Oct 19 2019

Get Rich Quick Schemes Being Served From Compromised Websites (probably)

Today I got a few spam emails with spoofed “from” addresses of folks I know.  So what, it happens all the time…  But just for fun I decided to check them out.  They arrived in my Gmail, a catch-all system I use, not exclusively I might add, but the spam filtering is great.  These are the two emails, with the spoofed email addresses and shortened URL links highlighted.

For my research I copied the offending yet unknown URLs into Microsoft’s Edge web browser inside the now working Windows Sandbox.  It works very well now!  This is to keep my machine as safe as I can get it from any nasties.

This is a brief look, with my [comments in brackets] of what I found.

Email 1

From:   stuart_chc@patrizia-schopf.com   [domain seems to be a design consultant]

Link URL:   http://xurl.es/qbqa2  [Spanish URL shortener]

Points to:   http://mondialcapsule.com/templates/jb_grid2/html/com_k2/templates/grid2/images/social/chksave/photo_gallery/page_not_found.php/mpy/zgafd/?9a9gw9c9nd0

Actual host domain of mondialcapsule.com is an Italian business that makes wine bottle tops.

 

Email 2

From:   stuart_chc@interadionet.com.br [Brazilian radio stuff]

Link URL:   http://bit.do/fcR7Y [Brazilian URL shortener bizz]

Points to:   http://sonadtransport.cz/components/com_jce/editor/tiny_mce/themes/advanced/skins/classic/img/tuttoinunclick/comment_reply/sidemenu.php/wap/ppce/?9ms9ga9sv9qv0

Actual host domain of sonadtransport.cz is only partly configured at the time of writing and has an unusual message that I’ve not seen before:

No configuration file found and no installation code available. Exiting… [but I’ve limited experience in the many sorts of web setups]

Points of Commonality: Query Strings and the Webpage

In each example to my eyes there are three similarities;

  1. Each scam webpage has a very long URL
  2. Each scam webpage looks identical
  3. The query strings (the bit at the end of each URL after the question mark [?]) have a very similar format, with the number “9” being a key repetitive element.  I have those query strings highlighted in bold above.

The Two Almost Identical Websites all Point to Smarttrack.Pro

There are only very small differences between the pages, which shows that they are generated from a dynamic template, just like mail-merges in Microsoft Word, say.  Apart from a few dynamic search-and-replace substitutions, the websites are identical.  One wants to sell Crypto Nation and the other BTC Profit.  Even the comments at the bottom of each page are almost alike!!!

In the bottom left of the screenshots above I have highlighted the destination URL, which goes to http://smarttrack.pro/DXeMqAvr and http://smarttrack.pro/3bVnTeaV

In fact, all outbound links, including all the fake Facebook folks and ads down the sides, all point to either http://smarttrack.pro/DXeMqAvr or http://smarttrack.pro/3bVnTeaV  !!!

The ends of the smarttrack.pro URLs are affiliate identifiers.  This is a key piece of information since it points to the setup being a pyramid scheme of scaminess, much like my first venture into this murky world, Google Treasure Chest, which saw Pacific Webworks (PWW) get in a lot of trouble and eventually go bankrupt.

But for now, as I write my investigations as I do them, we’ll see how it goes shall we?

Smarttrack Pro

In trying to connect to http://smarttrack.pro/ all that returns is a 404.   Actually, in all browsers I tested with they all convert the http to the secure https protocol and it’s this URL, https://smarttrack.pro/ that gives the 404, screenshot on the left.

I can only get to Smarttrack Pro using the links, which….er…..don’t actually go to Smarttrack Pro!    Nope – they all get redirected, again.

http://smarttrack.pro/DXeMqAvr goes to https://cryptonation.thesecuretrack.pro/en/crypto-nation/?destinationid=a69c269e-cffc-4e95-b129-b223f9fb8142&clickid=0cda7b36-49c2-480b-88e7-3dc50cf436bb&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563

http://smarttrack.pro/3bVnTeaV goes to https://btcprofit.onlinetradingplatform.pro/en/btcprofit-plus/?destinationid=8d060f87-d2ff-4144-8072-c1f765badd83&clickid=9670900e-a479-43b0-91be-bf60d3f40646&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563

At least they’re trying to be proper now by using HTTPS!!!

You will see that the sourceid in each link is the same; that will be me being given a unique fingerprint:  sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563   But now I have two domains to check out:  thesecuretrack.pro and onlinetradingplatform.pro
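The redirect chains above, and the “9”-laden query strings listed under Points of Commonality, can be triaged without ever rendering a page in a browser. Here is an added Python example (mine, not the blog’s or any of these sites’ code) that follows Location headers one hop at a time, flags the query-string pattern, and checks which tracking identifiers the landing pages have in common. The hop table is constructed from the URLs quoted in this post; the 302 status codes and the stub fetcher are assumptions so that the script runs offline. A real fetcher would be a HEAD request with redirects disabled, run only inside an isolated analysis box such as the Windows Sandbox mentioned earlier.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed hop table built from the URLs quoted in the post. A key is a URL
# that answered with a 3xx and a Location header pointing at its value; the
# 302 status is an assumption (the post does not record the actual codes).
REDIRECTS = {
    "http://xurl.es/qbqa2": (302,
        "http://mondialcapsule.com/templates/jb_grid2/html/com_k2/templates/grid2/images/social/chksave/photo_gallery/page_not_found.php/mpy/zgafd/?9a9gw9c9nd0"),
    "http://bit.do/fcR7Y": (302,
        "http://sonadtransport.cz/components/com_jce/editor/tiny_mce/themes/advanced/skins/classic/img/tuttoinunclick/comment_reply/sidemenu.php/wap/ppce/?9ms9ga9sv9qv0"),
    "http://smarttrack.pro/DXeMqAvr": (302,
        "https://cryptonation.thesecuretrack.pro/en/crypto-nation/?destinationid=a69c269e-cffc-4e95-b129-b223f9fb8142&clickid=0cda7b36-49c2-480b-88e7-3dc50cf436bb&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563"),
    "http://smarttrack.pro/3bVnTeaV": (302,
        "https://btcprofit.onlinetradingplatform.pro/en/btcprofit-plus/?destinationid=8d060f87-d2ff-4144-8072-c1f765badd83&clickid=9670900e-a479-43b0-91be-bf60d3f40646&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563"),
}


def stub_fetch(url):
    """Offline stand-in for a HEAD request with redirects disabled.

    Returns (status, location). Anything not in the hop table is treated as a
    final 200 page whose body we deliberately never download or render.
    """
    return REDIRECTS.get(url, (200, None))


def resolve_chain(url, fetch=stub_fetch, max_hops=10):
    """Follow Location headers one hop at a time and return every URL seen.

    Stops on a non-3xx answer, a missing Location, a loop, or max_hops, so a
    hostile chain cannot keep the resolver bouncing forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location or location in seen:
            break
        chain.append(location)
        seen.add(location)
    return chain


# Heuristic for the query strings noted in the post: a bare token that starts
# with "9", has letter groups separated by further "9"s, and ends in "0"
# (e.g. 9a9gw9c9nd0). It is an observation about these two samples, not a
# documented encoding.
NINE_TOKEN = re.compile(r"^9(?:[a-z]+9)*[a-z]+0$")


def nine_pattern(url):
    """True when the URL's query string is one of the '9'-interleaved tokens."""
    return bool(NINE_TOKEN.match(urlparse(url).query))


TRACKING_KEYS = ("destinationid", "clickid", "sourceid")


def tracking_ids(url):
    """Return the affiliate-style tracking parameters present in a URL."""
    params = parse_qs(urlparse(url).query)
    return {k: params[k][0] for k in TRACKING_KEYS if k in params}


def triage(start_urls, fetch=stub_fetch):
    """Resolve each start URL and summarise the hosts involved, the odd query
    strings, and tracking identifiers shared across chains. A sourceid that is
    identical on two different landing pages is the same visitor fingerprint
    being handed to both, which is what the post observes."""
    chains = {u: resolve_chain(u, fetch) for u in start_urls}
    finals = [c[-1] for c in chains.values()]
    ids = {u: tracking_ids(u) for u in finals}
    shared = {}
    for key in TRACKING_KEYS:
        values = [d[key] for d in ids.values() if key in d]
        dupes = {v for v in values if values.count(v) > 1}
        if dupes:
            shared[key] = dupes
    return {
        "chains": chains,
        "hosts": sorted({urlparse(u).hostname for c in chains.values() for u in c}),
        "nine_pattern_urls": [u for c in chains.values() for u in c if nine_pattern(u)],
        "shared_ids": shared,
    }


if __name__ == "__main__":
    report = triage(list(REDIRECTS))
    for start, chain in report["chains"].items():
        print(start, "->", len(chain) - 1, "hop(s), final host:", urlparse(chain[-1]).hostname)
    print("9-pattern query strings:", report["nine_pattern_urls"])
    print("shared tracking ids:", report["shared_ids"])
```

Running it lists every host touched across the four chains (shorteners, the two compromised sites, the affiliate tracker and both landing domains), the two URLs carrying the “9” query strings, and the single sourceid shared by both landing pages. Swapping `stub_fetch` for a real fetcher keeps the same shape: the resolver only ever reads status codes and Location headers, so nothing from the landing pages is executed.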

TheSecureTrack.Pro

This again returns a 404 unknown webpage.  No screenshot this time as it’s repetitive.

The sub-domain that the link actually points to, cryptonation.thesecuretrack.pro, works with or without the identifying query string.

There are three T&C links at the bottom of the page, and within these and the whole website there are no identifiers about who runs this or where it’s run from.   Sounds like a sound investment…….?  🙁   They do have some T&C’s that claim that they are subject to UK law, in London, helpfully, in small print, at the bottom, but not quite….

 

OnlineTradingPlatform.Pro

This domain exists, as does the sub-domain btcprofit.onlinetradingplatform.pro.   Its T&C links claim it as being a Seychelles entity [screenshot left].  It says:

Online Trading Platform is a trading name of Online Trading Platform Ltd Seychelles, regulated as a Securities Dealer by the Financial Services Authority of Seychelles with license number (SD008) and the Principal office at: Trop-X Securities Exchange Building, 3 F28-F29 Eden Plaza, Eden Island, Mahe, Republic of Seychelles. Unless specified, the use of the word Online Trading Platform on this website includes either entity.

The website(s) is offered to you conditionally on your acceptance without modification of the terms, conditions and notices contained herein (the “Terms of Use”). Your use of the website(s) constitutes your agreement to comply with these Terms of Use.

Btcprofit.Onlinetradingplatform.pro

This part of the operation truly has all the hallmarks of a pyramid scheme.  See this US Gov’t website.

There are no ownership declarations apart from a claim that everything is copyright!!!  While the main domain says they’re a Seychelles business, on the BTC Profit sub-domain, tellingly, in tiny print, they claim to be subject to the laws of Estonia (yes really) and have this key paragraph in their T&Cs.  The whole T&Cs I’ve stored here, password 1234.

Thank you for visiting the website (the “Website”) on which you found the link to these Terms Of Use (the “Website”). The Website is an Internet property of TheSoftware. (referred to collectively as “TheSoftware,” “we” and “us”). You agree to be bound by these TheSoftware Website Terms of Use (“Terms of Use”), in their entirety, when you: (a) access the Website; (b) register for a newsletter or subscribe to a mailing list or request information by and through the Website (“Subscription Services”); (c) register to participate in promotions, contests and/or sweepstakes offered by TheSoftware from time to time (each, a “Contest”); (d) join, or attempt to join, an affiliate program or other membership organization featured on the Website (“Membership Services”); and/or (e) order a product and/or service through the Website (“Vendor Services, and together with the Subscription Services and Membership Services, the “Services”). TheSoftware Privacy Policy (“Privacy Policy”), the Official Contest Rules applicable to each Contest, TheSoftware Purchase Agreement(s) (“Purchase Agreement”), TheSoftware Membership Agreement(s) (“Membership Agreement”), as well as any other operating rules, policies, price schedules and other supplemental terms and conditions or documents that may be published from time to time, are expressly incorporated herein by reference (collectively, the “Agreement”). Please review the complete terms of the Agreement carefully. If you do not agree to the Agreement in its entirety, you are not authorized to use the Services and/or Website in any manner or form.

I’ve bolded various key words in their first paragraph.  Very much like the Google Treasure Chest methodology, they sell software that allows you access to a magical money tree system that you further sell on, via “membership”, to other people.  These people are obtained through emailing lists (aka spam lists) and it’s at this point that any earnings are made.

Making an Account

I started the account process in the URL:
https://btcprofit.onlinetradingplatform.pro/en/btcprofit-plus/?destinationid=8d060f87-d2ff-4144-8072-c1f765badd83&clickid=9670900e-a479-43b0-91be-bf60d3f40646&sourceid=0dc9d884-8c89-459c-a11e-17f78ee29563

…..by creating an email address for spammers and entering it and a password, but then they wanted my phone number, where I would be contacted by a “personal coach”.  I haven’t got enough money to be getting disposable phone numbers and am certainly not going to give an entity that arrived through spoofed email spam any actual personal details, so at this point I left.

Crypto Nation Pro Account Creation

I tried the same account creation at Crypto Bollox Nation and again, they want a phone number so I left.  No personal coaching for me!  Oh no!!!

Anti-spam Policy

Despite me arriving at this murky website through spoofed email spam, they do have a Spam policy!!!   You’ve got to laugh at the nerve.  Following directions from Trump probably – just lie lie lie and bluff bluff bluff.  I copied their whole spiel to here [1234, remember?] Here’s part of what they say:

TheSoftware prohibits the use of the Services in any manner associated with the transmission, distribution or delivery of any unsolicited bulk or unsolicited commercial e-mail (“Spam”). You may not use any Services to send Spam. You also may not deliver Spam or cause Spam to be delivered to any of TheSoftware Services or customers.
In addition, e-mail sent, or caused to be sent, to or through the Services may not:
Use or contain invalid or forged headers;
Use or contain invalid or non-existent domain names;
Employ any technique to otherwise misrepresent, hide or obscure any information in identifying the point of origin or the transmission path;
Use other means of deceptive addressing;
Use a third party’s internet domain name, or be relayed from or through a third party’s equipment, without permission of the third party;
Contain false or misleading information in the subject line or otherwise contain false or misleading content;
Fail to comply with additional technical standards described below; or
Otherwise violate the applicable Terms of Use for the Services.
TheSoftware does not authorize the harvesting, mining or collection of e-mail addresses or other information from or through the Services. TheSoftware does not permit or authorize others to use the Services to collect, compile or obtain any information about….[…..blah blah blah…]

Of course, I ended up at their website by exactly those means above.

Conclusion

Leave well alone. All these websites want around £200 upfront to get the magic money tree software.  In doing so, you will lose that £200 as well as the privacy of your phone number and email addresses.  As a minimum you will be pelted with spam calls and emails until the end of time itself unless you change them.

Get rich quick, pyramid schemes, Bitcoins are the new snake oil for the sharks.

Postscript

This scam has been going on since at least January 2019.  Details in the videos from the early morning UK TV show led me to this property website.  This tells the same story much more concisely than I do, including a link to a scam website.  As I found out when investigating Google Treasure Chest, these websites don’t stay live for long and it’s now defunct.

I expect the same to happen in a few weeks to these two that I’ve looked at today.


© 1977, Strangely Perfect.