EricN

Tracking Scams in Phone Messages

June 1, 2021

 

Every now and then I put together something related to computer security. My objective is to be technically precise, yet provide the common computer user some information that might protect them from fraud or malware. Hopefully this helps.


I just received a message on my phone saying:

 

Notice: Your stimulus is ready to be claimed.

stimcheck.info/KXUqXXI

 

It is really sad that people are exposed to scams such as this. What it is, I don’t know, and I am not in a position to use any tools to explore the details of how it operates.

The key thing to note is the link. Anything from the federal government would have a .gov ending. DO NOT CLICK ON THE LINK. Clicking on the link could compromise the security on your cell phone, or send you down the rabbit hole of an evolving fraud scheme.

 

Who is stimcheck.info?

 

So who is stimcheck.info? To find an answer you can go to www.whois.com. Simply type in stimcheck.info and look at the results. The site will come up as already in use (in most cases) and you can simply click the “Whois” button on the right to get all the gory details about a website registration.

 

Domain Name: STIMCHECK.INFO
Registry Domain ID: D503300001198561385-LRMS
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: www.namecheap.com
Updated Date: 2021-05-30T19:28:41Z
Creation Date: 2021-05-30T19:23:51Z
Registry Expiry Date: 2022-05-30T19:23:51Z
Registrar Registration Expiration Date:
Registrar: NameCheap, Inc
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant State/Province: Capital Region
Registrant Country: IS
Name Server: RORY.NS.CLOUDFLARE.COM
Name Server: GABRIELLA.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2021-05-31T22:19:24Z <<<

Some things to note:

  • The domain name – for folks not familiar with the language of the Internet, the web addresses you use are referred to as “domains.”

  • The Registrar URL – this is the facility where the domain is registered. What is important about this information is that it provides you at least one place where you can lodge a complaint.

  • The dates – this I find interesting because I received the bogus message on 05/31. Notice it is registered on 05/30.

  • The Abuse Contact information – you can call or send an e-mail.

  • Registrant information – Domain owners have the option of keeping contact information private. I do so because my contact information is my personal address, so I don’t particularly care to broadcast it to the entire world. But there is one detail here that is rather interesting. The Country Code is “IS” – which is Iceland. Whether that is genuine is another question. When lodging your complaint, you may want to request that NameCheap compare the contact information with the credit card that was used to make the payment.

Why not just go to stimcheck.info and check it out? I would normally make that attempt, but it is strongly recommended that this be done on a non-production system. I am currently traveling and using my laptop, so I don’t want to risk accessing a website that is “hot”. Another thing to consider is whether you are code-savvy and know how to bring up the debugger in your browser and follow what the site is attempting to do. If you lack these skills, I recommend that you NOT visit stimcheck.info.

 

A less risky maneuver is to conduct a trace route on the website. This would help you triangulate the location of the server itself. You will need to open the command shell in Windows (Command Prompt) and then type the following command.

 

C:\>tracert -4 stimcheck.info

 

Tracing route to stimcheck.info [172.67.148.128]
over a maximum of 30 hops:

  1   120 ms     3 ms     3 ms  192.168.43.1
  2    54 ms    80 ms    54 ms  172.26.96.161
  3    87 ms    56 ms    66 ms  107.79.236.252
  4    84 ms    72 ms    65 ms  12.83.186.161
  5    84 ms    61 ms    77 ms  12.83.186.145
  6    82 ms    66 ms    65 ms  cgcil401igs.ip.att.net [12.122.133.105]
  7    58 ms    56 ms    64 ms  ae16.cr7-chi1.ip4.gtt.net [173.241.128.29]
  8    85 ms    87 ms    66 ms  ae19.cr9-chi1.ip4.gtt.net [141.136.108.189]
  9   192 ms     *      190 ms  ip4.gtt.net [208.116.131.178]
 10     *        *      171 ms  172.67.148.128
 

I am communicating over a hot-spot, so the first 6 “hops” are related to AT&T routing. It gets a bit more interesting when we reach gtt.net. GTT is a major network service provider, which gives you another place to lodge a complaint. Breaking the law violates their Terms of Service, so they can investigate the operation and possibly terminate services. Law enforcement can use this information to correlate traffic running between ip4.gtt.net and the 172.67.148.128 address. Investigators will also be able to narrow in on the physical location of the scammers by requesting that GTT provide the location of the 208.116.131.178 address.
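As an added example (not code from the original post), here is a small Python script that pulls the same signals out of a pasted WHOIS record and tracert output: how new the domain was on the day the text arrived, the registrar’s abuse contact, whether the registrant is behind a privacy service, and whether the final hop lands in a CDN range (the name servers in the WHOIS record above are Cloudflare’s, so the address the trace ends at is a Cloudflare edge rather than the scammer’s own server). The Cloudflare ranges are an assumption copied from its published list and should be refreshed before use; the sample inputs are constructed from the output quoted in the post.

```python
import ipaddress
import re
from datetime import date, datetime
# Constructed sample input: the WHOIS record and tracert output quoted in the
# post, trimmed to the lines the parser needs.
WHOIS_RECORD = """\
Domain Name: STIMCHECK.INFO
Creation Date: 2021-05-30T19:23:51Z
Registrar Abuse Contact Email: abuse@namecheap.com
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Name Server: RORY.NS.CLOUDFLARE.COM
"""
TRACERT_OUTPUT = """\
  9   192 ms     *      190 ms  ip4.gtt.net [208.116.131.178]
 10     *        *      171 ms  172.67.148.128
"""
# Assumption: a subset of Cloudflare's published IPv4 ranges (cloudflare.com/ips); refresh before use.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "198.41.128.0/17")]
def parse_whois(text):
    """Map 'Key: value' lines to a dict; first value wins, name servers are collected."""
    fields = {"name_servers": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Name Server":
            fields["name_servers"].append(value.strip().lower())
        else:
            fields.setdefault(key.strip(), value.strip())
    return fields
def final_hop(tracert_text):
    """Last IPv4 address printed by tracert: the target itself when the trace completes."""
    ips = re.findall(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])", tracert_text)
    return ips[-1] if ips else None
def triage(whois_text, tracert_text, received_on):
    """Summarise the signals the post walks through; received_on is an ISO date string."""
    w = parse_whois(whois_text)
    created = datetime.strptime(w["Creation Date"], "%Y-%m-%dT%H:%M:%SZ").date()
    hop = final_hop(tracert_text)
    return {
        "domain": w["Domain Name"].lower(),
        "age_days": (date.fromisoformat(received_on) - created).days,
        "privacy_protected": "privacy" in w.get("Registrant Organization", "").lower(),
        "abuse_email": w.get("Registrar Abuse Contact Email"),
        "final_hop": hop,
        "final_hop_is_cdn": bool(hop) and any(ipaddress.ip_address(hop) in n for n in CDN_RANGES),
    }
```

Run `triage(WHOIS_RECORD, TRACERT_OUTPUT, "2021-05-31")` to get a one-day-old domain, the NameCheap abuse address and a final hop inside a Cloudflare range, which is why the trace alone cannot place the scammer’s server.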

 

I must warn you not to expect replies to your complaints. I generally do not hear back from providers. But it is at least a record that can be used by security specialists when and if the information is ever needed.

 

What about the phone numbers?

 

Every message has an attendant phone number. Unfortunately, phone numbers are spoofed. So don’t bother tracing them. You may not want to block them because the scammers race through thousands of numbers. But you can block a string of text. From your Messages app, tap the double-dots in the upper right hand corner and you should see “Settings,” of which one of the options will be to block a message. You can then type in the string that will uniquely identify the suspicious message.

 

What about law enforcement?

 

Generally speaking, no one from the local police department to the FBI and the US Marshals is equipped to handle complaints from the general public. My attempts to do so have usually resulted in an advisory to be cautious. It is quite apparent that our government at all levels is not able to communicate with the millions of people who are affected by scams, yet some means of reporting would be helpful. This would allow investigators to gauge the scope of the scam and to more aggressively pursue cooperation from providers. As it is, I can only assume that someone somewhere is aware of stimcheck.info.

 

What about searching the web?

 

Searching the web is often our first thought. Type in stimcheck.info and you should quickly see reports of fraud. But scammers are pretty smart. For DuckDuckGo (the search engine I use), the phrase "stimcheck.info" is interpreted as "stim check info", producing a long list of perfectly legitimate sites about our stimulus checks. You will not find any references to "stimcheck.info" on any of their pages. Another thing to consider is how recently the address was registered (on 05/30); there simply may not be any track record of stimcheck.info yet.

 

But if I follow the phrase with the word "fraud" I get one hit, https://www.scamvoid.net. It is a scam database where you can type in "stimcheck.info" to see if it is legit. The result was "The site is very new and we can't judge it yet."

 

As you can see, using web searches is a bit of an art. While I find web searches useful, I would not consider them a reliable indicator of trust.


In conclusion, I hope these tips are helpful. There are certainly other resources out there, and your comments and suggestions are always appreciated. You can write your comments below, or click the button on the left to go to my other social media sites.


Update

 

June 2, 2021

 

Golly! After only one day I was hit by two variants: stimulus-claim.info and claim-stimulus.info.

 

Again, I went to www.whois.com and checked out who owned the account. As suspected, same country (Iceland) and same registrar (Namecheap). So I decided to send a note to abuse@namecheap.com.

 

I then did a trace route on the two new domains to confirm they are originating from the same area.


By Eric Niewoehner

© Copyright 2021 to Eric Niewoehner. Use of this document is provided at no cost as long as the recipient does not replicate this document for profit.
