A cunning scam targeting people who sell online is going around on WhatsApp. The con stands out because it operates with professionally designed phishing pages and tailored chat messages. The criminals' goal is to get the credit card details of unsuspecting sellers on Gumtree, eBay and other marketplaces.
This OSINT analysis found a novel hosting infrastructure, many targeted brands, and strong ties to Russia.
The Breakdown of the Scam
I was selling a few things on Gumtree, and a potential buyer (or so I thought) approached me the other day. The enquiry came through WhatsApp, and as an experienced seller, I found it suspicious that “Matilda” did not even try to haggle. Instead, she was keen on arranging the payment and shipping right away. I knew something was up when she asked if I would send the parcel with “Auspost secure trade”.
Although I am a higher-than-average Australia Post enjoyer, I had never heard of this service, and a quick Google search did not help either. But, according to Matilda, “The courier will pack everything, don’t worry”. She continued: “Look, I pay through Auspost, you go to their website and get the money through them, then the courier calls you to get your address and a convenient time for courier to arrive during the week.” It sounded convenient.
At this point, I knew it was a hoax and I decided to go along with it to find out more about the scheme. The link I was given took me to a professionally designed landing page showing the relevant details of my Gumtree ad, like the name of the product and the selling price.
I was asked to hit the ‘Get Funds’ button to proceed with the transaction. The second page was a friendly-looking payment form asking me for my card details.
At this point, I asked why I needed to enter my card details “when funds are meant to be paid to me”. I suggested sending my PayPal address instead. Matilda assured me she had already paid for the goods and that the card details were “to confirm that this is your card and you are not a bot”. Does that make sense?
Anyway, I entered the details of a dummy Visa card, and the web page kept telling me that it was waiting for the bank. Interestingly, the page kept pinging the remote webserver every second with a GET request, presumably to signal that I was still on the page.
The ‘Wait’ page ultimately crashes, but that does not matter: the rip-off is already complete, as the card details have been sent to the criminals.
I tried to get some help through the in-built chat from “Sophia”, but I never received any answer.
I was curious whether Matilda would get greedy if I offered to use a different card, and sure enough, she was keen. Unsurprisingly, she kept nagging me to enter the details and try again.
Matilda came up with some excuses to press me for the second card. She said, “I was told by support that you need to change the card, because they cannot send money to you because you do not have such a function connected”. Clear as mud.
Matilda's approach was actually the second attempt at this scam on me, because someone else had tried it a couple of weeks earlier. So, if you have any goods on Gumtree or Facebook Marketplace to sell, please always be mindful of which links your buyer wants you to click. Mine was hxxps://auspost[.]paymerz[.]online/6221306875462, which obviously does not belong to the genuine Australia Post.
Once I could not get any more information out of Matilda, I started to poke around a bit. What I found interesting was that 22.214.171.124, the IP address of auspost[.]paymerz[.]online, was based in the Russian Federation.
The IP address belongs to AEZA GROUP Ltd, a Russian web hosting company offering virtual machines for hire.
An IP address search on urlscan.io reveals that this webserver is hosting a large number of phishing pages targeting different brands, such as DPD.
A closer look at the screenshots reveals that the targeted brands include FedEx, Fastway Couriers, Emirates Post, eBay, Gumtree and OLX. As some of the pages are written in German and Romanian, the fraud apparently targets marketplace sellers worldwide.
Interestingly, I found that Matilda's WhatsApp profile contains Cyrillic text. This suggests that the criminals have ties to Russia, but more about this in the next section. Please note that the phone number is probably spoofed.
Pivoting on the Name Servers
The other thing I noticed is that the NS records of my phishing domain name (paymerz[.]online) point to ns1[.]qhdns[.]net and ns2[.]qhdns[.]net. The IP address of both is 126.96.36.199, and it is also hosted at AEZA GROUP Ltd. So it turns out that the scammers are self-hosting the DNS servers that serve the records of their own domain names.
This finding is good news because a simple passive DNS search at SecurityTrails for other domain names served by the same name servers could reveal all related domain names.
A bulk IP address lookup of these domain names revealed one additional IP address: 188.8.131.52. In addition, WHOIS lookups of the domain names indicate that they were registered in (or from) Russia.
I am listing all of these findings in the IOCs section below.
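The name-server pivot described above, written out as an added example (it is not the author's tooling). Starting from one phishing hostname, it finds the zone's NS hosts, resolves them, and then collects every other zone whose name servers resolve to the same address, plus the hostnames and hosting IPs under those zones. To keep it runnable offline, the lookups go against a small passive-DNS snapshot embedded in the script; replacing `lookup` with a live resolver or a SecurityTrails export turns it into the real thing. The zone and NS names come from the post's IOC list, but the A records (drawn from the RFC 5737 documentation range) and the NS-to-zone assignments are assumed for illustration.

```python
"""Name-server pivot over an embedded passive-DNS snapshot (added example)."""
from collections import defaultdict

# Constructed passive-DNS snapshot: (name, rtype) -> list of record values.
# Zone and NS names are from the post's IOC list; addresses and NS assignments
# are assumed for illustration (192.0.2.0/24 is the RFC 5737 documentation range).
PDNS = {
    ("paymerz.online", "NS"): ["ns1.qhdns.net", "ns2.qhdns.net"],
    ("ns1.qhdns.net", "A"): ["192.0.2.10"],
    ("ns2.qhdns.net", "A"): ["192.0.2.10"],
    ("auspost.paymerz.online", "A"): ["192.0.2.20"],
    ("payvk.online", "NS"): ["ns1.qhdns.net", "ns2.qhdns.net"],
    ("auspost.payvk.online", "A"): ["192.0.2.20"],
    ("ebay.payvk.online", "A"): ["192.0.2.20"],
    ("deliveryu.online", "NS"): ["ns2.qhdns.net"],
    ("dhl.deliveryu.online", "A"): ["192.0.2.30"],   # surfaces as an extra hosting IP
    # Unrelated zone on a different name server; the pivot must not pull it in.
    ("example.com", "NS"): ["a.iana-servers.net"],
    ("a.iana-servers.net", "A"): ["192.0.2.99"],
    ("www.example.com", "A"): ["192.0.2.98"],
}


def lookup(name, rtype):
    """Resolver stand-in: records of the given type for `name`, from the snapshot."""
    return PDNS.get((name, rtype), [])


def zone_of(name):
    """Registrable zone, taken as the last two labels. That holds for every
    *.online / *.net name used here; use a public-suffix list on real data."""
    return ".".join(name.split(".")[-2:])


def zones_on_ns_ips(ns_ips):
    """Zones whose NS hosts resolve to any of `ns_ips`. Matching on the IP
    rather than the NS hostname also catches zones that use differently named
    name servers running on the same box."""
    hits = set()
    for (name, rtype), values in PDNS.items():
        if rtype != "NS":
            continue
        if any(ip in ns_ips for ns in values for ip in lookup(ns, "A")):
            hits.add(name)
    return hits


def pivot(seed):
    """seed host -> NS hosts -> NS IPs -> sibling zones -> hostnames -> hosting IPs."""
    ns_hosts = set(lookup(zone_of(seed), "NS"))
    ns_ips = {ip for ns in ns_hosts for ip in lookup(ns, "A")}
    zones = zones_on_ns_ips(ns_ips)
    hosting = defaultdict(set)
    for (name, rtype) in PDNS:
        if rtype == "A" and zone_of(name) in zones:
            for ip in lookup(name, "A"):
                hosting[ip].add(name)
    return {
        "ns_hosts": sorted(ns_hosts),
        "ns_ips": sorted(ns_ips),
        "zones": sorted(zones),
        "hosting_ips": {ip: sorted(hosts) for ip, hosts in sorted(hosting.items())},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(pivot("auspost.paymerz.online"), indent=2))
```

Pivoting on the NS host's IP rather than its name is deliberate: a crew that self-hosts DNS can register a second throwaway NS name on the same box at any time, and a name-based search would miss it. The unrelated example.com zone in the snapshot is there to show that the pivot stays inside the shared infrastructure.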
Thanks to the uptick in online transactions and home deliveries since 2020, various online scams use classifieds as a pretext. In this scheme, the scammers pose as an enthusiastic buyer who is overly helpful with the payment and shipping process. The victim is lured onto a web page where sellers are meant to enter their credit card details for “verification purposes”. The hosting infrastructure of this particular scam was running in the Russian Federation, on the servers of a small-time web hosting company. As the IOCs show, a large-scale operation merely requires a few virtual servers, a handful of domain names and some time on WhatsApp to milk the credit cards of unsuspecting victims.
IOCs
IP addresses: 184.108.40.206 220.127.116.11 18.104.22.168
Domain names:
alemtat.payng.online auspost.payvk.online auspost.paywu.online auspost.safe-pay.online cdek.paytz.online check2.xyz deal-3ds.online deliverya.online deliveryac.online deliverye.online deliveryg.online deliveryhj.online deliveryj.online deliveryk.online deliveryld.online deliveryn.online deliveryo.online deliveryph.online deliveryr.online deliveryu.online deliveryw.online deliveryyc.online deliveryyk.online deliveryyt.online deliveryz.online deliveryzj.online dhl.deliveryu.online dostavka.paytz.online dpd.deliverya.online dpd.deliverye.online dpd.payjt.online dpd.przelew-srodki.store ebay.payrg.online ebay.payvk.online ebay.payyt.online ebay.payzo.online econt.deliveryyc.online emiratespost.payiy.online emiratespost.payso.online emiratespost.payyt.online ems.payrh.online fastway.pay-o.online fastway.payti.online fastway.payyt.online fedex.deliveryq.online fedex.pay-l.online fedex.paygv.online fedex.payho.online fedex.payke.online fedex.payoy.online fedex.payub.online fedex.payur.online gpost.paycl.online gpost.payrr.online gpost.payyt.online gpostonline-safe.su gumtree.deliveryw.online halykbonus.online indriver.paycl.online kaspi.paytz.online kaspost.site kazpost25.space magic-mile.ru mbway.payzg.online mymarket.safe-pay.online ns1.qhdns.net ns2.qhdns.net olx.deliveryyc.online olx.pay-h.online olx.pay-p.online olx.paynb.online onlinepay.store orderq.online pacj.online pay-a.online pay-i.online pay-q.online pay-u.online pay-v.online paybg.online paybh.online paybv.online paycd.online paycf.online paycl.online paydc.online payeb.online payep.online payey.online payfc.online payfe.online payfs.online payfy.online payga.online paygc.online paygg.online paygi.online paygj.online paygp.online paygr.online payhn.online payho.online payht.online payhw.online payiy.online payjb.online payjo.online payjv.online payky.online paykz.online paylinqs.org paylinqs.store paylp.online paylr.online paymerz.online paymf.online paymr.online paynb.online paynt.online paynv.online 
payordery.online payorderz.online payp.online payre.online payrf.online payrg.online payro.online payrr.online payrt.online payrv.online paysf.online paysk.online paysr.online paysu.online payta.online paytj.online paytr.online payty.online paytz.online payub.online payuc.online payui.online payur.online payvc.online payvg.online payvi.online payvj.online payvk.online paywc.online paywe.online paywi.online payxf.online payyt.online payzg.online payzk.online payzs.online post.deliveryu.online post.deliveryv.online post.order23440.online post.paybg.online post.paygy.online post.payji.online post.pays.guru post.paytb.online post.paytz.online postnord.pays.guru rentcars.store royalmail.payur.online transferj.online transferyp.online trasfveryt.online trust-orders.com vinted.deliveryyc.online
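A way to put the IOC list above to work, added here as an example (it is not the author's tooling). A defanged URL from a report or chat is refanged, its hostname is extracted, and the host is checked against the IOC set twice: for an exact match, and by registrable zone, so that a subdomain the scammers spin up later under a listed zone (say dhl.paymerz.online) is still flagged. A second function groups the lure hostnames by the brand label they carry, which is how the targeted brands were read off the list. The IOC subset embedded below is copied from the list above; the sample URLs are constructed for the demonstration, except the first, which is the link from the post.

```python
"""IOC matching and brand summary for the scam's domain list (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the post's IOC list (copied verbatim from the list above).
IOC_DOMAINS = """
paymerz.online auspost.payvk.online auspost.paywu.online ebay.payvk.online
dpd.przelew-srodki.store fedex.paygv.online gumtree.deliveryw.online
olx.pay-h.online royalmail.payur.online deliveryu.online dhl.deliveryu.online
trust-orders.com paylinqs.org ns1.qhdns.net ns2.qhdns.net
""".split()
INFRA = {"ns1.qhdns.net", "ns2.qhdns.net"}   # name servers, not brand lures


def refang(text):
    """Undo the usual defanging: hxxp(s) -> http(s); [.] (.) {.} -> ."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def host_of(url):
    """Lowercased hostname of a URL, defanged or not, with or without a scheme."""
    url = refang(url.strip())
    if "://" not in url:
        url = "//" + url          # lets urlsplit treat the first label as the netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def apex(host):
    """Registrable zone, assumed to be the last two labels; true for every IOC
    here. Swap in a public-suffix list before scanning arbitrary traffic, or a
    suffix like 'com.au' would be treated as a zone."""
    return ".".join(host.split(".")[-2:])


IOC_SET = set(IOC_DOMAINS)
IOC_APEX = {apex(d) for d in IOC_SET}


def match_ioc(url):
    """(host, reason) if the host is a listed IOC or sits under a listed zone, else None."""
    host = host_of(url)
    if host in IOC_SET:
        return host, "exact"
    if apex(host) in IOC_APEX:
        return host, "subdomain of " + apex(host)
    return None


def scan(urls):
    """Run match_ioc over a batch of URLs, e.g. the URL column of a proxy log."""
    return [(u, match_ioc(u)) for u in urls]


def targeted_brands(iocs):
    """Group lure hostnames by the brand label prepended to the throwaway zone."""
    by_brand = defaultdict(list)
    for d in sorted(iocs):
        labels = d.split(".")
        if d not in INFRA and len(labels) > 2:
            by_brand[labels[0]].append(d)
    return dict(by_brand)


# Constructed sample: the first URL is the link from the post, the rest are made up.
SAMPLE_URLS = [
    "hxxps://auspost[.]paymerz[.]online/6221306875462",
    "https://dhl.paymerz.online/checkout",      # new subdomain of a listed zone
    "https://www.auspost.com.au/track",         # legitimate, must not match
    "ebay.payvk.online",                        # bare hostname, exact IOC
]

if __name__ == "__main__":
    for url, hit in scan(SAMPLE_URLS):
        print(f"{'HIT' if hit else 'ok '} {url} {hit[1] if hit else ''}")
    for brand, hosts in targeted_brands(IOC_SET).items():
        print(brand, hosts)
```

Note that auspost.paymerz.online itself is not in the list above, only its zone paymerz.online is; matching by zone is what makes the list useful against the next lure the crew registers. The apex heuristic is the weak spot: on real traffic, use a public-suffix list so that a listed host under a multi-label suffix cannot turn into a wildcard.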