A friend is relocating within the Bay Area and they’ve given me a Craigslist housing scammer. Overall it’s pretty pedestrian, there’s no money in it, but I’m trying to make the most of it, because there is some interesting infrastructure in the background.
Attention Conservation Notice:
This post does what it says on the tin - firing up Maltego, RiskIQ, and teasing out what’s happening with what I take to be an extended clown troupe using the same scam infrastructure.
Scam Posting:
On the surface this looks really good. It IS a bit far from the nearest BART stations, but that cost is enticing. Legitimate listings will be 50% more than this.
Do you see the immediate problem after the unbelievable price? That looks like a LOT more than a 12’x20’ studio to me, look through the doorways as much as you look at the rooms themselves. And no street address?? The other tipoff is this:
Credit report paid for by landlord.
Bay Area housing will usually involve a non-refundable credit check, a tiny bit of earnest money, filtering out the window shoppers and the like.
Scam Internals:
The victim who put me on to this had their own interactions. I started fresh to collect this.
We chatted a bit and I got this “credit check” email. Here’s the defanged link.
https://rent2checkr[.]com/25
This immediately flew to bits in the face of my Pi-hole local DNS. I told him it didn’t work and he offered a different option. Note the reduced price, lovely, isn’t it?
https://score4checkcredit[.]com/26
I complained about this link and received a THIRD option, this time without an attached image.
https://check2score[.]com/16
Infrastructure:
I put the domains into Maltego and ran a Footprint L1 machine on them. One of the three seems to already be down. See all the DNS hosts? That’s obviously a cPanel system, you don’t need the cpanel@tech.namecheap.com email to tell you that. This is a very common “network motif”, a structure you’ll see over and over. Real businesses of any size never show this, they get things cleaned up and minimized.
I looked at the IP using RiskIQ and found that it’s a busy shared cPanel system. Only ONE of these is the fraudster, the rest are just random tenants of the same system.
cpanel.admin.skilllinkz.com
cpanel.akamnaturecare.com
cpanel.alnikah.pk
cpanel.ancuahokhime.shop
cpanel.apkapps.me
cpanel.app.senditinternational.com
cpanel.auzies.com
cpanel.billing.ng
cpanel.citasremx.xyz
cpanel.cryptomall.com.ng
cpanel.cuancc.com
cpanel.davidbushell.ca
cpanel.dibalikawan.online
cpanel.erodev.com.ng
cpanel.faarha.com
cpanel.fmapk.com
cpanel.frezep.com
cpanel.galaxyshop.pk
cpanel.hayaku.me
cpanel.hbl.com.bd
cpanel.immunesupportx.com
cpanel.japaabroad.com.ng
cpanel.kasiacademy.in
cpanel.khiteruskiasilang.online
cpanel.kviki.me
cpanel.legioners.com.ua
cpanel.makemyplate.co
cpanel.malaka13.com
cpanel.moonfashion.pk
cpanel.msibest.xyz
cpanel.mw4d.com
cpanel.naijashine.com.ng
cpanel.narjisinfotech.in
cpanel.na-sir.com
cpanel.onethredcomms.com
cpanel.pakhec.com
cpanel.pakpdf.com
cpanel.paynama.co.uk
cpanel.radiantcreation.in
cpanel.realtornaija.com
cpanel.rtpkuystr.rtpslotgacor.win
cpanel.rtpstrsini.rtpslotgacor.win
cpanel.simpleshadi.pk
cpanel.skilllinkz.com
cpanel.smallbusinessidea.in
cpanel.studyonline.pk
cpanel.targetpayandbenefits.cfd
cpanel.thetsangs.ca
cpanel.triplehandsfoods.com.ng
cpanel.tsangs.ca
cpanel.tsangs.host
cpanel.urgentrishta.pk
cpanel.web.skilllinkz.com
cpanel.xobarriga.com.br
cpanel.ymhspq.com
cpanel.zentravel.us
They have used the cPanel account to create a variety of domains. These twenty-one are certainly involved and there may be others among the 1400+ DNS names using that single IP address.
aptnrent.com
aptrent2check.com
backgroundncheck.com
check2background.com
check2info.com
check2score.com
check4score.com
checkncredit.com
credit2checker.com
credit2information.com
creditinfochecker.com
creditncheck.com
creditninfo.com
creditnscore.com
happy2rent.com
happyrent2.com
info2rent.com
rentalcarway.com
renter4info.com
rentncheck.com
score4checkcredit.com
So I contacted NameCheap, and now we wait to see when it disappears, but there is a deeper layer to this.
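Sorting twenty-one names out of 1400+ on a shared IP is a triage problem, and the scammer’s naming habit (rent/check/credit/score/info glued together with 2, 4 or n) is a usable pivot. The following is an added example, not code from the post: a lexical scorer that tokenizes each name against that vocabulary and flags the ones it explains almost completely. The sample lists are constructed from the names on this page (the scam set, plus a few of the unrelated cPanel tenants as negatives); the vocabulary, the thresholds, and the “longest label” stand-in for a public-suffix lookup are assumptions. Note that it deliberately misses rentalcarway.com, which shares no vocabulary: a name heuristic finds the cluster, but outliers still need registrant, nameserver or creation-date pivots.

```python
import re

# Constructed sample: the names the post attributes to the scammer, plus a
# handful of the unrelated cPanel tenants on the same IP as negatives.
SCAM_DOMAINS = [
    "aptnrent.com", "aptrent2check.com", "backgroundncheck.com",
    "check2background.com", "check2info.com", "check2score.com",
    "check4score.com", "checkncredit.com", "credit2checker.com",
    "credit2information.com", "creditinfochecker.com", "creditncheck.com",
    "creditninfo.com", "creditnscore.com", "happy2rent.com", "happyrent2.com",
    "info2rent.com", "rentalcarway.com", "renter4info.com", "rentncheck.com",
    "score4checkcredit.com",
]
OTHER_DOMAINS = [
    "akamnaturecare.com", "davidbushell.ca", "zentravel.us", "realtornaija.com",
    "immunesupportx.com", "admin.skilllinkz.com", "paynama.co.uk",
    "smallbusinessidea.in", "naijashine.com.ng", "rtpkuystr.rtpslotgacor.win",
]

# Vocabulary observed in the scam names (an assumption drawn from this list).
# Longer alternatives come first so "information" is not cut into "info" + junk.
ROLE_WORDS = ("information", "info", "background", "checker", "check", "credit",
              "rental", "renter", "rent", "score", "apt", "happy")
CONNECTORS = ("2", "4", "n")
TOKEN_RE = re.compile("|".join(ROLE_WORDS) + "|[24n]")


def core_label(name: str) -> str:
    """Pick the label to score: the longest label that is not a hosting prefix.
    Heuristic standing in for a public-suffix lookup; an assumption, not a rule."""
    labels = [l for l in name.lower().split(".") if l not in ("cpanel", "www")]
    return max(labels, key=len) if labels else ""


def tokenize(label: str) -> list[str]:
    """Greedy left-to-right split of a label into vocabulary tokens."""
    return TOKEN_RE.findall(label)


def score_name(name: str) -> dict:
    """How much of the label the scam vocabulary explains, plus a flag.

    Flagged when the vocabulary covers at least 80% of the label and the
    label has either two role words or one role word joined by a connector.
    """
    label = core_label(name)
    tokens = tokenize(label)
    roles = [t for t in tokens if t in ROLE_WORDS]
    connectors = [t for t in tokens if t in CONNECTORS]
    coverage = sum(len(t) for t in tokens) / len(label) if label else 0.0
    flag = coverage >= 0.8 and (len(roles) >= 2 or bool(roles and connectors))
    return {"name": name, "label": label, "tokens": tokens,
            "coverage": round(coverage, 2), "flag": bool(flag)}


def pivot_candidates(names: list[str]) -> list[str]:
    """Names worth pulling into the investigation, best coverage first."""
    scored = [score_name(n) for n in names]
    ranked = sorted(scored, key=lambda s: (-s["coverage"], s["name"]))
    return [s["name"] for s in ranked if s["flag"]]


if __name__ == "__main__":
    for n in pivot_candidates(SCAM_DOMAINS + OTHER_DOMAINS):
        print(n)
```

Run it over the full passive-DNS export for the IP rather than this constructed sample; anything it flags is a candidate to confirm against WHOIS and nameserver data, not a conclusion on its own.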
Further Excavation:
The very first URL I received stumbled over Pi-hole because it contained a redirect to this:
https://www.ojrq[.]net/p/?return=https%3A%2F%2Fidentityforce.pxf.io%2Fc%2F10813%2F1675896%2F18952%3FsubId1%3D1433332081%26sharedid%3D668663%26subId2%3Dwr7kqrpa7avccuou2h0gvr4e%26level%3D1&cid=18952&tpsync=yes&auth=56caa90ed535b49e
Decoded, it’s this:
https://www.ojrq[.]net/p/?return=https://identityforce.pxf.io/c/10813/1675896/18952?subId1=1433332081&sharedid=668663&subId2=wr7kqrpa7avccuou2h0gvr4e&level=1&cid=18952&tpsync=yes&auth=56caa90ed535b49e
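Decoding this by hand works once; doing it for every link a scammer sends is tedious and error-prone, and you do not want to click through a hijacker just to see where it goes. The following is an added example (not code from the post): it unwraps the nested redirect offline with Python’s standard library, one hop per `return=`-style parameter, and pulls out the affiliate tracking values (subId1, sharedid, cid, auth and so on), which are the identifiers that tie a scam link back to a particular affiliate account. The URL is the one shown above; the list of other redirect parameter names and the set of tracking-key prefixes are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# The redirect shown in the post, kept in its defanged form.
OJRQ_URL = (
    "https://www.ojrq[.]net/p/?return="
    "https%3A%2F%2Fidentityforce.pxf.io%2Fc%2F10813%2F1675896%2F18952"
    "%3FsubId1%3D1433332081%26sharedid%3D668663"
    "%26subId2%3Dwr7kqrpa7avccuou2h0gvr4e%26level%3D1"
    "&cid=18952&tpsync=yes&auth=56caa90ed535b49e"
)

# Query keys that commonly carry the next hop of a redirect. "return" is the
# one this hijacker uses; the rest are assumptions about other redirectors.
REDIRECT_KEYS = ("return", "url", "u", "redirect", "redirect_url", "dest", "target")

# Key prefixes that carry affiliate/tracking state (assumed from this URL).
TRACKING_PREFIXES = ("subid", "sharedid", "cid", "auth", "level", "tpsync")


def refang(url: str) -> str:
    """Turn a defanged 'example[.]com' URL back into a parseable one."""
    return url.replace("[.]", ".")


def defang(url: str) -> str:
    """Defang only the host part so the URL is safe to paste into a report."""
    host = urlsplit(url).netloc
    return url.replace(host, host.replace(".", "[.]"), 1) if host else url


def unwrap_redirects(url: str, max_hops: int = 10) -> list[dict]:
    """Follow nested redirect parameters without making any network request.

    Returns one record per hop: host, path and the decoded query parameters.
    parse_qs percent-decodes values, so the embedded URL comes out clean and
    is parsed as the next hop. max_hops guards against a redirect loop.
    """
    hops = []
    current = refang(url)
    while current and len(hops) < max_hops:
        parts = urlsplit(current)
        params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        hops.append({"host": parts.netloc, "path": parts.path, "params": params})
        current = next(
            (params[k] for k in REDIRECT_KEYS
             if params.get(k, "").startswith(("http://", "https://"))),
            None,
        )
    return hops


def tracking_ids(hops: list[dict]) -> dict:
    """Collect the tracking parameters from every hop, keyed by host:param."""
    found = {}
    for hop in hops:
        for key, value in hop["params"].items():
            if key.lower().startswith(TRACKING_PREFIXES):
                found[f"{hop['host']}:{key}"] = value
    return found


if __name__ == "__main__":
    chain = unwrap_redirects(OJRQ_URL)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {defang('https://' + hop['host'] + hop['path'])}")
    for k, v in tracking_ids(chain).items():
        print(f"  {k} = {v}")
```

Two hops come out of this URL: www.ojrq[.]net carrying cid, tpsync and auth, then identityforce.pxf[.]io carrying subId1, sharedid, subId2 and level. Those values are what you hand to the affiliate network when reporting the account, and what you compare across the other links a scammer sends to see whether they share one affiliate identity.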
A quick Google for OJRQ dot net and malware shows a LOT of complaints. It’s described as a “hijacker”. The referral URL is a bit puzzling - IdentityForce was acquired by TransUnion. I used an unhardened browser, but with Pi-hole still active, picked my way through it, and signed up for the actual TransUnion service. This baffled scamboi and he sent the follow up URLs. I wonder what degree of compromise an unprepared system would face by doing that.
Among the blur of redirects I noticed another domain wrapped up in the middle of things, showing further signs of trying to misuse TransUnion. This is chaitneyprougees[.]com, and it’s got an interesting set of redirects.
And upon digging into these domains I hit paydirt. The afflat[a-z][0-9] domains are a counter filter domain cluster for MaxBounty, another affiliate marketing provider.
So the fraud stack is:
Gmail and a burner phone number.
Craigslist account.
NameCheap cPanel hosting for dozens of domains.
OJRQ malware/hijacker thing.
chaitneyprougees[.]com hosted on Amazon.
MaxBounty affiliate SaaS.
That’s a LOT of technology for a random scammer. The guy running the gmail/burner is NOT the admin for this stuff, he’s a foot soldier in a systemic fraud campaign. If this is happening in East Bay, it’s happening in every other housing market on Craigslist as well. The affiliate stuff provides a framework for the fraud, a way for the actual operators to equip and track those they recruit to run the scams.
Conclusion:
I think I managed to hit the NameCheap portion of this operation, but it’ll take a couple days. I sent LinkedIn connection requests to people who listed the companies providing the services as their employers. I got one “I left the company recently” response and I’m thinking that’s BS. Given the state of the world, I’m going to guess they’re vaguely aware of the problem and they turn a blind eye, so long as they’re getting paid.
Part of the reason I chose to work on this is my own “skill stack”. Humans behaving badly is something I see all the time, as are the various hosting related services. Where I’m basically flying blind is all this stuff in the middle. I know vulnerable browsers get hit with malware, but my stuff is so tight I don’t actually experience it. The use of redirects, URL obfuscation, and the purpose of the affiliate marketing program I get at a conceptual level, but the details remain a mystery to me.
There isn’t any place where someone with my motivations could just sign up and get schooled in this stuff in a fulsome, structured fashion. If I want this, I’m going to have to just take random small cases and poke around until I see patterns start to emerge from the fog.