The Financial Review shared with cybersecurity firm CyberCX a selection of likely scam webpages that were appearing prominently in search rankings. Analysis of the websites’ functionality, backend design and server providers indicates one group is running many dozens of scam websites.
“The thing that strikes me is that the threat actor has done their homework to match the trend of what financial instruments people might be interested in, in relation to current events,” CyberCX cyber intelligence analyst Oliver Smith said.
Mr Smith said activity appears to have kicked off around mid-2021 with a more global focus, across the UK, US, Canada and Australia. Fake investments offered were on the riskier side, such as pre-IPO investment in SpaceX, share trading platforms, or financial products facilitated by cryptocurrency.
Links to Russia’s DarkSide
“Moving forward as the economic tide has changed a little bit into the beginning of this year they really turned and focused their efforts differently. Bonds have been their No.1 thing, and then term deposits – they were really pitching their lures more at people who are looking to invest their superannuation,” he said.
Calls to AusBondTrust and Au-Investor, which had the same number, were answered by a call-back service.
The sites have disclaimers that they are not authorised or regulated by the Australian Prudential Regulation Authority or the Australian Securities and Investments Commission. However, financial products, which include bonds, cannot be sold to Australians without regulatory oversight from ASIC.
AusBondTrust, Au-Investor and Millenium Bonds all have the same disclosure at the bottom of their websites. Domain identity data is hidden, but does show all three were registered in Iceland’s largest city, Reykjavik.
Some domain registration details also match analysis done for the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The matches link to Russia-linked ransomware group DarkSide, which provides ransomware-as-a-service (RaaS). The DarkSide ransomware group was responsible for the Colonial Pipeline Company ransomware incident in May 2021.
The bond scammers and the ransomware operators use domain host NameCheap.com and a privacy service called Withheld For Privacy, which “replaces real customer contact details with our own, generated information.”
The Icelandic company offers privacy services for people registering website domains, allowing them to avoid publishing the identifying information that is normally required.
The bond sites all claim to be the trading name of London Choice Investments SL, a company registered in the port city of Dénia on the Mediterranean coast of eastern Spain.
A search of Spain’s corporate regulator – Comisión Nacional del Mercado de Valores (CNMV) – revealed no such company.
“The company you are asking for is not registered in CNMV, which means that it is not authorised to offer investment services in Spain and, therefore, we don’t have information on said company,” the Spanish regulator told the Financial Review.
UK regulator warned on ‘London Choice’
The UK’s FCA published a warning in November 2020 about the firm, which was using websites such as bestfixedratebonds.uk and bestisas.uk.
“Almost all firms and individuals offering, promoting or selling financial services or products in the UK have to be authorised or registered by us,” the FCA said.
“This firm is not authorised by us and is targeting people in the UK. You will not have access to the Financial Ombudsman Service or be protected by the Financial Services Compensation Scheme (FSCS), so you are unlikely to get your money back if things go wrong.”
The syndicate is not just targeting bond investors; it has branched out into other investment scams. The Financial Review also found a further site, Investorleads.eu, claiming to be the trading company for London Choice Investments, encouraging investors to sign up to brokerages.
‘Not a lot of sophistication … but a bit dodgy’
The site used the same stock photography as AusBondTrust, and the company office was registered to a virtual office service, which allows entities to create UK companies and domain names with a London address, giving a sense of legitimacy.
An investment website – Whiskey Investor Club – with the same hosting and registration details as the bond scams, also claimed to be the trading name for London Choice Investments, with offices in Melbourne, London, Spain and Dubai. The registered address was a house in the Melbourne suburb of Keysborough.
“There’s not a lot of sophistication here,” Mr Smith said. “It’s in a family of things that could be accomplished mostly by an automated process.
“You notice some things like consistent use of stock imagery and consistent use of some elements across the websites. If you take a look under the hood, they’re all built on exactly the same kind of template, a WebFlow website, that’s pretty easy for somebody to spin up.
“If you take a superficial glance at any of these, they’re very natural-looking websites. They’re not the sort of things that would immediately trip those alarm bells that this is something that’s a bit dodgy.
“They have all the right language, refer back to the financial regulator in the country that they’re targeting. They’ll often refer to regulatory status with ASIC, so it ticks a lot of the boxes of things you’d typically see with this type of offering.”
Last month, the Financial Review revealed bond scammers impersonating investment bank Barrenjoey, using emails to prospective investors from a @nswbarrenjoey.com domain, which the bank confirmed was not genuine.
Earlier this month, the Australian Competition and Consumer Commission issued a warning that bond scams were on the rise, and that reported losses so far in 2022 were more than $20 million.
It is the second time in a little over 12 months that Google’s search engine advertising has been abused by scammers flogging bonds. The Financial Review revealed another fraudulent bond scheme using Google search ads in May 2021.
This masthead also revealed the abuse of Google search ads to flog fraudulent websites targeting people looking to buy and rent shipping containers amid global supply chain problems.