Mystery Shoppers Challenge Gift Card Warnings
Have you ever seen those spam messages claiming they have a great job for you as a Mystery Shopper? After seizing a check from a client (and then shredding it) a local bank let us check out the scam! In this scam, a company claiming to be “Private Mart Auditors” says they have been contracted by WalMart to try to identify stores that are violating their policies by refusing to sell Gift Cards! The project claims to actually be a partnership with the gift card companies themselves and the major retailers who sell them.
The criminals know that many companies have trained their personnel that if someone comes in and says “I’d like to buy $2,000 worth of Gift Cards!” they should ask probing questions to try to save someone from being scammed. Some companies even have big signs on their registers, check-cashing terminals and gift card sales racks warning about scammers. When we reviewed our Mystery Shopper instructions, we were told to validate our check by visiting their website ==> verifycheckatmet[.]org or verifycheckatbictoin[.]org. (The instructions actually provide both URLs.)
First question — why was this package, which claims to be from GNT Solutions at 5201 Thurman Way in Sacramento, California, being mailed through the US Postal Service from the Orlando, Florida area?
If we pass our “grade” we might be able to become a Permanent Contract employee, where we would earn $450 per assignment and do 3-4 assignments each week! If we do well with that, we might become a “WAL-CARD-AUDITORIA CONTRACT” employee! Then we would earn $600 per assignment and could do MORE than four assignments a week!
Of course we also wanted to look into that website! We used the Zetalytics Zonecruncher tool to check it out. The domain name was registered at Public Domain Registrar, which wasn’t shocking. The last APWG report showed that with the exception of cyber criminal’s FAVORITE Registrar NameCheap, PDR has recently been the second most common Registrar for BEC attacks, and this scam is definitely related, as we’ll see.
|APWG 4th Quarter 2020 Report|
It is hosted at 126.96.36.199, and its nameservers, ns5.doveserver.com and ns6.doveserver.com are also located on 188.8.131.52 and .147.
One of my favorite things about ZoneCruncher’s data is that it shows the “Start of Authority” record. In this case it is telling us that the reseller to which this IP address space is assigned is “[email protected]”
One of the most common West African scams, besides the shipping of counterfeit checks, is various “delivery” scams. These started with the earliest Nigerian Prince scams, but more frequently today involve a package of value (a box of diamonds, for example) that a soldier finds overseas and wants to ship to you to sell and split the profits. Other times it is a “pet delivery” scam, where you anticipate having a pet shipped to you and the pet gets caught up in shipping. As anticipated, we had plenty of these on this IP address.
But then we hit a gold mine! The complete Soldier Romance Scam Support site! (but that’s the next blog post …)
*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2021/02/mystery-shoppers-challenge-gift-card.html