Have you ever seen those spam messages claiming they have a great job for you as a mystery shopper? After seizing a customer’s check (and then shredding it), a local bank allowed us to verify the scam! In this scam, a company claiming to be “Private Mart Auditors” claims to have been hired by WalMart to try to identify stores that are violating their policies by refusing to sell gift cards! The project claims to actually be a partnership with the gift card companies themselves and the major retailers that sell them.
Criminals know that many companies have trained their staff so that if someone comes in and says, “I’d like to buy $2,000 worth of gift cards!” they should ask in-depth questions to try to prevent someone from getting scammed. Some businesses even have large signs on their cash registers, check cashing terminals and gift card sales displays warning of scammers. When we reviewed our mystery shopper instructions, we were told to validate our check by visiting their website ==> verifycheckatmet(.)org or verifycheckatbictoin(.)org. (The instructions actually provide both URLs.)
What we learned from the website was that Wal-Mart’s audit team had hired our new employer to conduct an audit. We were selected because some stores in our area were discouraging people from purchasing gift cards, despite the “Federal Reserve’s Global Campaign on Mobile Payment Security” requiring stores to encourage gift card purchases!
We wanted to proceed with caution, so we validated each of the facts in our instructions exactly as they asked. A few red flags arose, but these were easily explained by our new supervisor, Paul Newton. Paul sends and receives text messages from 574-777-6314 and uses the Gmail account paulnewt005@gmail.com.
First question: Why was this package, which claims to be from GNT Solutions at 5201 Thurman Way in Sacramento, California, mailed via the United States Postal Service from the Orlando, Florida area?
Second question: If they are in Sacramento OR Orlando, why is the routing number on their check used exclusively for TD Bank branches in Maine?
Luckily, we had an easy way to validate that OUR check was legitimate. If we clicked on the “Verify Check” button on the website, we could enter our name and check number. If it was a valid check issued by the company, the company would ask us to make the deposit. If it was NOT a valid check, they would tell us so and tell us what to do next. So we carefully entered our information:
And… we were lucky! The check was totally valid!
According to our instructions, here is what we needed to do next:
1. Cash a check or deposit it into your bank, then immediately text your supervisor via 574-777-6314 to receive further instructions.
2. Deduct $350 from your salary while you withdraw $2,000 for your assignment.
3. Locate 2 Wal-Mart stores near you.
4. Visit the first store and purchase 3 Wal-Mart gift cards worth $400 each.
5. After purchasing all 3 cards, successfully scratch each card to reveal its code, take CLEAR photos and send them to your supervisor at 574-777-6314.
6. Go to the second Wal-Mart store to purchase 2 cards worth $400 each, scratch off each and take photos which will be sent to your supervisor.
7. With the help of your supervisor, answer the questions on the WAL-CARD AUDITORIA EVALUATION FORM, then take a photo and email it to the designated rating staff at paulnewt005@gmail.com
8. Keep the cards safe as they will be used for your second assignment provided you achieve a passing grade, otherwise you will mail them back to an address that will be provided by your supervisor.
9. We encourage you to give back to society. As soon as the result is emailed, you need to purchase a cashier’s check worth $30 from your bank in the name of KIDNEY FOUNDATION. After purchase, text your supervisor for further instructions on the purchased cashier’s check.
If we pass our “grade,” we may be able to become a permanent contract employee, where we would earn $450 per assignment and complete 3-4 assignments each week! If we succeed, we could become an employee of the “WAL-CARD-AUDITORIA CONTRACT”! We would then earn $600 per mission and could do MORE than four missions per week!
Now, if you’re unemployed due to Covid and someone gives you a clear path to making $150,000 a year, might you be tempted? Along with our check, here are the instructions and PMA assessment form that were also in our Priority Mail package from the U.S. Postal Service.
Of course, we wanted to look into this website too! We used the Zetalytics Zonecruncher tool to check this. The domain name was registered with the Registrar of the Public Domain, which was not shocking. The latest APWG report showed that with the exception of cybercriminals’ FAVORITE registrar NameCheap, PDR has recently been the second most common registrar for BEC attacks, and this scam is certainly related, as we’ll see.
It is hosted at 67.220.184.146 and its nameservers, ns5.doveserver.com and ns6.doveserver.com are also located at 67.220.184.146 and .147.
[Figure: ZoneCruncher data]
One of my favorite things about ZoneCruncher’s data is that it shows the “Start of Authority” record. In this case, it tells us that the reseller this IP address space is assigned to is “csf@smartweb.com.ng”.
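An added example (not from the original post or from ZoneCruncher) of reading that SOA field: the contact is stored as a domain name whose first unescaped dot stands for the "@", so csf@smartweb.com.ng appears in the record as csf.smartweb.com.ng. The function names and the `.example` zone lines are constructed for illustration; only the contact and the doveserver.com nameserver come from the post.

```python
from collections import defaultdict

def rname_to_email(rname):
    """Turn an SOA RNAME such as 'csf.smartweb.com.ng.' into a mailbox.

    The first unescaped dot separates local part from domain; a
    backslash-escaped dot stays inside the local part (RFC 1035).
    """
    name = rname[:-1] if rname.endswith(".") else rname
    local, i = [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            local.append(name[i + 1])   # escaped character, keep it literally
            i += 2
        elif name[i] == ".":
            return "".join(local) + "@" + name[i + 1:].lower()
        else:
            local.append(name[i])
            i += 1
    raise ValueError("RNAME has no domain part: %r" % rname)

def cluster_by_soa_contact(zone_lines):
    """Group owner names by the responsible-person mailbox in their SOA."""
    clusters = defaultdict(set)
    for line in zone_lines.splitlines():
        fields = line.split()
        if "SOA" not in fields:
            continue
        pos = fields.index("SOA")
        if len(fields) < pos + 3:       # truncated record, nothing to read
            continue
        owner = fields[0].rstrip(".").lower()
        clusters[rname_to_email(fields[pos + 2])].add(owner)
    return {email: sorted(names) for email, names in clusters.items()}

# Constructed sample records on placeholder .example domains.
SAMPLE = r"""
courier-one.example. 3600 IN SOA ns5.doveserver.com. csf.smartweb.com.ng. 2020101501 3600 7200 1209600 86400
check-verify.example. 3600 IN SOA ns5.doveserver.com. csf.smartweb.com.ng. 2020101502 3600 7200 1209600 86400
bakery.example. 3600 IN SOA ns1.hosting.example. john\.doe.hosting.example. 2020090101 3600 7200 1209600 86400
"""

if __name__ == "__main__":
    for email, names in cluster_by_soa_contact(SAMPLE).items():
        print(email, names)
```

Domains that share one SOA contact are candidates for the same operator or reseller, which is a lead to confirm with hosting and content evidence rather than proof on its own.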
One of the most common scams in West Africa, apart from sending counterfeit checks, involves various “delivery” scams. These began with the first Nigerian prince scams, but more frequently today involve a valuable package (a box of diamonds, for example) that a soldier finds abroad and wants to ship to you so that you can sell it and share the profits. Other times it’s a “pet delivery” scam, where you plan to have a pet shipped to you and the pet gets caught in shipping. As expected, we got a lot on this IP address.
One thing all of these sites have in common is the “TRACK YOUR PACKAGE” option. This is where scammers associate pre-assigned tracking numbers with various conditions that require your payment to release a shipment. Pets may be “in customs quarantine” or valuables may be “pending customs inspection.” Your scammer will send the website address with a tracking number so you can look for “proof” of the situation.
- https://regalcourierservice(.)com/track/
- http://cargoexpedite(.)com/tracking.php
- https://submarinecourierservice(.)com/track-your-shipment.php
- https://www.safecargoeslogistics(.)com/?page_id=3731
You can often find many websites with identical content but a different company name. That is also a red flag. For example:
http://ftcouriercompany(.)com/about.html (hosted on “our” IP address)
http://logitrex(.)net/about.html (hosted on 104.194.9.169), which leads to a whole new group of nastiness:
==> https://wpsdelivery(.)com/
==> https://nexaglobalexp(.)com/tracking.html
==> https://aimsair-ways(.)com/
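The "identical content, different company name" red flag can be checked mechanically once the page text has been saved. This added example (not from the original post) compares two pages by word shingles, before and after masking the company name; the function names, brand names and page text are all constructed for illustration.

```python
import re

def shingles(text, brands=(), k=3):
    """Return the set of k-word shingles, with known brand names masked."""
    lowered = text.lower()
    for brand in brands:
        # Replace each company name with one neutral token so that a
        # renamed template produces the same shingles as the original.
        lowered = re.sub(re.escape(brand.lower()), " brandname ", lowered)
    words = re.findall(r"[a-z0-9]+", lowered)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(text_a, text_b, brands=(), k=3):
    """Jaccard similarity of the two pages' shingle sets (0.0 to 1.0)."""
    a, b = shingles(text_a, brands, k), shingles(text_b, brands, k)
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)

# Constructed "about" page text; PAGE_B is the same template re-branded.
PAGE_A = (
    "Acme Freight is a global logistics company delivering parcels, pets "
    "and valuables to over 200 countries. Acme Freight guarantees safe "
    "delivery and real-time tracking of every shipment. Contact Acme "
    "Freight today for a quote."
)
PAGE_B = PAGE_A.replace("Acme Freight", "Zenith Cargo")
PAGE_C = (
    "Our family bakery has served fresh bread and pastries to the "
    "neighbourhood since 1985. Visit us for daily specials and seasonal cakes."
)
BRANDS = ("Acme Freight", "Zenith Cargo")

if __name__ == "__main__":
    print("raw     A/B:", round(similarity(PAGE_A, PAGE_B), 3))
    print("masked  A/B:", round(similarity(PAGE_A, PAGE_B, BRANDS), 3))
    print("masked  A/C:", round(similarity(PAGE_A, PAGE_C, BRANDS), 3))
```

On short pages the repeated company name alone drags the raw score down to roughly one half, which is why the name is masked before comparing.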