Categories
SCAM

FACEBOOK EVENT SPAM: livestreams-now.com

If you’ve ever run events on Facebook or another social media platform, you’ve probably run into the problem of bot accounts posting on your event. A new one that came to us recently was a complete fake page set up in the name of the event, which then created some fake events using logos and images from the event.
Bot accounts were sharing this page and event and bot accounts were also posting on the real event’s posts trying to encourage people to watch a live stream (there was no live stream).

SPAM website being promoted: livestreams-now.com

All the details of the domain are redacted as you’d expect.

The webpage is a rather generic (stuck in the 90’s?) page offering to sell you access.

The watch now link directs you to a script on the 8pp33.com domain, which in turn bounces through mcmo22.com, then go.tffkroute.com, then turnhub.net, and finally lands you at goenjoymedia.com, a more modern site where you can sign up to stream… what, it doesn’t really say.

goenjoymedia.com is appearing as the destination for lots of other URLs, so it’s clearly the endpoint for a whole lot of this fake event SPAM from multiple sources.

If you’re running events, this is now a fact of life.

Tip from the submitter: contacting Facebook Business Support by Messenger is the quickest way to get these pages and events shut down (they found out after the fact).

Categories
SCAM

SCAM: Amazon Prime subscription robocall

The international robocall SCAM volume has had a noticeable increase over the past 6 months.

The scams are still the same, either being the purchase of an expensive Apple iPhone or an Amazon Prime subscription.
The call is from a local number and a robotic voice reads you a message, obviously programmed with no punctuation as it rattles it off at a record pace.

You are always given the option to press 1 to speak to an operator if you want to cancel the order. Amusingly, they often don’t know which scam they’re talking to you about and often start talking to you about something different from the robo message.
The people you speak to are reading from scripts, often trip over their own words and are easily stumped when you don’t respond the way they would expect. Questioning who they are or where they are from almost always results in the call being terminated.

In a recent call, whilst playing along, we were directed to go to an Amazon cancellation form at http://amazonformcancel.ukit.me

Ukit.me is a free hosting platform out of Russia and is being abused for SCAM and SPAM campaigns regularly. (just do a Google search)

On this fake Amazon page, you’ll find a few things.

First, the cancel order button helpfully points you to a download of the UltraViewer (ultraviewer.net) remote access software.
Just in case that doesn’t work, there are also Support links to point you to download their other regular favorite, AnyDesk (anydesk.com).

Now, just in case you can’t download the above remote access software so they can access your computer (maybe your work has blocked these tools as a sensible precaution), they helpfully have a link to a Google form where they can collect personal information about you.

Going by the legitimate Amazon links on this fake page, this SCAM is operating out of India (amazon.in) which does seem to match the accent type we often hear.

TIPS:

  • Never respond to unsolicited automated or robocalls asking you to take action on something. If you’re concerned, log in to your account or visit the vendor’s website directly to investigate.
  • If you’re called by an actual person, never be afraid to ask them to verify their identity BEFORE you hand over any of your personal information. If in doubt, let them know you will contact them back through their publicly advertised contact number. Most legitimate companies won’t have any concern with this and won’t try to coerce you into talking to them.
  • NEVER allow someone to remotely access your computer unless you implicitly trust them. If you have a work computer, this will be against your company policy. There is no legitimate reason a company like Amazon would need to access your computer to deal with an account issue.

But really, if in doubt, just hang up.

Categories
SCAM SPAM

SPAM: HomeLight.com

Unsolicited SPAM from HomeLight home selling site. This looks exactly like affiliate SPAM as the email has come from a .click domain and the URLs in the email are all very suspect.

FROM: Homelight Partner homelight-partner@depictwa.click
SUBJECT: We may have a buyer for your house

Property Update – Multiple Inquiries For Your Property

I wanted to reach out and let you know that a buyer wants to make an offer for your home using HomeLight. com.

HomeLight has helped thousands of homeowners who’ve felt this is the best way to sell their home during COVID-19.

We’re seeing demand pick up dramatically due to low interest rates, so please act soon if interested.

Please click here to view the offer for your home.

Thanks,

Bill
HomeLight. com Simple Sale
Read HomeLight. com Reviews

Unsubscribe. HomeLight, Inc. 100 1st St, Suite 2600, San Francisco, CA 94105

Australian Communications and Media Authority
https://www.acma.gov.au/avoid-sending-spam


Categories
SCAM SPAM

SPAM: Spambots & Affiliate Spam

With a whole raft of cheap top level domains has come a whole raft of spambots. Amongst the domains we are seeing are .cam, .click and .work and many others.

In all these affiliate SPAM emails we also see two unsubscribe options and two mailing addresses. One is for the product being SPAM marketed and the other is the bot/people sending the SPAM. The addresses are almost always invalid under the vague guise of meeting SPAM regulations, which of course the email doesn’t. As the pattern is almost the same, we suspect it’s the same SPAM organisation generating this traffic.

Although things keep changing, it’s reasonably easy to block a new top level domain and a new SPAM address. It is disappointing that mail providers generally don’t provide built in support for a top level domain block or allow list. It would make this style of SPAM behaviour far less appealing.

TIP: Never click on links or buy products from unsolicited emails. There is a chance the website you end up at won't be legitimate and, even if it is, you're earning a SPAMMER commission which only makes the behaviour continue.

| SPAM Product | SPAM From Domain | SPAM Product Address | SPAMMER Address |
|---|---|---|---|
| Asianbride.info | certains.cam | 23638 W. Lyons Avenue #468 – Newhall, CA | 3737 Ashton Lane TX 78752 |
| DateHotAsian.com | magazws.click | 23638 W. Lyons Avenue #468 – Newhall, CA 91321 | 3737 Ashton Lane TX 78752 |
| Curious Finds | chalege.cam | 1968 S Coast Highway Suite 739 Laguna Beach, CA 92651 | 3737 Ashton Lane TX 78752 |
| Lull | capimnjaqtal.click | 3905 State Street Suite 7347 Santa Barbara, CA 93105 | 3737 Ashton Lane TX 78752 |
| Nutrisystem Inc | chonbhyuaioose.cam | 600 Office Center Drive Fort Washington, PA 19034 | 3737 Ashton Lane TX 78752 |
| LeafFilter | arrangeq.work | 1595 Georgetown Road, Hudson, OH 44236 | 4783 Hall Street Las Vegas NV 89119 |
| Caresole | economopapqmist.work | 11 Broadway, Suite 615, New York, NY 10004 | 3737 Ashton Lane TX 78752 |
| United States Insurance | truemiss.cam | 1901 Newport Blvd Ste 300B, Costa Mesa, CA 92627 | 3492 Medical Center Drive FL 34232 |
| Huusk Knives | ministra.cam | Donelaicio st. 60, Kaunas, Lithuania | 3737 Ashton Lane TX 78752 |
| Harry’s, Inc | immedinmhayuate.work | PO Box 566, New York, NY, 10014 | 4783 Hall Street Las Vegas NV 89119 |
| EternaLight | americswz.work | 73 Greentree Dr #60, Dover, DE 19904 | 3737 Ashton Lane TX 78752 |
| USCO Affiliate | architectwaz.work | 848 North Rainbow Blvd, #508, Las Vegas, Nevada 89107 | |
| Easy Canvas Prints | fricanwaz.work | 11525A Stonehollow Dr. Suite 100 Austin, TX 78758 | 3737 Ashton Lane TX 78752 |
| Better Butter Spreader | bsolutess.cam | 4122 Keaton Crossing Blvd, STE 104 O’Fallon MO 63368 | 3737 Ashton Lane TX 78752 |
| Nutrisystem | banbhaqwsket.cam | 600 Office Center Drive Fort Washington, PA 19034 | 4783 Hall Street Las Vegas NV 89119 |
| RB Audiobooks | medicinebnhsuiia.work | 270 Skipjack Rd. Prince Frederick, Maryland 20678-3410 | |
| HelloFresh | bbnhaqathroom.cam | 28 Liberty Street, New York, NY | 4783 Hall Street Las Vegas NV 89119 |
| GetSkinnyChocolate.com | alsdong.work | 875 Douglas Hill Rd. Litha Springs, GA 30122 | 4783 Hall Street Las Vegas NV 89119 |
| HavenLife Insurance | elemenmhuaqnt.cam | 60 Madison Ave., 7th floor New York, NY 10010 | 3492 Medical Center Drive FL 34232 |
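
As an added example (not from the original post, and not any mail provider's own tooling), here is one way to apply the two blocks described above on your own mail: a sender top level domain block list plus a match on the SPAMMER addresses from the table. The function names are hypothetical and the sample messages are constructed; only the depictwa.click sender, the three top level domains and the three SPAMMER addresses come from this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Top level domains this page names as sources of the affiliate SPAM.
BLOCKED_TLDS = {"cam", "click", "work"}
# SPAMMER mailing addresses listed in the table on this page.
SPAMMER_ADDRESSES = (
    "3737 Ashton Lane TX 78752",
    "4783 Hall Street Las Vegas NV 89119",
    "3492 Medical Center Drive FL 34232",
)

def squash(text):
    """Keep only lower-case letters and digits, so commas, line breaks
    and odd spacing in the footer do not defeat the address match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def sender_tld(msg):
    """Return the TLD of the From: address, or '' when there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].rstrip(".").lower()
    return domain.rpartition(".")[2] if "." in domain else ""

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def classify(raw_message):
    """Return the reasons a message matches; an empty list means no match."""
    msg = message_from_string(raw_message)
    reasons = []
    tld = sender_tld(msg)
    if tld in BLOCKED_TLDS:
        reasons.append(f"sender-tld:.{tld}")
    body = squash(body_text(msg))
    for address in SPAMMER_ADDRESSES:
        if squash(address) in body:
            reasons.append(f"spammer-address:{address}")
    return reasons

# Constructed sample messages (bodies and the example.* senders are made up).
SAMPLE_TLD = "From: Homelight Partner <homelight-partner@depictwa.click>\n\nClick here.\n"
SAMPLE_ADDR = "From: Deals <news@example.org>\n\nUnsubscribe: 4783 Hall Street,\nLas Vegas, NV 89119\n"
SAMPLE_CLEAN = "From: Club <committee@example.com>\n\nMeeting moved to Tuesday.\n"
```

The address match catches mail that arrives from a top level domain you have not blocked yet, which is the case the post describes when the SPAMMER moves to a new domain.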

Australian Communications and Media Authority
https://www.acma.gov.au/avoid-sending-spam

Categories
SCAM

SCAM: McAfee Internet Security renewal

You often get cold calls from SCAMMERS pretending to be from Amazon or Microsoft or another big brand indicating you’ve purchased something and you need to press 1 to connect to an agent if you want to query it. AKA, a robo SCAM call.
I haven’t had it come via an email in a very very long time.

Dear Customer,

Your trial version of McAfee internet security will expire today, and the
professional version will be auto activated on the same date. Your registered
card will be charged usd 280 automatically towards the activation of the
professional version as requested during installation.

In order to cancel the activation kindly call +61 0280747756
before today’s EOD to cancel/modify your subscription or your card will be
charged.

Thank you for choosing McAfee service from us.

Warm Regards,
Mcafee Internet Security Team

So instead of pressing 1 on the robocall, I need to call this number.
+61 0280747756 or +61 2 8074 7756 or 0280747756 or 02 8074 7756 or however you want to write it.

On calling the number we get connected to an overseas call centre where they generically answer:

“Thank you for calling customer support, you’re speaking with <a name>, how can I help you”

Note they don’t answer with a company name as they want you to tell them which SCAM you’re calling about. It could be McAfee, it could be Norton, it could be Amazon or Apple.
They will just flick to the correct script.

The outcome is still the same. They ask to start a remote session using AnyDesk, the current flavour of remote support product for this SCAM.

Bleeping Computer has a great writeup of this exact SCAM, only triggered by a site using browser notifications to trigger the user action.