<h1><strong>Key Findings</strong></h1> <ul> <li>In early December 2020, Anomali Threat Research identified a website engaging in fraudulent dog sales, specifically for German Shepherds.</li> <li>The analysis revealed 17 additional websites also engaging in pet fraud activities for birds and cats, as well as one phone number match for a Facebook page car fraud scheme, and one number for an essential oils scam.</li> <li>The actor(s) behind this campaign are not sophisticated, and aim to receive non-refundable deposits for fraudulent pet sales and services; payment methods include Bitcoin, PayPal, Zelle, etc.</li> <li>The actor(s) have been active since at least November 2018.</li> </ul> <h1><strong>Overview</strong></h1> <p>Threat actor(s) engaging in fraudulent pet-selling activities appear to have increased their recent efforts as the Holiday Season continues. The actors are scamming victims into believing that birds, cats, and dogs are available for purchase.</p> <p>The COVID-19 pandemic has increased pet purchases as stay-at-home policies and remote work make people seek companionship from their animal friends, a condition that may amplify the bad actors’ ability to run a more successful scam.
Furthermore, these scams focus on purebred dogs, which again are increasingly difficult to find.</p> <p>The fraud scheme works as shown in Figure 1 below.</p> <p style="margin-left:.5in;"><img alt="" src="https://cdn.filestackcontent.com/CCzCPYXQTirNBpcjRTEw"/><img alt="" src="https://cdn.filestackcontent.com/2we6aEpzRpizHsrCA0xM"/><img alt="" src="https://cdn.filestackcontent.com/b68qAin5StS8OXQBOhOs"/></p> <p style="margin-left:.5in;"><img alt="" src="https://cdn.filestackcontent.com/Wp1DsBS7TwW0ZHusMcbw"/><img alt="" src="https://cdn.filestackcontent.com/ihrPrS2SvCiXOwePPme2"/><img alt="" src="https://cdn.filestackcontent.com/QQttDRDSr2gFABPvy5kc"/></p> <p align="center"><strong>Figure 1 -</strong> Fraud Chain</p> <h1><strong>Details</strong></h1> <p>In early December 2020, Anomali Threat Research discovered a suspicious website (darlinggermanshepherds[.]com) purporting to be selling German Shepherd puppies, shown in Figure 2 below. The website is designed with a modicum of skill where actors took images and text from open sources (Facebook, legitimate websites, Wikipedia) to make their site appear more authentic.</p> <p align="center"><img alt="" src="https://cdn.filestackcontent.com/DUCvocAURMuXwiNegxaS" style="width: 600px; height: 433px;"/></p> <p align="center"><strong>Figure 2 - </strong> darlinggermanshepherds[.]com Homepage</p> <p>Anomali Threat Research analyzed the website and was able to find 17 additional websites engaging in pet fraud. The websites all share similar and sometimes identical text in their reviews/testimonials pages. There are also numerous typos in the testimonials with one post discussing how a German Shepherd had “hatched” and was available, which is a clear copy-and-paste error from the actors’ bird fraud websites. 
The analysis revealed a pet fraud campaign spanning multiple websites and shared hosting providers.</p> <h2><strong>Text Analysis</strong></h2> <p>Anomali Threat Research found commonalities amongst the text throughout the websites. Obvious words were incorrect, such as testimonials with extra spaces where the actor changed the type of animal or forgot to change to the appropriate pet as advertised on the site. Table 1 below shows a small sample of how the actors are using identical and modified versions of the same testimonials located on multiple websites.</p> <p><strong>Table 1 - </strong>Re-use of Testimonials / Reviews</p> <table border="1" cellpadding="0" cellspacing="0" width="762"> <tbody> <tr> <td style="width:243px;"> <p><strong>darlinggermanshepherds.com</strong></p> </td> <td style="width:257px;"> <p><strong>saparrotsbreeders.com</strong></p> </td> <td style="width:263px;"> <p><strong>gorgeousgentlepuppies.com</strong></p> </td> </tr> <tr> <td style="width:243px;"> <p>Darling German Shepherds was a guiding light in an otherwise confusing maze of information that would-be Puppy purchasers have to navigate!</p> </td> <td style="width:257px;"> <p> </p> </td> <td style="width:263px;"> <p>Gorgeous Gentle Puppies was a guiding light in an otherwise confusing maze of information that would-be Puppy purchasers have to navigate!</p> </td> </tr> <tr> <td style="width:243px;"> <p>I remember listening to a voice mail from Darling German Shepherds informing me that the German Shepherd baby had hatched and was available.</p> </td> <td style="width:257px;"> <p>I remember listening to a voice mail from Parrots Nest Breeders informing me that the Hyacinth macaw baby had hatched and was available.</p> </td> <td style="width:263px;"> <p> </p> </td> </tr> <tr> <td style="width:243px;"> <p>My husband races motorcycles and we take Kahuna with us, even with all the commotion, people, and engines, he just sits on his stand basking in the sun on one foot.</p> </td> <td 
style="width:257px;"> <p>My husband races motorcycles and we take Kahuna with us, even with all the commotion, people, and engines, he just sits on his stand basking in the sun on one foot.</p> </td> <td style="width:263px;"> <p>My husband races motorcycles and we take Kahuna with us, even with all the commotion, people, and engines, he just sits on his stand basking in the sun on one foot.</p> </td> </tr> <tr> <td style="width:243px;"> <p> </p> </td> <td style="width:257px;"> <p>I really don't know where to start, but I guess saying thank you for starters is adequate. Sammy has helped me and my family deal with the loss of a dear family member as you already knew.</p> </td> <td style="width:263px;"> <p>I really don’t know where to start, but I guess saying thank you for starters is adequate. Sammy has helped me and my family deal with the loss of a dear family member as you already knew.</p> </td> </tr> </tbody> </table> <h2><strong>Image Analysis</strong></h2> <p>The actors appear to have put in slightly more effort when populating their sites with animal images. Most of the images come from old websites, ancient by technology standards, that are no longer maintained by administrators, and from generic locations like Facebook and Wikipedia.
This makes some of the images almost unique because they are only located on these old sites and the fraudulent ones.</p> <p><img alt="" src="https://cdn.filestackcontent.com/1OPp5qMlRoqWobvlrrNd" style="height: 484px; width: 350px;"/><img alt="" src="https://cdn.filestackcontent.com/l8UKPEGYTxuB6UYkikE3" style="height: 508px; width: 290px;"/><img alt="" src="https://cdn.filestackcontent.com/YphhDjvQhmgIkdnpbp7g" style="height: 498px; width: 300px;"/></p> <p align="center"><strong>Figure 3 - </strong>Example Fake Puppies for Sale: guardgoldenretriever[.]com, beaglepuppiesforsales[.]com, gorgeousgentlepuppies[.]com</p> <h1><strong>Recommended Actions</strong></h1> <ul> <li>Be extremely cautious if the price is too good to be true.</li> <li>Be extremely cautious if the site does not provide you with the owner’s name, address, and social pages.</li> <li>Pay attention to elaborate testimonials that are too good to be true. They are often copied, so Google part of one to see whether it is unique.</li> <li>Pay attention to typos and phrases like “Labrador baby had hatched”; scammers are often sloppy with their templates and have bad English.</li> <li>If they give you a phone number, try Googling it. Often the fraudsters use the same phone number for different schemes, and it might be already listed on some scam lists.</li> <li>Be extremely careful if you are advised to pay for your future pet with Bitcoin or gift cards, which is even more suspicious.</li> </ul> <p>For more technical users:</p> <ul> <li>Check the domain creation date. It is especially suspicious if the domain was registered this year, but has a copyright footnote with a 2015 timestamp.</li> <li>Do a reverse image search to see if the images were stolen from another site.</li> <li>See if HTML code connects this site with other suspicious domains. Advanced site builders might have matching tags such as a Google Analytics ID.
Basic fraud sites described here often had meta tags copied from another domain.</li> </ul> <h1><strong>IOCs</strong></h1> <p><strong>Fraud domains</strong></p> <p><strong>Phone Numbers</strong></p> <p>+1 3025143315<br/> +27 834893640<br/> +27 835885423</p>
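<p>The testimonial re-use shown in Table 1 can be checked mechanically. The following is an added example, not part of the original report or Anomali's tooling: it aligns testimonials word by word, scores cross-site pairs, and reports the slots where a brand or animal name was swapped. The 0.7 threshold and the function names are assumptions; the sample text is quoted from Table 1.</p>

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Testimonials quoted in Table 1 of this report, keyed by (defanged) site.
SAMPLE = {
    "darlinggermanshepherds[.]com": [
        "Darling German Shepherds was a guiding light in an otherwise confusing "
        "maze of information that would-be Puppy purchasers have to navigate!",
        "I remember listening to a voice mail from Darling German Shepherds informing "
        "me that the German Shepherd baby had hatched and was available.",
    ],
    "saparrotsbreeders[.]com": [
        "I remember listening to a voice mail from Parrots Nest Breeders informing "
        "me that the Hyacinth macaw baby had hatched and was available.",
    ],
    "gorgeousgentlepuppies[.]com": [
        "Gorgeous Gentle Puppies was a guiding light in an otherwise confusing "
        "maze of information that would-be Puppy purchasers have to navigate!",
    ],
}

def words(text):
    """Lower-case word tokens; apostrophe style is ignored so ' and ’ compare equal."""
    return re.findall(r"[a-z0-9]+", re.sub(r"['’]", "", text.lower()))

def compare(a, b):
    """Return (word-level similarity 0..1, [(words only in a, words only in b), ...])."""
    wa, wb = words(a), words(b)
    sm = SequenceMatcher(None, wa, wb, autojunk=False)
    swaps = [(" ".join(wa[i1:i2]), " ".join(wb[j1:j2]))
             for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]
    return round(sm.ratio(), 2), swaps

def find_reuse(sites, threshold=0.7):
    """Cross-site testimonial pairs at or above the threshold, with the swapped slots."""
    items = [(site, text) for site, texts in sites.items() for text in texts]
    hits = []
    for (site_a, a), (site_b, b) in combinations(items, 2):
        if site_a == site_b:
            continue  # only re-use across different sites is of interest
        score, swaps = compare(a, b)
        if score >= threshold:
            hits.append((site_a, site_b, score, swaps))
    return hits

if __name__ == "__main__":
    for hit in find_reuse(SAMPLE):
        print(hit)
```

<p>The swapped slots are the useful output: a pair that differs only in a business name and an animal name is a shared template, and a leftover word such as "hatched" on a dog site stands out once the slots are isolated.</p>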
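<p>Two of the checks listed for more technical users, linking sites through shared HTML tags and comparing the copyright footnote with the domain creation date, can be scripted as below. This is an added example, not code from the original report: the pages and <code>.example</code> domains are constructed, the Google Analytics ID is a placeholder, and the registration year is assumed to come from a separate WHOIS lookup.</p>

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

GA_ID = re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")
COPYRIGHT_YEAR = re.compile(r"(?:©|&copy;|copyright)\D{0,20}((?:19|20)\d{2})", re.I)
META_NAMES = {"description", "keywords", "author"}

class MetaCollector(HTMLParser):
    """Collect (name, content) for the <meta> tags that site templates carry along."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name, content = (a.get("name") or "").lower(), (a.get("content") or "").strip()
        if tag == "meta" and name in META_NAMES and content:
            self.found.add(("meta:" + name, content.lower()))

def fingerprints(html):
    """Google Analytics IDs plus selected meta-tag contents found in one page."""
    collector = MetaCollector()
    collector.feed(html)
    return collector.found | {("ga", ga) for ga in GA_ID.findall(html)}

def shared_fingerprints(pages):
    """Map each fingerprint present on two or more sites to those sites (sorted)."""
    seen = defaultdict(set)
    for site, html in pages.items():
        for fp in fingerprints(html):
            seen[fp].add(site)
    return {fp: sorted(sites) for fp, sites in seen.items() if len(sites) > 1}

def backdated_copyright(html, registered_year):
    """Copyright years in the page that are earlier than the domain's registration year."""
    return sorted({int(y) for y in COPYRIGHT_YEAR.findall(html) if int(y) < registered_year})

# Constructed pages for placeholder domains; not content from the sites in this report.
PAGES = {
    "site-a.example": '<meta name="description" content="Home raised puppies for sale">'
                      '<footer>&copy; 2015 Site A</footer>',
    "site-b.example": '<meta name="Description" content="home raised puppies for sale ">'
                      "<script>ga('create', 'UA-00000000-1', 'auto');</script>",
    "site-c.example": "<script>ga('create', 'UA-00000000-1', 'auto');</script>"
                      '<footer>Copyright 2020 Site C</footer>',
}
```

<p>Here site A and site B are tied by a copied meta description and site B and site C by the analytics ID, so the three form one cluster even though no single tag appears on all of them.</p>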