The BBB warns of a rising ghost-tap scam exploiting tap-to-pay cards and mobile wallets. How attackers use NFC proximity tricks.
The post Ghost-Tap Scam Makes Payments Scarier appeared first on Security Boulevard.
Indian authorities recovered Rs. 14 lakh (approximately $16,500) along with 52 laptops containing incriminating digital evidence when they arrested Vikas Kumar Nimar, a key cybercrime kingpin and fugitive who had evaded capture for two months while continuing to operate an illegal call center defrauding American citizens.
The arrest by India's Central Bureau of Investigation (CBI) marks the latest disruption in Operation Chakra, a coordinated international crackdown targeting transnational tech support scam networks that have stolen more than $40 million from victims in the United States, United Kingdom, Australia, and European Union countries.
The CBI registered the case against Nimar on September 24, 2024, conducting extensive searches at multiple locations in September that dismantled four illegal call centers operated by the accused in Pune, Hyderabad, and Visakhapatnam. Nimar, who was instrumental in establishing and operating the illegal call center VC Informetrix Pvt. Ltd at Pune and Visakhapatnam, went into hiding following the initial raids.
The CBI obtained an arrest warrant from the Chief Judicial Magistrate Court in Pune and tracked Nimar to his residential premises in Lucknow. Searches conducted during the November 20, 2025, arrest led to recovery of cash, mobile phones, and incriminating documents pertaining to the crimes.
During search operations, investigators discovered Nimar had established another illegal call center in Lucknow continuing to target US nationals despite being a fugitive. The CBI immediately dismantled this fifth operation, seizing 52 laptops containing digital evidence used in the cybercrime network's operations.
The agency said investigations continue with efforts to identify additional accomplices and trace stolen funds through cryptocurrency channels.
[caption id="attachment_107086" align="aligncenter" width="350"] Source: CBI on X platform[/caption]
The cybercrime networks dismantled through Operation Chakra employ social engineering tactics to defraud victims. Criminals contact targets claiming their bank accounts have been compromised, exploiting fear of financial loss to manipulate victims into taking immediate action.
Under the guise of providing technical assistance, fraudsters gain remote access to victims' computers and convince them to transfer money into cryptocurrency wallets they control. The operations targeted US nationals from 2023 to 2025, with one network alone defrauding American citizens of more than $40 million through these tactics.
The illegal call centers operate under legitimate-sounding company names to establish credibility. Previous raids uncovered operations running as "M/s Digipaks The Future of Digital" in Amritsar, "FirstIdea" in Delhi's Special Economic Zone, and VC Informetrix Pvt. Ltd in Pune and Visakhapatnam.
Operation Chakra represents extensive collaboration between Indian authorities and international law enforcement agencies. The CBI works closely with INTERPOL, the US Federal Bureau of Investigation, the UK's National Crime Agency, Homeland Security Investigations, and private sector partners including Microsoft Corporation.
Intelligence sharing from US authorities triggered the earlier investigation that led to raids uncovering the large-scale illegal call center in Amritsar. That operation intercepted 34 individuals engaged in active fraud, seizing 85 hard drives, 16 laptops, and 44 mobile phones loaded with incriminating digital evidence.
Operation Chakra-III's September raids last year across Mumbai, Kolkata, Pune, Hyderabad, Ahmedabad, and Visakhapatnam resulted in 26 arrests and seizure of 57 gold bars, Rs. 60 lakh in cash, 951 electronic devices, and three luxury vehicles. The coordinated strikes targeted call centers where over 170 individuals engaged in various forms of online fraud primarily targeting US citizens.
The networks rely heavily on cryptocurrency to launder stolen funds, presenting challenges for traditional financial crime investigations. Virtual asset transactions allow criminals to quickly move funds across borders with perceived anonymity, complicating recovery efforts.
One investigation revealed that key suspect Vishnu Rathi's group had scammed a US citizen into transferring nearly half a million dollars into cryptocurrency wallets under the guise of tech support services. The victim, led to believe her bank account was compromised, unknowingly handed control to criminals who manipulated her into making the large transfer.
The CBI coordinates with INTERPOL and foreign law enforcement bodies to follow money trails through virtual asset transactions, working to dismantle associated laundering networks alongside the operational infrastructure.
The CBI reiterated its commitment to rapidly identifying and taking action against organized technology-enabled crime networks. Authorities arrested individuals face charges under India's Information Technology Act of 2000 and the BNSS Act of 2023.
Previous Operation Chakra actions included the August arrest of a fugitive kingpin at Delhi's international airport while attempting to flee to Kathmandu, Nepal. Immigration officers intercepted the suspect based on CBI intelligence, preventing escape through a route previously exploited by wanted fugitives.
The multi-phase operation demonstrates India's strengthening cybersecurity posture through real-time intelligence sharing with global counterparts, moving beyond domestic law enforcement to tackle cybercriminals exploiting technological vulnerabilities across borders.
Four U.S. citizens and a Ukrainian national pleaded guilty to their roles in a North Korean IT worker scam that victimized more than 135 U.S. companies and netted more than $2.2 million for the DPRK regime and is military and weapons programs.
The post 4 U.S. Citizens, Ukrainian Plead Guilty in N. Korea IT Worker Scheme appeared first on Security Boulevard.
A Phishing-as-a-Service (PhaaS) platform based in China, known as “Lighthouse,” is the subject of a new Google lawsuit.
Lighthouse enables smishing (SMS phishing) campaigns, and if you’re in the US there is a good chance you’ve seen their texts about a small amount you supposedly owe in toll fees. Here’s an example of a toll-fee scam text:
Google’s lawsuit brings claims against the Lighthouse platform under federal racketeering and fraud statutes, including the Racketeer Influenced and Corrupt Organizations Act (RICO), the Lanham Act, and the Computer Fraud and Abuse Act.
The texts lure targets to websites that impersonate toll authorities or other trusted organizations. The goal is to steal personal information and credit card numbers for use in further financial fraud.
As we reported in October 2025, Project Red Hook launched to combine the power of the US Homeland Security Investigations (HSI), law enforcement partners, and businesses to raise awareness of how Chinese organized crime groups use gift cards to launder money.
These toll, postage, and refund scams might look different on the surface, but they all feed the same machine, each one crafted to look like an urgent government or service message demanding a small fee. Together, they form an industrialized text-scam ecosystem that’s earned Chinese crime groups more than $1 billion in just three years.
Google says Lighthouse alone affected more than 1 million victims across 120 countries. A September report by Netcraft discussed two phishing campaigns believed to be associated with Lighthouse and “Lucid,” a very similar PhaaS platform. Since identifying these campaigns, Netcraft has detected more than 17,500 phishing domains targeting 316 brands from 74 countries.
As grounds for the lawsuit, Google says it found at least 107 phishing website templates that feature its own branding to boost credibility. But a lawsuit can only go so far, and Google says robust public policy is needed to address the broader threat of scams:
“We are collaborating with policymakers and are today announcing our endorsement of key bipartisan bills in the U.S. Congress.”
Will lawsuits, disruptions, and even bills make toll-fee scams go away? Not very likely. The only thing that will really help is if their source of income dries up because people stop falling for smishing. Education is the biggest lever.
There are some tell-tale signs in these scams to look for:
Recognizing scams is the most important part of protecting yourself, so always consider these golden rules:
If you have engaged with the scammers’ website:
Pro tip: You can upload suspicious messages of any kind to Malwarebytes Scam Guard. It will tell you whether it’s likely to be a scam and advise you what to do.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Source: NCSC[/caption]
Victims were directed to a fake website that closely mirrored the legitimate Canton of Zurich portal. After providing personal details such as their address, IBAN, date of birth, and telephone number, users were shown a confirmation page and then redirected to the real website — reinforcing the illusion of authenticity.
[caption id="attachment_106721" align="aligncenter" width="1000"] Source: NCSC[/caption]
[caption id="attachment_106722" align="aligncenter" width="1000"] Source: NCSC[/caption]
Although the stolen data might not seem highly sensitive, authorities warn that it can be misused in follow-up scams. For instance, fraudsters may later call victims pretending to be bank representatives, using the collected personal details to sound credible and gain further access.
Source: NCSC[/caption]
Such campaigns highlight the shift from random spam emails to targeted phishing, where scammers invest more effort in psychological manipulation and social engineering.
Source: Department of the Treasury’s Office of Foreign Assets Control (OFAC)[/caption]
|
| USAO Central California |
The headline last month was that Shengsheng He, a 39 year old Chinese native living in La Puente California (described as being a resident of Los Angeles and Mexico City) had been sentenced to 51 months in prison and ordered to pay restitution in the amount of $26,867,242. The press release quotes Matthew Geleotti from the Attorney General's office:
"The defendant was part of a group of co-conspirators that preyed on American investors by promising them high returns on supposed digital asset investments when, in fact, they stole nearly $37 million from U.S. victims using Cambodian scam centers. Foreign scam centers, purporting to offer investments in digital assets have, unfortunately, proliferated."
When talking about Crypto Investment Scams, they certainly have "proliferated." They are currently the number one form of cybercrime financial losses in America, for the third year in a row, according to the FBI's IC3.gov. When we refer to these "Pig Butchering" scams as Crypto Investment Scams, it is easy to forget that many "crypto" scams still rely on the tried and true method of wire transfers to shell companies. When we first started exploring Romance Scams and their link to Business Email Compromise, the mostly Nigerian scammers referred to these as "Wire-wire jobs." A wire goes from the victim to a shell company, and a second wire goes from the shell company to the ultimate beneficiary of the crime. While West African Organized Crime continues unabated, Chinese Organized Crime has taken the top spot and is learning that many of the methods of their West African predecessors are still quite useful.
 |
| (figures from the ic3.gov 2024 report) |
Zhang's communications revealed "extensive coordination to facilitate the international money laundering, including chats discussing the commission structure for the network, various shell companies used, victim information, and at least one video from a co-conspirator calling a U.S. financial institution."
Daren Li is described as being "the leader of the syndicate." Daren used his Telegram id (@KG71777) to communicate with the Cambodia-based members of the conspiracy. (Daren's email was: darren1575687@gmail.com). In court documents, the primary USDT address of the conspiracy is referred to as "the TRteo" address (for the first five characters of the address.) While TRteo is not an uncommon prefix, there are certainly very few such addresses that have received in excess of $39 Million in deposits, much less the higher number mentioned in the press release of $341 Million! In fact, there is only one.
|
| BlockSec QQ Post |
Because Daren Li is described as being in control of this USDT wallet, it is generally considered that he was the leader of this entire enterprise. In July 2022, a meeting was held in Phnom Penh of the top leadership. Daren Li, JingLiang Su, Shengsheng He, and Jose Somarriba were all present. Daren Li also controlled a Binance account that received at least $4.5 Million in USDT that originated from "Bahamas Account #2." He was also the source of funds to create that "Bahamas Account #2 at Deltec Bank by transferring $999,383 in USDT.
|
| (extract from loss amounts for 174 victims) |
The post Crypto-less Crypto Investment Scams: A California Case appeared first on Security Boulevard.
Last week on Malwarebytes Labs:
Stay safe!
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Think of your digital footprint as your online shadow—the trail you leave behind whenever you browse, post, shop, or even appear in someone’s contact list. It’s your likes, reviews, comments, and all the little traces you didn’t mean to share. Together, they paint a picture of you—one that friends, employers, and yes, scammers can see.
Your active footprint is everything you choose to share online. Every photo, product review, or status update you post adds another brushstroke to your online portrait. Over time, those choices form a public story about who you are—your interests, values, and connections. That story shapes how people, employers, and even algorithms see you.
Your passive footprint is the quieter one—the data you leave behind without meaning to. Every website you visit, every cookie that tracks your clicks, every photo that quietly tags its GPS location adds to it. These fragments often work in the background, invisible but persistent, quietly mapping your habits, preferences, and even your movements.
Your personal data is scattered in more places than you’d expect. Social networks like Facebook, LinkedIn, and TikTok hold snapshots of your life and relationships. Government databases, company websites, and news mentions might hold your name or location. Forums, review sites, and shopping accounts keep their own records. And data brokers collect and sell huge bundles of personal details, sometimes packaging them into lists anyone can buy. Even if you’ve never shared something directly, chances are it’s already out there.
Alone, small details don’t seem like much—a nickname here, a photo there—but stitched together they can reveal a lot. Your job title, home city, favorite restaurant, even your pet’s name (a popular security question!) can help someone impersonate or target you. Combine that with info leaked in data breaches, and attackers can build an eerily complete version of you—ready-made for scams or identity theft.
To stay safe, it helps to see the world the way a scammer does: your online details are puzzle pieces, and they’re putting the picture together.
Scraping
Attackers use automated tools to pull information from public pages across the internet. That can include your bio, job history, or photos from social media, or your name and email address from company websites and online forums. All technically “public,” but when combined, they create a full dossier of your online life.
Breaches
When companies get hacked or fail to secure their databases, your data can spill into the open. Big names like Equifax, LinkedIn, and Yahoo have all been hit. Leaks like these often contain names, addresses, phone numbers, and passwords—and once data hits the dark web, it can circulate for years. That’s why old breaches can still come back to haunt you.
Brokers
Data brokers legally collect information from public records and commercial sources, then sell detailed profiles for advertising and risk scoring. On the dark web, things get murkier: stolen logins, payment info, and even full identity kits (“fullz”) are traded by criminals. You’ll never meet these markets—but your data might end up there anyway.
Social engineering is where information meets manipulation. Attackers blend the details they find—your social posts, work info, or breached credentials—to make scams feel real. They might impersonate your boss, your bank, or even you. These scams work because they sound familiar, borrowing the tone and timing of real interactions.
Here are just a few examples of how personal content shared online—even casually or lovingly—can be reused in ways you’d never imagine.
When a mother in the US received a call from her daughter saying she’d been in a car accident and needed bail money, she didn’t hesitate to help. The voice on the other end sounded exactly like her, but it wasn’t. It was an AI-generated clone.
Scammers don’t need much to pull this off—just a few seconds of clear speech. That could come from a TikTok clip, a podcast snippet, a YouTube video, or even a Facebook post where your child’s voice can be heard in the background. Once they have that audio, AI tools can replicate tone, emotion, and phrasing so accurately that even family members struggle to tell the difference.
You don’t need to tag your location for someone to find you. A recent Malwarebytes investigation showed how AI can now identify where a photo was taken just from the background—down to the street, storefront, or skyline. That means every sunny brunch pic or family snapshot on Facebook could quietly reveal where you live, work, or spend time.
Attackers can use this information to craft more convincing local scams—pretending to be from nearby businesses, schools, or community groups to earn your trust. It’s a sharp reminder that even innocent photos can expose more than you intend.
Earlier this year, Californians were hit with a wave of fake tax refund texts and emails. The messages looked convincing—complete with government logos, correct refund amounts, and links to realistic-looking sites. But the senders weren’t tax officials. They were scammers who had pieced together public and leaked data to make their messages sound real.
That data can come from anywhere—a tagged post that shows you live in California, a LinkedIn page that lists your workplace, or a data broker that sells demographic info. When combined, these fragments let criminals target specific regions or groups, making their scams feel personal and timely.
S – Share less, on your terms
Tighten privacy settings on your social accounts so only people you trust can see your posts. Avoid oversharing—travel plans, birthdays, and addresses are gold for scammers. And skip those “fun” quizzes and surveys; they’re often data collection traps in disguise.
A – Arm your logins
Use a password manager to create strong, unique passwords for every account. Turn on multi-factor authentication (MFA) wherever possible. Avoid using personal details—pets, schools, hobbies—in passwords or security questions.
F – Find your exposure
Set up Google Alerts for your name and nicknames to see when new information about you pops up. Run a free scan with Malwarebytes Digital Footprint Portal to find out if your email appears in data breaches, and change affected passwords fast. Many banks and credit cards also offer free identity monitoring—use it.
E – Evaluate trust
Treat surprise messages and calls with healthy skepticism, especially if they sound urgent. Verify requests by going directly to official websites or contact numbers. And talk to family about scams—kids and seniors are often the most common targets.
S – Stay updated
Keep your software, devices, and apps current. Security updates close the loopholes that criminals love to exploit. Use an up-to-date real-time anti-malware solution with a web protection component—and follow us to stay alert to new scams and major data leaks.
Your digital footprint tells a story, but you don’t need to vanish from the internet, just manage what you leave behind. A few small, consistent habits can keep your online shadow short, sharp, and safely under your control.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
One of our employees received this suspicious email and showed it to me. Although it’s a pretty straightforward attempt to lure targets into calling the scammers, it’s worth writing up because it looks like it was sent out in bulk.
Let’s look at the red flags.
Firstly, the sender address:
PayPal doesn’t use Gmail addresses to send invoices, and they also don’t put your address in the blind carbon copy (BCC) field. BCC hides the list of recipients, which is often a sign the email was sent to a large group.
And “Tina Pal” must be Pay’s evil twin—one who doesn’t know it’s customary to address your customers by name rather than “PayPal customer.”
Because the message came from a genuine Gmail address, the authentication results (SPF, DKIM, and DMARC) all pass. That only proves the email wasn’t spoofed and was sent from a legitimate Gmail server, not that it’s actually from PayPal.
The red flag here is that PayPal emails will not come from random Gmail addresses. Official communications come from addresses like service@paypal.com.
The email body itself was empty but came with a randomly named attachment—two red flags in one. PayPal would at least use some branding in the email and never expect their customers to open an attachment.
Here’s what the invoice in the attachment looked like:
“PayPal Notification:
Your account has been billed $823.00. The payment will be processed in the next 24 hours. Didn’t make this purchase? Contact PayPal Support right now.”
More red flags:
In this type of tech support scam, the target calls the listed number, and the “tech” on the other end asks to remotely log in to their computer to check for “viruses.” They might run a short program to open command prompts and folders, just to scare and distract the victim. Then they’ll ask to install another tool to “fix” things, which will search the computer for anything they can turn into money. Others will sell you fake protection software and bill you for their services. Either way, the result is the same: you’ll be scammed out of a lot of money.
The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:
If you’ve already fallen victim to a tech support scam:
Pro tip: Malwarebytes Scam Guard recognized this email as a scam. Upload any suspicious text, emails, attachments and other files to ask for its opinion. It’s really very good at recognizing scams.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Vulnerable Facebook Messenger and WhatsApp users are getting more protection thanks to a move from the applications’ owner, Meta. The company has announced more safeguards to protect users (especially the elderly) from scammers.
The social media, publishing, and VR giant has added a new warning on WhatsApp that displays an alert when you share your screen during video calls with unknown contacts.
On Messenger, protection begins with on-device behavioral analysis, complemented by an optional cloud-based AI review that requires user consent. The on-device protection will flag suspicious messages from unknown accounts automatically. You then have the option to forward it to the cloud for further analysis (although note that this will likely break the default end-to-end encryption on that message, as Meta has to read it to understand the content). Meta’s AI service will then explain why the device interpreted the message as risky and what to do about it, offering information about common scams to provide context.
That context will be useful for vulnerable users, and it comes after Meta worked with researchers at social media analysis company Graphika to document online scam trends. Some of the scams it found included fake home remodeling services, and fraudulent government debt relief sites, both targeting seniors. There were also fake money recovery services offering to get scam victims’ funds back (which we’ve covered before).
Here’s a particularly sneaky scam that Meta identified: fake customer support scammers. These jerks monitor comments made under legitimate online accounts for airlines, travel agencies, and banks. They then contact the people who commented, impersonating customer support staff and persuading them to enter into direct message conversations or fill out Google Forms. Meta has removed over 21,000 Facebook pages impersonating customer support, it said.
We can never have too many protections for vulnerable internet users, as scams continue to target them through messaging and social media apps. While scams target everyone (costing Americans $16.6 billion in losses, according to the FBI’s cybercrime unit IC3), those over 60 are hit especially hard. They lost $4.8 billion in 2024. Overall, losses from scams were up 33% across the board year-on-year.
Other common scams include “celebrity baiting”, which uses celebrity figures without their knowledge to dupe users into fraudulent schemes including investments and cryptocurrency. With deepfakes making it easier than ever to impersonate famous people, Meta has been testing facial recognition to help spot celebrity-bait ads for a year now, and recently announced plans to expand that initiative.
If you know someone less tech-savvy who uses Meta’s apps, encourage them to try these new protections—like Passkeys and Security Checkup. Passkeys let you log in using a fingerprint, face, or PIN, while Security Checkup guides you through steps to secure your account.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
We received a timely phishing email pretending to come from Home Depot. It claimed we’d won a Gorilla Carts dump cart (that’s a sort of four-wheeled wheelbarrow for anyone unfamiliar)—and said it was just one click away.
It wasn’t.
The whole image in the email was clickable, and it hid plenty of surprises underneath.
Sender:
The sender email’s domain (yula[.]org) is related neither to Home Depot nor the recipient.
The yula[.]org domain belongs to a Los Angeles high school. The email address or server may be compromised. We have notified them of the incident.
Hidden characters:
Below the main image, we found a block filled with unnecessary Unicode whitespace and control characters (like =E2=80=8C, =C3=82), likely trying to obfuscate its actual content and evade spam filters. The use of zero-width and control Unicode characters is designed to break up strings to confound automated phishing or spam filters, while being invisible to human readers.
Reusing legitimate content:
Below the image we found an order confirmation that appears to be a legitimate transactional message for trading-card storage boxes.
The message seems to be lifted from a chain (there’s a reply asking “When is the expected date of arrival?”), and includes an embedded, very old order confirmation (from 2017) from sales@bcwsupplies[.]com—a real vendor for card supplies.
So, the phisher is reusing benign, historic content (likely harvested from somewhere) to lend legitimacy to the email and to help it sneak past email filters. Many spam and phishing filters (both gateway and client-side) give higher trust scores to emails that look like they’re part of an existing, valid conversation thread or an ongoing business relationship. This is because genuine reply chains are rarely spam or phishing.
Tracking pixel:
We also found a one-pixel image in the mail—likely used to track which emails would be opened. They are almost invisible to the human eye and serve no purpose except to confirm the email was opened and viewed, alerting the attacker that their message landed in a real inbox.
The address of that image was in the subdomain JYEUPPYOXOJNLZRWMXQPCSZWQUFK.soundestlink[.]com. The domain soundestlink[.]com is used by the Omnisend/Soundest email marketing infrastructure for tracking email link clicks, opens, and managing things like “unsubscribe” links. In other words, when someone uses Omnisend to send a campaign, embedded links and tracking pixels in the email often go through this domain so that activity can be logged (clicks, opens, etc.).
That’s a lot of background, so let’s get to the main attraction: the clickable image.
The link leads to https://www.streetsofgold[.]co.uk/wp-content/uploads/2025/05/bluestarguide.html and contains a unique identifier. In many phishing campaigns, each recipient gets a unique tracking token in the URL, so attackers know exactly whose link was clicked and when. This helps them track engagement, validate their target list, and potentially personalize follow-ups or sell ‘confirmed-open’ addresses.
The streetsofgold[.]co.uk WordPress instance hasn’t been updated since 2023 and is highly likely compromised. The HTML file on that site redirects visitors to bluestarguide[.]com, which immediately forwards to outsourcedserver[.]com, adding more tracking parameters. It took a bit of tinkering and a VPN (set to Los Angeles) to follow the chain of redirects, but I finally ended up at the landing page.
Of course, urgency was applied so visitors don’t take the time to think things through. The site said the offer was only valid for a few more minutes. The “one-click” promise quickly turned into a survey—answering basic questions about my age and gender, I was finally allowed to “order” my free Gorilla Cart.
But no surprise here, now they wanted shipping details.
Wait… what? A small processing fee?!
This is as far as I got. After filling out the details, I kept getting this error.
“Something went wrong with the request, Please try again.”
The backend showed that the submitted data was handled locally at /prize/ajax.php?method=new_prospect on prizewheelhub[.]com with no apparent forwarding address. Likely, after “collecting” the personal info, the backend:
We’re guessing all of the above.
This campaign demonstrates that phishing is often an adaptive, multi-stage process, combining technical and psychological tricks. The best defense is a mix of technical protection and human vigilance.
The best way to stay safe is to be aware of these scams, and look out for red flags:
During this campaign we found and blocked these domains:
www.streetsofgold[.]co.uk (compromised WordPress website)
bluestarguide[.]com (redirector)
outsourcedserver[.]com (fingerprint and redirect)
sweepscraze[.]online
prizewheelhub[.]com
techstp[.]com
Other domains we found associated with bluestarguide[.]com
substantialweb[.]com
quelingwaters[.]com
myredirectservices[.]com
prizetide[.]online
As we have said many times before, falling for a scam can happen to the best of us. And it can ruin lives. In our podcast How a scam hunter got scammed, scam hunter Julie-Anne Kearns talked about how she had been duped by people pretending to be from HMRC, which is the UK’s version of the US Internal Revenue Service (IRS).
This week in the New York Times crime reporter Michael Wilson, who has covered many scams during his career, almost fell for a scam that used a spoofed telephone number from Chase Bank. Michael’s story sounded vaguely familiar to us because we reported about something similar back in 2022.
The scam is a prime example of how social engineering is used to talk victims out of their money.
Michael received a call, seemingly from a Chase bank branch. The caller even invited him to Google the number and pointed out which branch he was “calling from.” The scammer claimed that fraudulent Zelle transfers had been made to and from a bank account in his name, even though Michael had never opened an account with Chase.
The initial scammer gave Michael a case number and put him through to “his supervisor.” This man asked Michael to open Zelle.
Zelle is a popular US peer-to-peer payment service that allows users to send and receive money quickly and securely directly from their bank accounts using just an email address or mobile phone number.
Where it says, “Enter an amount,” the “supervisor” instructed him to type $2,100, the amount of the withdrawals he said he was going to help reverse. In another field the scammer wanted Michael to enter the 10 digits of the case number. This triggered Michael’s spidey senses—it looked suspiciously like a phone number:
“This case number sure looks like a phone number, and I’m about to send that number $2,100.”
At that point the scammer gave him a 19 character code to put in the “What’s this for?” field, telling Michael it was needed for his team to be able to reverse the transaction.
But that didn’t calm down the spidey senses and Michael asked the question that will scare most scammers away. He proposed to meet in person and settle this. The scammer tried to persuade him by saying it might be too late by then, but Michael persisted and said he’d call back.
Only then did he realize the scammers had him on the hook for 16 minutes before he managed to break free.
“I should be able to spot a scam in under 16 seconds, I thought — but 16 minutes?”
Michael found that several others had been approached in the very same way. The “supervisor” is an element that provides legitimacy to the call and makes people feel like they’re talking to actual bank employees.
And once they have you filling out forms and writing down long codes, they have turned you from a critical thinker into a person with a mission to fulfil.
For completeness’ sake, Michael went to the bank office and asked for the two employees he’d allegedly spoken to. No surprise they didn’t work there, but someone who did work there recognized the scam and said she’d heard the story many times before and actually knew about a few people that lost money to these scammers.
There’s several aspects of this attack common to many others which may indicate a fraud attempt.
Zelle transfers are instantaneous and almost impossible to reverse. And neither banks nor Zelle are liable for fraudulent payments, so a refund is highly unlikely. So, be extra careful when using Zelle.
Did you know, you can use Malwarebytes Scam Guard for this kind of situation as well? We tested Scam Guard with some details from the NYT story and it correctly identified it as a known scam, asked some follow up questions, and provided a clear set of recommendations.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Last week on Malwarebytes Labs:
Stay safe!
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Last week on Malwarebytes Labs:
Stay safe!
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Scammers are sending out texts that claim to be from the Bureau of Motor Vehicles (BMV), saying that you have outstanding traffic tickets.
Here’s an example, which was sent to one of our employees.
“Ohio (BMV) Final Notice: Enforcement Begins September 10nd.
Our records indicate that as of today, you still have an outstanding traffic ticket. Pursuant to Ohio Administrative Code 15C-16.003, if you fail to pay by September 9, 20025, we will take the following actions:
1. Report to the BMV violation database
2. Suspend your vehicle registration effective September 9st
3. Suspend your driving privileges for 30 days
4. Pay a 35% service fee at toll booths
5. You may be prosecuted, and your credit score will be affected.
Pay Now:
linkPlease pay immediately before enforcement begins to avoid license suspension and further legal trouble. (Reply Y and reopen this message, or copy it to your browser.)
The Ohio Department of Public Safety actually warned about this scam a few months ago, and the Bowling Green (OH) Police Division repeated that warning on Facebook this week.
The people in Ohio are not alone. We found similar warnings issued by the Indiana DMV, Colorado DMV, West-Virginia DMV, Hawaii County, Arizona Department of Transportation, and the New Hampshire DMV.
If you click the link in the message, you’ll be taken to a website that mimics that of the department in question. The site contains a form to fill out your personal details and payment information, which can then be used for financial fraud or even identity theft.
The scam messages all look the same except for the domains which are rotated very fast, as is habitual in scams. Because they are all from the same campaign, it’s easy to recognize them though.
There are some tell-tale signs in these scams which you can look for to recognize them as such;
Recognizing scams is the most important part of protecting yourself, so always consider these golden rules:
If you have engaged with the scammers’ website:
We found the following domains involved in these scams, but there are probably many, many more. Hopefully it will give you an idea of what type of links the scammers are using:
https://ohio.dtetazt[.]shop/bmv?cdr=Bue4ZZ
https://askasas[.]top/portal
https://dmv.colorado-govw[.]icu/us
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
A Japanese octogenarian from Hokkaido Island lost thousands of dollars after being scammed by someone who described himself as a desperate astronaut in need of help.
According to Hokkaidō Broadcasting, police in Sapporo say the fraudster contacted the woman on social media in July. After several weeks of exchanging messages, the ‘astronaut’ claimed he was under attack in space and asked her to send money for “life-saving oxygen” through prepaid systems at five different convenience stores in the city.
The money requests escalated as the woman got more romantically attached to the scammer, resulting in a total loss of around 1 million Yen (US$6,700). At that point she told her family and reported the scam to the police.
Romance scammers typically target individuals on social media or online dating platforms, building trust over time, before convincing victims to send money, personal information, or valuable items—sometimes to help the scammer launder funds or goods.
These scams have grown significantly in recent years, driven by the widespread loneliness epidemic and the increase in online activity.
Police in Sapporo’s Teine district are now treating the case as a romance scam and have warned residents to be cautious of similar social media encounters.
.wp-block-kadence-advancedheading.kt-adv-heading309287_2bc2ac-57, .wp-block-kadence-advancedheading.kt-adv-heading309287_2bc2ac-57[data-kb-block="kb-adv-heading309287_2bc2ac-57"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading309287_2bc2ac-57 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading309287_2bc2ac-57[data-kb-block="kb-adv-heading309287_2bc2ac-57"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}It’s very easy to look at a case like this and think “How could they not know they were being scammed?” But anyone can fall for a scam, especially as scammers get more and more sophisticated and their use of AI increases.
Here are some tips to stay safe:
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
A co-worker forwarded this rather convincing PayPal scam to me. Thanks Elena.
A highly sophisticated email scam is targeting PayPal users with the subject line of “Set up your account profile.”
We decided to see what the scammers are after. First thing to do is to look at the headers:
The sender address service@paypal.com (sometimes the emails come from service@paypal.co.uk) looks legitimate because it is, but the scammers have spoofed the address.
Basically, when someone sends an email, their computer tells the email system what address to show as the sender. Scammers take advantage of this by using special software or programs that let them type in any “From” address they want. This technique is called spoofing. The scammer sends their email through the internet, and since most email systems aren’t strict about checking this information, the fake sender address is displayed just like a real one would be.
So it’s hard for the everyday user to tell if the email has been spoofed or not.
There are other signs that the email might be a scam though. There is the unusual recipient address, which is nothing like the one of my co-worker. Rather than targeting one individual, scammers set up a distribution list (often using Microsoft 365/Google test domains) with their own domain or, in this case, a compromised one. This allows them to send bulk phishing emails while masking their intent, but does mean that recipients see an unfamiliar address, e.g. {somebody}@{unknow-domain}.test-google-a.com, instead of their own.
The “.test-google-a.com” part of the address refers to a domain often used in testing or in cloud setups through Google Workspace, but in the context of this scam email, it’s a strong indicator of malicious activity or advanced phishing techniques rather than official Google practice. So, that’s red flag #1.
When looking at the email itself, the subject line has nothing to do with what the email is asking the target to do. That’s red flag #2.
“Set up your PayPal account profile
New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.
Your user ID: Receipt43535e
Use this link to finish setting up your profile for this account. The link will expire in 24 hours.”
The layout of the email looks convincing enough, likely copied from an actual PayPal email.
The content however is typical for a phishing email:
The language used in the email is not perfect, but also not bad enough to stand out like a sore thumb. We have discussed in the past how AI-supported spear phishing fools more than 50% of targets, so looking for spelling errors is often not helpful these days.
But now comes the part which showcases the sophistication level of this scam. The link the button in the email points to, actually goes to PayPal.
However, the effect is different from what the target of the phishing email would expect. They are not going to set up a profile nor dispute a payment.
By clicking the link in the email, the target starts the routine to add a secondary user to their PayPal account. The danger here is that a secondary user can issue payments. In other words, the scammer would be able to clean out your PayPal account.
PayPal has over 434 million active users so for phishers that’s a large target audience. To make their attacks more targeted, some groups of phishers will buy or steal large databases of email addresses that are associated with PayPal accounts or which have previously interacted with PayPal services.
As far as we could determine this campaign has been running for a month or more. Here are some tips to help you avoid being caught out:
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
The State of California Franchise Tax Board (FTB) recently issued a warning to taxpayers to protect themselves from tax scams. In their warning the FTB states:
“Recently, the FTB received reports of a scam targeting taxpayers through text messages that appear to be from FTB. These text messages contain a link to a fraudulent version of certain FTB web pages, which are designed to steal personal and banking information. The scam aims to trick taxpayers into providing personal details and credit card information.”
As if to prove their point, one of my co-workers received this text message.
“State of California Franchise Tax Board (FTB)
Your tax refund claim has been processed and approved. Please provide your accurate collection information before September 01, 2025.
We will deposit the money into your bank account or email paper check within 1-2 working days.
{link}
Failure to submit required payment information by September 01, 2025 will result in permanent forfeiture of this refund under California Revenue and Taxation Code Section 19322.
Just reply with ‘Y’, then close and reopen the message to make the link work. If that doesn’t do it, copy the link and paste it straight into Safari.
California Franchise Tax Board|Sacramento, CA|Official State Agency”
The links that we found for this campaign are designed to look legitimate by using ftb.ca, ftb.gov, or ftb.cagov in the URL. The sites are designed to mimic the official version of certain FTB web pages, but in reality they are designed to steal your personal and banking information.
This type of scam is not limited to California or even to tax returns, so this advice is good for everyone. Here are some scammy signs to watch out for:
Spotting any one of these signs should be enough to delete the message. Never click links or provide personal details based on unsolicited texts or emails.
Other tips to stay safe are:
You can also visit the FTB Scams page to verify when FTB sends texts and what information is included.
We have spotted these subdomains in this campaign:
ftb.gov-ciehka.xmnsia[.]cc
ftb.ca-nt[.]cc
ftb.cagov-Ibh[.]cc
ftb.cagov-tqn[.]cc
ftb.cagov-cg[.]cfd
ftb.cagov-onr[.]cc
ftb.cagov-jme[.]cc
ftb.cagov-etu[.]cc
ftb.cagov-ib[.]cc
ftb.ca-mg[.]cc
ftb.gov-qls[.]help
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
The Department of Justice (DOJ) extradited and indicted 4 Ghanaian nationals for allegedly stealing more than $100 million, mainly through romance scams and business email compromises.
According to a report from Comparitech, nearly 59,000 Americans fell victim to romance scams in 2024, losing an estimated $697.3 million. Our own research from last year showed that 10% of romance scam victims lose more than $10,000. The overall true cost is believed to be vastly higher than official reports, as many cases go unreported due to victims’ shame and difficulty tracing scammers.
Many of the scammers work offshore from countries where the chances of them getting apprehended are slim. But US Attorney Jay Clayton stated:
“Offshore scammers should know that we, the FBI, and our law enforcement partners will work around the world to combat online fraud and bring perpetrators to justice.”
The four men are accused of being leaders of a criminal organization based in Ghana which committed romance scams and business email compromises against individuals and businesses located across the US.
Their victims were mostly older men and women tricked into believing they were engaging in a romantic relationship online. These “relationships” sometimes start as a harmless text or by a direct message on social media and dating apps. Soon the scammer will suggest to take the conversation to a more secure platform like WhatsApp or Telegram.
The scammers will take the time to get to know you and assess what the best approach is to deceive you. Most of the time they are after your money, but sometimes they are after information. These scammers may also use other people, who are often younger, as money mules.
The people entailed in romance scams are courted and lavished with attention, until it’s time to cash in. Then the scammer suddenly needs money for travel, an illness, or other made-up reasons. Some scammers also lure victims with a supposed, great investment opportunity that you can’t afford to miss—which will turn out great for them, not the victim.
The four Ghanaian men are facing multiple charges including wire fraud, money laundering, receiving stolen money and more. In total each is facing a maximum sentence of 75 years in prison if convicted on all the charges.
The scale of losses from romance scams often eclipses that of many other types of reported consumer fraud or internet crime, demonstrating the high financial risk entailed in these emotional exploitation schemes.
So, it’s important to understand how these scams operate and how you can stay safe. Some of these tips may seem basic, but in these cases, it’s easy for people to mistake their online relationship with the scammer for a real one. This isn’t the fault of scam victims—it is just a symptom of how effective these scam methods are.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.
The text message tells you that the item does not meet Amazon’s standards, and tries to install some urgency by claiming it is not safe to use. It also includes a link where it says you can find more information and claim a refund.
“Amazon Safety Recall: We are contacting you because the product you purchased is being recalled. This recall is due to quality and safety issues. We urge you to stop using the product immediately and contact us to arrange a full refund. You can view your order details at the following link:
Safety Recall: Order Number:#-142-15261-31435 Your safety is our top priority, please visit our website for more details and instructions. We apologize for the inconvenience and disappointment this may cause you.
Thank you for shopping at Amazon.”
Of course the link doesn’t go anywhere near Amazon, it’s actually a shortened URL that sends you to amazonzbzc[.]co. This is a known phishing site that mimics Amazon, and is after your personal information or to steal your money.
The text messages are intentionally vague about the nature of the product or the exact issue they are being recalled for. This is done so a maximum number of people will think that this might concern them. If the scammers said that the TV you bought might explode, you wouldn’t click the link if you hadn’t purchased a TV recently.
The Federal Trade Commission even issued a warning about these scams back in July, illustrating how this type of scam tactic is growing.
We don’t just report on scans—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Would you give a complete stranger your credit card in return for the promise of easy money? No, neither would we. But apparently well over a hundred people did. Hillsborough County Sheriff’s Office arrested 24 year-old Janetcilize Martinez in Tampa, FL, for allegedly using willing participants’ bank accounts to commit fraud.
Police are calling this a ‘tap-in’ scam. It’s not uncommon, and it works like this:
Another term for what these ‘tap-in’ scammers are doing is a third-party version of check kiting. Check kiters write themselves bad checks from another bank account, depositing them, and then picking up the money.
Hundreds of people on TikTok and X did this last year after being told of an apparent “infinite money glitch” at Chase Bank, which wasn’t one at all. They were just taking advantage of the standard fund availability window to collect money on fraudulent checks.
Check-kiting frauds like these depend on fast access to cash from deposited checks. By law, banks in the US have to make $275 of the deposited funds available within one business day, with the rest available within two business days.
Banks can only put a further hold on currency if the account is new, there’s a pattern of overdrawn activity, the check has been redeposited, there’s reasonable cause to believe that the funds aren’t collectible, or the check exceeds $6,725.
Ultimately, if you write yourself a fraudulent check, the bank will inevitably realize when the check doesn’t clear and will take the balance out of your account.
This is why those who thought they’d take advantage of the Chase ‘glitch’ ended up with a negative balance. In reality, they were using theft to give themselves an illegal loan. Doing so can result in you losing your account or even facing criminal charges.
Martinez, who someone reported to police anonymously, allegedly advertised these tap-in services on social media, posting pictures of cash and withdrawal receipts.
When detectives showed up at her residence with a warrant on July 29, they found 117 credit cards belonging to other people, tools for creating counterfeit credit cards, nearly $7,000 in cash, cannabis and associated paraphernalia, and a semi-automatic weapon.
She now faces the following charges:
Martinez has not yet been found guilty of this crime. She has been given bond release pending trial, but is being held without bond in another case, reporters for Fox 13 said.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Login