Money frauds going on in India under the name of colour games and prediction games:
A few days back my friend received a text message with the content below. She found it suspicious and forwarded me the text to have a look.
Digging in, I first visited the website at "www.gogeshop.com" to understand the context:
During my research I identified more than 18 domains with similar content, which got my curiosity going. I immediately inspected the "whois" records of all the domains and found that most of them pointed to "hk" (Hong Kong) or "cn" (China).
For example, the following is the “whois” record of the domain “gogeshop.com”:
Another example of “whois” record for the domain “gooemall.com”:
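A quick way to repeat the whois check across all of the domains is to script it. The block below is an added example (not the author's tooling): it parses raw whois output, extracts registrar, registrant country and creation date, and flags domains that are both registered to HK/CN and less than 90 days old at a fixed reference date, the same "young domain" test that exposes the "since 2018" claim later in the article. The two whois records are constructed for hypothetical domains and are not the real records of the domains named above; the parser assumes the common "Key: value" whois layout.

```python
"""Flag recently registered HK/CN domains from raw whois output.

Added example, not the article's own tooling. The whois text is constructed
for two hypothetical domains; it is not the real record of any domain named
in the article.
"""
import re
from datetime import datetime, timezone

# Constructed sample whois output (hypothetical domains, placeholder values).
SAMPLE_WHOIS = {
    "example-shop.com": """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar Ltd
Creation Date: 2020-05-08T03:12:45Z
Registrant Country: HK
Name Server: NS1.EXAMPLE-DNS.NET
""",
    "example-mall.com": """\
Domain Name: EXAMPLE-MALL.COM
Registrar: Another Registrar Inc
Creation Date: 2018-02-14T10:00:00Z
Registrant Country: US
Name Server: NS1.EXAMPLE-DNS.NET
""",
}

SUSPECT_COUNTRIES = {"CN", "HK"}   # where most of the article's domains pointed
MAX_AGE_DAYS = 90                  # "registered two months ago" is the age we flag
# Fixed reference date so the computed ages are reproducible
REF_DATE = datetime(2020, 7, 10, tzinfo=timezone.utc)


def parse_whois(text):
    """Collect 'Key: value' lines into a dict; keys are lower-cased because
    registrars label the same field slightly differently."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def parse_date(value):
    """Accept the usual whois timestamp shapes and return an aware UTC datetime."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        dt = datetime.strptime(value[:10], "%Y-%m-%d")
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def assess(domain, text, now):
    f = parse_whois(text)
    age_days = (now - parse_date(f["creation date"])).days
    country = f.get("registrant country", "").upper()
    return {
        "domain": domain,
        "registrar": f.get("registrar"),
        "country": country,
        "age_days": age_days,
        # Young domain + HK/CN registrant is the pattern seen across this campaign
        "suspect": country in SUSPECT_COUNTRIES and age_days < MAX_AGE_DAYS,
    }


def assess_all(records, now=None):
    """records: {domain: raw whois text}. Returns {domain: assessment}."""
    now = now or datetime.now(timezone.utc)
    return {d: assess(d, t, now) for d, t in records.items()}


if __name__ == "__main__":
    for r in assess_all(SAMPLE_WHOIS, REF_DATE).values():
        print(r)
```

To run it against real domains, feed it the stdout of `whois <domain>` (or RDAP output) per domain; for thin-registry TLDs such as .com a second query to the registrar's own whois server is usually needed before the registrant country appears.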
A subset of the identified domains was found to be built on the PHP web framework ThinkPHP (www.thinkphp.cn); and guess what? The framework is developed in China!
Some of the websites were running on Microsoft IIS; I managed to trigger an application error on these websites, and the screenshot below shows that the error message is in Chinese, i.e. the server's language is configured for Chinese.
Additionally, I found a comment in Chinese in the HTML source of the pages:
These websites are used to market the "real" websites, which are the gambling/trading platforms. They also carry content in several Indian languages (Hindi, Kannada, Malayalam, Tamil, etc.) to reach different crowds across India.
The following is an example:
The following websites market https://bozerclubs.com (the gambling/trading site):
https://bozervip.com/
https://bozerstore.com/
https://bozerup.com/
https://bozerwin.com/
https://bozermall.com/
https://www.bozergo.com/
The following websites, instead, market https://goge.in (the gambling/trading site):
https://www.gogevip.com/
https://gogeclub.com/
https://www.gogeshop.com/
https://gogevip.com/
https://gogeshop.com/
https://www.googemall.com/
Websites marketing https://gooe.in (the gambling/trading site):
http://gooemall.com/
https://gooevip.com/
Websites marketing https://coem.in (the gambling/trading site):
http://www.comv.in/
http://www.comc.in/
http://xy8776.com/
http://www.yd888.in/
Additional marketing websites:
https://rettyvip.com/
http://www.66emall.com/
http://www.a975.com/
http://t2.mademoney.net/
http://www.money-making8.com/art2/
http://1ndiatoday.in/
http://allcash.in/
http://www.bibide.com/
http://www.aedhg.com/
https://www.yootwotv.com/
http://www.apisdka.com/
http://www.jrgsnk.com/
http://www.goeadf.com/
http://thoo.in/
http://njffdz.com/
http://shewish.com/
http://6088pz.com/
http://www.comit.in/
http://gainnow.net/
http://www.cashmax.vip/
https://uk9688.com/
http://nygq.icu/
http://www.fylongyun.com/
http://www.yrxpfw.com/
http://www.richerlife.net/
http://infk.in/
http://betterjob.online/
http://www.luckinl.com/
https://rettygo.com/
https://www-indiatimes.com/
http://www.bhrtj.cn/
http://wygq.icu/
http://financenews24.in/
https://www.ysxsw.cn/
http://www.cvahs.cn/
Then I started digging into the real websites. Actually, the entire research can be summarised as "the more I was digging, the more domains were coming to light!"
First I started with the sites https://coem.in and https://bozerclubs.com:
At first it might look like a legitimate shopping website (for buying gold, silver, diamonds, clothes, etc.), but once you register you will find a game called "wingo/win": a "number and colour" prediction game with no logic behind it.
Additional functionalities provided by the website are documented below:
But the people who propagate these apps put up a show, claiming that the colour keeps changing based on the real price of gold and silver (once again, this makes no sense!). These websites also publish rules and a disclaimer:
Additionally, you can share your referral code with anyone; if that person joins the website via your referral code, you get money. They even have rules for referral codes: real money is being played here!
Since the lockdown caused by the current pandemic, many youngsters are looking for easy ways to earn money online, and a simple Google search can point anyone to this kind of website.
Not just that! Since people get referral money, many individuals promote these websites on social media such as YouTube or Quora, in almost all Indian languages (Tamil, Kannada, Malayalam, Telugu, Hindi, Gujarati). They also leave their WhatsApp number:
All the people making YouTube videos, answering questions on Quora, or running Facebook pages and Twitter or Instagram accounts about this promise that "you will earn money", and they show you their withdrawal screenshots!
From my understanding, once you message the person on WhatsApp (he/she supposedly becomes your "teacher" and adds you to a WhatsApp or Telegram group based on the slot you pay for; this game has four slots), they start giving predictions such as "next might be red", "next might be green", etc.
The predictions will be correct for some time, you will get more predictions, and you will actually earn real money. However, after a certain time people start losing their money.
The pattern is: the application first gets you addicted, then it makes you put in more money and makes you feel like you are earning (I am not getting into how the game is played), but very soon you start losing hard.
To make this look real, the website keeps posting this kind of message, although they are illegal in India and have no office set up there.
An example is the following "Internet defamation" statement that I found while checking one of the analysed websites:
They make everything look legitimate. They claim to have had a presence in India since 2018, which is, once again, false: as per the "whois" records, this domain was registered in May 2020, so just 2 months ago, not two years. Comparing the creation date in the whois record with the "established since" claim on the site is a quick test for any platform of this kind.
Also, they make withdrawals easy so that people trust the platform, but the website charges a fee on every withdrawal. So, if anyone asks on public forums or social media "what does this platform gain from giving us money?", people answer "see, they charge you a fee on every withdrawal, that's how they earn".
Most of the people posting YouTube videos on this topic are either new or had been inactive on YouTube for at least a year! They only started posting this content recently, which suggests that they are all being encouraged to post videos and promote these sites on social media platforms.
Once again, guess what? A very strong propagation, so more and more people can fall into the trap!
Now, coming to their Android app: you need to download the APK directly from their site, as none of these APKs is published on the Google Play Store. That alone is a red flag, since a sideloaded APK never goes through the Play Store's review.
During my investigation I decompiled the APK and concluded that it was developed by Chinese developers: a lot of indicators point to China, and the APK's permissions also raise suspicion. A few indicators are shown below.
From the “Androidmanifest.xml”:
When you install and run the app, it first checks for an update. Based on the response, it fetches the newest version of a "wgt" file and stores it on your SD card. The .wgt extension is the application-resource package format used by DCloud's HTML5+/uni-app runtime, which is consistent with the dcloud.io address hardcoded in the app; note also that a runtime-updatable code package kept on shared external storage can be replaced by any other app with storage access unless the app verifies it before loading.
Description value in Chinese:
After decoding the base64 string "Sk9JTiBVUyBtYWlsdG86aHIyMDEzQGRjbG91ZC5pbw==", found hardcoded in the Android app, I obtained the following:
JOIN US mailto:hr2013@dcloud.io
The following is further proof of multiple references to Chinese websites in the decompiled code; I used the command grep -r "cn" --colour to search for the keyword "cn" (this matches any occurrence of "cn", so the output has to be filtered by hand for actual .cn hostnames):
I ended up finding a lot of platforms like this; guess what? The only differences are the domain name and the logo, while the concept of the game remains the same. I can state that they are reusing the same framework under different domain names:
Even the APK's contents remain the same; only the package name, URL endpoints, and logo change based on the domain the app is linked to.
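Rather than eyeballing grep output, the same indicators can be extracted mechanically, and the extractor can then be pointed at each of the look-alike APKs to confirm that only package name, endpoints and logo differ. The following is an added example, not the author's tooling: it scans a tree of decompiled sources and reports decoded base64 literals, URLs, hostnames under .cn and Chinese-script strings. The sample tree is constructed (placeholder file names and values), except for the base64 literal, which is the one quoted above; `scan_tree()` applies the same logic to a real jadx or apktool output directory.

```python
"""Pull indicators out of decompiled APK sources: decoded base64 literals,
URLs, .cn hosts and Chinese-script strings.

Added example, not the article's own tooling. SAMPLE_TREE is a constructed
stand-in for jadx/apktool output; scan_tree() runs the same logic over a real
output directory.
"""
import base64
import binascii
import os
import re

# Constructed sample of decompiled output: paths and values are placeholders,
# except the base64 literal, which is the one quoted in the article.
SAMPLE_TREE = {
    "smali/com/example/app/Config.smali":
        'const-string v0, "Sk9JTiBVUyBtYWlsdG86aHIyMDEzQGRjbG91ZC5pbw=="\n',
    "assets/js/app.js":
        'var updateUrl = "https://update.example-vendor.cn/check";\n'
        'var cdnUrl = "http://cdn.example-app.com/wgt/";\n',
    "res/values/strings.xml":
        '<string name="app_desc">\u5e94\u7528\u63cf\u8ff0</string>\n',
}

# 16+ base64 chars bounded by non-base64 chars: long enough to skip identifiers
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# A dotted hostname ending in .cn; the \b keeps "cn" inside other words out,
# unlike a plain grep for "cn"
CN_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+cn)\b", re.I)
CJK_RE = re.compile(r"[\u4e00-\u9fff]+")


def decode_b64(token):
    """Decode a candidate literal; return printable UTF-8 text or None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_text(path, text):
    """Return (kind, path, value) hits for one file's contents."""
    hits = []
    for m in B64_RE.finditer(text):
        decoded = decode_b64(m.group(1))
        if decoded:
            hits.append(("base64", path, decoded))
    hits += [("url", path, m.group(0)) for m in URL_RE.finditer(text)]
    hits += [("cn-host", path, m.group(1).lower()) for m in CN_HOST_RE.finditer(text)]
    hits += [("cjk-text", path, m.group(0)) for m in CJK_RE.finditer(text)]
    return hits


def scan_files(items):
    """items: iterable of (path, text). Returns {kind: sorted unique values}."""
    found = {}
    for path, text in items:
        for kind, _, value in scan_text(path, text):
            found.setdefault(kind, set()).add(value)
    return {k: sorted(v) for k, v in found.items()}


def scan_tree(root):
    """Walk a real decompiled tree (jadx/apktool output) and scan every file."""
    def files():
        for d, _, names in os.walk(root):
            for n in names:
                p = os.path.join(d, n)
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    yield p, fh.read()
    return scan_files(files())


if __name__ == "__main__":
    for kind, values in scan_files(SAMPLE_TREE.items()).items():
        print(kind, values)
```

Running `scan_tree()` over two of the look-alike APKs and diffing the two result dictionaries makes the "only the endpoints and logo change" observation concrete.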
The following is a list of gambling/trading websites; all of them came into existence from the middle of January 2020 onwards, and the list keeps growing!
https://www.jonyclubs.com/
https://www.bozerclubs.com/
https://www.pussclubs.com/
https://www.boninclubs.com/
https://coem.in/
https://goge.in/
https://gooe.in/ (previously lefey.in)
https://www.faryclubs.com/
https://www.vilioclubs.com/
https://www.rettyclubs.com/
https://tomis.in (down)
https://www.castoclubs.com/
https://www.qualeclubs.com/
https://www.paduoclubs.com/
https://www.metalyclubs.com/
https://005420.com/
https://www.enzoclubs.com/
https://www.ricoclubs.com/
https://www.richshop.in/
https://www.yellsclubs.com/
https://terion.in/
https://luckym.in/
https://www.julyclubs.com/
https://www.husorclubs.com/
https://www.suderclubs.com/
https://talineclubs.com/
https://thoe.in/
https://biote.in/
https://www.facdorclubs.com/
https://www.coneclubs.com/
https://www.facdor.in/ (down)
https://www.accgo.in/ (down)
https://www.mayclubs.com/
https://apps.ketty-apps.com/
https://www.marcclubs.com/
https://moneycoaching.in/
https://addrs.in/
https://www.angaclubs.com/
https://www.joysclubs.com/
https://www.vishclubs.com/
https://www.lidaclubs.com/
The main motive of this operation could be "not to steal data but to damage the Indian economy by looting money from people". All the collected pointers indicate that the scammers are from China.
At the time of writing this article, I also collected merchant details linked to a few domains. The data is given below; the mobile numbers of the registered merchants are Indian, which confuses my theory a bit.
bozerclubs.com
returnUrl : https://pay.yesclub.in/redirect/cashfree/*
logoLarge : https://s3-ap-southeast-1.amazonaws.com/cfmerchantlogo/649d6d3f937a2a9a26fdfcb2a75a5461bfc4b2039008b4121bb8c5d943923d3c
merchantId : 50948
merchantName : Aoke Club
merchantEmail : vanessaliu718@yahoo.com
merchantPhone : 8374534725
coem.in / terion.in
returnUrl : https://pay.mypays.in/Pay_ACFRC_returnUrl.html
logoLarge : https://s3-ap-southeast-1.amazonaws.com/cfmerchantlogo/649d6d3f937a2a9a26fdfcb2a75a5461bfc4b2039008b4121bb8c5d943923d3c
merchantId : 58614
merchantName : Rummy Club
merchantEmail : lindong11234@gmail.com
merchantPhone : 9667729195
richshop.in
returnUrl : https://pay.mypays.in/Pay_ACFDP_returnUrl.html
logoLarge : https://s3-ap-southeast-1.amazonaws.com/cfmerchantlogo/649d6d3f937a2a9a26fdfcb2a75a5461bfc4b2039008b4121bb8c5d943923d3c
merchantId : 59837
merchantName : Dream Party
merchantEmail : zhangan19890@gmail.com
merchantPhone : 9667729561
goge.in / luckym.in
country : IN
email : customercare@linkyun.com
phone : +91 9667794258
createOperator : jianzhi
The following are my observations from the merchant data collected:
All the email addresses look like those of Chinese people.
3 mobile numbers start with "96677".
3 merchant records (covering 4 domains) use the very same logo object from the same Amazon S3 bucket.
The host "linkyun.com", given as the email domain for "goge.in", belongs to China; however, the address given could be fake.
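Pivoting on fields like these is the standard way to show that separately registered domains belong to one operator, but the indicators carry different weight: an identical logo object URL in the same S3 bucket is a strong link, while a shared five-digit mobile prefix or a webmail domain is weak (whole operator number ranges and millions of Gmail users share them). The block below is an added example, not from the article, that clusters merchant records by shared indicators, skips public webmail domains, and lets weak indicator kinds be switched off; the records are constructed placeholders that mirror the shape of the data above, not the real values.

```python
"""Cluster merchant/payment-gateway records by shared infrastructure indicators.

Added example, not from the article. RECORDS mirrors the shape of the merchant
data the article lists (return URL, logo object, e-mail, phone) but every value
is a constructed placeholder.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

RECORDS = [
    {"domain": "alpha-clubs.example", "returnUrl": "https://pay.gw-one.example/redirect/*",
     "logoLarge": "https://s3.example/merchantlogo/aaaa", "email": "m1@gmail.com", "phone": "8374500000"},
    {"domain": "beta.example", "returnUrl": "https://pay.gw-two.example/ret_a.html",
     "logoLarge": "https://s3.example/merchantlogo/aaaa", "email": "m2@gmail.com", "phone": "9667700001"},
    {"domain": "gamma.example", "returnUrl": "https://pay.gw-two.example/ret_b.html",
     "logoLarge": "https://s3.example/merchantlogo/aaaa", "email": "m3@gmail.com", "phone": "9667700002"},
    {"domain": "delta.example", "returnUrl": None, "logoLarge": None,
     "email": "care@vendor-site.example", "phone": "+91 9667700003"},
    {"domain": "unrelated.example", "returnUrl": "https://pay.gw-three.example/done",
     "logoLarge": "https://s3.example/merchantlogo/zzzz", "email": "shop@unrelated-corp.example",
     "phone": "9812300000"},
]

# Webmail providers are shared by millions of users; pivoting on them links everything
PUBLIC_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def normalise_phone(phone):
    """Strip formatting and a leading +91 so Indian numbers compare equal."""
    digits = re.sub(r"\D", "", phone)
    return digits[2:] if len(digits) == 12 and digits.startswith("91") else digits


def indicators(rec):
    """Pivot keys for one record, tagged by kind so weak ones can be switched off."""
    keys = set()
    if rec.get("logoLarge"):
        keys.add(("logo", rec["logoLarge"]))                  # exact object URL: strong link
    if rec.get("returnUrl"):
        keys.add(("return-host", urlparse(rec["returnUrl"]).hostname))
    if rec.get("phone"):
        keys.add(("phone-prefix", normalise_phone(rec["phone"])[:5]))  # weak link
    if rec.get("email"):
        dom = rec["email"].rsplit("@", 1)[-1].lower()
        if dom not in PUBLIC_MAIL:
            keys.add(("mail-domain", dom))
    return keys


def cluster(records, ignore=()):
    """Union records that share any indicator whose kind is not in `ignore`.
    Returns (clusters as sorted lists of domains, {indicator: [record indexes]})."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    by_key = defaultdict(list)
    for i, rec in enumerate(records):
        for key in indicators(rec):
            if key[0] not in ignore:
                by_key[key].append(i)
    shared = {k: idx for k, idx in by_key.items() if len(idx) > 1}
    for idx in shared.values():
        for j in idx[1:]:
            parent[find(j)] = find(idx[0])
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec["domain"])
    return sorted(sorted(g) for g in groups.values()), shared


if __name__ == "__main__":
    clusters, shared = cluster(RECORDS)
    print("all pivots:", clusters)
    print("strong pivots only:", cluster(RECORDS, ignore={"phone-prefix"})[0])
    for key, idx in shared.items():
        print(key, "->", [RECORDS[i]["domain"] for i in idx])
```

With every pivot enabled the four linked placeholder domains fall into one cluster; with the phone-prefix pivot switched off, the record that shared only a number prefix separates from the others, which is about the level of confidence the "three numbers start with 96677" observation deserves on its own.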
To play this game you first need to recharge using Google Pay or PhonePe, and when you withdraw money from the website or the game you have to enter your bank details. This is one type of money fraud going on in the country. Don't trust virtual games and don't become their targets.
I agree that some people win money and some lose money playing these colour and prediction games. Don't trust anyone who says you can earn 1000 per day. Remember one thing: no one gives you money for free.
Don't trust virtual (online) friends. We don't know who that person is, and some fraudsters steal money by sending a link or through this type of game. Stay away from these colour and prediction games: they are a form of cybercrime. The fraudsters take our money and transfer it from one account to another; every transfer adds a link to the chain, so it takes longer to find out who is behind it, and some of them open the accounts with fake ID proofs.
Don't give out personal details such as bank details and Aadhaar card details. They are running this business mainly during the lockdown because they know everyone needs money to live, so they take our money under the name of colour games and prediction games. Kindly don't trust anyone. If they send you any link, don't click on it; just ignore it. Be safe and be alert against this kind of fraudster.
Don't install any malicious apps; if anyone tells you to install one, beware of these fraudsters.
Follow us on Instagram for more updates.
If you have any questions/queries, do not hesitate to contact me.
@.cho2. : https://instagram.com/_.cho2._?igshid=gycsfe5exb08
@liferacer333 : https://instagram.com/liferacer333?igshid=52f7yygpe2o1