Investment Scam: The Operations

Written by
Nguyen Nguyen

In our previous paper, Investment Scam Playbook: From Job Recruitment to Investment Scam, we detailed the scammer’s methods for luring victims into fraudulent schemes. This blog expands on that work.

By documenting the scam’s step-by-step process, this analysis aims to uncover the techniques employed by scammers, empowering individuals and organizations to identify, counteract, and report such malicious activities. Through this effort, we hope to foster greater awareness and resilience against evolving financial fraud tactics.

Infrastructure

Investment Website: totallysoftware[.]tech

The domain totallysoftware[.]tech was registered recently, on 2024-08-12, through NameSilo LLC and is hosted behind Cloudflare. At first glance, the website appears legitimate, positioning itself as a provider of ‘app store boost services’ for startups and mid-sized applications. However, registration on the platform requires a specific code provided exclusively by the scammer through WhatsApp. This selective entry method is designed to shield the operation from scrutiny by security researchers and to keep its fraudulent activities from being detected or analyzed. The following screenshot shows the webpage once you log in.

Administration/Scammer Front End

From the backend, the scammer accesses a private dashboard to manage victims’ accounts. The following screenshot illustrates the login page for this dashboard, highlighting the infrastructure supporting the scam’s operations.

Domains

Upon reviewing the domain totallysoftware[.]tech, we identified additional domains sharing similar themes and structures indicative of investment scams. Below is a list of these associated domains, which exhibit characteristics of fraudulent activity, including deceptive registration practices and thematic alignment with known scam infrastructures.

Hosting

The domains are hosted across various infrastructure providers, including Alibaba Cloud and Tencent Cloud, with some utilizing Cloudflare as a proxy to obscure their true hosting locations. Below is a breakdown of the associated domains and their respective IP addresses, illustrating the diverse hosting environments leveraged to facilitate their fraudulent activities.
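The naming pattern described above (one brand token reused across TLDs and decorative suffixes such as -app, -vip, -pro, -shop) can be used defensively to group newly observed domains into campaign clusters. The following Python script is an added example, not part of the original post: it refangs `[.]`-style indicators and clusters domains by their stripped brand token. The suffix list and the sample domains are constructed for illustration and are not indicators from this campaign.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Decorative suffixes that lookalike domains commonly append to a brand token.
# Hypothetical list chosen to mirror the naming pattern described in the post.
SUFFIXES = ("app", "vip", "pro", "shop", "site", "net", "bond",
            "cc", "io", "xyz", "cyou", "pink", "org", "cn")

def refang(indicator: str) -> str:
    """Turn defanged notation such as 'example[.]com/' back into 'example.com'."""
    return indicator.strip().replace("[.]", ".").rstrip("/").lower()

def brand_token(domain: str) -> str:
    """Registrable label with trailing decorative suffixes stripped.

    'acmeboost-app.tech' -> 'acmeboost', 'acmeboostapp.com' -> 'acmeboost'.
    """
    label = domain.split(".")[0]
    parts = [p for p in re.split(r"[-_]", label) if p]
    # Drop hyphen-separated suffixes: 'acmeboost-app' -> 'acmeboost'.
    while len(parts) > 1 and parts[-1] in SUFFIXES:
        parts.pop()
    core = parts[0]
    # Also strip one suffix glued on without a hyphen, longest match first,
    # but keep at least four characters so short brands are not mangled.
    for s in sorted(SUFFIXES, key=len, reverse=True):
        if core.endswith(s) and len(core) - len(s) >= 4:
            return core[: -len(s)]
    return core

def cluster_domains(indicators: List[str], min_size: int = 2) -> Dict[str, List[str]]:
    """Group refanged domains by brand token; keep clusters of at least min_size."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ind in indicators:
        d = refang(ind)
        groups[brand_token(d)].append(d)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

# Constructed sample indicators (not real IoCs) in the defanged style used above.
SAMPLE = [
    "acmeboost-app[.]tech", "acmeboost[.]app", "acmeboost-vip[.]com",
    "acmeboostapp[.]com/", "brightlane-pro[.]cc", "brightlane-shop[.]com",
    "unrelatedcorp[.]com",
]

if __name__ == "__main__":
    for token, members in cluster_domains(SAMPLE).items():
        print(token, "->", ", ".join(members))
```

Clusters with several members registered within a short window of each other are worth prioritising for blocking and takedown requests.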

IOCs

Domains


IP Addresses

