
A Scam Study: Too-Good-To-Be-True Deal Sites Lurking in Your Social Media

If you don’t spend much time in the r/Scams subreddit, you really are missing out. Aside from the never-ending landslide of scam examples to learn about… if you’re an investigator, it also means a never-ending landslide of research fodder! One such example presented itself to me the other day, when I read a post about someone helping out their mother, who had clicked on a Facebook advertisement that led her to purchase a steeply-discounted set of patio furniture from what she believed to be a legitimate site bearing a highly recognizable company name and logo. The site was called “Weeyfair”, and spoiler alert, it was definitely not legitimate. Best case scenario, she’s out the money she spent… worst case scenario, her credit card is compromised and her contact information landed her a spot in the Scams-R-Us rolodex for future engagements.

Anyway, I decided to do a little digging to see what I might find, and it quickly spider-webbed into a network so convoluted that I quit taking notes, and started making a visual graph just to try and keep it all straight.

ugly, but it tells the story

I’m going to run through some of the research methods I used, but first I need to make a couple things clear:

- I do not recommend that you visit any of the sites mentioned in this research. In fact, I strongly recommend that you DO NOT.
- This is not an attempt at exhaustive research. There are so many different avenues to take when researching this kind of scam network, and if you have other ideas (and the time to run with them), then grab this torch and run like hell. I’m not exactly drowning in free time since I do this nonsense during the hours when I should be sleeping.
- I am not saying that every string we pull here leads to nefarious people running scams. “Legitimate” drop shipping is possibly mixed in, and the court of public opinion is split on whether that’s right or wrong.

Now, let’s get to work…

To start off, we need to take a look at the very first lead we have, the site used by the victim. When I say look at it, of course I mean have someone else look at it and report back to us. As an older brother, I’ve been deploying this tried-and-true method of self-preservation for many years, and it’s helped me avoid everything from getting grounded to getting doused in skunk spray.
So who can we get to look at a website for us and report back? One of my favorites is urlscan.io “A sandbox for the web”. Using this site, I can see where a link starts and ends up, any redirects, HTTP transactions, structurally similar sites and so much more. One thing I really like though… I can see a screenshot preview of what would be in my browser window had I not just sent my little brother over there to poke it with a stick!

For most of us, this is where the scam alert alarm bells would start going off. As you can see, this site is not only playing on the name of a widely-known furniture-selling website, it’s also visually impersonating a very well known retail chain (whose info I am obscuring… again, self-preservation). Most of you are probably already saying: I’ll take “Flags That Are Bright Red” for $200, Alex. Not everyone out there in internet-land would be suspicious at this point though, and that’s what these kinds of sites bank on.

So, I’m starting to get an idea of what I’m dealing with, but I want to see more before I get too close. I wonder if the Google machine has anything useful? When I head over there and give it some search params, I’m looking for any potential thread to pull. I search “weeyfair.com” and then I search “weeyfair” and then I search “weeyfair” alongside -site:weeyfair.com (to see all indexed content with weeyfair in it that does not include content from the actual site), and all of these things give me a chance to look around a bit more. I see the site has listings for various types of outdoor furniture, and they seem to have other site pages for things like a privacy policy (LOL), shipping policy, payment policy and so on. I start to wonder if they share any kind of contact information that I could research: a phone number, an email, a parent company or cross-linked website. I could continue on with adding more to my Google searches, but let’s try a different type of visual inspection that shows us more of the page.

One site I love to use is Dr. Fou’s pagexray. This site can tell some really interesting stories about the advertising tech & trackers being deployed on a site, and it gives a larger screenshot, but most importantly for us right now… it nicely displays a list of all outgoing links from a web page for me to review. This can be extremely helpful when researching a site from a distance. In this case, I can see that the Weeyfair site has outgoing internal links to the other site pages, a bunch of product listings, and also external links to social media sites. Normally this is where I’d see someone linking to their social profiles, but in this case the links are simply to the homepages of each social site, probably left there from the website template being used, never having been changed to direct a visitor to a related profile. While it may seem like a swing and a miss, in reality it further adds to my pile of red flags because most legitimate companies are probably going to have that squared away.
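The same outgoing-link review can be done offline on a saved copy of a page's HTML (for example, one exported from a sandbox service), so the site is never visited directly. This is an added example, not code from the original post: the sample HTML, the `shop.example` domain and the list of social hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed short list of social platforms to check; extend as needed.
SOCIAL_HOSTS = {"facebook.com", "twitter.com", "instagram.com", "pinterest.com"}

class LinkCollector(HTMLParser):
    """Collects every <a href> as an absolute URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(urljoin(self.base_url, href))

def bare_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def review_links(html, base_url):
    """Split links into internal, external, and template-leftover social links."""
    parser = LinkCollector(base_url)
    parser.feed(html)
    site = bare_host(base_url)
    report = {"internal": [], "external": [], "template_social": []}
    for url in parser.links:
        host = bare_host(url)
        if host == site:
            report["internal"].append(url)
        elif host in SOCIAL_HOSTS and urlparse(url).path in ("", "/"):
            # Points at the platform's homepage, not at a profile: red flag.
            report["template_social"].append(url)
        else:
            report["external"].append(url)
    return report

# Constructed sample footer, modelled on the pattern described above.
SAMPLE_HTML = """
<footer>
  <a href="/privacy-policy">Privacy Policy</a>
  <a href="/shipping-policy">Shipping Policy</a>
  <a href="https://www.facebook.com/">Facebook</a>
  <a href="https://twitter.com">Twitter</a>
  <a href="https://www.instagram.com/realbrand.example/">Instagram</a>
</footer>
"""

if __name__ == "__main__":
    for bucket, urls in review_links(SAMPLE_HTML, "https://shop.example/").items():
        print(bucket, urls)
```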

I’m curious about some of the products for sale now, because who doesn’t love a deal that seems too good to be true?! I wonder if applying a bit of scrutiny to one of the listings will help us dissuade some of our less scam-conscious friends who might be victims of a site like this? I pick an item with a model name that could be unique to whatever company actually offers it for sale, and go out looking for a more reputable example of the $40 Damis 42.5″ Wide Tufted Oversized Accent Chair. Based on what little I know about accent chairs thanks to my mother-in-law, this price is either really suspicious or someone needs to explain the chair-shaped hunk of gold sitting in my living room. As it turns out, this exact item is offered by the much more well known site that this one attempts to impersonate… at 20x the price of Weeyfair!!! Red. Flag.

what’s the lowest you’ll go on the asking price?

I’m still exploring and looking for something I can exploit and pivot from, so now we’re moving on to another favorite of mine for visual website research… page2images. This is one of many webpage screen capture services out there, and I like it because not only is it easy to use, but it allows me to see either a mobile or desktop version of a site I’m capturing, which can come in handy sometimes. For the first time, I see something at the very bottom of the homepage that screams Pivot! louder than Ross Geller helping Chandler Bing carry a couch up the stairs.

A Gmail??? Come on now, scammers… you’re better than this.

What can we do with a simple Gmail address? Well, a lot actually. Most of that type of exploit is a story for another day though, and in this case we’re just going to rely on our old pal Goog’ to help us find some other websites that might have flaviodeby08’s contact info listed. A couple quick searches for “flaviodeby08” and for “[email protected]” start showing us that we’re dealing with more than just the Weeyfair site. Let’s explore…

For each new site indexed with this email in the contact area, I’m applying a similar process to what was described above, and seeing the same template site deployed over and over using different names: pasenstore, wayccop, and comsestore. Through further research, I can see that each of these sites was recently created, and that they seem to replace a prior set of sites deployed a month earlier, and others deployed prior to that. Some of these sites no longer exist, so I’m checking cached versions from the Google results, or I’m reviewing those junk “scam review” sites that pretend they did some research by auto-filling images and details from dodgy sites like Weeyfair, then delivering the result to you in the form of an advertisement-laden “report”. The one nice thing about these cookie-monsters is that they capture the contact information as it appeared on the page, and this leads me to another Gmail address to check: “[email protected]”.

Suddenly, the Weeyfair universe begins expanding rapidly as my Google searches for the various site names, email addresses, and so on allow me to connect the dots between dozens and dozens of pages deployed in recent months with the same format, the same suspiciously low prices, and the same evil intention. At some point while down this rabbit-hole I come up for air and I wonder to myself… gee Griffin, how many more hours could you spend on this if you started searching for contact phone numbers too? Off we go again, this time finding other networks of sketchy looking template sites displaying the same contact number, like a group of pages sporting the name “Venzkemall”. Here’s a look at how this part of the graph is shaping up…
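The note-taking problem described above (which sites share which contact details) can be handled with a small union-find over site and indicator nodes. This is an added example, not the author's tooling: the four site names and the "flaviodeby08" handle come from the post, while every `.example` site, the second email placeholder and the phone numbers are constructed.

```python
from collections import defaultdict

# Constructed observations: (site, indicator kind, value as seen on the page).
# Only the first four rows reflect links stated in the post; the rest are made up.
OBSERVATIONS = [
    ("weeyfair", "email", "flaviodeby08"),
    ("pasenstore", "email", "flaviodeby08"),
    ("wayccop", "email", "flaviodeby08"),
    ("comsestore", "email", "flaviodeby08"),
    ("older-site-1.example", "email", "FlavioDeby08"),
    ("older-site-1.example", "email", "second-gmail-placeholder"),
    ("older-site-2.example", "email", "second-gmail-placeholder"),
    ("template-shop-1.example", "phone", "+1 (555) 010-0199"),
    ("template-shop-2.example", "phone", "1-555-010-0199"),
]

def normalise(kind, value):
    """Make the same indicator compare equal however a page formats it."""
    value = value.strip().lower()
    if kind == "phone":
        value = "".join(ch for ch in value if ch.isdigit())
    return (kind, value)

def cluster_sites(observations):
    """Group sites that are linked, directly or transitively, by a shared indicator."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for site, kind, value in observations:
        a, b = find(("site", site.lower())), find(normalise(kind, value))
        parent[a] = b

    groups = defaultdict(lambda: {"sites": set(), "pivots": set()})
    for node in list(parent):
        kind, value = node
        group = groups[find(node)]
        if kind == "site":
            group["sites"].add(value)
        else:
            group["pivots"].add(f"{kind}:{value}")
    return sorted(groups.values(), key=lambda g: (-len(g["sites"]), sorted(g["sites"])))
```

A shared indicator links sites in the graph but does not by itself show a common operator, which is why each cluster keeps the list of pivots that produced it for manual review.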

Now I feel compelled to say that the farther away I was from the original site, the more often I found what appears to be potentially “legitimate” drop-shippers (don’t @ me with your views on this topic, please). Drop shippers are people who essentially take your order for a product they don’t own, then facilitate the ordering of that product for you at a slightly inflated cost. Some of these shippers might also leave you with sub-par products intending to either defraud you entirely, or knowing they can offer a partial refund, still making off with a profit. That’s just scratching the surface, and if you’re interested in the topic there are plenty of opinions out there, even people writing books and how-to guides designed to help you get your drop-ship side hustle on. Conversation for another day, over a beer perhaps.

Let’s get back to the fun. After all this digging I decide to shift gears and head over to Facebook. As we know from the Reddit post that started it all, the victim found themselves following a Facebook link to Weeyfair. I wonder if Weeyfair, or any of the dozens of other sites I’ve discovered, have a Facebook page? Turns out, most of them have several! Some are pretty bare bones, but others in the far-reaching spiderweb I’ve now found myself struggling in offer pivotable contact phone numbers, contact emails, images, and so on. If I’m really being thorough, I can look through their posts, see who likes, comments on, or shares them, and dig til my little paws fall off. Not today, Satan. One great thing about Facebook pages for business is that you can view what’s called the Page Transparency information. This can tell you things like when they were created, where the site owners are based (or at least where their profiles are set up), what kind of advertisements are running from a page, and more. Look for a box like this when visiting one of these pages and see what you can learn.

Another thing I feel compelled to mention here… This research led me to find an obscene amount of websites masquerading as well-known companies of all kinds, selling goods of all types, on template sites with stolen imagery, brand names and logos any one of us would recognize immediately. Nothing new in the online world unfortunately. All I’m saying is that those represented here are not the only companies being copied, not by a long shot.

Alright, this story is starting to get a little long-winded, so let me summarize a few other investigative possibilities, if not to give you some more ideas, then at least to reduce the number of comments I’ll get from people trying to call out other things I “missed” looking into. Someone with no day job and the kind of free time I had before kids could go on and on here looking at code, images, sitemap, other site text, other search engines, other social media sites, WHOIS information, shared analytics IDs, IP addresses, certificates, victim-reported contact information; the list goes on and on and on. I did some of those things, and never tried others. We could never hope to exhaust everything, but after staying up til 2am researching and putting this together, I can definitely say it exhausted me. The bottom line is, this scenario presented more than a handful of red-flag learning moments that hopefully help you and your less-savvy loved ones stay safe while bargain hunting online. I’m hoping it also gave you a few new OSINT ideas for your future investigations.
