Would You Guess These Websites are Scams? Part 2 — Anyone can create a website, even criminals. And one of the easiest ways to do that is to steal content from a legitimate website to use on a fake site. We’ve got several fake websites to show you, from bogus banks and fake financial services to a phony liquor store. This is part 2 in our series simply because lots of cybercriminals need a credible website to perpetrate their fraud. (Part 1 was in our July 13 newsletter.) The critical question is… Can YOU see through their fraud? What should you look for? What are easy tools to help you evaluate whether a website is suspicious or deserves more investigation? Let’s take a stroll through several glittering shams, keeping in mind that the third one was the most challenging one to unmask.
It’s important to verify, verify, verify! Does the website provide a physical address and phone numbers, as well as an email address? It is highly suspicious if ONLY an email address is provided! And if a physical address is provided, Google it and look for the business! When we searched Google for the address listed on the Premium Insurance Assets Bank website, we couldn’t help but laugh! Look at the image below for their address and keep in mind that they state they are “the international banking and treasury centre.”
- Better Business Bureau (US and Canadian businesses)
- Check EIN Number (US Businesses are supposed to have an Employer ID number from the IRS)
- Trustpilot (world wide)
- Company House (UK Government)
- Australian Business Register
Also, remember to use the AI tool at ScamAdviser.com to evaluate the authenticity of a website! (A fraudulent assessment is proof, but a legitimate assessment may still mean that more hands-on investigation is needed.)
Additionally, when WHOISXML API looked at the WHOIS records of the people who registered these domains (called “Registrants”) in July, 2021, it is no surprise that they found other consistent information showing that these fraudulent domains were all registered by the same cybercriminals…
However, one of the best ways to see through online fraud is an exceptionally easy check for the website name using a WHOIS tool. Three good WHOIS tools are:
The most important information to look for in a WHOIS search includes:
- Creation Date – how old is the registered domain? Anything less than 6 months is suspicious.
- Registrant – the person who registered the domain; lots of registrants use proxy services, including criminals, to hide website ownership
- Registrant Country – in which country was the domain registered? Experience has taught us that cybercriminals have been registering a LOT of their fraudulent domains in Iceland (through a Registrar called Namecheap). Keep in mind that if you see that a website which claims to be from the UK or USA is registered in the UK or USA, that doesn’t make it legitimate. By contrast, if you see that a business claims to be centered in the UK or USA, but the domain was registered in another country, like Malaysia, Russia, or Romania, for example, that is suspicious or outright fraudulent (depending on the country).
Here is a screenshot of the WHOIS result for premiuminsuranceassets.com. When we first visited, this bank was less than 2 months old and it had been registered anonymously in Iceland using Namecheap.
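The three WHOIS checks listed above can be scripted. This is an added example, not part of the original newsletter: it parses a constructed WHOIS record for a placeholder domain and also compares the site's claimed founding year with the creation date. The field names, the proxy keyword list and the 183-day cutoff are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS response for a placeholder domain (not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.TEST
Creation Date: 2022-10-01T09:15:00Z
Registrant Organization: Privacy Protection Service
Registrant Country: IS
"""
# Substrings that commonly mark a proxy/privacy registrant (assumed list).
PROXY_HINTS = ("privacy", "proxy", "redacted", "withheld")

def parse_whois(text):
    """Map each 'Key: value' line to a dict, keeping the first value per key."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+)", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields

def whois_red_flags(text, claimed_country, claimed_since, today, max_age_days=183):
    """Apply the checks above; assumes ISO 8601 creation dates (UTC if no zone)."""
    f = parse_whois(text)
    flags = []
    raw = f.get("creation date")
    if raw is None:
        flags.append("no creation date in record")
    else:
        created = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        created = created if created.tzinfo else created.replace(tzinfo=timezone.utc)
        age = (today - created).days
        if age < max_age_days:
            flags.append(f"domain is only {age} days old")
        if created.year > claimed_since:
            flags.append(f"claims business since {claimed_since}, created {created.year}")
    registrant = f.get("registrant organization") or f.get("registrant name", "")
    if any(hint in registrant.lower() for hint in PROXY_HINTS):
        flags.append("registrant hidden behind a privacy/proxy service")
    country = f.get("registrant country", "").upper()
    if country and country != claimed_country.upper():
        flags.append(f"registered in {country}, site claims {claimed_country.upper()}")
    return flags

if __name__ == "__main__":
    today = datetime(2022, 11, 13, tzinfo=timezone.utc)
    for flag in whois_red_flags(SAMPLE_WHOIS, "US", 2006, today):
        print("RED FLAG:", flag)
```

An empty result only means none of these checks fired; as the article says, it does not make the site legitimate.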
Do you like specialty liquors? In late September we published an article about online fake liquor stores. Following that article, we learned of a new website called bourbonwhiskeyforsale.shop (still active as of November 12, 2022). They claim to have been in business for 16 years and yet, when we found them, their domain was less than 3 weeks old. For contact information, they provide only an email address and a WhatsApp phone number, though they claim to be located in the USA.
Many websites offer links to related news and a blog. It’s important to check these links because, often, scam websites have no content in these sections or ONLY content posted when the site was first created and nothing since then. Bourbonwhiskeyforsale.shop has a Blog page on their website but the blog consists of Latin gibberish typically found on newly installed web pages that was never removed or modified. (Newly installed websites often use Latin gibberish as a text placeholder.)
Our final example concerns a financial services company that is also used for advance-fee 419 scams. It is called “Abu Dhabi Finance P.P.C.” and uses the website abfinanceppc.com (which was active as of November 13, 2022). On the top page of the Abu Dhabi Finance website, they say they are licensed by the Capital Market Authority of the United Arab Emirates. This is, unsurprisingly, a lie. There is no such business listed at the CMA in any of their business categories. Also, their website says that they have been in business since 2008. And yet, a WHOIS lookup shows that their domain was registered in Malaysia on May 12, 2022!
The most interesting thing about this fake financial services website is the fact that nearly all of the content on the abfinanceppc.com website is real! It was stolen from a real financial services website called ArbahCapital.com. It is located in Saudi Arabia and was registered in 2008. In fact, the entire website design of abfinanceppc.com was stolen from Arbah Capital. The cybercriminals changed the names of the leaders on the bogus Abu Dhabi Finance P.P.C. and left out photos of them. Check out these two comparisons of people from the FAKE website with the REAL website…
We could go on and on exposing fraud like this! It’s so easy to create and post a website saying anything at all! But that doesn’t make it true! Do your due diligence! Verify, verify, verify that a website is legitimate by using several methods, not just one. And if you find a suspicious website, let us know at email@example.com!
Twitter “Blue Check” Scam Alert! – No doubt, you’ve heard that Twitter is charging $8/month for Twitter accounts to be verified and proving that they are “legitimate” accounts. This was soon followed by several new “blue check” Twitter accounts actually being exposed as fraudulent, including some purposely created to test Twitter’s new verification policy.
Although the precise information about the Twitter verification system revamp isn’t finalized, scammers already see it as a chance to target verified Twitter users! Don’t click on anything in this fake email.
Malicious Mimics! – We received the screenshot below from a 14-year-old girl who noticed that this exciting offer came to her from a website called Amaznon[.]net RATHER than amazon.com! This malicious mimic was registered on October 9, nearly a month before it targeted the girl. It is such an obvious fraudulent mimic, we’re shocked that it didn’t grab immediate attention from the Registrar Police. Oh yeah, we forgot, there are no Registrar Police!
Speaking of mimics, our friend Rob sent us a rather long and exciting email he received from the United Nations, informing him of millions of dollars in restitution due to him. However, he noticed that instead of the email coming from UN.org, the REAL domain for the United Nations, this email came from “potus[.]us[.]gov @ presidency[.]com” Presidency[.]com is a domain that is available to use by anyone for FREE, just like accountant[.]com and engineer[.]com. We believe that the overwhelming majority of users of these free domains are scammers!
Another example of this type of fraudulent mimicry is another email that supposedly came to Rob from the United Nations. The bottom of that email said “Kindly get back to us for further instructions on how you will receive your compensation on our confidential email account: INFO[.]UNITED[.]NATIONS @ usa[.]com” USA[.]com is another free domain used for email! And speaking of free, apparently there’s lots of free money being given away these days! It’s kind of like Christmas on steroids!
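Both kinds of mimicry described above, a near-miss spelling of a real domain and an "official" sender on a free email domain, can be caught mechanically. The sketch below is an added example, not part of the original newsletter; the allow-list, the free-mail list (taken from the domains named in this article) and the distance threshold are assumptions to adapt.

```python
# Domains the reader actually trusts, and free-mail domains named in the article.
KNOWN_GOOD = {"amazon.com", "un.org", "paypal.com"}
FREE_MAIL = {"presidency.com", "usa.com", "accountant.com", "engineer.com", "gmail.com"}

def edit_distance(a, b):
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def refang(text):
    """Undo the '[.]' defanging and stray spaces used when quoting bad domains."""
    return text.replace(" ", "").replace("[.]", ".").lower()

def sender_domain(address):
    """Domain part of an email address (everything after the last '@')."""
    return refang(address).rsplit("@", 1)[-1]

def label(domain):
    """Name left of the TLD; naive, ignores multi-part suffixes such as co.uk."""
    parts = domain.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def assess_domain(domain, claimed_org_domain=None):
    """Classify a domain as known-good, free-mail, lookalike, or unknown."""
    domain = refang(domain)
    if domain in KNOWN_GOOD:
        return "known-good"
    if domain in FREE_MAIL:
        if claimed_org_domain:
            return f"free-mail domain, not {claimed_org_domain}"
        return "free-mail domain"
    for good in sorted(KNOWN_GOOD):
        good_label = label(good)
        # Very short names (e.g. 'un') are skipped: one edit matches too much.
        if len(good_label) >= 5 and edit_distance(label(domain), good_label) <= 1:
            return f"lookalike of {good}"
    return "unknown"

if __name__ == "__main__":
    print(assess_domain("Amaznon[.]net"))
    print(assess_domain(sender_domain("potus[.]us[.]gov @ presidency[.]com"), "un.org"))
```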
Paypal and Geek Squad – We had a good laugh at this phishing scam disguised as a bill sent through Paypal because it contains two important “poker tells” that, we believe, might point to African scammers. The first is that the bill starts with “Dear.” Our experience over 10 years of tracking scams is that African scammers overwhelmingly use the word “Dear” more than any other foreign scammers! The second tell concerns the date. You can see that this email was sent on November 7, 2022 using the American date protocol of month, day, year. But if you look at the content of the email, the scammers used the date protocol used by the rest of the world… Day, Month, Year, demonstrating clearly that this bogus email was created by someone from outside the US!
Lots of bogus phishing emails are sent from free Gmail accounts! This Gmail account is a perfect example where the scammers entered “Geek Services” into the text field but used a free email account made of gibberish!
Credit Card Refund and Fleek.co – Often, legitimate services get so severely misused by cybercriminals, it’s a wonder they can be trusted at all! Take the service Fleek.co for example. They describe themselves as “a suite of tools with everything you need to build modern sites and apps on the Open Web and its protocols seamlessly.” Obviously, that includes cybercriminals. Check out this bogus email sent to us recently about a “virtual credit cards to refund.” The link to view our refunds pointed to fleek.co and VirusTotal.com showed us that 13 security services had identified that link as malicious! We’ve been targeted for months by the cybercriminals who created this malarkey! We wish we could quantify the hours they’ve put into their effort because it would make us feel even better! And we’re not alone. Look below at the 3rd screenshot sent to us by an Accountant. His bogus email also contained a link to fleek.co!
Purchase Order Attached and Quote Requested – We LOVE learning something new about online fraud and threats! Last week we did! We received a malicious email disguised as a purchase order sent to us from an obvious criminal domain called BillingUpdatesCA[.]live. (Gotta give them credit for trying!) The email was supposed to contain a purchase order. But attached purchase order documents are NOT tiny! They might be anywhere from 80 KB to 20 MB in size. If you look at the size of the attached document order details[.]r00 you’ll see that it is a very tiny 7 KB. That size is so small that it is likely just a link to a website and nothing more. We don’t need to open it for proof because that tiny size is all the proof we need! As many people often say… “size matters!”
Speaking of attached files, here’s another malicious email we received from a server in France. They claim to have attached a pdf file but the file name shows that it ends with DOT-z. DOT-z as in “zip” file! NOT a pdf file! Zip files are compressed files that can easily contain malware or malicious instructions that are triggered when opened. No thanks, we’re good.
House for Rent and Your Cloud is Filled – One of our longtime readers sent us this lovely text informing her of an opportunity to rent a 4 bedroom, 2 bathroom house for just $365/month. SERIOUSLY??? This house must have just burned down in a fire to be rented for that low a price! The bizarre font used in the link tells us immediately that it is malicious! It points to the domain called approvedurl[.]info which was registered about 2 weeks earlier.
Anytime you see an email or text where the sender uses a ZERO instead of the letter O, lunge to delete! Check out the word “CL0UD” in this bogus text. And delete!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.