EricN Publications by Eric Niewoehner

Tracking Scams in Phone Messages

June 1, 2021


Every now and then I put together something related to computer security. My objective is to be technically precise, yet provide the common computer user some information that might protect them from fraud or malware. Hopefully this helps.




Just received a message on my phone saying


Notice: Your stimulus is ready to be claimed.


It is really sad that people are exposed to scams such as this. What it is – I don’t know and I am not in the position to use any tools to explore the details of how it operates.

The key thing to note is the link. Anything from the federal government would have a .gov ending. DO NOT CLICK ON THE LINK. Clicking on the link could compromise the security on your cell phone, or send you down the rabbit hole of an evolving fraud scheme.


Who is


So who is To find an answer you can go to Simply type in and look at the results. The site will come up as already in use (in most cases) and you can simply click the “Whois” button on the right to get all the gory details about a website registration.


Registry Domain ID: D503300001198561385-LRMS
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2021-05-30T19:28:41Z
Creation Date: 2021-05-30T19:23:51Z
Registry Expiry Date: 2022-05-30T19:23:51Z
Registrar Registration Expiration Date:
Registrar: NameCheap, Inc
Registrar IANA ID: 1068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited
Domain Status: serverTransferProhibited
Domain Status: addPeriod
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant State/Province: Capital Region
Registrant Country: IS
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form:
>>> Last update of WHOIS database: 2021-05-31T22:19:24Z <<<

Some things to note are

  • The domain name – for folks not familiar with the language of the Internet, the web addresses you use are referred to as “domains.”

  • The Registrar URL – this is the facility where the domain is registered. What is important about this information is that it provides you at least one place where you can lodge a complaint.

  • The dates – this I find interesting because I received the bogus message on 05/31. Notice it is registered on 05/30.

  • The Abuse Contact information – you can call or send an e-mail.

  • Registrant information – Domain owners have the option of keeping contact information private. I do so because my contact information is my personal address, so I don’t particularly care to broadcast to the entire world. But there is one detail here that is rather interesting. The Country Code is “IS” – which is Iceland. Whether that is for real or not will depend. When lodging your complaint, you may want to request that NameCheap compare the contact information with the credit card that was used to make the payment.
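The checks in the list above can be run over the record itself. This is an added example, not code from the original article: it parses the WHOIS fields shown on this page, compares the creation date with the 05/31 date the message arrived, and collects the registrar details needed for a complaint. The function names and the 30-day "new domain" threshold are assumptions made for illustration.

```python
from datetime import date, datetime

# Fields copied from the WHOIS record above (some omitted for brevity).
WHOIS_TEXT = """\
Updated Date: 2021-05-30T19:28:41Z
Creation Date: 2021-05-30T19:23:51Z
Registrar: NameCheap, Inc
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited
Domain Status: serverTransferProhibited
Domain Status: addPeriod
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Country: IS
>>> Last update of WHOIS database: 2021-05-31T22:19:24Z <<<
"""

def parse_whois(text):
    """Return {field: [values]}; repeated keys such as Domain Status are kept."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Skip blank fields and the ">>> Last update" footer line.
        if sep and value.strip() and not line.startswith(">>>"):
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def triage(record, received, new_domain_days=30):
    """Summarise what the article reads off the record for a complaint."""
    created = datetime.strptime(record["Creation Date"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    age_days = (received - created).days
    flags = []
    if age_days < new_domain_days:  # threshold is an assumption, not from the article
        flags.append(f"registered {age_days} day(s) before the message arrived")
    if "addPeriod" in record.get("Domain Status", []):
        flags.append("still in the registry's add grace period")
    first = lambda field: record.get(field, [None])[0]
    return {
        "age_days": age_days,
        "flags": flags,
        "report_to": first("Registrar"),
        "abuse_phone": first("Registrar Abuse Contact Phone"),
        "abuse_email": first("Registrar Abuse Contact Email"),  # blank on this page
        "registrant_country": first("Registrant Country"),
    }

if __name__ == "__main__":
    summary = triage(parse_whois(WHOIS_TEXT), received=date(2021, 5, 31))
    for key, value in summary.items():
        print(f"{key}: {value}")
```
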

Why not just go to and check it out? I would normally make that attempt, but it is strongly recommended that it be done on a non-production system. I am currently traveling and using my laptop, so I don’t want to risk accessing a website that is “hot”. Another thing to consider is whether you are code-savvy, know how to bring up the debugger in your browser and follow what the site is attempting to do. If you are lacking these skills, I would recommend you NOT visit


A less risky maneuver is to conduct a trace route on the website. This would help you triangulate the location of the server itself.  You will need to open the command shell in Windows and then type the following command.


C:\tracert -4


Tracing route to []
over a maximum of 30 hops:

1 120 ms 3 ms 3 ms
2 54 ms 80 ms 54 ms
3 87 ms 56 ms 66 ms
4 84 ms 72 ms 65 ms
5 84 ms 61 ms 77 ms
6 82 ms 66 ms 65 ms []
7 58 ms 56 ms 64 ms []
8 85 ms 87 ms 66 ms []
9 192 ms * 190 ms []
10 * * 171 ms

I am communicating over a hot-spot, so the first 6 “hops” are related to ATT routing. It gets a bit more interesting when we reach GTT is a major network service. What this entails is another option for leveling a complaint. Breaking the law violates Terms of Service. They can investigate the operation and possibly terminate services. Law enforcement can use this information to correlate traffic running between and the address. Investigators will also be able to narrow in on the physical location of the scammers by requesting that GTT provide the location of the address.


I must warn you to not expect replies from your complaints. I generally do not hear back from providers. But it is at least a record that can be used by security specialists when and if the information is ever needed.


What about the phone numbers?


Every message has an attendant phone number. Unfortunately, phone numbers are spoofed. So don’t bother tracing them. You may not want to block them because the scammers race through thousands of numbers. But you can block a string of text. From your Messages app, tap the double-dots in the upper right hand corner and you should see “Settings,” of which one of the options will be to block a message. You can then type in the string that will uniquely identify the suspicious message.


What about law enforcement?


Generally speaking, everyone from the local police department to the FBI and the US Marshals are not equipped to handle complaints from the general public. My attempts to do so have usually resulted in an advisory to be cautious. It is quite apparent that our government at all levels is not able to communicate with the millions of people who are affected by scams, yet some means of reporting would be helpful. This would allow investigators to gain the scope of the scam and to more aggressively pursue cooperation from providers. As it is, I can only assume that someone somewhere is aware of


What about searching the web?


Searching the web is often our first thought.  Type in and you should quickly see reports of fraud.  But scammers are pretty smart.  For DuckDuckGo (the search engine I use), the phrase "" is interpolated as "stim check info", producing a long list of perfectly legitimate sites about our stimulus checks.  You will not find any references to "" on any of their pages.  Another thing to consider is how recently the address was registered (on 05/30) and there simply may not be any track record of


But -- if I follow the phrase with the word "fraud" I will get one hit,  It is a scam database where you can type in "" to see if it is legit.  The result was "The site is very new and we can't judge it yet." 


As you can see, using web searches is a bit of an art.  While I find web searches useful, I would not find them a reliable indicator of trust.




In conclusion, I hope these tips are helpful.  There are certainly other resources out there and your comments and suggestions are always appreciated.  You can write your comments below, or click the button on the left to my other social media sites.





June 2, 2021


Golly!  After only one day I was hit by two variants: and


Again, went to and checked out who owned the account.  As suspected, same country (Iceland) and same DNS registrar (Namecheap).  So I decided to send a note 


I then did a trace route on the two new domains to confirm they are originating from the same area.


July 15, 2021


I must give credit where credit is due.  Did receive a reply immediately from Namecheap.  I waited to post their response to see if I would receive any follow-through.  Here is their response.


Thank you for contacting Namecheap Legal and Abuse department. We confirm the receipt of your ticket.

Please be assured that we will investigate the matter you reported and take action based on the results of our investigation. Please also be aware that, while Namecheap investigates every complaint, we cannot always respond with the results of the investigation and your ticket might be closed accordingly.

Important: In order to support the process of investigation, please review the instructions below depending on the type of the abuse you are reporting. To help us fully investigate your claim, please ensure your submission includes all of the requirements we describe. If you have submitted a complaint and realize that information is missing, please simply reply to this message and include the additional information:

Information required to support our investigation

How does Namecheap investigate Suspected Email Abuse/Spam?





By Eric Niewoehner

© Copyright 2021 to Eric Niewoehner. Use of this document is provided at no cost as long as the recipient does not replicate this document for profit.

