Every now and then I put together something related to computer security. My objective is to be technically precise, yet provide the common computer user some information that might protect them from fraud or malware. Hopefully you will find this article on scams in text messages helpful.
First posted June 1, 2021
Updated June 2, 2021
Updated July 15, 2021
Just received a message on my phone saying
Notice: Your stimulus is ready to be claimed.
stimcheck.info/KXUqXXI
It is really sad that people are exposed to scams such as this. What it is – I don’t know and I am not in the position to use any tools to explore the details of how it operates.
The key thing to note is the link. Anything from the federal government would have a .gov ending. DO NOT CLICK ON THE LINK. Clicking on the link could compromise the security on your cell phone, or send you down the rabbit hole of an evolving fraud scheme.
Who is stimcheck.info?
So who is stimcheck.info? To find an answer you can go to www.whois.com. Simply type in stimcheck.info and look at the results. The site will come up as already in use (in most cases) and you can simply click the “Whois” button on the right to get all the gory details about a website registration.
Domain Name: STIMCHECK.INFO Registry Domain ID: D503300001198561385-LRMS Registrar WHOIS Server: whois.namecheap.com Registrar URL: www.namecheap.com Updated Date: 2021-05-30T19:28:41Z Creation Date: 2021-05-30T19:23:51Z Registry Expiry Date: 2022-05-30T19:23:51Z Registrar Registration Expiration Date: Registrar: NameCheap, Inc Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Reseller: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: addPeriod https://icann.org/epp#addPeriod Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant State/Province: Capital Region Registrant Country: IS Name Server: RORY.NS.CLOUDFLARE.COM Name Server: GABRIELLA.NS.CLOUDFLARE.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2021-05-31T22:19:24Z <<<
Some things to note are
- The domain name – for folks not familiar with the language of the Internet, the web addresses you use are referred to as “domains.”
- The Registrar URL – this is the facility where the domain is registered. What is important about this information is that it provides you at least one place where you can lodge a complaint.
- The dates – this I find interesting because I received the bogus message on 05/31. Notice it is registered on 05/30.
- The Abuse Contact information – you can call or send an e-mail.
- Registrant information – Domain owners have the option of keeping contact information private. I do so because my contact information is my personal address, so I don’t particularly care to broadcast to the entire world. But there is one detail here that is rather interesting. The Country Code is “IS” – which is Iceland. Whether that is for real or not will depend. When lodging your complaint, you may want to request that NameCheap compare the contact information with the credit card that was used to make the payment.
Why not just go to stimcheck.info and check it out. I would normally make that attempt, but it is strongly recommended it is done on a non-production system. I am currently traveling and using my laptop, so I don’t want to risk accessing a website that is “hot”. Another thing to consider is whether you are code-savvy, know how to bring up the debugger in your browser and follow what the site is attempting to do. If you are lacking theses skills, I would recommend you NOT visit stimcheck.info.
A less risky maneuver is to conduct a trace route on the website. This would help you triangulate the location of the server itself. You will need to open the command shell in Windows and then type the following command.
C:\tracert -4 stimcheck.info
Tracing route to stimcheck.info [172.67.148.128]
over a maximum of 30 hops:
1 120 ms 3 ms 3 ms 192.168.43.1
2 54 ms 80 ms 54 ms 172.26.96.161
3 87 ms 56 ms 66 ms 107.79.236.252
4 84 ms 72 ms 65 ms 12.83.186.161
5 84 ms 61 ms 77 ms 12.83.186.145
6 82 ms 66 ms 65 ms cgcil401igs.ip.att.net [12.122.133.105]
7 58 ms 56 ms 64 ms ae16.cr7-chi1.ip4.gtt.net [173.241.128.29]
8 85 ms 87 ms 66 ms ae19.cr9-chi1.ip4.gtt.net [141.136.108.189]
9 192 ms * 190 ms ip4.gtt.net [208.116.131.178]
10 * * 171 ms 172.67.148.128
I am communicating over a hot-spot, so the first 6 “hops” are related to ATT routing. It gets a bit more interesting when we reach gtt.net. GTT is a major network service. What this entails is another option for leveling a complaint. Breaking the law violates Terms of Service. They can investigate the operation and possibly terminate services. Law enforcement can use this information to correlate traffic running between ip4.gtt.net and the 172.67.148.128 address. Investigators will also be able to narrow in on the physical location of the scammers by requesting that GTT provide the location of the 208.166.131.178 address.
I must warn you to not expect replies from your complaints. I generally do not hear back from providers. But it is at least a record can be used by security specialists when and if the information is ever needed.
What about the phone numbers?
Every message has an attendant phone number. Unfortunately, phone numbers are spoofed. So don’t bother tracing them. You may not want to block them because the scammers race through thousands of numbers. But you can block a string of text. From your Messages app, tap the double-dots in the upper right hand corner and you should see “Settings,” of which one of the options will be to block a message. You can then type in the string that will uniquely identify the suspicious message.
What about law enforcement?
Generally speaking, everyone from the local police department to the FBI and the US Marshals are not equipped to handle complaints from the general public. My attempts to do so have usually resulted in an advisory to be cautious. It is quite apparent that our government at all levels is not able to communicate with the millions of people who are affected by scams, yet some means of reporting would be helpful. This would allow investigators to gain the scope of the scam and to more aggressively pursue cooperation from providers. As it is, I can only assume that someone somewhere is aware of stimcheck.info.
What about searching the web?
Searching the web is often our first thought. Type in stimcheck.info and you should quickly see reports of fraud. But scammers are pretty smart. For DuckDuckGo (the search engine I use), the phrase “stimcheck.info” is interpolated as “stim check info”, producing a long list of perfectly legitimate sites about our stimulus checks. You will not find any references to “stimcheck.info” on any of their pages. Another thing to consider is how recently the address was registered (on 05/30) and there simply may not be any track record of stimcheck.info.
But — if I follow the phrase with the word “fraud” I will get one hit, https://www.scamvoid.net. It is a scam database where you can type in “stimcheck.info” to see if it is legit. The result was “The site is very new and we can’t judge it yet.”
As you can see, using web searches is a bit of an art. While I find web searches useful, I would not find them a reliable indicator of trust.
In conclusion, I hope these tips are helpful. There are certainly other resources out there and your comments and suggestions are always appreciated. You can write your comments below, or click the button on the left to my other social media sites.
Updates
June 2, 2021
Golly! After only one day I was hit by two variants: stimulus-claim.info and claim-stimulus.info.
Again, went to www.whois.com and checked out who owned the account. As suspected, same country (Iceland) and same DNS registrar (Namecheap). So I decided to send a note abuse@namecheap.com.
I then did a trace route on the two new domains to confirm they are originating from the same area.
July 15, 2021
I must give credit where credit is due. Did receive a reply immediately from Namecheap. I waited to post their response to see if I would receive any follow-through. Here is their response.
Thank you for contacting Namecheap Legal and Abuse department. We confirm the receipt of your ticket.
Please be assured that we will investigate the matter you reported and take action based on the results of our investigation. Please also be aware that, while Namecheap investigates every complaint, we cannot always respond with the results of the investigation and your ticket might be closed accordingly.
Important: In order to support the process of investigation, please review the instructions below depending on the type of the abuse you are reporting. To help us fully investigate your claim, please ensure your submission includes all of the requirements we describe. If you have submitted a complaint and realize that information is missing, please simply reply to this message and include the additional information:
Information required to support our investigation https://www.namecheap.com/support/knowledgebase/article.aspx/9196/5/how-and-where-can-i-file-abuse-complaints
How does Namecheap investigate Suspected Email Abuse/Spam? https://www.namecheap.com/support/knowledgebase/article.aspx/10184/5/how-does-namecheap-investigate-suspected-email-abusespam
© Copyright 2021 to Eric Niewoehner