Due to a lack of action from domain registrars and antivirus vendors, I’m documenting this publicly to raise awareness and protect Moroccan internet users. This post outlines a deceptive phishing campaign that has targeted Facebook users in Morocco under the guise of a Dyson V15 giveaway.
Overview of the Scam
This campaign begins with a malicious TinyURL link shared in the comments of a Facebook post by a fake profile named Yasmine El Fassi. When clicked from outside Morocco, the link redirects users to a harmless article. However, Moroccan users are redirected to a fraudulent product page offering a free Dyson V15 Detect vacuum.
Victims are asked to complete a short survey. Each step leads to a different redirect, and the URLs grow increasingly complex until the user lands on a fake payment page. Once personal and credit card information is entered, the page returns an error and claims the user will receive a phone call.
Targeting Methodology
- Uses geo-targeting to serve malicious content only to Moroccan users.
- Initial link: https://tinyurl.com/entrepot-vente-ma (Reporting [email protected] doesn’t help)
- Facebook post URL: View post (Facebook Support relies heavily on AI for moderation, so it’s pretty much useless in taking down actual harmful content.)
- Final destination: fraudulent payment pages designed to steal credit card data, and potentially double-charge unsuspecting customers.
Confirmed Malicious Domains
- plenorhq.site
- all4discount.world
- gostyle4life.com
- findall4cheap.xyz
- getsupersell.world
- blakfridaysales.click
Each of these domains uses services such as Cloudflare for DNS and is registered through registrars known for low-cost or unregulated domain registrations.
Registrar Abuse Contacts
Domain | Registrar Abuse Contact |
---|---|
gostyle4life.com | [email protected] |
all4discount.world | [email protected] |
plenorhq.site | [email protected] |
findall4cheap.xyz | [email protected] |
easytosellamerica.lat | [email protected] |
getsupersell.world | [email protected] |
blakfridaysales.click | [email protected] |
Case Study: A Victim’s Experience
A friend’s mother fell victim to this scam after seeing the Facebook post. She entered her credit card information and was charged twice. As of the time of this writing, she is contacting her bank to try to recover the funds.
Security Observations
- Random fake data causes server errors, but realistic fake data occasionally allows the scam to proceed.
- Payment pages accept sensitive information without validation.
- Each visit and submission leads to different domains and increasingly obfuscated URLs.
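
The redirect behaviour observed above (shortener entry point, a new domain at each step, URLs that keep growing) can be turned into a triage check for redirect chains recorded in proxy logs or browser history. This is an added example, not part of the original report; the `SHORTENERS` set, the `min_hosts` threshold, the reason labels and the sample chains (the `pay.` subdomain, paths and query strings) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains listed on this page (confirmed list plus the abuse-contact table).
IOC_DOMAINS = {
    "plenorhq.site", "all4discount.world", "gostyle4life.com",
    "findall4cheap.xyz", "getsupersell.world", "blakfridaysales.click",
    "easytosellamerica.lat",
}
# Assumption: shortener set chosen for this example; the page names only tinyurl.com.
SHORTENERS = {"tinyurl.com"}

def host_of(url):
    """Lower-cased hostname without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def matches_ioc(host):
    """True for a listed domain or any subdomain of one (not a look-alike suffix)."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def triage_chain(urls, min_hosts=3):
    """Return the reasons a recorded redirect chain resembles this campaign."""
    hosts = [host_of(u) for u in urls]
    reasons = []
    if hosts and hosts[0] in SHORTENERS:
        reasons.append("starts-at-shortener")
    hits = sorted({h for h in hosts if matches_ioc(h)})
    if hits:
        reasons.append("ioc-domain:" + ",".join(hits))
    if len(set(hosts)) >= min_hosts:
        reasons.append("domain-hopping")
    # "URLs grow increasingly complex": every hop is longer than the one before.
    lengths = [len(u) for u in urls]
    if len(urls) >= 3 and all(b > a for a, b in zip(lengths, lengths[1:])):
        reasons.append("growing-urls")
    return reasons

# Constructed sample chains: registrable domains come from the page; the
# 'pay.' subdomain, paths and query strings are made up for this example.
SUSPECT = [
    "https://tinyurl.com/entrepot-vente-ma",
    "https://plenorhq.site/offer/start?id=EXAMPLE",
    "https://www.all4discount.world/survey/step2?id=EXAMPLE&s=EXAMPLE",
    "https://pay.blakfridaysales.click/checkout/form?id=EXAMPLE&s=EXAMPLE&t=EXAMPLE",
]
BENIGN = ["https://tinyurl.com/EXAMPLE", "https://news.example.org/article"]

if __name__ == "__main__":
    print(triage_chain(SUSPECT))
    print(triage_chain(BENIGN))
```

A shortener alone is not treated as a hit; the chain only stands out when several reasons fire together, which keeps ordinary shortened links from flooding the queue.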
Recommendations
- Do not trust giveaway claims on social media, especially those using link shorteners.
- Educate family members and especially older users on common phishing tactics.
- Use browser tools or VPNs to inspect geo-based redirects.
- Report malicious URLs and behavior to hosting providers, DNS services (like Cloudflare), and abuse contacts.
- If you’ve submitted personal or payment data, contact your bank immediately and monitor for suspicious activity.
Conclusion
Despite reporting the above domains to registrars and security vendors, many remain live or are quickly replaced by alternate versions. I’m publishing this in the hope that transparency and public documentation will help curb the spread of such campaigns.
If you are a registrar or a DNS provider reading this, consider this a call to action to review your abuse handling processes. Inaction only emboldens threat actors who are now comfortably targeting entire demographics.
For screenshots and more details, please check this PDF: Scam_Report_involving_4_domains_registered_with_3_different_registrars. I kept trying to send this PDF to the 3 registrars so that they could do something about the malicious domains, but my emails kept getting rejected by their systems no matter how many times I tried to send them the evidence they asked for.