# Fraud/Fake Website

## Common Services Centre

As I noticed last time, Common Services Centre (CSC) is the registrar. **BUT** I had no idea about this [Diginame](https://www.diginame.in/) initiative by CSC:

![image](https://hackmd.io/_uploads/BkVbIQ4Zyx.png)

This seemingly allows anyone to register a domain with CSC. Seeing CSC as the registrar adds some legitimacy if you try to look up details about the domain:

![image](https://hackmd.io/_uploads/SkOQ8mNbkl.png)

## Google Ads

[Google Ads Transparency Center](https://adstransparency.google.com/advertiser/AR06802116607788187649?origin=ata&region=IN) is no longer showing any running ads by this profile:

![image](https://hackmd.io/_uploads/S18LPmEWye.png)

This could happen because of the following reasons:

![image](https://hackmd.io/_uploads/rkravmVZkg.png)

However, if you are certain that you have the correct profile in your [Google Docs](https://docs.google.com/document/d/1qb9rO3ROomsraNZBsKhLpO6G85cn8aMytKAFVojVQR4/edit?tab=t.0), then this Vijay Barbhaya guy could be involved, either knowingly or otherwise. One good thing is that Google says that the profile was verified:

![image](https://hackmd.io/_uploads/HypNvXEZyl.png)

It is still possible that his ID was misused, or that he never expected anyone to look for him.

### Vijay Barbhaya

Interestingly, this looks like a unique name, and searching his name brought me to https://about.me/vijay.barbhaya

![image](https://hackmd.io/_uploads/BJmvFXVWJx.png)

He is a freelance web developer who works with WordPress (a2simplybettermilk.in) and PHP (a2simplybettermilk.in and globaltechsolutionsinc.in). Coincidence? Maybe, but very suspicious IMO. He could be an innocent person here; I am just sharing the info that I came across, and all this is already public.

## Payment Gateway

The second site or domain involved in this fraud is globaltechsolutionsinc.in, where you see a fake Razorpay form:

![image](https://hackmd.io/_uploads/rk7yy4V-1g.png)

This entire form is fake and has nothing to do with Razorpay. The amount you see is controlled by a POST request parameter:

![image](https://hackmd.io/_uploads/HkFnHVNZ1e.png)

You can simply modify this parameter to change the value:

![image](https://hackmd.io/_uploads/H1Me8VNWyx.png)

This is done for 2 reasons, based on my experience:

1. If you report the site for fraud/phishing, the person processing the report would never see the form:

   ![image](https://hackmd.io/_uploads/H1UvINNZkx.png)

2. The developer can make many fake sites/products and just modify the POST parameter to change the price to whatever they want the victims to see.

### Logging

Any person who is willing to try the form **MUST BE CAUTIOUS** not to enter any real information. The website is sending every field change to the backend, basically creating a keylogger for the form:

![image](https://hackmd.io/_uploads/SyMKvN4ZJl.png)

![image](https://hackmd.io/_uploads/ryR9vV4-1g.png)

This goes on for each update:

![image](https://hackmd.io/_uploads/H16av4Nbyx.png)

![image](https://hackmd.io/_uploads/S19VuN4Wye.png)

The second form you see for OTP also does the same logging:

![image](https://hackmd.io/_uploads/HkH9_44ZJx.png)

![image](https://hackmd.io/_uploads/rJ8sdNEbyx.png)

The Continue button has no role; the scammer already has all your info, including the OTP. At this point you are just wasting your time trying to enter the "correct OTP".

Example URL: https://globaltechsolutionsinc.in/s/api/rozorpay-secure-pay/aHR0cDovL2xvY2FsaG9zdC90ZXN0Lw

How to reproduce: https://files.catbox.moe/hop415.mp4 or https://gofile.io/d/KQ7g0U
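
The per-field logging described under "Logging" can be confirmed from a browser HAR export. The script below is an added example, not part of the original notes or the site's code: it flags endpoints that receive form data in several distinct POSTs instead of a single submit. The host, paths, field names and keyword list are assumptions, and the capture is constructed.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

SENSITIVE = ("card", "cvv", "cvc", "expiry", "otp", "pin")  # keyword list is an assumption

def _entry(url, body, mime="application/x-www-form-urlencoded"):
    return {"request": {"method": "POST", "url": url,
                        "postData": {"mimeType": mime, "text": body}}}

# Constructed capture in HAR 1.2 shape; host, paths and field names are invented.
LOG = "https://pay.example/api/log"
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://pay.example/checkout", "amount=499"),
    _entry(LOG, "field=card_number&value=4111"),
    _entry(LOG, "field=card_number&value=4111111111111111"),
    _entry(LOG, "field=cvv&value=123"),
    _entry(LOG, json.dumps({"field": "otp", "value": "000000"}), "application/json"),
]}}

def parse_body(post_data):
    """Return the request body as a flat dict, for urlencoded or JSON payloads."""
    text = post_data.get("text", "")
    if "json" in post_data.get("mimeType", ""):
        try:
            data = json.loads(text)
        except ValueError:
            return {}
        return {str(k): str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return dict(parse_qsl(text, keep_blank_values=True))

def find_field_beacons(har, min_posts=3):
    """Map each endpoint that got >= min_posts distinct form POSTs to the sensitive keywords seen."""
    seen = defaultdict(list)
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"] != "POST":
            continue
        fields = parse_body(req.get("postData", {}))
        if fields:
            parts = urlsplit(req["url"])
            seen[parts.netloc + parts.path].append(fields)
    findings = {}
    for endpoint, posts in seen.items():
        distinct = {tuple(sorted(p.items())) for p in posts}
        if len(distinct) < min_posts:
            continue  # a single submit (or a retry of it) is normal behaviour
        text = " ".join(f"{k} {v}" for p in posts for k, v in p.items()).lower()
        findings[endpoint] = sorted(w for w in SENSITIVE if w in text)
    return findings
```

This is a heuristic: autosave features on legitimate forms also post repeatedly, so a hit needs manual review of what the requests carry.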