Scams & Threats Disguised as Love & Sex — In our Top Story of April 19, we told our readers of multiple female romance scammers who were trying to create bogus relationships with our friend, and professional scam-baiter, Rob. Of course, he had already found several of these women’s photos and aliases listed on scam reporting websites and he obviously knows a scam when he sees one! In the last couple of weeks, we’ve seen other examples of how these romance scams operate and the types of risks that may accompany them. One recent example concerns a supposed dating website titled “We will help you find your soulmate” and includes the photos of eight beautiful women, who appear to be in their thirties. Their names (Jane, Emma, Aubrey, Hannah, Ava, Charlotte, Hazel and Ellie) strongly suggest that they are likely native English speakers. This is funny and absurd after we show you what we discovered by looking behind the curtain of this dating domain!
Our investigation into this “soulmate” dating website started when one of our honeypot email accounts received this sexually suggestive “dating request from JDUBS1425.” What set off our “spidey-senses” were two clues found in the link used in the email….
- The country code found at the end of the domain name is “.tk” and indicates that this domain was first registered in Tokelau, a territory of New Zealand in the South Pacific. This is not exactly where one might expect to connect with a “soulmate” dating site targeting an American citizen!
- The link also contains several random words in it that make no sense for the context of the site: annotator, puzzling, objurgated, hiving and searcer. Seeing these random words in a link reminds us of a very active cybercriminal gang who had used two random hyphenated words in links thousands of times over several years. These random hyphenated words were generated by their software to help them create their malicious websites easily. That’s why we gave this gang of sleaze-balls the name “Hyphen-Poopy Gang.” The last good example we published about these sub-humans was in the “Your Money” section of our September 7, 2022 newsletter. Since last fall, their use of hyphenated words in links has all but disappeared. (Could they be subscribers to this newsletter?)
There were two domains associated with this suspicious email. They are the domain the email came FROM (oveltr[.]com) and the domain found in the link (finaynnand[.]tk). We learned A LOT when we looked them up in our favorite WHOIS tool! Such as…
- Oveltr[.]com was registered in Iceland using the Registrar service called Namecheap about four and a half months ago. This is VERY COMMON practice for a particular cybercriminal gang, like the Hyphen-Poopy Gang!
- The oveltr[.]com domain is hosted on a server in Madrid, Spain which strikes us as a bit odd since the site is not in Spanish and the names of the 8 women posted on the top page are not Spanish-sounding names.
- Though the website doesn’t exist anymore, our WHOIS tool found that oveltr[.]com at one time had the EXACT SAME website on it as the domain finaynnand[.]tk! Using information found on the website finaynnand[.]tk, we also learned of another identical “soulmate” website at tamamir[.]tk! And both of these “tk” websites were being hosted on the same web hosting service in Kyiv, Ukraine!
Does ANY of this make sense for a legitimate “soulmate” web service intended for English-speaking clientele?
Below is a screenshot of the top page found at each of these three suspicious soulmate websites. The only thing different was the name of the website in the upper left corner. Something else that is bizarre is the fact that seven out of the eight white captions over each image mention alcohol in their messaging. Remember, this craziness began when we received a strange invitation in our inbox to click a link and start a relationship with a much younger woman!
Another way that people are targeted is via random texts and we’ve written about these before. During the last few weeks, I have been targeted several times and it happened again last weekend as I was writing this very story! I received a random text from 505-675-2397. The sender claimed to have made a mistake in sending it to me, said her name was “Amy” and that she was 36 years old. Amy then started up a conversation as if we were friends! That is…. Until I called her out as a fraudster! I have now received this same type of text solicitation four times and they’ve been very similar in their opening lines. Here is that recent text thread. Please excuse my foul language in my final text reply to “Amy”…
PS: I don’t live in Florida, just like Amy is not from California.
Lots of people are being targeted by seemingly random and innocent texts such as the one above. On April 26, a Reddit member named Prussian Vape Cat also received a similar random text and knew it was a scammer. He kept replying with “Canada” just to play with the scammer! Notice the common scammer message “I’m sorry, I entered the wrong number due to my mistake.” In our opinion, her text contains very subtle awkward English phrasing, suggesting that she is not a native English speaker.
It may be hard for our readers to imagine how easily someone can be manipulated by cybercriminals using just text, pictures, or even voice-only phone calls across the Internet. But there are many people, through no fault of their own, who are desperate to connect emotionally with another human being. People who are hungry to feel love, acceptance and to be valued without judgment by another human being. These are the types of people these lowlife scumbags are searching for. And also people who are truly gullible and naive. We saw a terrible reminder of their success posted last week by a Reddit member who titled it “Beware of romance scams – my devastating story.” However, the person who posted it then removed the post a couple of days later. In a nutshell, the person wrote about an elderly family member who began to show money problems. At first this older woman had problems paying her bills and needed to borrow money from other family members. But her requests grew significantly. Other family members felt that something wasn’t right and her requests didn’t add up. When they confronted her about her borrowing, and subsequently her financial circumstances, they learned that she had been having an “online only” relationship with a man and had sent him hundreds of thousands of dollars during the previous year and a half! Not only had she depleted her savings, retirement accounts and all her financial resources, but she had been lying to her family about why she needed to borrow money from them as well. And yet, she had never met this man in person. Moreover, the family could not seem to convince her that this man was a scam artist, who only wanted her money! Though the elderly woman did not see it this way, her family clearly saw this as fraud and elder abuse.
These vile relationships with cybercriminals can start as easily as a random text or email. If you have a vulnerable family member please share this information with him/her and try to raise their awareness. And if, by chance, YOU are in a friendship or relationship that started with a random message or questionable online dating site, please, please, please reach out to other friends or family whom you trust and ask their opinion, especially if you’ve been sending money to your new friend!
Footnote: The United States government offers a National Elder Fraud Hotline 1-833-FRAUD-11 (833-372-8311) and supporting website with more information:
Also, the Consumer Financial Protection Bureau offers additional information about reporting elder abuse.
Top Phishing Scams This Week — Binance PayPal invoice, UPS, iCloud, Costco, Walmart, and Kohl’s. Can you spot all these scams? Check it out and protect yourself with this FREE, all-in-one tool.
Why is This Legit, Kidnapping Scam, and Holding Facebook Accountable! — Recently, one of our friends received the text below and asked us if we thought it was a scam. Our first and immediate reaction was yes! CVS is a legitimate retail pharmacy found throughout many states in the United States. The reason we yelled fraud was because the domain listed in the text was cvs.co instead of cvs.com! The “.co” is a 2-letter country code and indicates the domain was registered in Columbia. Why would the real CVS do that? But we were wrong! Here’s why… A WHOIS lookup of cvs.co shows that it was registered to “CVS Pharmacy Inc.” We have seen criminals lie about the names used in registering a domain. However, the domain cvs.co was registered waaaaay back in 2010! In Internet life, that’s like 30 years ago, which is plenty of time to reveal any fraud associated with that domain. Furthermore, the information in the WHOIS record for cvs.co also matches the information found in the real cvs.com WHOIS record. Also, as is customary for most legitimate businesses, CVS sent this legitimate text from a shortcode (#898287) rather than some random phone number or email address like scammers always do! Shortcodes cost money and require a corporation to register their information with cell service providers, something that cybercriminals DO NOT want to do!
In last week’s newsletter we raised the alarm about the growing use of artificial intelligence (AI) by scammers in kidnapping scams. Sadly, that alarm has grown louder in the last week! Check out this video post on Facebook about this brutal scam as well as this article on CNN:
Also, on April 27, Reddit member Yeetyteety03 said this…
“So recently a friend showed up at my house crying and in a panic, she said that she got a call from someone claiming they have her daughter and demanding money. She was able to call the school of both of her daughters and make sure they were there and hung up on the scammer. When she talked with the school after, they said the same incident has occurred multiple times in the last few weeks. She is still being called by random numbers and is scared to answer calls now. This occurred in Arizona, is this getting more common?”
It is becoming more common and we want our readers to spread the word about this brutal, frightening scam to friends and family who have children and especially teenagers.
We’re guessing that most of our readers have a Facebook (Meta) account. Have you heard about the settlement recently announced in the lawsuit against Facebook for selling user data to Cambridge Analytica? It’s all over news sites such as:
We are often angry at Facebook (Meta) for the way that they misuse the data of its community members, how poorly they protect against fraud on their social media platform, and how poorly they respond to reported incidents of fraud (including when it happened to one of us.) The ONLY way this successful lawsuit can have a REAL impact on them is IF FACEBOOK COMMUNITY MEMBERS APPLY FOR COMPENSATION! If you have had an account between May, 2007 and December, 2022, please apply for compensation and thereby let Facebook know you are not happy with the way they manage YOUR INFORMATION!
Some additional resources and articles shared with us by our friend Rob might interest our readers. For example, check out this podcast presented last year by Cybercrime Magazine host Hillarie McClure as she interviews folks at WHOISXMLapi about a phenomenon known as “typosquatting.” Or these additional articles…
Apple, Docusign, and Xfinity — One of our readers sent us this email that went to “undisclosed-recipients,” a SURE SIGN of fraud when it claims to be about a “billing problem” from Apple Computer. However, we loved the “name” these scammers tossed into the name field of the FROM address…. “We are sorry” What? For scamming you?? Notice that this email came from a server in Mexico (“.mx” = 2-letter country code) and the links point to the domain UniversityKart[.]com and not apple.com!
Doug at The Daily Scam was targeted by this **lovely** phishing email sent from the free email service at Mail.com. It did NOT come from docusign.com, as it wants us to believe. That should be obvious by the content because the idiots who sent this misspelled Docusign! As they often do, the link in this phishing scam included Doug’s email in it. We modified that email and then visited the login page. If you look below, the email address now makes it very clear what we think of their login page! (By the way, the scammers who created this put a graphic in the background of the login to look like an invoice from someone named Matthew Jones.)
Here’s another bogus email pretending to be from Docusign that targeted us at The Daily Scam. Would you have been fooled? Notice how many red flags we found in the domain used in the link! Also, notice how the malicious domain used in the link happens to be hosted on another server in Ukraine. What an interesting coincidence to the hosting location mentioned in this week’s Top Story!
Check out this lame email sent from a server in Japan and claiming to be about your Xfinity account. The content in this email is absurd! We hope recipients will recognize that. Now lunge for the delete key!
Free COVID Test Kits, Quickbooks Account on Hold — Technically speaking, anything “free” shouldn’t be in this column, titled “Your Money.” But it didn’t easily fit anywhere else and we felt it was critically important, especially since it is targeting Seniors! Trust us when we say that anyone over 65 is NOT going to get 8 free home COVID test kits by clicking the link in this email! The email came from a bogus domain called onlyexpert[.]com that has no website on it. The links in the email point to another website called brightdecor[.]info. Of course, you are offered an “unsubscribe” link that is NEVER safe to click in suspicious emails like this. The address associated with that unsubscribe link is a strip mall in Las Vegas.
This is a big, fat lie! DEEEEELEEEEEETE!
Yes, technically this next email is a phishing email but it does concern business accounts on Quickbooks! This scam was very cleverly constructed and looks like it came from the real Quicken Books software from intuit.com. However, read the email carefully and closely and you’ll notice this email uses the word “account” six times (if you also count the subject line) and misspells it once! But most importantly, the link to “complete verification” points to the domain “presec[.]us” and NOT intuit.com! The word “intuit” that appears in front of presec is a subdomain! Anyone can say anything at all in a subdomain! There are no rules for listing a subdomain, as there are for listing a domain. By the way, presec[.]us was registered anonymously on December 12, 2022. The real intuit.com domain was registered in 1994 to Intuit Inc.
Kohls Malware Confirmation, Find Attached PO and “Important Message” — One of our readers told us recently that he’s been receiving many emails with large attached files, like this one claiming to ask you to “confirm receipt” of something. But the “receipt” is a 2.4 MB file to download! That’s HUGE and likely VERY dangerous because it probably contains malware! Oh, and did we say that this email was sent from a server in Germany? Does THAT sound like the American company called Kohls?
This next risky email has SO MANY red flags! Like the fact that the sender claims to represent the company called United Group USA but the email came from ArrowHeadAdvancez[.]com. And the “attached file” is actually an image linked to a web site that is often misused by cybercriminals! It is NOT an attached file.
And finally, we have this short but oh-so-malicious email with an “important message” for you. The message makes NO SENSE but points to a malware infection ready to happen! Enjoy!
USPS Message — Oh dear! You have a package that needs to be delivered from the United States Postal Service but an incorrect delivery address has caused that delivery to be “suspended.” Like, in midair? If the REAL USPS service knew how to reach your phone number, don’t you think they would also have your real address? Yeah, that’s what we thought. The link points to a website named k712[.]site. It was registered the day before the text was received by our reader.
Deeeeeleeeeete for sure!
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands