I was tipped off to this site by a contact, but it appears that there are some particularly dispicable scammers who have registered a fake website called
savenepal.org which is soliciting donations via PayPal.
The site largely cloned from the
legitimate ActionAid site which is genuinely seeking donations to go to Nepal.
ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check at the
UK charities commission and we can see that the charity with this number is actually an orchestra.
Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:
The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:
com-indexhtml.link
com-indexhtml.us
grantsekit.com
Out of these, only
com-indexhtml.us has a non-anonymous WHOIS entry:
Registrant ID: C4E83B25FA8AD52D
Registrant Name: Frank J. Moore
Registrant Address1: 2441 Byers Lane
Registrant City: Davis
Registrant State/Province: CA
Registrant Postal Code: 95616
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5307574940
Registrant Email: uscustomerhelp@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C12
I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:
Registrant ID: 29B0B5BBD7190398
Registrant Name: dinna james
Registrant Address1: po box 876
Registrant City: dl
Registrant State/Province: dl
Registrant Postal Code: 110098
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +1.918978978
Registrant Email: helpot80@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C12
Of course, these contact details could also be false and there's no definite connection to
savenepal.org yet. But out of curiosity, who is
helpot80@gmail.com? Googling doesn't reveal much, but it does show a copy of a conversation in the
news.admin.net-abuse.email where someone who is claiming to use this email address is
complaining about spam. If we then use Google Groups to find the
original newsgroup post we see it was posted from an IP of
182.68.85.242 which is a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.
Another Google result is this
Phishtank entry listing
social2013.com/rockgrade/ which appears to be a copy of the
Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of
social2013.com before it expired in February 2015.
This
WHOISology report links the address to several domains:
beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us
Also,
94.242.255.129 has hosted many other domains, many of which appear to be scammy.
com-13.pw
com-21.us
com-indexhtml.us
news7d.com
mynews360.com
grantsekit.com
social2013.com
secured2014.com
usgrantskit.com
savenepal.org
com-indexhtml.link
huffingtonpost.com-indexhtml.link
dear.graphics
Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.
What else can we find out?
The email address is connected with this
scammy looking Facebook page allegedly giving away "free laptops"
The email address also links to this
Google+ profile naming them as "N. Al.". It also links to this
YouTube channel with a single video about Payoneer. These Profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.
I cannot prove that helpot80@gmail.com is connected with the
savenepal.org, but they probably know whoever is behind it.
Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.
