
Rampant Spam shows widening of coronavirus-related frauds

FCRO Subsection: 
Editorial Staff

As spam-filters become more alert to spam-scams, many criminals have moved on from selling overpriced, poor quality or non-existent facemasks and the like.

Following the trend set by UK TV advertising where on-line gambling has reached near-epidemic proportions, there is an increased rash of gambling spams. But the most significant trend is to focus on the lifestyle changes faced by millions as they sit at home wondering what to do next.

An area of life that is gaining increasing attention in the media is the use of virtual courtrooms or, even, free online video chat software for hearings. One spammer has reacted to that increased interest by mailing from owsotuses@gmail.emailhearing.com. Obviously, that's not at gmail.com: "gmail" is only a subdomain label under emailhearing.com. In fact, the mail was issued via Microsoft Outlook Express. The domain was registered in 2017, is hosted at SRSPLUS.com and has multiple reports on several spam databases. The mail consists solely of a link. The link is to a domain name that was registered in March 2020 and is stated to be a casino website.

The fascination with temperature testing as an indicator of possible COVID-19 infection is the cause for the spam from "Alert Families." The domain fevator.live falls into our standard class of blocked domains (all .live and many other domains are automatically blocked due to relative proportions of criminal v legitimate operations using them). The spam contains two links to that domain and then includes blocks of text relating to the installation of the Linux operating system Ubuntu, adopting an old spammer's trick of using a small amount of spam outweighed by a quantity of non-spam text. This is designed to fool filters into treating the spam content as inconsequentially small. Interestingly, a search for that domain returns no results. Whois also generated "no data relating to this domain." The name, we assume, is meant to associate "fever" with "fevator."
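The sender and link checks described in the two paragraphs above can be sketched as follows. This is an added example, not the publication's own filter: the `BRANDS` map, the naive two-label registrable-domain rule and the sample URLs are assumptions made for illustration. Each host is judged on its own, so padding the body with unrelated text does not change the result.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Only ".live" is named in the article; extend this set to match local policy.
BLOCKED_TLDS = {"live"}
# Assumption: illustrative map of brand label -> the brand's real domain.
BRANDS = {"gmail": "gmail.com", "amazon": "amazon.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_flags(host):
    """Return the indicators raised by one hostname."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host.strip("[]"))
        return {"ip-literal"}          # link or sender uses a bare IP address
    except ValueError:
        pass
    labels = host.split(".")
    flags = set()
    if labels[-1] in BLOCKED_TLDS:
        flags.add("blocked-tld")
    # Naive registrable domain (last two labels); a production filter
    # should consult the Public Suffix List instead.
    registrable = ".".join(labels[-2:])
    for brand, real in BRANDS.items():
        # Brand name used as a subdomain label of somebody else's domain.
        if brand in labels[:-2] and registrable != real:
            flags.add("brand-in-subdomain")
    return flags


def assess(from_addr, body):
    """Flag the sender domain and every linked host, ignoring body volume."""
    flags = {"sender:" + f for f in host_flags(from_addr.rsplit("@", 1)[-1])}
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        flags |= {"link:" + f for f in host_flags(host)}
    return flags


if __name__ == "__main__":
    # Constructed sample: two links buried in unrelated Ubuntu install text.
    filler = "Boot the Ubuntu installer and choose a disk layout.\n" * 200
    padded = "http://fevator.live/a\n" + filler + "http://fevator.live/b\n"
    print(assess("owsotuses@gmail.emailhearing.com", "http://192.0.2.10/play"))
    print(assess("alerts@fevator.live", padded))
```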

Another casino advert plays on the current fears of people about their finances. It's full of lies about opting in and so on. The link is to an IP address. The return mail is jchavalii@gmail.com. The suspicious domain name is tri-finance.com. This is an interesting thing: the domain was registered in 2001 and is hosted in Belgium. The address info@tri-finance.com has been reported for fraudulent conduct in relation to several dating websites. A search at UK Companies House for tri-finance.com Limited produces a result that contains only a link to a company called INTERNETSHOPPING4ALL LIMITED. Tri-Finance.com Limited was for a time registered as the Company Secretary of INTERNETSHOPPING4ALL LIMITED. Although Tri-Finance.com Limited is marked as being registered in England, there are absolutely no filed details relating to accounts, date of formation, officers, subscribers, etc. InternetShopping4All Limited, on the other hand, has full and up to date information. It appears that, despite the connections we found, InternetShopping4All Limited is and has been for some years a dormant company. We are unable to identify the persons behind Tri-Finance.com but there is one remaining niggle: one of the officers of InternetShopping4All Limited gives her nationality as Belgian. It may be nothing more than a coincidence.

More examples:

Red Stag Casino - investorsanalyst.com
Red Stag Casino - wheelsonweb.com
"Say hello to a bacteria free home" - secondgrade.world (this appears to be a carefully set up mass e-mail service). Registered through NameCheap, which is, after GoDaddy, one of the service providers used by the most prolific scammers. The only available information about this domain says that it's registered to someone in Uttar Pradesh, India.
Nail care for pets - smartbagbackpack.world - Registered through NameCheap - apparently to someone in Panama.
"Study Shows That Reading Makes Children Smarter" TeachYourchild@sqribbmass.bid - using the same cloaking style as earlier, the bulk text this time is about pottery. Again Panama and again NameCheap as the domain registration company.

And, finally, a giggle. We know to giggle because we don't allow html mail to pass to users. So we get to see all the hidden bits that HTML obscures to help the criminals. This is what it says: "Amazon.comAccount ID: [false account number] We have reason to believe that your amazon account has been used fraudulently without your permission. In addition, any unauthorized activity, such as buying or selling, has been canceled and any associated fees have been credited to your account. Any listings that we removed are included toward the end of this email. We assure you that your financial information is securely stored on a server and cannot be seen by anyone. To secure your amazon account, you need to: 1 - Login to your account. 2 - Update your payment information and other stored information on your account. For detailed instructions, please visit:...." It even includes a genuine link to an Amazon support page. But it gives itself away with the "from" address - smtpf0x@shaima.me. That's another late 2019 registration via NameCheap. It, too, is registered to someone apparently in Panama. What is surprising about this one is that it's hosted at BlueHost.com: this isn't a service we normally see criminals operating from.
A casino spam uses the domain "nicecrusing.com" - presumably because for some time cruise ships have been in the news and there is some chance people will respond. It is suspected that this e-mail address is spoofed i.e. not the address from which the e-mail in fact originates.
Government Approved! A get rich slowly spam scam. A dodgy thing called "The Daily Newsroom" spams from awdot.com. Although it headlines its message "London" it appears to be registered to an address in India. It says "The following is an urgent public announcement from the president of The Daily Newsroom – The largest underground news and research publishing company in the U.K. – The facts you're about the see may seem incredible." Then it invites a click. Nah. It's OK, thanks. We'll stick with the credible.
