What is this TheGamingJoy.com website exactly?
When we were investigating an email storage phishing scam, we noticed that the site taking payment was here:
https://thegamingjoy.com/r/NmVdJk3EaqNBiyxA/7b8b36ba-7c33-4939-a5bf-238b64b8d646/payment?token=#string
We subsequently reported this via the abuse link on the thegamingjoy.com website and sent an email to [email protected] with all of the links to what happened and a link to this video showing the path taken by a visitor who was a victim of the scam:
So who are they? They have to have a connection to the scam: no one would just randomly send vulnerable people to make payments to a company that wasn't at least giving them a cut, if they are not the perpetrators of the whole thing, which seems more likely. We decided to investigate who TheGamingJoy.com are and what their connection to the scammers might be.
The scam begins, as nearly all scams do, with an email designed to get past spam security with a malware link. The email is here:
The image in the email links to: https://mare.crazymind.info/index.php/campaigns/fk039qj91rce9/track-url/aa3482rf55ab3/5c87af7c07b3b56f994701d321e5e15f4b95b900 and the image itself is loaded from: https://mare.crazymind.info/frontend/assets/files/customer/qm804apg68c91/email-templates/86ck-Cloud%20Storage%20(4).png
Since the link has 'campaign' within it, the crazymind.info site must be an affiliate network and this is some sort of marketing campaign in the eyes of the perpetrator. Interesting.
The reply email is listed as [email protected], and this is important too: the crazymind.info affiliate marketers are listing this as the reply email for feedback, so as far as the affiliate marketers are concerned, this is the email address of their customer, the perpetrator of this email.
Now if we have a look at another crazymind.info email from another of their customers:
If you no longer wish to receive this offer https://mare.crazymind.info/index.php/campaigns/lc214owovgf3c/track-url/aa3482rf55ab3/7275f39cf244c1dccb1c064177950427b1db4193 to get you out
Address:-> Park Ln, London W1K 1BE, United Kingdom.
If you have any Feedback, please mail us at:- [email protected].
We can see that they are using a different email address to contact the marketer, so the opendoor.info email is the customer as presented to the affiliate marketing network. We need to find out if there is a connection between opendoor.info and TheGamingJoy.com.
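The crazymind.info links quoted above can be compared field by field rather than by eye. The following is an added example, not part of the original investigation: the field names (campaign, recipient, link_hash, customer) are assumptions inferred from the path layout, and the URLs are the three quoted on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# The three crazymind.info URLs quoted in the article.
URLS = [
    "https://mare.crazymind.info/index.php/campaigns/fk039qj91rce9/track-url/"
    "aa3482rf55ab3/5c87af7c07b3b56f994701d321e5e15f4b95b900",
    "https://mare.crazymind.info/frontend/assets/files/customer/qm804apg68c91/"
    "email-templates/86ck-Cloud%20Storage%20(4).png",
    "https://mare.crazymind.info/index.php/campaigns/lc214owovgf3c/track-url/"
    "aa3482rf55ab3/7275f39cf244c1dccb1c064177950427b1db4193",
]

# Assumed meaning of each path segment (inferred from the layout, not documented).
TRACK = re.compile(
    r"/campaigns/(?P<campaign>[^/]+)/track-url/(?P<recipient>[^/]+)/"
    r"(?P<link_hash>[0-9a-f]{40})$"
)
ASSET = re.compile(
    r"/files/customer/(?P<customer>[^/]+)/email-templates/(?P<file>[^/]+)$"
)


def parse(url):
    """Return the host and the identifiers exposed in the path, or None."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    for kind, pattern in (("track", TRACK), ("asset", ASSET)):
        match = pattern.search(path)
        if match:
            return {"kind": kind, "host": parts.hostname, **match.groupdict()}
    return None


def campaigns_by_recipient(urls):
    """Group campaign ids by (sending host, recipient id) across tracking links."""
    groups = defaultdict(set)
    for url in urls:
        rec = parse(url)
        if rec and rec["kind"] == "track":
            groups[(rec["host"], rec["recipient"])].add(rec["campaign"])
    return {key: sorted(ids) for key, ids in groups.items()}


if __name__ == "__main__":
    for key, ids in campaigns_by_recipient(URLS).items():
        print(key, "->", ids)
```

Both tracking links carry the same middle identifier, aa3482rf55ab3, under two different campaign identifiers on the same host, which ties the two emails to the same sending platform and recipient entry even though their reply addresses differ.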
Now thegamingjoy.com is a company that is registered in Cyprus, or is at least the property of a company in Cyprus by the name of Kaprozi Limited, who share their address of Eleftheroupoleos, 10A Egkomi, 2400, Nicosia, Cyprus.
There is also another Kaprozi Limited website here: kaprozi-ltd.com that appears to have been shut down. They do appear to be registered at the same registrar but this could be a coincidence.
Now a lot of boiler room scammers targeting the UK have their legal entities registered in Cyprus to allow them to operate within the fairly sketchy financial regulation that exists there, as well as it just being a place that is difficult to get to from the UK to try and track anyone down. These businesses are often not much more than a PO Box with a forwarding service to another, secure location outside of Cyprus, but this company appears to be different. They have the same address on both their e-commerce site and their holding company site. Often a boiler room scammer would not even have offered a real address at all on their site.
So what is happening here? Could there be a rogue member of staff misusing the website? Probably not. Whatever money is going into that site will be arriving in the company accounts and there would be no easy way to siphon off the money without the accountants noticing. No, this has to be central to company management; they must know. For some unknown reason, when you copy the Kaprozi Limited text off of the website, it pastes as 'detimil izorpa', which is the name written backwards (minus its first letter) and is perhaps a sign that the website is translated from Cypriot? We don't know. Either way, much will depend on the reply we get from whoever is answering the emails and the Essex phone number.
Interestingly, the same [email protected] just sent this through crazymind.info from the same address as the scam: [email protected] and this email is pretty disturbing for any marketing network to send out:
I think we can safely say that dooropen.info, if that is who is really serving up these emails, will try anything to make money. This is of course a scam too. The system will just be an automated set of message generators that persuade people to pay for return messages and fake photographs taken of some poor model in the Ukraine.
If we look into the dooropen.info domain we can see that it has been active:
and that the domain history shows it has been connected to a few different services:
Now the interesting part here is the DataBank part.
DataBank are a very US-centric provider: not the sort of provider the Russians or the British would use, but the sort only an American citizen would use. This becomes more evident from their website map: