The masks are off

In difficult times, society splits into two groups. Some people try to help others so that, through joint effort, the difficulties are overcome as quickly and efficiently as possible. Others use a crisis purely for profit, and they do not care at all that they are profiting from people who are already having a hard time.

You don't have to look far for examples. Recall the terrorist attacks in the Moscow metro in 2010, when some drivers dropped what they were doing and drove people to hospitals for free, while others inflated taxi fares by a factor of 10 or more.

Something similar is happening now. In the wake of general isolation, demand for goods that few people were previously interested in has risen sharply. Take medical masks, for example. In the three months from October to December 2019, a little over 2300 domain names containing the substring *mask* were registered. How many of these resources do you think were intended for selling medical masks?

Zero. Not a single one. By the way, pharmacies were selling masks at an average price of 7 to 15 rubles apiece.

Then 2020 arrived, and with it the coronavirus. Everything changed dramatically. Over the same 3 months, from January to March, 32,000 domain names containing the *mask* substring appeared on the network, 80 percent of which exploited the topic of medical masks. From there, things developed in two directions. Some of the resources were intended for the real sale of masks, although the price of a mask rose on average to 60 rubles apiece. Other sites were outright fraudulent.

Last week 2maski.ru came to my attention.

I quote the site address intentionally, as users may be interested in looking at its contents.

This resource is interesting in several ways. First, it is aimed at legal entities: the minimum lot of masks that can be ordered on the site is 200 thousand pieces at a price of 7 cents per mask. That is, the minimum lot costs 14 thousand US dollars, or 1 million 120 thousand rubles at the current Central Bank rate.

Second, it uses a very specific payment scheme: the buyer is asked to transfer the money through the Contact and Hummingbird transfer systems, as if through a guarantor. That is, the buyer names a relative or friend as the recipient of the transfer, sends a scan of the receipt, and after receiving the goods changes the recipient to the required one.

Third, this site is definitely fraudulent, as evidenced by numerous publications in the media and on various resources. If you wish, you can even find through Google scans of receipts for transfers of considerable sums of money in payment for non-existent masks.

Let us set aside the fact that such settlements between legal entities are generally unacceptable, and that the payment scheme would horrify any sensible accountant or employee of a company's economic security service. The main thing we see is that, in practice, it works.

Given the cynicism of this fraudulent scheme, I could not remain indifferent and invited subscribers of the In4security channel on Telegram to conduct a small investigation, while launching my own at the same time.

The call was answered by ashotog and momonov, who monitored the contact information provided on the scam site and helped organize the information received.

The website 2maski.ru gives the telephone number +79645829878 and the email address cn-partner@mail.ru as its contacts. Both the email address and the phone number appear in a huge number of advertisements placed on all kinds of classified boards in mid-March 2020. An interesting detail: all of the advertisements are placed on behalf of Victor.

The phone number is associated with old, long-dead VKontakte and Odnoklassniki accounts, but these apparently belong to the previous owner of the number.

The e-mail address cn-partner@mail.ru is unique and leads us to the site cn-partner.ru.

We go to the main page of the site and see what looks like a regular online store.

But, as they say, there is one caveat: the prices. For example, the Nvidia GeForce GTX 1060 graphics card costs about 2 times less here than the market average: 8 thousand rubles against 16-20 thousand. The offer is excellent, so we have to take it. Click the Buy button.

Oh. The minimum order starts at a million rubles, and payment is to be made by the same scheme as on the 2maski.ru website. Using the same email address for two different fraudulent ventures... How imprudent.

Searching on the contacts reveals additional addresses used to publish ads, in particular partner_73@inbox.ru and rotenberg1960@mail.ru.

The address rotenberg1960@mail.ru, together with the phone number +79645829878, was given in the ad medfirms.ru/med82713.html, posted on February 10, that is, a month before the 2maski.ru site appeared.

Note the name Victor (in this case spelled with an error).

Email addresses also appear in other ads.

For example, it can be found on the website voshod-invest.ru/inv_show_offer.php?id=9672, where +79653493247 is given as the contact phone number.

With the contact details, everything is more or less clear. Let's look for domain names and fragments of ad text.

First we find an article on Pikabu whose author took the time to write to the scammers. The article mentions a curious fact: in order to obtain the transfer code and the details of the sender and the recipient, the attackers sent a link to a phishing resource that mimics the Sberbank website: sber-bank.su/ru/person/remittance/kolibry_rus/.

The site is still up. It sits behind CloudFlare, and the e-mail address ki.wa18@yandex.ru was given when the domain was registered. Especially interesting is the fact that the domain name was registered in May 2019, long before the pandemic, which once again proves that the mask dealers can be involved in a variety of fraudulent schemes.

However, we already know two of them (masks and goods from China). Or maybe there is something else?

Of course there is! First, we find the Instagram profile created for advertising, www.instagram.com/2maski.ru, whose list of followed accounts contains two more:
www.instagram.com/2maski_ua
www.instagram.com/2maski_ru

Alongside these there are VKontakte pages used to advertise 2maski.ru, but they are not very interesting, so we won't dwell on them. Back to Instagram.

The 2maski_ua account leads us to an analogue of the 2maski.ru website for residents of Ukraine: www.2mask.com.ua.

Overall the sites are identical, differing only in language and contact information.

Thus, the Ukrainian resource uses the address ukraina1960@bk.ru together with the telephone number +380972451427. A partial match with the address rotenberg1960@mail.ru can be noted, but this is only an assumption.

In addition, the ad at www.44.ua/ads/583818 features the address cn.partner@yandex.ru, which only strengthens the link between the three scam sites already identified.

By the way, the ads for the Ukrainian site are also published on behalf of Victor.

But then the fun begins. The address ukraina1960@bk.ru is mentioned on various sites in connection with apartment-sale scams in the period from 2015 to 2019, for example at sovet.kidstaff.com.ua/question-2185350. And here we see that the deception scheme used when selling apartments is no different from the scheme with masks or Chinese electronics. Coincidence? I don't think so.

It becomes clear that most likely one person or group of people is behind all these scams, and the “business” has been put on a production line. This is great news, since the more active a person is, the greater the likelihood that one day he will slip up on some small detail.

A necessary remark. The investigation analyzed hundreds of resources and dozens of phone numbers. I intentionally do not include all of the attackers' contact details in the text, since that information does not help the story and only confuses readers.
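The pivot used throughout this investigation, linking sites and ads through reused e-mail addresses and phone numbers, can be automated once the page texts have been collected. The sketch below is an added example, not code from the original investigation; the page names, addresses and numbers are constructed, and `identifiers` and `cluster` are hypothetical helper names.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s()\-]{8,}\d")

def identifiers(text):
    """Return the normalized e-mail addresses and phone numbers found in text."""
    ids = {"mail:" + m.lower() for m in EMAIL_RE.findall(text)}
    for raw in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", raw)
        if len(digits) == 11 and digits[0] == "8":  # domestic prefix 8 -> country code 7
            digits = "7" + digits[1:]
        ids.add("tel:" + digits)
    return ids

def cluster(pages):
    """Group page names linked, directly or transitively, by a shared identifier."""
    parent = {name: name for name in pages}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # identifier -> first page that used it
    for name, text in pages.items():
        for ident in identifiers(text):
            if ident in first_seen:
                parent[find(name)] = find(first_seen[ident])
            else:
                first_seen[ident] = name
    groups = defaultdict(set)
    for name in pages:
        groups[find(name)].add(name)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

# Constructed sample pages (reserved .example names, fictional numbers).
PAGES = {
    "mask-shop.example": "Orders: +7 (900) 555-01-01, sales@partner.example",
    "board-ad-1": "Masks wholesale , call 8 900 555 01 01 . Victor",
    "gadget-shop.example": "Write to SALES@partner.example or old@seller.example",
    "flat-ad-2015": "Apartment for sale , owner moving abroad . old@seller.example",
    "unrelated.example": "Contact: info@bakery.example, +7 900 555 09 99",
}

if __name__ == "__main__":
    for group in cluster(PAGES):
        print(group)
```

Only identifiers that match exactly after normalization are merged; near-matches, such as the same mailbox name at a different provider, are left as leads for manual review.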

Searching for information about “apartment scammers” leads to another article on Pikabu, in which a certain Viktor Pavlovich appears as the seller. As you can see, the scammers have an unhealthy fondness for the name Victor.

In addition, dozens of mentions of Viktor Pavlovich's apartment frauds are found across the countries of the former Soviet Union, from Ukraine to Kazakhstan, many of which feature the already familiar address ukraina1960@bk.ru. By the way, unlike email addresses, the scammers change phone numbers quite actively.

The feeds of various news agencies carry reports of numerous victims who transferred money to purchase a non-existent apartment. Online forums are full of threads about apartment fraud. Sometimes quite interesting comments turn up in them.

However, this information has not received confirmation.

Let us study the history of the fraudulent scheme of selling apartments with the prepayment transferred through instant money transfer systems. The main text of the ad is standard; only certain details change: the name of the apartment's owner, the country and the reason for his move, the address, and the names of the payment systems (depending on the country of residence of the potential victims). Most of the ads are aimed at residents of Russia, Belarus, Ukraine and Kazakhstan.

The semantic and stylistic features of the ads are interesting. In particular, the absence of commas, or a space placed before the comma rather than after it, is striking.

In addition, all phone numbers, whether in the apartment scammers' letters or in the ads and website pages selling medical masks, are written in a similar format.

Some of the earliest ads with similar text date back to 2013. At the link you can read the touching story of Zarutsky and Belov, Alexander Pavlovich and Constantine Pavlovich, who sold their livestock farms in the Pavlodar region and moved to Peru and Israel respectively. Besides the farms, the Pavloviches have two things in common: a non-existent apartment in Astana and the e-mail address kz-leo@bk.ru.

Let's see where else this email address has appeared.

First, check the profile on Mail.ru. What do we see?

Victor Pavlovich! This is the third Pavlovich in our story. And recall that our mask fraudster clearly has an unhealthy fondness for the name Victor.

It gets more interesting.

The address kz-leo@bk.ru was mentioned on Mail.ru by the user natalisvs in a message dated October 19, 2013.

Thus, we get the address natalisvs@mail.ru, whose profile shows a certain Igor Sidorenko.

Note that Igor is also a fan of putting a space before the comma.

Igor’s profiles are quickly found in other social networks.

The e-mail address natalisvs@mail.ru was given on the site vse.kz by a user with the pseudonym dark.nik in a thread about searching for tours.

This person is a very active user of the forum. To date he has left more than 4.5 thousand messages. In particular, in 2015 he sold an apartment in Kazakhstan.

And in 2016, he offered the services of a personal guide and driver on a Toyota Land Cruiser Prado.

And finally, in 2019, he posted documents on passing t/o, on which his name and phone number are clearly visible.

So, who do we end up with?

Nikita Konstantinovich L., living in Kazakhstan.

VKontakte page: vk.com/nikinzdeshniy
My world: my.mail.ru/mail/dark.nik
Facebook: www.facebook.com/nikin.zdeshniy
Instagram: www.instagram.com/nikin_zdeshniy

I want to note right away: the purpose of the article is not to accuse anyone of fraud, but to note coincidences and to analyze and study trends. This is food for thought that may be useful to someone.

What next?

Next come the law enforcement agencies, which can check all this, because according to media reports, dozens of fraud complaints involving the 2maski.ru website have been filed with the police over the past month.

I really hope that in this time, difficult for everyone, the Internet does not become a hunting ground for all kinds of highway robbers.
