Textsplosion – Malicious Texts!

[UPDATED: 12/30/20] Beginning in late September 2020, The Daily Scam began to experience, and hear from our readers about, an explosive increase in very sketchy, spammy texts arriving on people’s smartphones. The great majority of these texts contained links that, we believe, likely lead to malware infections of phones. We believe that the same cybercriminal gang is responsible for most of them because most follow a similar pattern. Some of these texts are simple social engineering tricks meant to produce a click or a response that will confirm that the recipient is a real, and gullible, human being. Don’t be that person who responds!

We STRONGLY urge readers to delete questionable/suspicious texts.  Do not reply, do not text back with “stop” and never, ever click the links in these texts!

Below you’ll find screenshots of these texts that we suspect are malicious or suspicious, along with additional information we know about them. Most of the domains found in the links in these texts were registered within days or even hours of the text being sent.  This is a serious warning sign of malicious intent!  Rarely will a business register a new domain and use it within days of having registered it.  
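The domain-age warning sign described above can be checked mechanically. The following is an added example, not code from The Daily Scam: it pulls defanged domains out of a text body and compares each registration date with the date the text arrived. The `REGISTERED` table stands in for a WHOIS/RDAP lookup, its first three dates are worked out from entries on this page, and the `established.example` entry, the 30-day cut-off and the function names are assumptions.

```python
import re
from datetime import date

# Stand-in for a WHOIS/RDAP lookup. The first three dates are derived from
# this page's entries; the last one is a constructed contrast case.
REGISTERED = {
    "bc5ti.com": date(2020, 11, 27),          # same day as the text
    "hf20q.com": date(2020, 11, 20),          # day before the text
    "sp12v.com": date(2020, 11, 19),          # 4 days before the text
    "established.example": date(2015, 1, 1),  # constructed
}

# Matches plain and defanged hostnames, e.g. "94wbg[.]com" or "a.b.com".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})\b", re.I)
MAX_AGE_DAYS = 30  # assumed cut-off; the page only says "days or even hours"


def extract_domains(text):
    """Return lower-cased, re-fanged domains found in a text message body."""
    return [m.replace("[.]", ".").lower() for m in DOMAIN_RE.findall(text)]


def assess(text, received, max_age_days=MAX_AGE_DAYS):
    """Return (domain, age_in_days, verdict) for every domain in the text."""
    findings = []
    for domain in extract_domains(text):
        registered = REGISTERED.get(domain)
        age = (received - registered).days if registered else None
        if age is None or age < 0:
            # No registration record, or a date that contradicts the receipt.
            findings.append((domain, None, "unknown"))
        elif age <= max_age_days:
            findings.append((domain, age, "newly-registered"))
        else:
            findings.append((domain, age, "established"))
    return findings


if __name__ == "__main__":
    samples = [  # message bodies quoted from this page, links appended
        ("Congrats! Looks like a new PS5 might be on the way to you "
         "bc5ti[.]com", date(2020, 11, 27)),
        ("Your Netflix account will be locked because your payment was "
         "declined sp12v[.]com", date(2020, 11, 23)),
        ("Gm my love if u could spare I need my beauty lol", date(2020, 11, 21)),
    ]
    for body, received in samples:
        print(received, assess(body, received))
```

An empty result, as for the last sample, means the message carries no link at all, which this page treats as bait for a reply rather than as a sign of safety.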

We’ve organized these texts by category (see below) and will routinely update the list as our readers continue to send us screenshots.

1. Gifts For You (Holiday gifts, Giveaways, & Prize/Lottery Winners)

11/27/20 – “Congrats! Looks like a new PS5 might be on the way to you…” from 938-253-6034 and contained a link to bc5ti[.]com. This domain was registered on the day the text was sent, November 27.

11/25/20 – “You might have a claim to unclaimed money. Check to confirm” from 864-548-8969 and contained a link to nzm02[.]com. This domain was registered on the day the text was sent.

11/23/20 – “It’s your lucky day. Here’s your free entry into Tonight’s draw to win $1,000,000 dollars!!” from 334-508-5039 and contained a link to gclbe[.]com. This domain was registered on the day the text was sent.

11/21/20 – “Christmas came early this year! Collect your brand new iPad Pro here” from 972-632-5448 and contained a link to hf20q[.]com. This domain was registered the day before the text was sent.

     

11/6/20 – “Congrats! Today’s winners of the iPhone 12 Pro are…” from 864-618-4578 and contained a link to jbdng[.]com. Two days later another similar text arrived from 320-238-8843 with a link pointing to another new domain called mea50[.]com.

         

10/30/20 – “This guy literally sent me money to join this system” from 504-638-8902
The domain in the link of this text is called NewTechCash[.]com and though it was registered several months before this text was sent, ClearWebStats.com and Cutestat.com both say that the website is unsafe to visit. The site newtechcash[.]com has also been blacklisted by McAfee.

9/18/20 – “We just tried to contact you about your gift” from 216-260-9154
The domain ncvtm[.]com was 1 day old and hosted on a server in Hong Kong.

    

2. Personal Accounts (Netflix)

11/23/20 – “Your Netflix account will be locked because your payment was declined” (unknown phone number)

The text included a link to the domain sp12v[.]com which was registered 4 days earlier and is hosted on a server in Hong Kong.

     

3. Package/Delivery Notifications (FedEx, UPS)

11/29/20 – “FedEx Notification: Your package is on its way with a complimentary item” from 910-922-8273

The text included a link to the domain gw02r[.]com which was registered 6 days earlier and is hosted on a server in Hong Kong.

     

11/23/20 – “UPS – Package 1z62496 notification – on the way! Track here>” from 803-686-2883

The text included a link to the domain h4fzn[.]info which was registered the day before and is hosted on a server in Hong Kong.

     

4. Employment (Working from home)

10/25/20 – “We are currently seeking to employ an individual in the position of assistant payroll manager…” from 850-303-8229

People who are interested in being victimized, er… we mean in applying for the job, are asked to call 725-800-4492. Notice that no company is named and no legitimate website is offered for the unnamed company; it is just a random text.

 

5. Health (Weight loss, Blood sugar)

12/5/20 – “Want to drop 43 lbs inside 29 days? Recommended by sharktank judges” was sent from 219-333-1544. This text contained a link to the domain hzumm[.]me.  This domain was registered a few days earlier, on Dec. 1, and is hosted on a server in Hong Kong.

10/24/20 – “Wow! If blood sugar is above the average, then BloodB is what you need!” from 501-356-3725 and then later the same day “[Name redacted], your blood sugar is higher than usuals? Simply take these BloodB pills”

Links in these emails pointed to the crap domains jcwvmmm[.]xyz and njdlcaka[.]xyz.  The former domain was registered 5 days earlier on October 19, while the latter domain was registered the day before the text was sent.

     

6. Grants, Government, Loans, & Insurance (Auto, Home)

12/27/20 – “Notice: Grants are available for financial assistance this year. They don’t need to be paid back. Tap now to apply here: http:// cashrelief[.]us” from 504-214-3150.

The domain cashrelief[.]us was registered in early October by someone identified as “TMTM TMTM.” Does this mean “The More, The Merrier” or perhaps “The Muppets Take Manhattan?” We have no idea, but the Registrant called “TMTM” has registered many hundreds of domain names. During the last 2 weeks of January, 2019 alone they registered 158 domain names. Most of them included the words “grant,” “autoinsurance,” “vehicleinusrance,” “carinsurance,” and even “cartaxrebate[.]us” and “assureyourcar[.]us!” For example, domains registered by TMTM included “usgovgrant[.]us” and “grantusgov[.]us.” Do you really think this Registrant called “TMTM” has anything to do with the U.S. Government? NEVER VISIT THESE DOMAINS!

     

10/24/20 – “If you just moved in, then you should insure your house! It’s very affordable here!” from 423-445-1571.

The link in this text pointed to bxmvqsr[.]xyz. This domain was registered just 3 days before this text was sent and is hosted on a server in London, England.

     

10/19/20 – “You can get your car insured for as low as 38.61 a month! Check this out!” from 405-591-3129.

The link in this text pointed to ccqgdiffo[.]xyz. This domain was registered just 2 days before this text was sent.

7. Random Communication and Personal Messages From Strangers

12/29/20 – “Hey Douglas! Do not drive before seeing this: 94wbg[.]com/u8lx82” sent from 208-408-1680. The domain 94wbg[.]com was registered just hours earlier! That’s a guarantee that malware is lying in wait!

     

12/3/20 – “You need to read this” sent from 832-400-4640. The link in this text points to the domain dby2b[.]com that was registered just hours earlier!  That’s ALWAYS a BAD SIGN!

     

12/2/20 – “Are you still interested in this?” from 863-591-0986.  The link in this text points to a domain, tk11m[.]com, that was registered just hours earlier!

     

11/21/20 – “Gm my love if u could spare I need my beauty lol” from email address trackk70 @ yahoo.com.

There is no link in this text.  It was meant to produce a reply to confirm that your phone number is real and YOU are gullible enough to engage!

8. Christmas

11/25/20 – “Send a personal letter from Santa and brighten up your child’s Christmas this year” from 307-336-7983.

The link in this text pointed to b5nz9[.]com. This domain was registered the day before the text was sent.