I love two-wheeled vehicles. Motorcycles, dirt bikes — anything that has two wheels makes my heart smile. However, when I traded a motorcycle helmet for a stroller and bottle warmer I decided it was best to sell my beloved dirt bike. Like many Americans, I posted the bike on Craigslist, advertising the amazing merits of a riding such a trustworthy two-wheeled steed.
Two days after posting my dirt bike for sale, I received an email from a prospective buyer.
‘Ben Kern’ was claiming to be interested in the dirt bike, but really wanted me to purchase a Vehicle Identification Number (VIN) report from a site that seemed odd. I decided I wanted to investigate the domain a little more closely. The site referenced in the email – motovincheck[.]com is registered via a privacy proxy and ultimately redirects to a site that is more interesting: americanvin[.]com.
Using my analysis virtual machine, I visited the webpage and started testing the VIN lookup functionality.
It quickly became apparent that the site is in fact a scam. I tried several spurious VIN values testing if there are in fact valid VIN lookups. On every occasion that the VIN was ‘found’, exactly 65 records were located. And best of all, they were clean! At this point I started searching for additional infrastructure tied to this domain, with the goal of locating an entire campaign targeting individuals trying to purchase VIN reports.
Putting the newly discovered site into DomainTools Iris, I noticed the domain contained two great candidates for further pivoting:
- DNS/SOA record: root@linklebanon: The fact that the domain is hosted on a relatively small hosting provider helps during this investigation, as this record has 72 additional domains registered with this email address. I wanted to make a broad pivot and then move closer in on additional infrastructure if possible.
- IP Address: 220.127.116.11: 130 additional domains share this IP address, but it appears to be hosting infrastructure, therefore this nexus point will likely not reveal much in terms of actionable pivots.
Pivoting on either of these data points will reveal the scammer isn’t just targeting individuals who want to purchase a vehicle/motorcycle VIN report. I decided to pivot on the DNS/SOA record email address as the primary nexus since the IP address could have had shared content from other customers, therefore returning extraneous results.
When pivoting off the DNS/SOA record email address, there were several domains that immediately drew my attention. I further pared the results down to one Google Analytics code in Iris – 6206077. This particular code seemed to be the core of the scammer’s infrastructure.
For instance, boat-alert[.]com is a scam site offering boat hull verification history reports for $6.99.
Additionally, there were sites designed to scam interested parties in purchasing motorcycle VIN reports. In this case, a site called motorcyclevincheck[.]net sells a VIN report for motorcycles is $9.99.
Moral of the Story?
As with any good story, there’s a moral to be found. Ultimately, this type of scam succeeds because it’s targeting the weakest link in the computing chain – the human. Ultimately, taking basic precautions can help avoid a scam like this:
- ALWAYS scrutinize Craigslist buyers. A majority of the buyers I encounter on Craigslist are scams. I trust no one on Craigslist until I speak to someone on the phone verifying claims they make.
- NEVER purchase anything online that is not using a legitimate payment processor.
- Always use a reputable source when purchasing anything online.
- If it seems too good to be true or too cheap to be valuable, it likely is.
A list of domains that appear associated with this campaign (Based on code and functionality) are listed below: