Today I got a scam text message from +1 (604) 339-2192, telling me to deposit email money transfer at et-lnterac-xxx (see screenshot). Notice how the scammer changed the letter I to lowercase l (L). I am not sure if the number is spoofed or not, or if the cellphone is compromised and used as a bot. Basically the scam message claims that CRA (Canada Revenue Agency) has sent me $297.00 and that I should deposit the money.
Then I checked the whois data, but it seems to be fake.
The address is in Toronto but the originating number is from Richmond, BC.
I'm usually too lazy to check it because I already know it's a scam. But this time I checked it because I'm bored, and when I checked the address, it goes to this site. Now, the only time somebody can create a subdomain record on a CPanel-based server is when they have access to the CPanel itself, so even if the application (e.g. Wordpress or any other script hosted there) is compromised, unless the person has the username & password for CPanel, they won't be able to create a subdomain record. Another possibility is if the scammer has compromised the whole server and got himself a root account. Who knows.
Then I proceeded to check the index files. Ahh, I can see now what the scammer has uploaded because he forgot to disable index in .htaccess.
Then I tried clicking the INTERAC e-Transfer_fichiers folder as I was just curious to see what's there.
Very interesting. Then I clicked td, rbc2, bmo, sco. Here's what came up - a fishing page trying to get users to post their credentials for TD, Royal Bank of Canada, Bank of Montreal, and ScotiaBank.
Here's the Scotia one (check out the URL in the address bar):
Here's the TD scam (check out the URL in the address bar):
There you go.
If I go to the main domain, apparently the site is from India (country code +91):
Hope this can help some people. Be careful and stay safe.