More Covid Charity Scammers (hosted by Shinjiru Technologies AS45839)

Last week we shared information about a particularly interesting cluster of scams that focus on their shared use of a set of nameservers where all of the related content seems to be criminal in nature.  Working with CAUCE (The Coalition Against Unsolicited Commercial Email) and the ZETAlytics “Massive Passive DNS” we have continued to monitor the hostnames associated with these DNS servers for additional Covid-19 related fraud.  The criminals certainly did not disappoint!

A Fraudulent GiveDirectly Donations site

The first website that we chose to look at claims to be a 501(c)3 Non-Profit called “GiveDirectly, Inc.”  We certainly agree that GiveDirectly is a 501(c)3.  According to their publicly available information, they gave out $59 Million USD in support to those in need during calendar year 2018.  The problem is that THIS website has nothing to do with the actual charity.  The real charity is supported by organizations including NBA Cares, Google.org The Late Show, and the Schusterman Family Foundation and they have provided financial support to 65,600 American families, as well as families in Kenya, Rwanda, Malawi, Morocco, DRC, and Uganda.  Again – the REAL charity is rated 100/100 by Charity Navigator and others.  But this website is NOT the real charity.

The real site: GiveDirectly.org

givedirectly[.]org’s Real website – a real charity doing good work!

The FAKE website: givedirectly-covid19-emergency-fund[.]ibonline[.]digital

FAKE website: givedirectly-covid19-emergency-fund[.]ibonline[.]digital

Hitting the “Give Now” button on the fake website transfers the user to a PayPal Donate page – a real PayPal page, but falsely claiming to be funding GiveDirectly.

The Scammer’s Paypal page 

eMedia COVID-19 Relief Fund targeted by Scammers

The second fraudulent charity website we see is stealing a campaign from eMedia.  eMedia got a great deal of media attention in South Africa, where many websites, such as “ibusiness.co.za” ran stories like this one:
The eMedia group’s websites all provided a prominent link to the donation page, such as this one found on the homepage of eNCA.com: 
Valid website: eNCA[.]com asks for donations …

When the Donate page is visited, we find information about donating to the HCI Foundation Trust’s covid fund at ABSA Bank.

Directions for donating to the REAL Charity Fund – via ABSA Bank in South Africa – donate.enca[.]com 

The Scammers version of the same page offers both a Bitcoin and a Paypal donation capability, but doesn’t mention the real Foundation Bank account.  The URL of the fake website is “emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital” the same domain (ibonline[.]digital) as the other scam above.

Fake Website: www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital

The Bitcoin address has thankfully received no payments thus far: 

185M9pKN3wPy86YiAiY5LsMpsfLnEv4XH5

Nameserver MetalDNS and SteelDNS used in more scams

The nameservers in question here, which we continue to monitor, are tied to thousands of suspicious domains.  Here is our evidence that they are being used in the two scams above.  Anyone could imitate our query from a Windows CMD prompt or a Mac/Linus terminal window.  (We’ve added square brackets around dots for safety, you would remove them to make your own query.)
In the query below, we first set our query type to “ns” to show the authoritative Nameservers for the domain the fraudster is using – ibonline[.]digital.  We then change our query type to show “A Records” (the resolution of a hostname to the IP address where that machine can be found on the Internet.)
nslookup 
set type=ns
> server ns1.metaldns[.]com
Default Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251
> ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251
ibonline[.]digital        nameserver = ns2.steeldns[.]com
ibonline[.]digital        nameserver = ns1.steeldns[.]com
ibonline[.]digital        nameserver = ns2.metaldns[.]com
ibonline[.]digital        nameserver = ns1.metaldns[.]com
ns1.steeldns[.]com        internet address = 101.99.72[.]47
ns2.steeldns[.]com        internet address = 111.90.144[.]253
ns1.metaldns[.]com        internet address = 111.90.144[.]251
ns2.metaldns[.]com        internet address = 185.70.107[.]110
> set type=A
> www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251
Name:    www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
Address:  111.90.156[.]73
> givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251
Name:    givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Address:  111.90.156[.]73
When we posted the previous article, the Covid-19 charities hostnames resolved, but they did not have any web content yet at that time.  We had found the scammer’s site before he finished creating it through the power of Passive DNS!  As you can see, the sites are complete now, and beginning to be used to scam victims who believe they are helping a Covid-19 person in need!
The webserver at 111.90.144[.]251 is also hosting a fake loan services (zocaloans[.]co[.]com) 
That Class C subnet (111.90.144.0/24) is also a mess.  Yesterday Zetalytics saw the first resolution of the webserver “usaid-who[.]org” — shall we go ahead and take bets on whether that will be a full blown charity fraud website by tomorrow?
Based on recent resolutions, we can also expect to see some HP Fraud here … new resolutions to 111.90.144[.]67 include hp.support-numberireland[.]com and hp.supportnumbercanada[.]ca and hp.supportnumber[.]com[.]au.  
There are also some interesting websites providing information for completing Wire Transfers, cuh as “onlinebanking[.]su” (su = Soviet Union) with directions for how to do wire transfers to many common American, Canadian, Australian, and European banks!  Again, early DNS is helpful!  One of the other websites that is still being built to help with Wire Fraud holds only a single file – a 40 MB zip file called “onlinebanks.cc.zip” containing all of the web content for creating the website!  
A Reverse Lookup of the Google Analytics code found on that page shows that three other websites using “metalDNS” as their nameserver are using the same Google Analytics code (ua-157551747):

hackertools[.]su 

onlinebanks[.]cc 
wuhancoronavirus[.]me 
What an interesting combination of websites to be created by the same webmaster!
Hackertools[.]su makes this claim about their services:
The website claims that they will wire transfer you funds from one of the thousands of accounts for roughly a 10% commission on the money stolen.  Of course, like most of the scam sites run by these guys, they’re just going to pocket the commission and you receive nothing.  Other interesting recent scam sites:

  • anaairlinesfirstclass[.]com – promises 50% discount on first class air from Japan’s ANA.
    • related: anacustomerservicecenter[.]com 
    • related: anaairlinesreservationnumber[.]com 
  • expresscards[.]net – claims to sell pre-paid VISA cards purchased with Bitcoin.
  • glosscommercialbk[.]com – phishing site for Gloss Commercial Bank 
  • zabitpharmaceutical[.]com – claims to sell FDA-cleared “rapid platelet analyzers” 
  • and so many many more …

*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2020/05/more-covid-charity-scammers-hosted-by.html