The other day in the course of my usual hunting, I came across a network of seemingly run-of-the-mill websites designed to spoof banks, financial organizations, oil and gas companies, and other large corporations. All of the sites shared the same registrant email address ([email protected]). Many of the sites were already taken down or taken over by the companies they were spoofing, and a few were parked and not hosting any malicious content. It seemed like a relatively dead-end research topic until I noticed one domain that stood out to me among the rest: lunaxtracker[.]com.
Lunax Tracker stood out to me for a few reasons: one, it was one of the only domains in the list with a .com TLD. Two, most of the other domains were registered to the same registrant name and address, whereas this one was under WhoIs Guard. And three, it didn’t match the pattern of spoofing a large, well-known organization. I decided it was worth a deeper look.
A quick google search for Lunax Tracker indicated that it was associated with a company called “Lunax Group.” The website itself seemed odd to say the least, but didn’t really have a lot of clues as to what the company did. They were tracking something, but it didn’t say what.
Searching again for Lunax Group gave me a better picture of this company, which described itself as a Europe-based logistics and freight company. The website itself was kind of phishy, but offered more clues about this particular organization.
Looking at the page source for this website, I was able to see that it used WordPress, which led me to discover there was a WordPress user named “caseyjoe” who posted the pages on the Lunax Group site. In addition, there was a Disclaimer page that included a phone number and an interesting email address: [email protected]. I looked up trxservices on Google and was led to a legitimate-looking business that unfortunately didn’t seem related to this scammy network.
I decided to pivot off of “caseyjoe,” and conducted a search in Iris for domains associated with that name. I immediately came across an interesting domain – trxservices[.]org.
Pivoting on the associated email address led me to two related domains, both associated with the TRX Services group.
Both of these two domains are down now, but a quick search in the Wayback Machine led to an interesting discovery – the sites were identical to the current Lunax Group website, right down to the sketchy Disclaimer page and the “Flexibility” section that says, bizarrely, that you are a peculiar entity.
Back in Iris, I decided to dig further into trxservices[.]org and looked at the historical WhoIs information which identified another related email address, which I have censored as it doesn’t seem to be related.
Pivoting on that email led to a network of over 250 domains, most of which seemed similarly scammy to Lunax Group and TRX Services and which were registered to the same individual who used an admin email address for a company I hadn’t heard of. Looking up the company, I discovered it was a business based in Ghana (all of the associated domains in this case were registered to people in Ghana), the CEO had the same name as the registrant, and the company specialized in Website Design and Domain Name Registration.
To me, it seems that the registrant email for this site is associated with the individual who registered these scammy domains for people, not necessarily the scammer himself. I decided it would be more beneficial to focus my search on Lunax Group itself.
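The pivoting described above (registrant email, then registrant name, stopping at privacy proxies and at bulk resellers whose email links hundreds of unrelated domains) generalises to a breadth-first walk over WHOIS records. This is an added example, not DomainTools or Iris code; the records, domains and addresses are constructed stand-ins, and the field names are assumptions.

```python
"""Registrant pivoting over WHOIS-style records (constructed data, not Iris output)."""
from collections import deque

# Constructed records: invented .example domains and addresses, not indicators
# from the investigation. "privacy" marks WhoIs Guard style proxy registrations.
RECORDS = [
    {"domain": "fake-bank.example", "registrant_email": "seller@example.net", "registrant_name": "A. Seller"},
    {"domain": "tracker.example", "registrant_email": "seller@example.net", "registrant_name": "WhoisGuard"},
    {"domain": "freightgroup.example", "registrant_email": "user1@example.org", "registrant_name": "Casey Joe"},
    {"domain": "courier.example", "registrant_email": "user1@example.org", "registrant_name": "Casey Joe"},
    {"domain": "designer-admin.example", "registrant_email": "admin@webdesign.example", "registrant_name": "Casey Joe"},
    {"domain": "unrelated.example", "registrant_email": "nobody@example.com", "registrant_name": "Nobody"},
]

PIVOT_FIELDS = ("registrant_email", "registrant_name")


def build_index(records, fields=PIVOT_FIELDS):
    """Map (field, value) -> set of domains sharing that value."""
    index = {}
    for rec in records:
        for field in fields:
            index.setdefault((field, rec[field]), set()).add(rec["domain"])
    return index


def pivot(records, seed, max_hops=2, max_fanout=50, ignore=("WhoisGuard",)):
    """Breadth-first pivot from `seed` over shared registrant values.

    Returns {domain: hops_from_seed}. Values listed in `ignore` (privacy proxies)
    and values shared by more than `max_fanout` domains (resellers, bulk
    registrars) are not followed, since they connect unrelated customers.
    """
    by_domain = {r["domain"]: r for r in records}
    index = build_index(records)
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        hops = seen[cur]
        if hops >= max_hops:
            continue
        for field in PIVOT_FIELDS:
            value = by_domain[cur][field]
            neighbours = index[(field, value)]
            if value in ignore or len(neighbours) > max_fanout:
                continue  # noisy or anonymised pivot value: do not expand
            for dom in neighbours:
                if dom not in seen:
                    seen[dom] = hops + 1
                    queue.append(dom)
    return seen
```

Lowering `max_fanout` is the knob that stops a walk at a reseller like the Ghanaian web-design firm above, where one admin address would otherwise pull in hundreds of unrelated customer domains.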
Lunax Group is associated with a few different countries if you trust all the different pages on their website – they say they’re registered in Canada, their address is in Belgium, and the domain was registered in Ghana. Neither the European nor the Canadian business registry has any entries for Lunax Group. The European registry has an entry for another group called Lunax Digital, which appears to be a legitimate business not associated with Lunax Group. Ghana does not have a business registry in the same way Canada and Europe do, but it does have a business directory site; however, Lunax Group was not listed there either.
Looking at the other domains registered by [email protected] led down another rabbit hole. A couple of the other domains seemed to be associated with shipping and freighting, including sandboxonline[.]us and santrustcourier[.]us.
The first one, sandboxonline[.]us, leads to a site claiming to be a shipping company based in Brooklyn, NY that boasts services such as Fedex shipping, US postal service shipping, and mailbox rental. It also had a tracking page that looked noticeably similar to the Lunax Tracker page. However, despite the legitimate-looking website, there are some clues that prove this is indeed fake and potentially a scam.
First of all, searching the provided address shows that there used to be a company called Sandbox at that location; however, it has long since closed down. There are still other Sandbox locations open, but those locations have a different website (sandbox[.]biz). Also, the tracking feature of the two websites is noticeably different: the legitimate site returns data associated with major shipping carriers (DHL, FedEx, etc.), while the scam site only returns a “Not found” error. Finally, looking at the page source for the scam site shows that it was mirrored from another site when it was registered. The second site, santrustcourier[.]us, was also a mirrored fake.
Some more digging showed why all of these sites had such similar tracking pages: a WordPress plugin called “WPCargo” provides a default tracking page, and these sites are all using it. That lends more credence to the theory that these aren’t legitimate sites, as they have neither their own tracking page nor one provided by any large courier service.
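The two page-source tells from the last two paragraphs (a site mirrored from another site, and a stock WPCargo tracking page) can be checked statically on saved HTML. This is an added example, not code from the post; it assumes the mirror was made with HTTrack, which leaves a “Mirrored from … by HTTrack Website Copier” comment, and that WPCargo loads its assets from the plugin slug `wpcargo`; the HTML samples are constructed.

```python
"""Static indicators in fetched HTML: mirrored copy and stock WPCargo tracking page."""
import re

# HTTrack writes this comment into every page it copies (assumption: the
# mirroring tool was HTTrack; other copiers leave different markers).
MIRROR_RE = re.compile(
    r"<!--\s*Mirrored from\s+(\S+)\s+by HTTrack Website Copier\S*"
    r"(?:\s*\[[^\]]*\])?,\s*([^>]*?)\s*-->", re.I)
# WordPress serves plugin assets from /wp-content/plugins/<slug>/; the WPCargo
# slug is assumed to be "wpcargo".
WPCARGO_RE = re.compile(r"/wp-content/plugins/wpcargo/", re.I)
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress[^"]*"', re.I)

# Constructed samples, not the live sites.
SCAM_PAGE = """<!DOCTYPE html>
<!-- Mirrored from legit-courier.example/ by HTTrack Website Copier/3.x [XR&CO'2014], Sat, 01 Jan 2022 00:00:00 GMT -->
<html><head><meta name="generator" content="WordPress 5.9" />
<link rel="stylesheet" href="/wp-content/plugins/wpcargo/assets/css/wpcargo.css">
</head><body><h1>Track your shipment</h1></body></html>"""
LEGIT_PAGE = """<!DOCTYPE html><html><head><title>Courier</title>
<script src="/static/tracking.js"></script></head><body></body></html>"""


def inspect_html(html):
    """Return the indicators found in one page's source."""
    findings = {
        "wordpress": bool(GENERATOR_RE.search(html)),
        "wpcargo_tracking": bool(WPCARGO_RE.search(html)),
        "mirrored_from": None,
        "mirror_date": None,
    }
    m = MIRROR_RE.search(html)
    if m:
        findings["mirrored_from"] = m.group(1).rstrip("/")
        findings["mirror_date"] = m.group(2)
    return findings


def reasons(findings):
    """Turn findings into the human-readable points an analyst would note."""
    out = []
    if findings["mirrored_from"]:
        out.append("mirrored copy of " + findings["mirrored_from"])
    if findings["wpcargo_tracking"]:
        out.append("stock WPCargo tracking page")
    return out
```

The mirror date is the same “when it was registered” clue the post relies on, so it is worth comparing against the domain's WHOIS creation date.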
In trying to figure out the goal of these shipping sites, the DomainTools research team came across a business model in Ghana that may explain the origin of the sites. Individuals will sell Chinese phone numbers and website hosting services and templates in order to enable import and resell businesses, where people can buy items from China and resell them in their home countries for a profit. The shipping and tracking sites associated with this business model look very similar to the ones described above; however, we were unable to confirm that they are part of this business model and were unable to find a storefront site where imported items would be for sale. Additionally, some of the sites described in this post were mirrored from and were imitating legitimate shipping sites and businesses, and were not always unique businesses.
If these sites are not related to the import and resell business, the end game of this network of fake shipping and freighting services remains to be seen. None of the sites seems to be delivering any malware or asking for any PII. It’s possible they’re used in phishing campaigns to add an air of legitimacy to an otherwise shaky scam, but that remains unclear. It’s also possible these are being used for something much more illicit, such as the tracking of illegal shipments. Research continues into this scam.
Suspicious Data Points Collected