Martin Karlsson /

Notes to self

Daily scamming

I received a weird SMS today. The text is a tracking id for a parcel and the message "Pending delivery from distribution terminal" in passable Swedish. There is also a link to the "tracking site". This is missing a couple of umlauts ("farsandlse" should be försändlese) but this is pretty common in automated texts like this is supposed to mimic. The big red flag was that I didn't expected any package. Since I'm being a stay-at-home dad for 6 months, money is pretty tight and my spending habits has been severely limited. So I thought it would be fun to see what kind of scam this was.

Searching for the phone number that sent this has one hit on a site called which seems to be a service kind of like guerrillamail but for SMS. That is, if you what to use a service that requires SMS you can get a phone number listed on this site and you can see the reply online, anonymously.

The number that sent the text is highlighted on the screenshot, and it seems that the message is an activation code. I'm not sure why, but the two next messages seems to have received the exact same code, the latest one coming from WhatsApp.

The domain was registered on 2020-03-26, that is, only 4 days ago and the server seems do be down now. Maybe they are using (the registrar) free trial offer and it has now expired.

When I originally clicked on the link in the SMS the site redirected me here:

Looks like a tracking site right? In fact, it looks exactly like PostNord:s tracking site did a year ago. They have since changed the design. Except this page has a little notice about COVID-19 and how PostNord is working according to official Swedish health guidelines ("wash your hands, and don't sneeze on people", as far as I can tell). And this "tracking site" is apparently hosted by I have reported this using Google's "safe browsing" form.

Clicking the "Sök" ("Search") button brings us here:

Someone would love to send me something from Stockholm, but the shipping is not paid. This is not completely unreasonable. About 2 years ago PostNord started to drown in small packages from China (orders from and and many others). When someone in Sweden orders stuff from outside of the EU, they are supposed to pay an import VAT. However the payment was to be handled by each "importer" (the person who placed the order). This was almost never done, and no one seems to have cared very much until PostNord started to receive a lot of packages. Being a post carrier who in normal cases seems outright reluctant to actually deliver any mail, all these packages made PostNord go: "No more China-packages until everyone pays the VAT upfront". Then it was chaos for a couple of months, until someone came up with a flat VAT charge system, that is, no matter what the value of the order was, you pay 75 SEK and PostNord releases your package (unless one of their employees steals it first). TLDR: Charges like this happen, even if they don't looks exactly like this.

Clicking on the "Betala fraktkostnader" ("Pay shipping charges") button takes us here:

Its a form for entering your billing information, with the highest standard of security, and the price to pay is only SEK 14.95, about EUR 1.5. But here comes the scam payoff. This is not about paying for shipping any more. It's right there in the small grayed-out text after the obligatory cookie-warning. This is an order form for a subscription service. The first payment is SEK 14.95. But then, its SEK 749.95 (about EUR 75) per 30 days. And what is the subscription for?

A fitness program! As you might imagine I dropped out at this point. Not sure what they are providing as part of this subscription but I'm pretty sure it's not worth EUR 75 a month. Nearly a third of that would get me access to a pretty nice 24-hour gym in my town.

So who are the scammers? Impossible to say. was registered with Namecheap only a little over 4 months ago, so its pretty new. It seems likely that they are themselves trying to drive people to sign up for their "fitness subscription", but with plausible deniability. I found this thread on sweclockers describing a very similar scam but first post on that page is over a year old and the target site is different (still a subscription service, but for a lottery). Maybe that scam was from the same people. Or maybe someone is selling a scam-kit.

Get in touch: martin [at]