The team recently got a false-negative report on the SmartScreen phishing filter complaining that we fail to block firstline-trucking.com. I passed it along to the graders but then took a closer look. I figured the legit site probably had a very similar name, firstlinetrucking.com or something, but no such site exists. Odd.
Simple Investigation Techniques
I popped open the Netcraft Extension and immediately noticed a few things. First, the site is a new site. Suspicious, since they claim to have been around since 2002. Next, the site is apparently hosted in the UK, although they brag about being “Strategically located at the U.S.-Canada border.” Sus... and just above that, they supply an address in Texas. Sus.

Let’s take a look at that address in Google Maps. Hmm. A nondescript warehouse with no signs. Sus.
Well, let’s see what else we have. Let’s go to the “About Us” page and see who works here. Right-click the CEO’s picture and choose “Copy image link.”
Paste that URL into TinEye to see where else that picture appears on the web. Ah, it’s from a stock photo site. Very sus.
Taking a look at the other employee photos and the pictures from their “Customer testimonials” section, most of them are also from stock photo sites. The unfortunately-named “Marry Hoe” has her picture on several other “About us” pages — it looks like she probably came with the template. Her profile page is all Lorem Ipsum placeholder text.
I was surprised when one of the biggest photos on the site didn’t show up in TinEye at all, until I looked at the Developer Tools and noticed that the secret is revealed by the filename — ai-generated-business-woman-portrait. Ah, that’ll do it.

I tried searching for the phone number atop the site ((956) 253-7799) but there were basically no hits on Google. This is both very sus and very surprising, because often Googling for a phone number will turn up many complaints about scams run from that number.
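The on-page checks from this section (telltale image filenames, Lorem Ipsum placeholder text, a claimed founding year older than the domain) can be scripted for quick triage. This is an added example, not code from the original post; the hint list, the sample HTML and the first-seen year of 2024 are constructed assumptions, and in practice the first-seen year would come from a source such as the Netcraft extension.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Filename tokens hinting at stock or generated imagery (assumed list, extend as needed).
IMAGE_HINTS = ("ai-generated", "ai_generated", "stock", "getty", "unsplash", "pexels")
PLACEHOLDER = re.compile(r"lorem\s+ipsum", re.I)
SINCE_CLAIM = re.compile(r"\b(?:since|established|founded)\s+(?:in\s+)?((?:19|20)\d{2})\b", re.I)

class PageFacts(HTMLParser):
    """Collects image URLs and visible text from one HTML page."""
    def __init__(self):
        super().__init__()
        self.images, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.images.append(src)
    def handle_data(self, data):
        self.text.append(data)

def triage(html, first_seen_year):
    """Return (check, evidence) findings for an analyst to review."""
    page = PageFacts()
    page.feed(html)
    text = " ".join(page.text)
    findings = []
    for src in page.images:
        name = urlparse(src).path.rsplit("/", 1)[-1].lower()
        if any(hint in name for hint in IMAGE_HINTS):
            findings.append(("image-filename", name))
    if PLACEHOLDER.search(text):
        findings.append(("placeholder-text", "lorem ipsum"))
    for year in SINCE_CLAIM.findall(text):
        if int(year) < first_seen_year:  # the claim predates the domain's first sighting
            findings.append(("age-mismatch", f"claims {year}, first seen {first_seen_year}"))
    return findings

# Constructed sample page; not the real site's markup.
SAMPLE = """<html><body><h1>Trusted logistics since 2002</h1>
<img src="/img/ai-generated-business-woman-portrait.jpg">
<img src="/img/truck-yard.jpg">
<div class="bio"><h3>Staff member</h3><p>Lorem ipsum dolor sit amet.</p></div>
</body></html>"""

if __name__ == "__main__":
    for check, evidence in triage(SAMPLE, first_seen_year=2024):
        print(f"{check}: {evidence}")
```

Each finding is a prompt for a manual look, not a verdict: plenty of legitimate small businesses use stock photos and templates.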
Not a Phish, but definitely Fishy
I went back to our original complainant and asked for clarification — this site doesn’t seem to be pretending to be the site of any other company, but instead appears to be just entirely manufactured from AI and stock photos.
He explained that the attackers troll Craigslist looking for folks buying used cars and offer to act as an escrow provider. After they are wired the money for the car, they send a fake tracking number that goes to an order tracking page that’s never updated. They’re abusing people who are risk-averse enough to seek out an escrow company for a big transaction, but not able to validate the bona fides of said escrow company… aka, smart humans.
Unfortunately, creating a fake business almost entirely in pixels is a simple scam, and one that’s not trivial to protect against. Because no existing business’ reputation is being abused, there’s no organization that’s particularly incentivized to do the work to get the bad guys taken down. Phishing protection features like SafeBrowsing and SmartScreen are not designed to protect against “business practices scams.”
The very same things that make online businesses so easy to start — low overhead, no real-estate, templates and AIs can do the majority of the work — make it easy to invent fake businesses that only exist in the minds of their victims. After the scammers get found out, the sites disappear and the crooks behind them simply fade away.
I advised the reporter to report the fraud to the FTC, the Internet Crime Complaint Center, and also to Netcraft, who do maintain feeds of scam sites of all types, not just phishing/malware.
Stay safe out there!
-Eric
Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now working on Microsoft Defender. My words are my own, I do not speak for any other entity.

