Hey everyone,

This is a continuation of the post "Work from home and earn 5000 Rs everyday (Analysis of Gooe, Bozerclubs, Boninclubs, Coem .., China scammers op?)" on the same scam. In case you have not read it, you can find it at the link below:

http://www.pranav-venkat.com/2020/07/work-from-home-and-earn-5000-rs-analysis-of-gooe-bozerclubs-boninclubs-coem-china-scammers-op.html

In this blog post I show some more evidence and research that I collected in the last few days, which once again points to scammers from the China region (Hong Kong, Taiwan, Macau).

Research on email IDs associated with this scam (OSINT):

The email ID coco718718@yahoo.com was obtained from a person who was playing “qualeclubs.com” in the past.

During information gathering on the email ID “coco718718@yahoo.com”, I used the password recovery option, which in turn gave the gist of the mobile number linked to the account: the number linked to this account starts with +8**.

Possible countries that have a +8** series code:

+852 - Hong Kong, +853 - Macau, +886 - Taiwan, +86 - China



Email IDs that were obtained during the initial research:

vanessaliu718@yahoo.com
lindong11234@gmail.com
zhangan19890@gmail.com


Recovery details of the merchant email ID: vanessaliu718@yahoo.com



Recovery details of the merchant email ID lindong11234@gmail.com (The device linked to this mail is Oppo R15 梦境版)


https://www.oppo.com/cn/product/r15/index.html



The email recovery number linked to zhangan19890@gmail.com is *** **** **05 (the three-digit country code can be any country code, but since a lot of evidence points to Hong Kong (China), it is more likely that this is a Hong Kong or Taiwan number).



Social engineering three mobile numbers associated with this scam:
  • +91-9159514382 - I got this number from a person who was previously involved in playing this game on “qualeclubs.com”. He mentioned that he was added to a WhatsApp group and that this number was the “promoter of qualeclubs.com” in that WhatsApp group.
(The picture being used by this scammer could be someone else's pic, so I have hidden it for privacy reasons.)



Some snippets from the chat:



While social engineering this number, my server got a hit from a Japan IP, 172.104.114.84 (could be a VPN, or does this scammer stay in Tokyo?).



  • +91-8006443726 - I got this number from a marketing website, “www.gogeclub.com”. But after I social engineered this number, they updated the same website with different numbers. As proof, I have shown the Google cached page.


(The picture being used by this scammer could be someone else's pic, so I have hidden it for privacy reasons.)





Some snippets from the chat:



While social engineering this number, I didn’t get a hit initially, but slowly started noticing IPs, mostly from Hong Kong, Taiwan and China:

40.83.93.244 - Hong Kong
149.129.119.3 - China
154.223.74.146 - Hong Kong
211.23.12.9 - Taiwan
211.23.211.66 - Taiwan
182.239.114.159 - Hong Kong



  • +91-7760324771 - I obtained the third number from the marketing website "www.comc.in".

Some snippets from the chat:





While social engineering this number, I mostly got hits from Hong Kong, the Philippines and China. This gives a thought: the operation is mainly originating from the China region, but the other IPs indicate that either the scammers are spread across different countries or they are using a VPN.

137.59.213.83 - Hong Kong
137.59.213.82 - Hong Kong
137.59.213.84 - Hong Kong
61.9.105.13 - Philippines
121.54.32.167 - Philippines
59.57.153.86 - China
8.210.152.245 - Singapore
86.98.47.141 - UAE
13.209.41.202 - South Korea


I noticed a few points while chatting with these scammers:
  • Most of their chat looks so professional (like a Google-translated reply, not an Indian-style reply). Yes, most people who speak Mandarin use translation services a lot.
  • If you look at the second and third chats, both addresses given are the same (though the websites are different), and the spelling of "address" is written as "adress", which implies all the websites come under one operation.
  • In the second chat, that person uses the term "I don't parse" and keeps replying with the same thing, lol, this even made me think they might be a bot :P

For everyone who is playing this game (points you should ask/note):
  1. None of these websites has any physical presence in India (no office)
  2. None of these websites has any digital presence in India (since all domains are hosted either in China or HK)
  3. These companies/websites have no registration done with MCA
  4. No legal proof can be found on these websites
  5. The money people are investing, where's it really going?
  6. Who is behind all this?
  7. How are these scammers using Indian mobile numbers?
  8. All these domains have come into existence since the middle of January 2020, and to this day the number is growing wildly
  9. Why do these websites keep changing their website names?
  10. Why should someone launch an illogical game and propagate it via different websites?
  11. Why do all these websites use the same strategy?

Just for everyone's reference:

The following is a list of gambling/trading websites; all of them came into existence starting from the middle of January 2020, and the list is growing wildly! (For the list of marketing websites, refer to my previous blog post.)

Awareness video on this scam:





Part 3: Connecting the dots, refer to the article below:
http://www.pranav-venkat.com/2020/07/work-from-home-and-earn-5000-rs-analysis-osint-bozer-gooe-castoclub-coem-scam-linkyun-dokypay-china.html