A cunning scam targeting people selling online is going around on WhatsApp. The con is remarkable because it operates with professionally designed phishing pages and tailored chat messages. The criminals’ goal is to get the credit card details of the unsuspecting sellers on Gumtree, eBay and other marketplaces.

This OSINT analysis found a novel hosting infrastructure, many targeted brands, and strong ties to Russia.

The Breakdown of the Scam

I was selling a few things on Gumtree, and a potential buyer (or so I thought) approached me the other day. The enquiry came through WhatsApp, and as an experienced seller, it was suspicious that “Matilda” did not even try to haggle. Instead, she was keen on arranging the payment and shipping right away. I knew something was up when she asked if I would send the parcel with “Auspost secure trade”.

Matilda was not beating around the bush like a typical buyer on Gumtree.

Although I am a higher-than-average Australia Post enjoyer, I had never heard of this service, and a quick Google search did not help either. But, according to Matilda, “The courier will pack everything, don’t worry”. She continued: “Look, I pay through Auspost, you go to their website and get the money through them, then the courier calls you to get your address and a convenient time for courier to arrive during the week.” It sounded convenient.

The pretext of the Gumtree & Australia Post scam.

At this point, I knew it was a hoax and I decided to go along with it to find out more about the scheme. The link I was given took me to a professionally designed landing page showing the relevant details of my Gumtree ad, like the name of the product and the selling price.

The convincingly fake Australia Post 'Secure Trade' service page.

I was asked to hit the ‘Get Funds’ button to proceed with the transaction. The second webpage welcomed me with a friendly payment page asking me for my card details.

Why would Australia Post need my card details? It is a nice design, by the way.

At this point, I asked why I needed to add my card details “when funds are meant to be paid to me”. I suggested sending my PayPal address instead. Matilda assured me she had already paid for the goods and that the card details were “to confirm that this is your card and you are not a bot”. Does that make sense?

Anyway, I entered the details of a dummy Visa card, and the web page kept telling me that it was waiting for the bank. Interestingly, the page kept pinging the remote web server every second with a GET request, presumably to signal that I was still on the page.

My card details are being sent to the scammers.

The ‘Wait’ page ultimately crashes, but that does not matter: the rip-off is already complete, as the card details have been sent to the criminals.

The final step of the scam. By this time, the card details are already sent to the scammers.

I tried to get some help through the in-built chat from “Sophia”, but I never received any answer.

Sophia, if you ever read my message, please get back to me.

I was curious whether Matilda would get greedy if I offered to use a different card, and sure enough, she was keen. Unsurprisingly, she kept nagging me to enter the details and try again.

The scammers were keen to squeeze out as many card details as they could.

Matilda came up with some excuses to urge me with the second card. She said, “I was told by support that you need to change the card, because they cannot send money to you because you do not have such a function connected”. Clear as mud.

Matilda’s approach was actually the second attempt at this scam on me, as I had been approached a couple of weeks earlier by someone else. So, if you have any goods on Gumtree or Facebook Marketplace to sell, please always be mindful of which links your buyer wants you to click. Mine was hxxps://auspost[.]paymerz[.]online/6221306875462, which obviously does not belong to the genuine Australia Post.

The Analysis

Once I could not get any more information out of Matilda, I started to poke around a bit. What I found interesting was that 185.229.66.68, the IP address of auspost[.]paymerz[.]online, is located in the Russian Federation.

The DNS A record of the phishing page.

The IP address belongs to AEZA GROUP Ltd, a Russian web hosting company offering virtual machines to hire.

The IP address belongs to a VM at a Russian hosting provider.

An IP address search on urlscan.io reveals that this web server is hosting a large number of phishing pages targeting different brands, such as DPD.

The urlscan.io search results could reveal active scams abusing other brands.

A closer look at the screenshots reveals that the targeted brands include FedEx, Fastway Couriers, Emirates Post, eBay, Gumtree and OLX. As some of the pages are written in German and Romanian, the fraud is apparently targeting marketplace sellers worldwide.

Phishing pages targeting FedEx, Fastway, Emirates Post, eBay, Gumtree and OLX users. Other brands involved in this scam; the criminals also target non-English speakers.

Interestingly, I found that Matilda’s WhatsApp profile contains Cyrillic text for some reason. This indicates that the criminals have ties with Russia, but more about this in the next section. Please note that the phone number is probably spoofed, so it is not a reliable indicator on its own.

Russian text on Matilda's WhatsApp profile. The phone number is probably fake.

Pivoting on the Name Servers

The other thing I noticed is that the NS records of the phishing domain name (paymerz[.]online) are ns1[.]qhdns[.]net and ns2[.]qhdns[.]net. Both resolve to 45.142.122.61, which is also hosted at AEZA GROUP Ltd. So it turns out that the scammers are self-hosting the DNS servers that serve the records for their domain names.

This finding is good news because a simple passive DNS search at SecurityTrails for every domain name delegated to those name servers could reveal all related domain names, whereas pivoting on the web server IP alone would only show the domains currently resolving to it.

Domain names also served by the ns1[.]qhdns[.]net DNS server.

A bulk IP address lookup of these domain names revealed one additional IP address: 185.17.0.228. In addition, the WHOIS records of the domain names indicate that they were registered in (or from) Russia.

The domain names also indicate the Russian connection.
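To show how the name-server pivot above can be automated, here is an added example (not code from the original post) that takes a small, constructed passive-DNS export modelled on the indicators in this post, finds every registrable domain whose NS record points at qhdns[.]net, groups the hostnames under those domains by A-record IP, and pulls the impersonated brand out of the left-most label. It also carries a heuristic regex for the actor's pay??.online / delivery?.online naming convention, useful for flagging new registrations. The row data, the helper names and that regex are assumptions for illustration; a real run would load the export from SecurityTrails or urlscan.io instead of the inline list.

```python
"""Pivot a passive-DNS export on a self-hosted name server (added example)."""
import re
from collections import defaultdict

# Constructed sample rows (name, record type, value) mirroring the post's IOCs.
# A real export would contain thousands of rows; example.com is an unrelated
# control entry that must NOT be picked up by the pivot.
PDNS_ROWS = [
    ("paymerz.online", "NS", "ns1.qhdns.net"),
    ("paymerz.online", "NS", "ns2.qhdns.net"),
    ("auspost.paymerz.online", "A", "185.229.66.68"),
    ("payvk.online", "NS", "ns1.qhdns.net"),
    ("ebay.payvk.online", "A", "185.229.66.68"),
    ("auspost.payvk.online", "A", "185.229.66.68"),
    ("deliveryyc.online", "NS", "ns2.qhdns.net"),
    ("olx.deliveryyc.online", "A", "185.17.0.228"),
    ("vinted.deliveryyc.online", "A", "185.17.0.228"),
    ("ns1.qhdns.net", "A", "45.142.122.61"),
    ("ns2.qhdns.net", "A", "45.142.122.61"),
    ("example.com", "NS", "a.iana-servers.net"),
    ("example.com", "A", "93.184.216.34"),
]

# Heuristic (assumption): the actor's bare domains look like pay-a.online,
# paybg.online, deliveryyc.online, transferj.online. Not every IOC matches.
NAMING_PATTERN = re.compile(r"^(pay-?[a-z]{1,2}|delivery[a-z]{1,2}|transfer[a-z]{1,2})\.online$")


def refang(text: str) -> str:
    """Turn a defanged indicator (hxxps://a[.]b) back into a real URL/host."""
    text = re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def defang(url: str) -> str:
    """Inverse of refang(); only the host part gets its dots bracketed."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", url, flags=re.IGNORECASE)
    if not m:
        return url.replace(".", "[.]")
    scheme, host, rest = m.groups()
    return f"hxx{scheme.lower()[3:]}://{host.replace('.', '[.]')}{rest}"


def registrable_domain(fqdn: str) -> str:
    """Last two labels. Fine for this campaign (.online/.net/.su/.ru TLDs);
    use a public-suffix list for data that may contain co.uk-style suffixes."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def domains_on_nameserver(rows, ns_domain="qhdns.net"):
    """Registrable domains whose NS record points at the actor's own servers."""
    return {
        registrable_domain(name)
        for name, rtype, value in rows
        if rtype == "NS" and registrable_domain(value) == ns_domain
    }


def hosts_by_ip(rows, domains):
    """Map each A-record IP to the hostnames under the pivoted domains."""
    out = defaultdict(set)
    for name, rtype, value in rows:
        if rtype == "A" and registrable_domain(name) in domains:
            out[value].add(name.lower())
    return {ip: sorted(hosts) for ip, hosts in out.items()}


def impersonated_brands(hostnames):
    """Brand is the left-most label (auspost.paymerz.online -> auspost);
    bare registrable domains carry no brand and are skipped."""
    return {h.lower().split(".")[0] for h in hostnames if h.count(".") >= 2}


def matches_actor_pattern(hostname: str) -> bool:
    """Does the registrable domain follow the campaign's naming heuristic?"""
    return bool(NAMING_PATTERN.match(registrable_domain(hostname)))


if __name__ == "__main__":
    seed = refang("hxxps://auspost[.]paymerz[.]online/6221306875462")
    print("seed:", seed, "->", defang(seed))
    domains = domains_on_nameserver(PDNS_ROWS)
    clusters = hosts_by_ip(PDNS_ROWS, domains)
    for ip, hosts in sorted(clusters.items()):
        print(ip, ", ".join(hosts))
    print("brands:", sorted(impersonated_brands(h for hs in clusters.values() for h in hs)))
```

The name-server pivot is the step that does the real work: an IP pivot only returns domains currently resolving to 185.229.66.68, whereas the NS pivot returns every domain the actor delegated to qhdns[.]net, including ones parked on 185.17.0.228 or not yet in use. The naming regex is deliberately loose; treat a match as a hunting lead, not as proof.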

I am listing all of these findings in the IOCs section below.

Conclusion

Thanks to the uptick in online transactions and home deliveries since 2020, various online scams rely on classifieds as a pretext. In this scheme, the scammers pose as an enthusiastic buyer who is overly helpful with the payment and shipping process. The victim is lured onto a web page where the seller is meant to enter their credit card details for “verification purposes”. The hosting infrastructure of this particular scam was running in the Russian Federation at a small-time web hosting company. As the IOCs show, a large-scale operation merely requires a few virtual servers, a handful of domain names and some time on WhatsApp to milk the credit cards of unsuspecting victims.

IOCs

IP addresses:

185.17.0.228
185.229.66.68
45.142.122.61

Domain names:

alemtat.payng.online
auspost.payvk.online
auspost.paywu.online
auspost.safe-pay.online
cdek.paytz.online
check2.xyz
deal-3ds.online
deliverya.online
deliveryac.online
deliverye.online
deliveryg.online
deliveryhj.online
deliveryj.online
deliveryk.online
deliveryld.online
deliveryn.online
deliveryo.online
deliveryph.online
deliveryr.online
deliveryu.online
deliveryw.online
deliveryyc.online
deliveryyk.online
deliveryyt.online
deliveryz.online
deliveryzj.online
dhl.deliveryu.online
dostavka.paytz.online
dpd.deliverya.online
dpd.deliverye.online
dpd.payjt.online
dpd.przelew-srodki.store
ebay.payrg.online
ebay.payvk.online
ebay.payyt.online
ebay.payzo.online
econt.deliveryyc.online
emiratespost.payiy.online
emiratespost.payso.online
emiratespost.payyt.online
ems.payrh.online
fastway.pay-o.online
fastway.payti.online
fastway.payyt.online
fedex.deliveryq.online
fedex.pay-l.online
fedex.paygv.online
fedex.payho.online
fedex.payke.online
fedex.payoy.online
fedex.payub.online
fedex.payur.online
gpost.paycl.online
gpost.payrr.online
gpost.payyt.online
gpostonline-safe.su
gumtree.deliveryw.online
halykbonus.online
indriver.paycl.online
kaspi.paytz.online
kaspost.site
kazpost25.space
magic-mile.ru
mbway.payzg.online
mymarket.safe-pay.online
ns1.qhdns.net
ns2.qhdns.net
olx.deliveryyc.online
olx.pay-h.online
olx.pay-p.online
olx.paynb.online
onlinepay.store
orderq.online
pacj.online
pay-a.online
pay-i.online
pay-q.online
pay-u.online
pay-v.online
paybg.online
paybh.online
paybv.online
paycd.online
paycf.online
paycl.online
paydc.online
payeb.online
payep.online
payey.online
payfc.online
payfe.online
payfs.online
payfy.online
payga.online
paygc.online
paygg.online
paygi.online
paygj.online
paygp.online
paygr.online
payhn.online
payho.online
payht.online
payhw.online
payiy.online
payjb.online
payjo.online
payjv.online
payky.online
paykz.online
paylinqs.org
paylinqs.store
paylp.online
paylr.online
paymerz.online
paymf.online
paymr.online
paynb.online
paynt.online
paynv.online
payordery.online
payorderz.online
payp.online
payre.online
payrf.online
payrg.online
payro.online
payrr.online
payrt.online
payrv.online
paysf.online
paysk.online
paysr.online
paysu.online
payta.online
paytj.online
paytr.online
payty.online
paytz.online
payub.online
payuc.online
payui.online
payur.online
payvc.online
payvg.online
payvi.online
payvj.online
payvk.online
paywc.online
paywe.online
paywi.online
payxf.online
payyt.online
payzg.online
payzk.online
payzs.online
post.deliveryu.online
post.deliveryv.online
post.order23440.online
post.paybg.online
post.paygy.online
post.payji.online
post.pays.guru
post.paytb.online
post.paytz.online
postnord.pays.guru
rentcars.store
royalmail.payur.online
transferj.online
transferyp.online
trasfveryt.online
trust-orders.com
vinted.deliveryyc.online