The Financial analysis shared a selection of fraudulent web pages that may appear high in search rankings with cybersecurity firm CyberCX. Analysis of website functionality, backend design and server providers indicates that one group runs several dozen fraudulent websites.
“What strikes me is that the threat actor has done their homework to match the trend of financial instruments that people might be interested in, relative to current events,” said cyber analyst Oliver Smith. information at CyberCX.
Mr Smith said the business appears to have kicked off around mid-2021 with a more global focus, in the UK, US, Canada and Australia. The bogus investments offered were riskier, such as pre-IPO investments in SpaceX, stock trading platforms, or cryptocurrency-facilitated financial products.
Links to the dark side of Russia
“Going forward as the economic tide shifted a bit at the start of this year, they really turned and focused their efforts differently. Bonds were their number 1 thing, then term deposits – they were really throwing their lures more on people who were looking to invest their retirement pension,” he said.
Calls to AusBondTrust and Au-Investor, which had the same number, were answered by a callback service.
The sites have disclaimers stating that they are not authorized or regulated by the Australian Prudential Regulation Authority or the Australian Securities and Investments Commission. However, financial products – including bonds – cannot be sold to Australians without ASIC regulatory oversight.
AusBondTrust, Au-Investor and Millenium Bonds all have the same disclosure at the bottom of their websites. Domain identity data is hidden, but shows that all three were registered in Iceland’s largest city, Reykjavik.
Certain domain registration details also match analysis performed for the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security.
The matches are linked to the Russia-linked ransomware group DarkSide, which provides ransomware-as-a-service (RaaS). The DarkSide ransomware group was responsible for the Colonial Pipeline Company ransomware incident in May 2021.
Bond scammers and ransomware operators use domain host NameCheap.com and a privacy service called Withheld For Privacy, which “substitutes actual customer contact information with our own generated information”.
The Icelandic company offers privacy services for people registering website domains that allow them not to post any identifiable information, which is normally required.
The bond sites all claim to be the trading name of London Choice Investments SL, a company registered in the port city of Dénia on the Mediterranean coast of eastern Spain.
A search of Spain’s business regulator – Comisión Nacional del Mercado de Valores (CNMV) – turned up no such company.
“The company you are requesting is not registered with the CNMV, which means that it is not authorized to offer investment services in Spain and therefore we have no information about the said society,” the Spanish regulator told the Financial analysis.
UK regulator warned against ‘London Choice’
The UK’s FCA issued a warning about the company in November 2020, using websites such as bestfixedratebonds.uk and bestisas.uk.
“Almost all businesses and people offering, promoting or selling financial services or products in the UK must be authorized or registered by us,” the FCA said.
“This business is not authorized by us and targets people in the UK. You will not have access to the Financial Ombudsman Service or be protected by the Financial Services Compensation Scheme (FSCS) so it is unlikely that you get your money back if things go wrong.
The syndicate doesn’t just target bond investors, it has branched out into other investment scams. The Financial analysis also found another site, Investorleads.eu, claiming to be the trading company of London Choice Investments, encouraging investors to sign up with brokerages.
“Not a lot of sophistication…but a bit dodgy”
The site used the same stock photographs as Ausbondtrust and the company office was registered with a virtual office service, which allows entities to set up UK companies and domain names with a London address, giving a sense of legitimacy.
An investment website – Whiskey Investor Club – with the same hosting and registration details as bond scams, also claimed to be the trading name of London Choice Investments, with offices in Melbourne, London, Spain and Dubai. The registered address was a house in the Melbourne suburb of Keysborough.
“There’s not a lot of sophistication here,” Mr. Smith said. “It’s in a family of things that could be accomplished primarily by an automated process.
“You notice things like consistent use of stock images and consistent use of certain elements across websites. If you take a look under the hood, they’re all built on the exact same type of template , a WebFlow website, it’s quite easy for someone to create.
“If you take a cursory glance at any of these sites, they are very natural looking websites. Not the sort of thing that would immediately set off those alarm bells that it is. something a little fishy.
“They all have the right language, refer to the financial regulator of the country they are targeting. They often refer to regulatory status with ASIC, so that ticks off a lot of things that you would typically see with this type of offering.
Last month the Financial analysis revealed bond scammers posing as investment bank Barrenjoey, using emails to potential investors from a domain @nswbarrenjoey.com, which the bank confirmed was not genuine .
Earlier this month, the Australian Competition and Consumer Commission issued a warning that bond scams were on the rise and reported losses so far in 2022 amounted to more than $20 million. dollars.
This is the second time in just over 12 months that Google’s search engine advertising has been abused by bond-flagellating scammers. The Financial analysis revealed another fraudulent bond scheme using Google search ads in May 2021.
This masthead also revealed the misuse of Google search ads to flog fraudulent websites targeting people looking to buy and rent shipping containers amid global supply chain issues.