“SpaceX” Scammers—YouTube Just Doesn't Care

3 Likes

More than a year after I posted about scammers on YouTube trading on the celebrity of Elon Musk and SpaceX (which had been going on for quite a while before I posted), it’s still going on, and has now risen to a new pinnacle of stupidity which is epic in its own cockroach-brain category. Showing up today on the first page of recommended videos for my YouTube account is this piece of…work.

“Elon Musk’s Virgin Galactic”—well, that’s interesting, from “Tesla”. Let’s look at the YouTube account that posted the video.

“TeslaEUR.”, registered in India, in 2011, with 1500 videos posted and 7.6 million views. That sounds legit, doesn’t it? Note that the trailing period is part of the account name. This allows them to spoof what looks like a legitimate account.

Now let’s see what they’re hawking. Click through to the “Live video” and we see some recycled video of what appears to be a younger Elon Musk with a Live Chat popped up.

Ahhh…there’s the scam, a two-for-one crypto grift, the same one they’ve been running for over a year. Let’s check out the domain, muskday.org.

$ whois muskday.org
Domain Name: muskday.org
Registry Domain ID: 9ce3e518146341ceb4a80ecbe452f6a5-LROR
Registrar WHOIS Server: https://www.nic.ru/whois
Registrar URL: https://www.nic.ru/whois
Updated Date: 2023-06-28T13:48:13Z
Creation Date: 2023-06-28T13:48:12Z
Registry Expiry Date: 2024-06-28T13:48:12Z
Registrar: Regional Network Information Center, JSC dba RU-CENTER
Registrar IANA ID: 463
Registrar Abuse Contact Email: tld-abuse@nic.ru
Registrar Abuse Contact Phone: +7.4959944601

Yup. Russia, registered two days ago, with all of the registrant information “REDACTED FOR PRIVACY”.

What awaits us at that domain?

Why, it’s Tesla, run by that Elon Musk fellow who shot the Virgin Galactic rocket up into “space”. Quick, let’s send him some Bitcoin before the whole US$ 100,000,000 promotion is gone. Remember, “You can only participate once!”.

The domain is registered in Russia, but where are the servers? A DNS query directs us to:

muskday.org.		300	IN	A	104.21.18.56
muskday.org.		300	IN	A	172.67.180.109

And those IP addresses? Why, they’re CloudFront cut-outs operated by Amazon Web Services, which serve content while hiding those responsible for it.

Since I started writing this, the @TeslaEUR. scam has been taken down and shortly thereafter replaced by one called @Tesla_USA. (again with the trailing period) which then was taken down. At least they do seem to be reacting more quickly, but there’s nothing which seems to prevent scammers creating these sites or to keep them from bubbling to the top of the YouTube recommendations.

Update: It’s baaaack! Now titled “Elon Musk’s Virgin Galactic 01 Mission: A Historic Commercial Crew Launch”, from an account calling itself “Tesla US” with the Tesla logo and a YouTube account name of @_Tesla_Us_Live____, which purports to have been created on 2015-01-30, based in Mexico, posted 404 videos with 28,988,634 views, and 128 subscribers. The chat piles one scam on another, beginning with:

US$5.4 M raised • Helping people affected by the war in Ukraine

(2023-06-30 14:04 UTC).

4 Likes

EU seems more concerned with slightly or significantly less fraudish crypto issues:

2 Likes

Monopolists are just like government - they don’t care.

3 Likes

https://www.yahoo.com/news/travelers-delta-flight-canceled-called-210821464.html

6 Likes

A reminder about trusting ‘Google’ to index our information.

4 Likes

Now they’re just taunting Elon.

This was posted on Twitter/X on 2023-07-28, promoting what appears to be a crypto token scam. The Twitter account which purports to have promoted this tweet:


is real, verified, but does not appear to have tweeted anything since 2018-10-08. The “Promoted” tweet does not appear in its history, so maybe it has been deleted.

Clicking on the embedded tweet brought up a “Tweet not available” message, so at least it looks like they’re shutting these down. From comments on the tweet, it appears this scam has been running on Facebook as well.

2 Likes


Happily for me, I use Brave browser and Express VPN. From time to time, Brave offers me information on intrusions which it has blocked. The vast majority are google and facebook (with which I have no account!). I await my ability to stand on the sidelines to applaud their being broken up (or burned down).

3 Likes
2 Likes

This scam has been running on 𝕏/Twitter for more than 11 hours (click it to see if it’s still up: clicking a tweet cannot cause harm, but all bets are off if you click links within one).


They’re using the 𝕏 logo without permission to promote—you guessed it—a crypto scam. If you go to the linked “xcoindrops.com” (Don’t!) you see a page promoting “$X The World’s Currency”, and this teaser:


Clicking “Claim” (which I did in a Tor browser window) extrudes a pop-up inviting you to “link” your in-browser crypto wallet to share in the bounty. I have a guess as to what happens immediately you do.

Let’s do a little digging. Who is “xcoindrops.com”? I have elided useless identity hiding outputs in the following.

$ whois xcoindrops.fun
Domain Name: XCOINDROPS.FUN
Registry Domain ID: D384630540-CNIC
Registrar WHOIS Server: whois.PublicDomainRegistry.com
Registrar URL: https://publicdomainregistry.com
Creation Date: 2023-08-01T22:54:33.0Z
Registry Expiry Date: 2024-08-01T23:59:59.0Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrant Organization: pool inc
Registrant State/Province: Moskovskaya oblast
Registrant Country: RU
Name Server: JULE.NS.CLOUDFLARE.COM
Name Server: LOU.NS.CLOUDFLARE.COM

Aha! Russian scammer, domain registered yesterday, 2023-08-01. And their site is front-ended by Cloudflare, that oh-so-virtuous site that fiercely defends free speech as long as they don’t disagree with it.

4 Likes

An interesting question is whether, pursuant to their terms of service, a company such as X/Twitter can engage white hat hackers against such scammers. For example, it appears that the YouTuber Scammer Payback has an arrangement with AnyDesk that allows him to counter-hack scammers that use AnyDesk software.

4 Likes
2 Likes

And now, the crypto scammers have landed on the shores of 𝕏.


(This showed up as “Promoted” in my “Following” timeline at the time noted in the screen shot. As of 2023-08-27 at 14:45 UTC, almost seven hours later, it was still active on Twitter. Click the screen shot above to see if it’s still there.)

Now, let’s fire up a secure incognito window and follow the link in the post.


Well, how about that!

Who are those guys?

$ whois spc-project.net
   Domain Name: SPC-PROJECT.NET
   Registry Domain ID: 2809073704_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.reg.com
   Registrar URL: http://www.reg.ru
   Updated Date: 2023-08-27T00:34:45Z
   Creation Date: 2023-08-27T00:32:24Z
   Registry Expiry Date: 2024-08-27T00:32:24Z
   Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC
   Registrar IANA ID: 1606
   Registrar Abuse Contact Email: abuse@reg.ru
   Registrar Abuse Contact Phone: +74955801111
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: ABBY.NS.CLOUDFLARE.COM
   Name Server: NED.NS.CLOUDFLARE.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

Domain name: SPC-PROJECT.NET
Registry Domain ID: 2809073704_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.reg.com
Registrar URL: https://www.reg.com
Registrar URL: https://www.reg.ru
Updated Date: 2023-08-27T00:34:45Z
Creation Date: 2023-08-27T00:32:24Z
Registrar Registration Expiration Date: 2024-08-27T00:32:24Z
Registrar: Registrar of domain names REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID: 
Registrant Name: Modest Zverev
Registrant Organization: Private Person
Registrant Street: Lenin str., 12, ap. 34
Registrant City: Chekalino
Registrant State/Province: Samara
Registrant Postal Code: 695807
Registrant Country: RU
Registrant Phone: +7.9160000000
Registrant Phone Ext:
Registrant Fax: +7.9160000000
Registrant Fax Ext:
Registrant Email: qq8eaw+35grdjt8e2kxk@sharklasers.com
Registry Admin ID: 
Admin Name: Modest Zverev
Admin Organization: Private Person
Admin Street: Lenin str., 12, ap. 34
Admin City: Chekalino
Admin State/Province: Samara
Admin Postal Code: 695807
Admin Country: RU
Admin Phone: +7.9160000000
Admin Phone Ext:
Admin Fax: +7.9160000000
Admin Fax Ext:
Admin Email: qq8eaw+35grdjt8e2kxk@sharklasers.com
Registry Tech ID:  
Tech Name: Modest Zverev
Tech Organization: Private Person
Tech Street: Lenin str., 12, ap. 34
Tech City: Chekalino
Tech State/Province: Samara
Tech Postal Code: 695807
Tech Country: RU
Tech Phone: +7.9160000000
Tech Phone Ext:
Tech Fax: +7.9160000000
Tech Fax Ext:
Tech Email: qq8eaw+35grdjt8e2kxk@sharklasers.com
Name Server: abby.ns.cloudflare.com 
Name Server: ned.ns.cloudflare.com 
DNSSEC: Unsigned

As a former U.S. president said, “Russia, Russia, Russia”. The domain was registered…wait for it…today, 2023-08-27 at 00:32:24 UTC.

Where does it send us?

$ dig -t A go.spc-project.net
go.spc-project.net.	0	IN	A	146.112.61.108

Where’s that?

$ dig -x 146.112.61.108
108.61.112.146.in-addr.arpa. 3089 IN	PTR	hit-phish.opendns.

Okay, OpenDNS has flagged this as a “phishing” (you see, it makes you more 1337 when you misspell a common word) site. Let’s go “phishing”.

Ahhhh, well, it does seem to be completely blocked now. I can’t get past the Cloudflare front-end, which takes me to the “phish” redirect.

Note that the URL has an https: certificate. Who issued it to them? Let’s ask Qualys SSL Labs:

Who might this “GTS CA” be? Why, that’s none other than “Google Trust Services”, whose home page proclaims they are “Helping build a safer Internet by providing a transparent, trusted, and reliable Certificate Authority.” They issued the certificate yesterday, 2023-08-26.

Helping, indeed. What’s the difference between “GTS” and “GTA”? GTA is a game about criminal activity.

As of 2023-08-27 at 15:30 UTC, the “phish” hook is still up on 𝕏, “Promoted”.

Surf safe.

4 Likes
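The WHOIS triage the xcoindrops.fun and spc-project.net posts above walk through by hand can be made repeatable. This is an added example, not code from the thread: it parses WHOIS text of the kind quoted above and reports the indicators those posts point to (registration within days of the sighting, registrant country not matching the impersonated brand, Cloudflare name servers hiding the origin, a throwaway contact address). The 30-day threshold, the expected brand country "US" and the disposable-mail list are assumptions.

```python
import re
from datetime import datetime

# Constructed from the spc-project.net WHOIS output quoted in the thread (trimmed).
SAMPLE_WHOIS = """\
   Domain Name: SPC-PROJECT.NET
   Creation Date: 2023-08-27T00:32:24Z
   Registrant Name: Modest Zverev
   Registrant Country: RU
   Registrant Email: qq8eaw+35grdjt8e2kxk@sharklasers.com
   Name Server: ABBY.NS.CLOUDFLARE.COM
   Name Server: NED.NS.CLOUDFLARE.COM
"""

# Assumed list of throwaway-mail domains; sharklasers.com belongs to Guerrilla Mail.
DISPOSABLE_MAIL = {"sharklasers.com", "guerrillamail.com"}

def parse_whois(text):
    """Collect key/value pairs; repeated keys (e.g. Name Server) accumulate into a list."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def parse_ts(value):
    """Parse WHOIS timestamps, tolerating a trailing 'Z' and fractional seconds."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)

def domain_risk_flags(fields, observed_at_iso, max_age_days=30, expected_country="US"):
    """Heuristic red flags for a domain posing as a brand based in expected_country."""
    flags, observed_at = [], parse_ts(observed_at_iso)
    if created := fields.get("creation date"):
        age_days = (observed_at - parse_ts(created[0])).days
        if age_days <= max_age_days:
            flags.append(f"domain registered {age_days} day(s) before observation")
    for country in fields.get("registrant country", []):
        if country.upper() != expected_country:
            flags.append(f"registrant country {country} differs from brand country {expected_country}")
    if any("REDACTED" in v.upper() for vals in fields.values() for v in vals):
        flags.append("registrant identity redacted")  # seen on muskday.org above
    if any(ns.lower().endswith(".ns.cloudflare.com") for ns in fields.get("name server", [])):
        flags.append("name servers on Cloudflare: origin host hidden behind the CDN")
    for mail in fields.get("registrant email", []):
        if mail.rpartition("@")[2].lower() in DISPOSABLE_MAIL:
            flags.append(f"registrant email on disposable provider {mail.rpartition('@')[2]}")
    return flags
```

Run as `domain_risk_flags(parse_whois(SAMPLE_WHOIS), "2023-08-27T14:45:00Z")` to reproduce the four observations made in the post; a long-registered domain with a matching country and ordinary contact data returns an empty list.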