Email Spam has Links to Scam Websites Hiding in Bona Fide Business Websites
Get Rich Quick Schemes Being Served From Compromised Websites (probably)
Today I got a few spam emails with spoofed “from” addresses of folks I know. So what, it happens all the time… But just for fun I decided to check them out. They arrived in my Gmail, a catch-all system I use, not exclusively I might add, but the spam filtering is great. These are the two emails, with the spoofed email addresses and shortened URL links highlighted.
For my research I copied the offending yet unknown URLs into Microsoft’s Edge web browser inside the now working Windows Sandbox. It works very well now! This is to keep my machine as safe as I can get it from any nasties.
This is a brief look, with my [comments in brackets], at what I found.
From: firstname.lastname@example.org [domain seems to be a design consultant]
Link URL: http://xurl.es/qbqa2 [Spanish URL shortener]
Actual host domain of mondialcapsule.com is an Italian business that makes wine bottle tops.
From: email@example.com [Brazilian radio stuff]
Link URL: http://bit.do/fcR7Y [Brazilian URL shortener bizz]
No configuration file found and no installation code available. Exiting… [but I’ve limited experience in the many sorts of web setups]
Points of Commonality: Query Strings and the Webpage
To my eyes, the examples share three similarities:
- Each scam webpage has a very long URL
- Each scam webpage looks identical
- The query strings (the bit at the end of each URL after the question mark [?]) have a very similar format, with the number “9” being a key repetitive element. I have those query strings highlighted in bold above.
The Two Almost Identical Websites all Point to Smarttrack.Pro
There are very small differences in the pages which shows that they are generated from a dynamic template, just like mail-merges in Microsoft Word, say. With only a few dynamic search and replaces in play, the websites are identical. One wants to sell Crypto Nation and the other BTC Profit. Even the comments at the bottom of each page are almost alike!!!
Despite this, I have highlighted in the bottom left of the screenshots above the destination URL, which goes to http://smarttrack.pro/DXeMqAvr and http://smarttrack.pro/3bVnTeaV
In fact, all outbound links, including all the fake Facebook folks and ads down the sides, all point to either http://smarttrack.pro/DXeMqAvr or http://smarttrack.pro/3bVnTeaV !!!
The ends of the smarttrack.pro URLs are affiliate identifiers. This is a key piece of information since it’s pointing to the setup being a pyramid scheme of scaminess much like my first venture into this murky world of Google Treasure Chest which saw Pacific Webworks (PWW) get in a lot of trouble and eventually go bankrupt.
But for now, as I write my investigations as I do them, we’ll see how it goes shall we?
In trying to connect to http://smarttrack.pro/ all that returns is a 404. Actually, all the browsers I tested with convert the http to the secure https protocol, and it’s this URL, https://smarttrack.pro/, that gives the 404, screenshot on the left.
I can only get to Smarttrack Pro using the links, which….er…..don’t actually go to Smarttrack Pro! Nope – they all get redirected, again.
http://smarttrack.pro/DXeMqAvr goes to https://cryptonation.thesecuretrack.pro/en/crypto-nation/?destinationid=a69c269e-cffc-4e95-b129-b223f9fb8142&clickid=0cda7b36-49c2-480b-88e7-3dc50cf436bb&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563
http://smarttrack.pro/3bVnTeaV goes to https://btcprofit.onlinetradingplatform.pro/en/btcprofit-plus/?destinationid=8d060f87-d2ff-4144-8072-c1f765badd83&clickid=9670900e-a479-43b0-91be-bf60d3f40646&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563
At least they’re trying to be proper now by using HTTPS!!!
You will see that the sourceID in each link is the same, that will be me being given a unique fingerprint: sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563 But now I have two domains to check out: thesecuretrack.pro and onlinetradingplatform.pro
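The comparison above can be done mechanically. This Python script is an added example, not part of the original post: it parses the two redirect hops quoted here and reports which query parameters are identical across both landing URLs and which change per link. The function names are hypothetical, and the "last two labels" domain grouping is a simplifying assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# The two redirect hops quoted in this post: (tracker link, landing URL).
HOPS = [
    ("http://smarttrack.pro/DXeMqAvr",
     "https://cryptonation.thesecuretrack.pro/en/crypto-nation/"
     "?destinationid=a69c269e-cffc-4e95-b129-b223f9fb8142"
     "&clickid=0cda7b36-49c2-480b-88e7-3dc50cf436bb"
     "&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563"),
    ("http://smarttrack.pro/3bVnTeaV",
     "https://btcprofit.onlinetradingplatform.pro/en/btcprofit-plus/"
     "?destinationid=8d060f87-d2ff-4144-8072-c1f765badd83"
     "&clickid=9670900e-a479-43b0-91be-bf60d3f40646"
     "&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563"),
]

def describe(tracker, landing):
    """Split one hop into tracker token, landing host and query parameters."""
    trk, land = urlsplit(tracker), urlsplit(landing)
    return {
        "tracker_token": trk.path.strip("/"),   # trailing affiliate identifier
        "landing_host": land.hostname,
        # Assumption: last two labels form the domain (true for .pro, not co.uk).
        "landing_domain": ".".join(land.hostname.split(".")[-2:]),
        "params": dict(parse_qsl(land.query, keep_blank_values=True)),
    }

def shared_params(hops):
    """Return {param: value} for parameters with the same value on every hop."""
    seen = defaultdict(set)
    for hop in hops:
        for key, value in hop["params"].items():
            seen[key].add(value.lower())
    return {k: next(iter(v)) for k, v in seen.items()
            if len(v) == 1 and all(k in h["params"] for h in hops)}

def per_hop_params(hops):
    """Names of parameters whose value differs between hops."""
    names = {k for h in hops for k in h["params"]}
    return sorted(names - set(shared_params(hops)))

if __name__ == "__main__":
    parsed = [describe(t, l) for t, l in HOPS]
    for p in parsed:
        print(p["tracker_token"], "->", p["landing_domain"])
    print("shared:", shared_params(parsed))
    print("varies:", per_hop_params(parsed))
```

Adding further hops to `HOPS` from other spam samples shows whether the same value keeps turning up across campaigns.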
The sub-domain that the link actually points to, works. cryptonation.thesecuretrack.pro, with or without the identifying query string.
There are three T&C links at the bottom of the page and within these and the whole website there are no identifiers about who runs this or where it’s run from. Sounds like a sound investment…….? 🙁 They do have some T&C’s that claim that they are subject to UK law, in London, helpfully, in small print, at the bottom, but not quite….
Online Trading Platform is a trading name of Online Trading Platform Ltd Seychelles, regulated as a Securities Dealer by the Financial Services Authority of Seychelles with license number (SD008) and the Principal office at: Trop-X Securities Exchange Building, 3 F28-F29 Eden Plaza, Eden Island, Mahe, Republic of Seychelles. Unless specified, the use of the word Online Trading Platform on this website includes either entity.
This part of the operation truly has all the hallmarks of a pyramid scheme. See this US Gov’t website.
There are no ownership declarations apart from the claim that everything is copyright!!! While the main domain says they’re a Seychelles business, the sub-domain of BTC Profit, tellingly, claims in tiny print to be subject to the laws of Estonia (yes really) and has this key paragraph in its T&Cs. The whole T&Cs I’ve stored here, password 1234.
I’ve bolded various key words in their first paragraph. Very much like the Google Treasure Chest methodology, they sell software that allows you access to a magical money tree system that you further sell on, via “membership”, to other people. These people are obtained through emailing lists (aka spam lists) and it’s at this point that any earnings are made.
Making an Account
I started the account process in the URL:
…..by creating an email address for spammers and entering it, a password, but then they wanted my phone number where I will be contacted by a “personal coach”. I haven’t got enough money to be getting disposable phone numbers and am certainly not going to give an entity that arrived through spoofed email spam any actual personal details, so at this point I left.
Crypto Nation Pro Account Creation
I tried the same account creation at Crypto Bollox Nation and again, they want a phone number so I left. No personal coaching for me! Oh no!!!
Despite me arriving at this murky website through spoofed email spam, they do have a Spam policy!!! You’ve got to laugh at the nerve. Following directions from Trump probably – just lie lie lie and bluff bluff bluff. I copied their whole spiel to here [1234, remember?] Here’s part of what they say:
TheSoftware prohibits the use of the Services in any manner associated with the transmission, distribution or delivery of any unsolicited bulk or unsolicited commercial e-mail (“Spam”). You may not use any Services to send Spam. You also may not deliver Spam or cause Spam to be delivered to any of TheSoftware Services or customers.
In addition, e-mail sent, or caused to be sent, to or through the Services may not:
- Use or contain invalid or forged headers;
- Use or contain invalid or non-existent domain names;
- Employ any technique to otherwise misrepresent, hide or obscure any information in identifying the point of origin or the transmission path;
- Use other means of deceptive addressing;
- Use a third party’s internet domain name, or be relayed from or through a third party’s equipment, without permission of the third party;
- Contain false or misleading information in the subject line or otherwise contain false or misleading content;
- Fail to comply with additional technical standards described below; or
TheSoftware does not authorize the harvesting, mining or collection of e-mail addresses or other information from or through the Services. TheSoftware does not permit or authorize others to use the Services to collect, compile or obtain any information about….[…..blah blah blah…]
Of course, I ended up at their website by exactly those means above.
Leave well alone. All these websites want around £200 upfront to get the magic money tree software. In doing so, you will lose that £200 as well as the privacy of your phone number and email addresses. As a minimum you will be pelted with spam calls and emails until the end of time itself unless you change them.
Get rich quick, pyramid schemes, Bitcoins are the new snake oil for the sharks.
This scam has been going on since at least January 2019. Details in the videos from the early morning UK TV show led me to this property website. This tells the same story much more concisely than I do, including a link to a scam website. As I found out when investigating Google Treasure Chest, these websites don’t stay live for long and it’s now defunct.
I expect the same to happen in a few weeks to these two that I’ve looked at today.