Weekly Alert  |  November 29, 2023

Woman Scammed by Instagram Ads & Fake Stores

Earlier this month we were contacted by a 72-year-old Massachusetts woman who had made several online purchases in July through ads that appeared in her Instagram feed. She still hadn’t received her items by mid-November and, it seems, there were now shipping problems, with some items coming from as far away as Vietnam. This also meant that the original cost of her items was increasing due to the shipping issues. Despite multiple attempts to understand what the problems were, and why there were delays and price increases, all she got back from the company was “it isn’t our problem” and a tracking code for the shipping site. Do you recall that Bed, Bath & Beyond declared bankruptcy last April and closed all its stores by August 1st? A bunch of this woman’s purchases were heavily discounted items sold on bedbathbeyond[.]sale, a fraudulent website. But this woman’s journey spanned 9 fake consumer & shipping websites! It’s a rollercoaster of fraud!

To protect her identity, we’ll call this elderly victim “Marilyn.” When Marilyn saw the Instagram ad for incredible savings at Bed, Bath & Beyond on the last day in July, she immediately jumped on the opportunity, knowing they were soon to close all their stores. She chose something for herself and her grandchild, totaling a little more than $35. Here is the order confirmation she received from BedBathBeyond[.]sale. However, the link to check the order status pointed to Sendgrid, an email marketing service often misused by cybercriminals.

Also in the last week of July, Marilyn purchased other discounted products she found as ads in her Instagram feed, such as this order for cutting boards and outdoor string lights from a company called csmarket-ht[.]com. Altogether, she made about $144 worth of purchases in late July for online products she found in her Instagram ad feed.

It is unfortunate that Marilyn was so trusting of Instagram to verify, authenticate and protect her from online fraud on their platform. Also, Marilyn has very limited skills to evaluate online fraud and see through it for herself. She was, sadly, the perfect target for these scammers. In August, several things began to unexpectedly happen with her orders and the credit card used to place these orders…

  • All of Marilyn’s orders made through Instagram Ads were delayed.
  • Marilyn tells us that she was notified by USPS that circumstances required her to pay higher shipping costs than initially indicated. (We don’t have these emails/notifications from Marilyn.)
  • Marilyn’s credit card company contacted Marilyn to say that her credit card had also been charged about $700 in fraudulent charges, including a plane ticket from Boston, Massachusetts to Denver, Colorado. She had not made these purchases and the credit card company counted it as fraud, shut her card down and issued her a new card number.

There are SOOOOO many red flags from these online stores and email communications shared with us that scream fraud! It’s unfortunate that she was not able to see any of these warnings and became suspicious only months after placing her orders. That’s when she contacted us to ask for our opinion about these purchases. Here are just a few of the red flags we saw…

  1. Marilyn made several purchases from bedbathbeyond[.]sale. This domain was registered about 3 weeks before she made those purchases. The REAL website for this business is BedBathandBeyond.com and it was registered in 1996.

  2. On July 25, Marilyn purchased items from csmarket-ht[.]com. A Google search asking what this company is returns, in at least the top 5 results, credible websites identifying this service as a shopping scam site.

  3. Confirmation links in her orders from csmarket-ht[.]com all pointed to a website called shoplazza[.]com instead of csmarket-ht[.]com. ShopLazza turns out to be a very suspicious website registered in China in 2017 that enables anyone to create an online store. There are many online complaints about this site, including at least 99 1-star reviews on TrustPilot.com and Reddit community complaints about consumer sites run by ShopLazza.com. Months after her confirmation email, Marilyn’s link to verify her order at ShopLazza says “this store is currently unavailable.”

  4. Oddly, Marilyn’s confirmation email from csmarket-ht[.]com also identifies the store as “cidose” (upper left corner) with a missing “LOGO.” Cidose[.]com is another suspicious online store, as indicated by our friends at Scamadviser.com, Webparanoid.com and others.

    As if these red flags and the missing orders above weren’t enough, Marilyn shared a number of emails with us from these stores that included replies and/or links to several more fake websites. Below is an exchange of 4 emails between some of these stores and Marilyn between the end of October and start of November. Marilyn still had not received anything she had ordered through these Instagram advertisements.

    The orders placed with BedBathBeyond[.]sale offered a tracking link for a newly issued shipment. Of course, this shipment had its own shipping costs! But here’s where this mess gets messier. The link pointed to a shipping site at the domain liy[.]la. This domain was registered in October 2022 and has no website at the top of it. But the link points to a page buried on the site that also contains a redirect to a shipping company called “Global Express Group” at the domain Global-Express[.]co. This domain was registered 9 months ago on February 23 using the Registrar NameSilo. Complicating this craziness even further is the fact that the webpage presented to Marilyn to track her order shows an email address for customer service as contact@expressglobal[.]us (and NOT global-express[.]co). This other shipping domain was registered on the same day as global-express[.]co, February 23, 2023, using the same Registrar.

    Finally, we hope you noticed that 2 of the emails that Marilyn shared with us above came from 2 people at a domain called peachcher[.]com. A Google search for this domain (using Firefox so we don’t visit this site) turns up a bunch of top links referring to shopping scams, including Scamwatcher.com!

    We can go on and on in this crazy set of scams targeting Marilyn after she clicked on Instagram’s advertising but we’ll stop here by mentioning only two more suspicious companies that online reviews suggest are scam sites: westarshop[.]com, mailshopline[.]com and lendleo[.]com. In total, Marilyn’s fraud spanned more than 9 websites and she told us she lost about $400 that was not refunded by her credit card company. From our assessment of the content she shared with us, we believe that Chinese scammers are the most likely cybercriminals behind all of this fraud. (Their specialty is fake shopping websites.)

    Perhaps not coincidentally, Marilyn also told us that in September, again through Instagram, she met a supposed orthopedic surgeon online who is in Syria. Their friendship grew over several weeks until he asked her for money, four times! Including $2000 in Apple gift cards!

    Shortly after we spoke to Marilyn, we also spoke to Gavin Dunaway, Product Specialist for the Media Trust, a company devoted to safeguarding other companies’ online services from fraudsters and malicious threats. Gavin told us that Facebook and Instagram seem to be really struggling to perform due diligence on advertisers, a challenge for any company with a major self-serve operation. However, the Meta platforms are allowing obvious scams to continue running even after they are identified and shared widely by well-known threat hunters. Verifying whether or not ads on their site are legitimate or fraudulent is sadly not a high enough priority!

    BOTTOM LINE: Never trust any online ads, especially those on social media, without doing your own background checking or looking closely at domain names!

    Tips for Avoiding Older Adult Romance Scams

    Romance scams targeting older adults are the most common — and often the most damaging. Check out and protect yourself with this 100% FREE, all-in-one tool.

    Scam Dating Sites, National Tax Relief & Another Extortion Threat

    In our top story of November 15, we reported on unexpected threats that originated with a friend request from a woman named Victoria Webb. After our friend Rob saw that story, he wondered if there might be other types of threats or fraud to worry about with online dating sites, so Rob decided to join LadaDate[.]com, a dating site that has been around for about 10 years. Rob noticed that Ladadate[.]com had over 146 reviews on Sitejabber.com and 46% of them were 1-star, while a nearly equal 45% were 5-star reviews. Very quickly after joining, Rob discovered that he had 99 messages from beautiful young women all over the world! Many wanted to meet him in California, where he said he lived. (Did we say that Rob is over 70 years old and, though a handsome fellow with a smile that would freeze most scam artists, he’s no spring chipmunk.) But when Rob tried to respond to the first of these beautiful young ladies (profile ages 21 – 40 years old), he was immediately stopped and told he would have to pay for “credits” in order to chat.

    To Rob, and to us, this website felt like a complete fraud! As adorable as our friend Rob is, he’s still over 70 and brand new to this dating site. To suddenly have nearly 100 messages from beautiful young women within hours of joining is absurd! And when you consider the fact that he was required to pay for “credits” in order to chat with these women, it makes us wonder if these ladies were real or if they and the website split the money that Rob and others must pay. Rob found other poor ratings of this site (links below). Our point is that fraud concerning online dating is typically associated with scammers who create fake profiles. But there are multiple ways to run scams online, including from the dating sites themselves! Sometimes it helps to look at fraud from different perspectives.

        https://www.trustpilot.com/review/ladadate.com

        https://www.sitejabber.com/reviews/ladadate.com

        https://www.complaintsboard.com/ladadate-truth-about-ladadate-c802956

        https://www.scamadviser.com/check-website/ladadate.com  (Very low trust rating)

    Though his dating endeavors have not worked out, Rob’s been busy. Recently he received a phone call from the “National Tax Relief Program” but instead of taking the call himself, he decided to turn on his “bot” to speak with “Jessica” and record the call. The call came from 831-204-4718 and more than 3 dozen people have complained about this fraud on EveryCaller.com! We found it interesting that these fraudsters chose to use a bot with a British accent to describe their US tax relief program! Enjoy this 4-minute call…

    In mid-November, we heard from a friend who was a bit worried after receiving the email extortion threat below. He thought it was likely a scam but asked us just to set his mind at ease. We assured him that these threats are scams and sent to thousands of email addresses all the time! We stopped counting after getting more than 20 of them during this year alone!  If what this email says is true, show me the proof!  Show me a photo or video!? But 99% of these scams can’t even name the recipient and NONE show proof of what they claim they have.

    Facebook Phishing Threat

    Last week we put out a last-minute warning about a phishing scam spreading like wildfire across Facebook. After conducting a more thorough investigation of this threat, we have more to share with you. When the scammers gain access to your account, they collect LOTS of your personal information, including your contact list, and then send a copy of this phishing post to your friends while disguised as you! “I can’t believe he is gone, I’m going to miss him so much.” It is followed by 1-3 sad or crying emojis. The image seems to show a link to a YouTube video about a very bad car crash. But the links associated with these images point to various phishing websites and victims are often tricked into giving up their login credentials.

    When we searched Facebook for either “Fatal road accident,” “bad accident” or “I can’t believe he is gone” we found DOZENS of these posts on accounts from friends and public accounts open to the Internet in the previous few weeks. There were so many that we stopped counting after reaching 36. When we moused over the links in the many posts we reviewed, we couldn’t help but notice that each link had a subdomain at the start of it that was meant to appear as a news website or YouTube. Subdomains referenced BBCNews, NewsUSA, YouTube, NewsUSAInt, CA-US-News, and others. But in each case, the domain was almost always psee[.]io followed by a short code.

    Here are just 2 examples of the depth of this fraud…

    On November 15, someone named Kelly posted this message on Facebook and the link pointed to… newsusa123[.]psee[.]io/5d6rk4?fbclid=IwAR2mqIhwGEKSHJbOvnFAuPAcvb1AOKHfXyAgr0dvoBl5oODqFXp0zub3hnE&h=AT0d-QQeUwxv8sqJF44lgJvtreQ1….(Followed by a LOT more random characters.) We recognized the domain psee[.]io and first six characters (5d6rk4) as a shortened link. When Sucuri.net looked at newsusa123[.]psee[.]io/5d6rk4 it told us that visitors will be redirected to the following website: newsusaint-6wub72[.]n51q[.]com. The domain n51q[.]com was registered on the same day as the post, November 15, through Namecheap!  Also, this domain sits on a server in Germany.

    Also, on November 15, someone named Dolly posted the same message on Facebook and the link pointed to… youtube29[.]psee[.]io/5dp3s6?fbclid=IwAR2-dwKj2yaz4r_h5vbS1vyibHojbVLS1a8kLZav8I_GY0ORYEPLGXbHEhQ&h=AT1yUchVTETGBWdjTw8PoXxJJgCXvH6dq….(Followed by a LOT more random characters.) When Sucuri.net looked at youtube29[.]psee[.]io/5dp3s6, it told us that visitors will be redirected to the website: newsusaint-9l1qqg[.]zx1j[.]com. Zx1j[.]com was similarly registered through Namecheap on November 15 and also sits on a server in Germany.
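The subdomain-versus-domain check we did by mousing over those links can be automated. The sketch below is an added example, not code from our investigation: it splits a link into its subdomain and registered domain and flags a brand name that appears outside that brand's real domains. The brand table, the short suffix list, and the two links marked "constructed" are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: brand keyword -> domains that brand really uses.
BRANDS = {
    "youtube": {"youtube.com", "youtu.be"},
    "bbc": {"bbc.com", "bbc.co.uk"},
}
# Link shortener named in the article; extend with others you encounter.
SHORTENERS = {"psee.io"}
# Tiny stand-in for the Public Suffix List (assumption; use the full list in practice).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(url):
    """Undo [.] / hxxp defanging and make sure a scheme is present for urlsplit."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http")
    return url if "://" in url else "http://" + url


def registrable_domain(host):
    """Return the part of the hostname that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url):
    """Split a link into subdomain and registered domain and flag mismatches."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".")
    domain = registrable_domain(host)
    subdomain = host[: len(host) - len(domain)].rstrip(".")
    # A brand name anywhere in the hostname, on a domain the brand does not own.
    impersonates = sorted(
        brand for brand, real in BRANDS.items()
        if brand in host and domain not in real
    )
    return {
        "host": host,
        "subdomain": subdomain,
        "registrable_domain": domain,
        "impersonates": impersonates,
        "shortener": domain in SHORTENERS,
    }


if __name__ == "__main__":
    samples = [
        "newsusa123[.]psee[.]io/5d6rk4",            # from the article
        "youtube29[.]psee[.]io/5dp3s6",             # from the article
        "bbcnews[.]psee[.]io/EXAMPLE",              # constructed
        "https://www.youtube.com/watch?v=EXAMPLE",  # constructed control
    ]
    for s in samples:
        print(s, "->", check_link(s))
```

A hit on either flag only means the link deserves a closer look with a scanner such as Sucuri or VirusTotal; it does not replace one.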

    We found other psee[.]io links that redirected to other websites in Germany.  We also found several links that redirected to web pages on the domain called digitaloceanspaces[.]com. We returned to the Facebook accounts of 3 of these phishing tricks on November 19, clicked the 3 horizontal dots in the upper right corner of each, selected “Something else” and then reported each as a “Fraud or Scam.”  Two days later we received a reply from Facebook. For two of our reports, Facebook’s support message said “It seems that the post you reported has been removed from Facebook.” But the third reply said that Facebook found nothing wrong with the post and was not removing it!  These posts literally pointed to the same psee[.]io domain and not to YouTube videos as they implied. This one-out-of-three inability to identify and remove an obvious fraud targeting the Facebook community implied two important things worth noting….

    • Not all Facebook support staff have the ability to see through online fraud!
    • You cannot rely on Facebook to protect you and safeguard your accounts from misuse.

    Fortunately, VirusTotal was pretty good at finding security services that identified these links as malicious.

    Black Friday Threats and Abuse of APC

    What do you get when you combine Black Friday with a focus on senior citizens? LOTS of malicious threats! Many of our readers sent us a lot of these threats last week in the few days leading up to “Black Friday” and other holiday deals. Here is a perfect example. This clickbait claimed to come from AARP and offered a 5-year membership for only $9 per year and a free gift if you joined or renewed your membership. But the offer didn’t come from AARP and the links in the email pointed to the misused services at AmazonAWS. Once again, VirusTotal was able to find one security service that saw through this fraud.

      We just want to warn our readers about an explosion of malicious emails with links pointing back to a legitimate website that is being heavily abused.  If you see any emails with links pointing to apc[.]org, we do NOT recommend clicking!  Lunge for the delete key!  Here’s one example that wants you to think you have a package waiting for delivery, a common malicious trope.

      Package Waiting for Delivery — Speaking of malicious delivery notices, check out this delivery notice that looks very much like a Fedex notice. “Track and Trace” came from appropospher[.]com. This oddball domain was registered by someone named “Emilia Cain” from “Florida, Florida,” back in July 2022. The links point to a website we’ve seen misused before, called ceremovember[.]com and registered by “Skylar Maxwell” from Iowa, Iowa. But that’s not your final destination! Skylar will redirect you to a big GiantTransferWind[.]com website that has been identified by 2 security services as malicious! Lunge for the delete, delete keys!

      Package Cannot Be Delivered — Apparently, telling you via email or text that you have a package that cannot be delivered is a powerful trigger of human behavior, because cybercriminals are using this trick A LOT! One of our readers recently received a text from a phone number that came from the Philippines! It began with the country code +63. Wow! We didn’t know the US Postal Service had offices there! The subdomain in the link is “USPS” and the fully-qualified domain is uspsjz[.]com. It was registered in Singapore about 3 weeks ago.

      Deeeeeeleeeeete!

      Until next week, surf safely!

      Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved.