Guilty by Association (Pet-Selling Scams) — On Monday, August 29, we received an email from a father, telling us about a scam that his 33-year-old son had just suffered when he tried to buy a puppy. As the father described it… “My son tried to purchase a Bernese Mountain Dog puppy over the internet from roseberners.com. Everything seemed to be going okay. They agreed upon a price for the dog, which we understood included shipping. After paying $600.00 for a puppy, $200.00 for shipping and another $100.00 for the crate, we were told the puppy required a special type of shipping container which cost $1590.00. When my son told the lady we did not have that they told him he lost all of the other money because he couldn’t pay for shipping.” This theft led them to start an online exploration of RoseBerners.com, only to discover other suspicious/fraudulent pet-selling websites and clues that they wished they had noticed before making this purchase. Let’s dig into their communication with RoseBerners.com and show you how they (and we) spotted other suspicious pet-selling websites connected to the same cybercriminals, making these other websites guilty by association.
After searching for Bernese Mountain Dogs, the son found RoseBerners.com and fell in love with the photos. He reached out to the owner and received this response…
These dog breeders say they are located in Helena, Montana, and the area code “406” fits that description. Though there is nothing obviously fraudulent about this initial email, it is odd that a Google search for that phone number in the email (406-302-4574) turns up nothing, BUT a search for the email address firstname.lastname@example.org shows several links to Untitled oddball websites located on servers in Spain (2-letter country code = “.es”), Poland (2-letter country code = “.pl”) and the Netherlands (2-letter country code = “.nl”) saying things like “Welcome to Astoria Berners Pups.”
We also want to point out something that is unusual and important for our readers to know. The vast majority of legitimate businesses who have websites that support their business also have and use email addresses associated with their domain names. For example, we have email@example.com, not spoofs “@” gmail.com. However, the owners of RoseBerners.com are using a Gmail account for their email, firstname.lastname@example.org. We think this is a bit suspicious, because we’ve often seen this use of Gmail from scam websites.
The son continued a back and forth exchange of about ten emails with various questions and answers. Not once did the sender from email@example.com identify him or herself by name, though they sent several documents, including a contract on August 26. After settling on a final price, including shipping the puppy from Helena, Montana, the son was asked to send his full payment via Venmo to @Malcolm-Monroe-6, Name: Malcolm Monroe, which he did. However, serious red flags appeared in the contract sent to the son. If you look carefully through the two screenshots of the contract below, you’ll notice awkward English, incorrect grammar and spelling AND a new email address from the dog-seller that doesn’t match any of the previous emails. It is listed as firstname.lastname@example.org. Also, this contract was presumably signed by someone named “Tiesha Jones” but the signature doesn’t match that name at all! The first name looks to us like it is either “Bill” or “Brad.” And, just for the record, anytime we have seen scammers include so many references to the United States, such as in this contract, it usually means that these criminals are NOT from the U.S. but are trying hard to convince you that they are! In support of this suspicion, we later learned from the father that his son tried to call the number listed on their website and spoke briefly to a man before he hung up. The son reported that this man had an accent that sounded foreign, “like somewhere in Europe.”
On August 26, the son sent his payment via Venmo. Not long afterwards, he received information from a company called Petco Pet Ltd (also called Petco Ltd and using the website: petcopetltd.com), a shipping service claiming to specialize in shipping pets via air to a new owner’s destination. This is what their invoice says…
Where ever your pet is, where ever you need your pet, all you for my pet to follow me where ever I go. need to do is contact us. Its that simple. We are a high reputable pet delivery agency with more than two decades of experience. Over the years we have moved and relocated thousands of pets all over the world. Never be seprated from your pet
COMPANY 2018 © ALL RIGHTS PETCO LTD
Why does the delivery service say “more than two decades of experience” but the copyright at the bottom show only 2018? The invoice listed the Shipper’s Information as:
406 578 7775 email@example.com
Sadly, there were many opportunities for the son (and father) to better investigate these sellers in advance and discover lots of red flags suggesting they were not likely legitimate. Here are a handful of red flags…
1. The website, RoseBerners.com, was registered in Iceland using NameCheap less than 2 months before the son found it and contacted these scammers (on July 8, 2022). This is a 100% sure sign of fraud!
2. We conducted a Google reverse image search on a handful of the images shown on RoseBerners.com. One of these images led us to this service on Facebook called “Bernese mountain puppies for Rehoming.” The account has only 3 reviews and 2 of these 3 reviews are calling the service a scam.
3. We conducted a Google search for the phone number listed on RoseBerners.com, 406-578-7775. We discovered other pet-selling websites using that phone number, such as RoseRagDoll.com (selling kittens) and links showing the same phone number appearing on sharpeivalley.com AND that it was another scam site! (See #5 below.) RoseRagDoll.com was also registered in Iceland, through Namecheap, about 2 months ago.
4. Though the son had already Venmo’d money to these fraudsters, he did notice the discrepancies on the contract and did not sign it. Instead he reached out to the seller. But what followed was a second round of fraud that we’ve seen associated with pet scams. After receiving the full payment, the shipping company then insisted that a special crate was needed to ship the dog and this was going to cost another $1590! The son was told “THERMAL ELECTRONIC CRATE URGENTLY NEEDED.” If the son had investigated this shipping service, copyrighted in 2018 but with over two decades of experience, he would have discovered that the domain Petcopetltd.com was registered just a few days earlier in Iceland, using NameCheap! Additionally, the Petcopetltd.com tracking document sent to the son on August 26 included the phone number: 406 351 4357. A search for this phone number turns up two links in Google about pet scams as well as other likely scam pet-selling websites: worldsharpeipuppy.com and maxfrenchbulldog.com. Though unrelated to pets, we also found this phone number associated with a newly registered financial services website called: Star Global Commercial and Financial Services, Inc. or SGCFS.com. It was also registered in Iceland, through Namecheap, in late June, 2022.
5. The contract also included a new and different email address of: firstname.lastname@example.org. A Google search for the email address email@example.com shows the top link pointing to the dog-selling website sharpeivalley.com. HOWEVER, the next 7 links point to sites calling out sharpeivalley.com as a pet-selling scam! Included were these articles on Petscams.com and Puppyscams.org.
6. After several searches related to RoseBerners.com, the father found information online that led him to several other websites that are likely scam pet-selling sites: www.astoriabernerspups.com, www.astoriaragdolls.com, and www.astoriacarinpups.com.
We could go on with more evidence of suspicious authenticity, or outright fraud, about Roseberners.com and Petcopetltd.com, or any of the other six suspicious websites, but you get the idea. Whenever dealing with online purchases that are not from long-established and well-known businesses, VERIFY, VERIFY, and VERIFY! Also, we strongly recommend that you insist on speaking to the seller over the phone or, better yet, through video chat to discuss your interest. Scammers will RARELY ever video chat and most won’t talk to you over the phone.
As for all of these other pet-selling websites that are associated with the phone numbers and email addresses found by us, the son and father during subsequent searches… we’re certain they are all scam sites as well! CAVEAT EMPTOR!
Back-to-School Supply Scams! – Looking to save some cash on back-to-school supplies? Don’t get tricked by these latest back-to-school scams! Use this FREE, all-in-one tool to combat scams with ease!
“Online Privacy” is an Oxymoron! – “Jumbo shrimp” makes no sense when you think about the meaning of both words. So too, is the reality of “online privacy.” There’s no such thing as privacy online! Check out this latest article on Scamadviser titled What is Internet Privacy & Why Is It So Important in 2022? Unsurprisingly, you’ll see that “data is basically the internet’s currency, and most cybercriminals use data to prey on their victims.” We see this over and over, such as phishing emails that contain the full name of the recipient, along with their email and perhaps even physical address.
The 1966 film titled “The Good, The Bad and The Ugly,” and starring Clint Eastwood, is practically iconic! Our Superstar Scam-Baiter friend, Rob, recently sent us these links and a sound file that we think fit this movie’s title well. First, we have the good! Action taken by the Federal Communications Commission caused an amazing 80% reduction in auto-warranty scam robocalls! HURRAY! But now the “bad”… A recent post on the Malwarebytes.com Blog showed that criminals are using fake arrest warrants as a way to socially engineer their way into bank accounts to perpetrate fraud. YIKES! But the “ugly” is how a scammer’s effort to scam Rob was bizarrely sidelined when Rob used his female AI to answer the scammer’s phone call. We think it’s quite funny! (And you can hear other scammers in the background.) Enjoy….
Can I Speak with Author Rob
During the last few weeks, David and Doug at The Daily Scam have been HEAVILY targeted by cybercriminals. Apparently, they are not too happy with our use of a particular email address for reporting shipping mule scams perpetrated by a Russian-speaking cybercriminal gang. Check out this lovely “Last Warning” that arrived in our inbox just last week. The link associated with “Confirm email account” pointed to a malicious website. What a surprise, right? However, technically speaking, this wasn’t the “last warning.” We’ve had two more of these lovely emails since this one.
IMPORTANT SECURITY UPDATE ANNOUNCED FOR APPLE USERS:
If you have any Apple devices, including iPhones, Apple recently announced important security updates for multiple Apple products. They are so important that they were also written about on the U.S. government’s Cybersecurity & Infrastructure Security Agency website.
Footnote: In last week’s emailed newsletter, our readers may have noticed an oddball link that appeared in the first paragraph of our top story. We apologize for that mistake. Our email marketing service had the hiccups. The link wasn’t malicious, just a mistake that we didn’t see until after the newsletter went out. Thank you to those who reported it to us!
Amazon, AT&T, Norton, and Paypal – Below is a type of phishing email that is dominating the rotten phish perpetrated by scammers! It thanks you for a purchase you never made and provides you with an invoice. But wait! Not only did you NOT make this purchase, but the purchase is being shipped to someone else! Oh No! Fortunately, these criminals provide their scam phone number to call. Thankfully, it’s easy to notice that this email didn’t come from Amazon.com and the number 888-735-6005 is NOT associated with Amazon’s Customer Service if you conduct a Google Search for it. However, Google will show you that it found oddball (malicious) websites in Turkey (“.tk”) and Japan (“.jp”). Step away from that precipice!
During the last few weeks we’ve seen criminals misusing the video call service from Zoom.us. Check out the email source of this email that wants you to think it came from AT&T Account Management. However, the opening paragraph is crazy stupid! Services DO NOT send emails notifying you of a suspended account because of out-dated billing information. Mousing-over “Update My Account” CLEARLY shows that the link doesn’t point to ATT.com!
Sometimes the creativity of scammers is so funny because it also reveals their effort as a complete fraud. Check out the way the sender of this phish listed the “Billing Department” phone number for Norton. This is done to try to avoid the scrutiny of anti-spam servers from recognizing the number as a known fraudulent phone number. Of course, when we searched for that number, 808-461-7120, in Google we find people talking about it on Scammer.info!
And finally, not only are these emails missing personal details such as your name and correct address, or the credit card information used to make a purchase, but you have to wonder about the sender’s email. Who the heck is “Ethan I. William?” He’s the sender of this bogus Paypal “Order Validation.” Notice, too, the bogus explanation that your “transaction will display in your account as soon as possible, but it could take up to 24 hours.” That’s total nonsense! Deeeeeeleeeeete!
The Perfect Dog for You and Find Christian Singles – Coincidentally, one of our readers sent us this email she received about finding the perfect puppy for her! “12 Small Dog Breeds That Are Perfect For Any Home” looks like it is associated with a website called Animal Encyclopedia. But this website uses the domain animalencyclopedia.info. The malicious clickbait below came from a bogus website called ativescrew[.]com. This domain was registered by the infamous Hyphen-Poopy Gang just 37 days before we got this email. (See our note below to explain the Hyphen-Poopy gang.) The domain was registered to a Post Office Box in Pennsylvania at #7209 Lancaster Pike. There is NO website located at this domain, but you’ll be forwarded to the article about dogs that you expect to see at the legitimate website. This means that the link in this clickbait is 100% malicious and you’ll be hit with malware before being forwarded. Don’t click on those cute puppies!
Cybercriminals often use clickbait disguised as emails from dating services. After all, as the Beatles said, “All you need is love.” And every human being needs it and wants it. That’s why low-lifes like the Hyphen-Poopy Gang use it for clickbait. (We strongly suspect that the Hyphen-Poopy gang is located in India. They’ve been using automated software for years that creates directory structures in malicious links by combining 2 random words, such as protozoologists-myxa. The domain used in this clickbait, GenieEyes[.]com, was also registered to the exact same Post Office on 7209 Lancaster Pike as the email above!) Their recent sample targets members of the Christian faith. The criminal creators of this particular email took the trouble to include a reference in the link to an early Christian author from Roman times, named Tertullian. Unlike the above email, the destination email will further forward you to another website we’ve seen used in clickbait before, called Yilopeet[.]com. Check it out…
Facebook Login Attempt, Adobe Review/Sign and Extortion Attempt! – Fortunately, anyone can see that SickHally[.]com is NOT facebook.com! This malicious clickbait was sent to us by a reader who immediately recognized that fact! We used IPLocation.net to show us that the domain associated with the links to “Report the user” and “Yes, me” is located on a server in Denizli, Turkey! Lunge for the delete key!
We’ve reported many times that cybercriminals misuse online services and tools to target the public. Here’s a perfect example. Someone using the name “Anderson Fisher” sent us an email from the legitimate Adobe service called Adobe Acrobat Sign. We were asked to review and sign some type of “Verification document.” Of course we didn’t click. Who the heck is Anderson Fisher, we wondered, and what is this document about? Fortunately, Mr. Fisher provided his email address tied to a domain called nordonilnc[.]com. However, a WHOIS lookup of this domain showed us that it has never been registered! It was a phony-baloney.
A little research taught us that these bogus Adobe sign emails have been used many times to target potential victims. Check out this article about them on P3CTech titled Tales from the Hacked: Fake Secure Document Signature Required.
We’re seeing an increase in the number of bogus extortion threats to people from a hacker claiming to have captured videos of you doing something personally sexual. Don’t believe this trash!
Camp Lejeune Compensation – Since the recent news from the U.S. Congress about supporting Veterans who suffered drinking water contamination at Camp Lejeune, scammers have been having a field day! They’ve created misleading and malicious emails, websites and now texts. Check out this very lame text that is an obvious fraud! Hopefully none of our Veterans will fall for it and click the link!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.