
Ruining All My Branding
Cyber Security professional and actual detective. True crime blogger and kicker of @.

A text message stating that a Stimulus check is coming, promising financial reward to click the URL. This is malicious code running on infrastructure that spans the globe. It is a clever form of malware delivery that evades antivirus and other protections, and is geared to drop malware on your device undetected via a form of delivery called ‘gootloading.’

30 Photos Deleted from Gallery — Click here to restore and scan for virus [URL]

Full Text

30 Photos Deleted from Gallery — Click here to restore and scan for virus [URL]

Do not click the link, report the spam to 7726 (see below).

Yup, This is a Scam.

I’ve been getting a series of spam text messages from various phone numbers, likely compromised devices, which all seem to be from AT&T in origin. These text messages carry various lures, this one in particular saying, “30 Photos Deleted from Gallery — Click here to restore and scan for virus [URL].” with a link to click. DO NOT CLICK THE LINK and forward it to the SPAM number (7726, see below). The URL is likely…


Namecheap, a US-based domain registrar, is allowing scammers to infest their registrations using global infrastructure to attack Americans and Canadians with malware. When this is reported, Namecheap does nothing. Over the course of months, I have been researching a series of text message campaigns that originate from a US domain registrar who both refuses to act and refuses to acknowledge there is a problem, thus allowing cyber abuse, text message spam and smishing to go unchecked.

There is a Massive Spam Campaign out of Namecheap

Namecheap’s bulk update function [Edited for this article]

Namecheap protects the scammers in the name of profit. The hosting providers keep taking down their infrastructure when reported, but for the scammers, updating the DNS is as easy as selecting three menu items within Namecheap’s bulk update function.


When a Pharma Spammer is ballsy enough to make a home on WebMD, utilize at least five WhatsApp numbers, traceable VoIP, a Wickr, Kik, Skype and Twitter account and websites to sell their wares, one must wonder what we, in the cyber security community, are snoozing through. Some linked sites were up over seven years! This blog post details the research involved, both to make it easier to report to authorities and to make terms searchable in a collective spot, to help keep people from getting scammed, or worse, dying from fake medication.

Disclaimer

I don’t normally publish emails and phone numbers, because often they belong to innocent victims or to compromised accounts. Also, I don’t want some noob going to the URLs, responding to the emails, or clicking the links. So, to start with this article: don’t do that.

These are here simply as a record, in part to warn people that they are treading in dangerous waters should they engage with these scammers, to present to authorities, and to provide an entertaining read for practitioners in Cyber Security.

Note that in researching these URLS/etc, I am doing so in a…


I’ve been getting a series of spam text messages from various phone numbers, likely compromised devices, which all seem to be from AT&T in origin. All of them say, “We will lock your device soon. Please clear your spam messages. Scan now” with a link to click, and let me tell you, DO NOT CLICK THE LINK and forward it to the SPAM number (7726, see bottom of article). The URL is likely designed to deliver ransomware, credential phishing, malware, spyware or anything the scammer desires. Also of note, the most recent reports about this kind of text message (smishing) spam/scam…


US Pipeline Ransomware Attack

A map of major US Pipelines (source).

In what is described as the “largest successful cyber attack” on fuel infrastructure to date, Colonial Pipeline’s infrastructure was hit by a ransomware attack, which led to the pipeline ceasing operations. According to Colonial Pipeline, prices for gasoline will not be impacted unless the pipeline stays down, and according to other sources, this could be a matter of 4–5 days (1–3).

US Pipeline Cyber Attack

On Friday, May 7th, 2021, Colonial Fuel Pipeline reported during trading that they were having network issues, and two people had reported issues posting “refined product batches, updates or changes to batch deliveries” using the Colonial Pipeline website (likely…


The Rockstar Decal Scam is what is known as a ‘car wrap scam’. Likely they will want you to pay for the installation of the decal and then bail. The scam usually starts out like “Could you allow ROCKSTAR ENERGY DRINK to put a small sticker on your vehicle and get $500 weekly?” This has been seen over and over in other similar scams, like the Bud Light Scam and the Mountain Dew Scam.

The Text Message

Hi, Could you allow ROCKSTAR ENERGY DRINK to put a small sticker on your vehicle and get $500 weekly? we want to multiply our customers…


We received a one word text message so I decided to take a deeper look. This URL exists simply as a forwarding site for marketing or promotional spam.

A single word text message: chacuns.co

Email Text Message

Last night, we received a one word text message. This appears to be marketing of a fake site. The one word text message came from magdalenqperripq5940@hotmail.com. This email was likely created for the purpose of spamming and was reported to outlook.com


The user receives a fairly legitimate looking phishing URL in a text stating that an unknown user logged into their account. It’s fake. The message is a clever phishing campaign and not from Coinbase. Learn more about it below.

(coinbase)-Unknown user Iog-in from lP 95.58.21.0,lf this was not you foIIow steps: [URL]
#see how the I & the L are switched? Evasion technique.
OR
(coinbase)-Unknown user Log in from IP 95.58.21.0, if this was not you follow steps: [URL]

As a side note, a scammer replaced the I & L in the text, and hilariously Google recommended a correction, albeit…
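The I/l swap in the Coinbase text above is a cheap filter-evasion trick: “Iog-in”, “lP”, “lf” and “foIIow” look right to a human in a sans-serif font but no longer match a keyword list. A practical way to catch it is to flag tokens that are not dictionary words as typed but become dictionary words once the two letters are swapped back, then decode them for the analyst. The script below is an added example written for this page, not code from the original post; the vocabulary, the sample messages (modeled on the texts quoted above) and the function names are all constructed for illustration.

```python
import re
from typing import List, Tuple

# The substitution the post describes: capital I and lowercase l traded for each
# other. Extending the table (e.g. '0' for 'o', '1' for 'l') is a one-line change.
SWAP = str.maketrans({"I": "l", "l": "I"})

# Constructed mini-vocabulary: words common in account-alert smishing plus the
# ordinary English words used by the benign sample. A real deployment would use
# a full dictionary; the technique does not change.
VOCAB = {
    "coinbase", "unknown", "user", "log", "login", "in", "from", "ip", "if",
    "this", "was", "not", "you", "follow", "steps", "url", "account", "click",
    "link", "verify", "locked", "suspended", "i", "will", "up", "with", "the",
    "team", "later", "that", "is", "fine",
}

# Alphabetic runs only; "Iog-in" becomes the tokens "Iog" and "in".
TOKEN_RE = re.compile(r"[A-Za-z]+")


def _decoded_if_swapped(tok: str) -> str:
    """Return the I/l-swapped form of tok when that form is a known word and
    tok itself is not, otherwise return tok unchanged."""
    if tok.lower() in VOCAB:
        return tok                      # reads fine as written
    candidate = tok.translate(SWAP)
    return candidate if candidate.lower() in VOCAB else tok


def swapped_tokens(text: str) -> List[Tuple[str, str]]:
    """(as_written, decoded) pairs for every token that only makes sense after
    undoing the I/l swap."""
    hits = []
    for tok in TOKEN_RE.findall(text):
        decoded = _decoded_if_swapped(tok)
        if decoded != tok:
            hits.append((tok, decoded))
    return hits


def is_swapped_smish(text: str) -> bool:
    """True when at least one token was disguised with the I/l swap."""
    return bool(swapped_tokens(text))


def decode(text: str) -> str:
    """Rewrite only the flagged tokens so the intended message can be read and
    matched against ordinary keyword rules."""
    return TOKEN_RE.sub(lambda m: _decoded_if_swapped(m.group(0)), text)


# Constructed samples: the swapped lure, its plain-text variant, and a benign
# sentence that legitimately contains "I" and "IP" so it must not be flagged.
SAMPLES = {
    "swapped": "(coinbase)-Unknown user Iog-in from lP 95.58.21.0,lf this was not you foIIow steps: [URL]",
    "plain": "(coinbase)-Unknown user Log in from IP 95.58.21.0, if this was not you follow steps: [URL]",
    "benign": "I will follow up with the IP team later, if that is fine.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:8} suspicious={is_swapped_smish(msg)} hits={swapped_tokens(msg)}")
    print("decoded:", decode(SAMPLES["swapped"]))
```

The check is deliberately two-sided: a token is flagged only when it fails the dictionary as written and passes it after the swap, so a sentence like “I will follow up with the IP team” stays clean while “lP” and “foIIow” are caught. Running the decoded message through the same keyword rules the swap was meant to dodge is then all the detection needs.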


My partner once hated spinach, and I have converted him to the cult of fresh cooked spinach. You are also welcome to join.

At some point I’ll get a better photo but this is all I have right now.

Ingredients

  • Three handfuls of cut fresh spinach
  • Two handfuls of cut fresh basil
  • Diced garlic (3 cloves)
  • Thinly sliced onions, about 1/4 C
  • One whole lemon, cut into halves
  • Johnny’s Fine Seasoning Salt (not optional)
  • Black Pepper (to taste)
  • Fennel Seed (2–3 TB or to taste)
  • Extra Virgin Olive Oil
  • Goat Cheese (optional)

Methodology

If you have a Dutch oven for this, use it, otherwise get a big ### saucepan. Remember if you are cooking a dinner, this should…


