer[.]com. It was created less than a month ago! Deeeeeleeeete!

      Spotify Renewal Issue

      More often than not, emails disguised as Spotify are phishing scams. Not this time! This “payment verification issue” came from a server in Japan and not from spotify.com.  Malware was found at the other end of the link to “Update Payment” information. And then after being hit with malware, you’ll be forwarded on to a tabloid newspaper published in London! Like that makes any sense?! Lunge for the delete key!

      Apple Warnings, Delivery Notices, Job Offer and More…

      We wanted to share a scam text with you that was reported on Reddit. The text came from a free Yahoo email account and warned the recipient about an Apple Transaction connected with his ID. But, of course, the text didn’t include any personal details. Also, Apple will never send you a text from a free email service!  It will come from a short code, if it comes at all!

      Scam texts disguised as package delivery problems are indeed making a comeback! Check out the two in the screenshot below. It might help the scammers if they learned how to spell package correctly! The “EVRI Package delivery issue” came from a Reddit post. Notice that the top text was sent from a Hotmail account called “dirtbikebobby” and the bottom text was sent from the international dialing code +234.  This code is used by Nigeria!

      In addition to scammy texts about package deliveries, we’re still seeing lots of fraudulent texts disguised as job offers and interviews! Check out this exciting offer that came from a free Hotmail account, rather than a legitimate business. And it asks you to contact the unknown business via a Whatsapp number! That’s a sure sign of fraud!

      Until next week, surf safely!

      Copyright © 2024 The Daily Scam. All rights reserved.
      You are receiving this email because you have subscribed to thedailyscam.com

      Marblehead, MA 01945

      Contact Webmaster