Setting the Stage
On March 20th, I was sent an email from Danica Sadlowski, a Financial Manager at Decantae Financial Inc. Unfortunately, the position I had (supposedly) applied to had been filled but, fortunately for me, there was another opportunity available for a Remote Administrative Assistant yippee!
Initially, this email had been sent to my spam folder, as happens with some employment emails. The next day I received a follow-up email that had bypassed spam, essentially stating they were sad that they had not received an additional application but that I was still being considered for this position. This is what made me aware of the initial email as, naturally, I wasn’t even aware of this until receiving that follow up.
I sat back for a moment… Did I apply for a position with them? If so, why was a Financial Manager contacting me personally about an open job position? Why did they check back in the following day?
Was This a Scam?
Upon my initial Google search of “Decantae Financial”, there weren’t a considerable amount of results, but something still felt off about the whole situation. I momentarily considered that maybe they were a new company, until…
AHA!
Not only was Decantae Financial a scam, but they were also impersonating another company, essentially copy-pasting the target company’s entire website and changing some of the names. I suspect that, in an attempt to distance themselves, they did a quick search and replace to change the company name and the name of the Managing Partner position. Other than that, many elements remained identical to the original website.
Wait. I Thought This Was About German Casinos?
Well, yes. Just not yet.
Out of curiosity, I decided to poke around both websites, as even the target website seemed fairly suspicious upon first glance. First, I went searching for the robots.txt on decantaefinancial.com.
Note
What is Robots.txt? This is a feature of most modern websites, but is not actually intended for people. It is primarily there so that search engines can gather additional information about what is available on a given website. This will often contain things such as a sitemap (which will be explained later), as well as commands indicating what the website does and does not want search engines to include in their results. It can be helpful for website investigation, as it shows pages that the website does not want listed publicly (which, while sometimes reasonable, can also be suspicious!)
Where Is It Found? Usually, you can find this feature by simply adding “robots.txt” to the end of your base URL. For example, if we want to find the robots.txt for “example.com”, we would search for: “example.com/robots.txt”.
Okay! So, I can tell just through my investigation that, for some reason, they really don’t want Google knowing about their Remote Administrative Assistant position. Maybe they’re holding on to it, in the hopes I’ll eventually apply. Or, a more likely option, they’re trying to cover their tracks. But… why?
Next, I decided to take a quick peek at the robots.txt of Numeracy Accounting, the target company, to see if I could find anything.
From here, we can see that the only thing excluded from Google’s search results for Numeracy Accounting is /wp-admin/. This is not particularly concerning, as this is where the admin panel for WordPress websites are located. However, unlike Decantae Financial, Numeracy Accounting had a sitemap. Initially, everything looked fairly normal, until I scrolled down some ways.
Note
What Is a Sitemap? A sitemap is similar to robots.txt, but includes more information about what pages are included on a website. This will ensure that Google will not miss any pages when providing search results for a given website, however, it can also be useful for showing us pages not easily reached through general website navigation!
This is when we begin to see URLs that include words like casino, blackjack, and roulette.
Why Care About Sitemaps?
Since these pages are inaccessible through Numeracy Accounting’s “base” website, they would be otherwise impossible to find without a sitemap. Having these links listed but generally inaccessible through website navigation allows this scam to function, as Numeracy Accounting is able to rise to the top of search results because their site has been around for longer, thus raising their website’s “trustworthiness” in Google’s eyes. Therefore, if someone were to search for “German casinos” on Google, Numeracy Accounting’s website would appear closer to the top of the list of search results.
Now I know there is likely some overlap with accounting and cryptocurrency, but this feels like a bit… much. At this point, I am still holding out hope that maybe things aren’t as bad as they seem, so I click on one of the suspicious links out of curiosity.
Well. This… is not great. Why was this seemingly legitimate financial institution that had renounced Decantae Financial for being a scam also appearing fairly scammy? Take note of the name “Thomas Farber” as this will be important later.
Are They BOTH Scammers?!
Sorry to spoil things, but not necessarily. Numeracy Accounting is not a scam, and I don’t want to damage their reputation by claiming they are. However, this still doesn’t explain why they have German casino ads on their website. Figuring this out took me a bit of Google Dorking, as I was interested to see if I could find “Thomas Farber” listed elsewhere online.
Note
Google Dorking: Using Google searches with special parameters in order to get more specific results. For example, we can use
scams site:thehumblesite.comto find Google results for the word “scams”, while also limiting our results to things posted by thehumblesite.com.
Through my Google Dorking endeavor, I would discover this German article about Thomas Farber, the very same person connected to the scam on Numeracy Accounting.
(Source: https://spinsfactory.com/wirbt-ministerpraesidentin-malu-dreyer-fuer-online-casinos-2174/).
The same Thomas Farber who had been advertising illicit German gambling on Numeracy Accounting’s website had also been involved in attacking a German politician’s website, posting pages fairly similar to those found on Numeracy. Finally, puzzle pieces began to fall into place.
Why Keep the German Casinos Secret?
A reasonable question, and something I was equally curious about. Through that linked article, I would come to learn that gambling in Germany is actually illegal. While not hosting any casinos himself, it is reasonable to assume that advertising them to Germans is still pretty illegal.
Therefore, as suggested, he was likely using Numeracy Accounting’s positive reputation to rank higher in search results, thus receiving an increase in customers. We can also guarantee that these pages on Numeracy will show up on Google, as they are listed on their sitemap.xml. In short, Thomas was hoping that if someone searched for German casinos (or anything similar, as there were also results for blackjack, roulette, etc.), they would click his link, as it appeared higher up in Google search results.
But how is this financially beneficial? A while back, I learned about a similar scam that utilized referral links as a sort of pseudo-pyramid scheme. Essentially, each person who gets referred will result in some amount of income for the person who had initially referred them. We can prove this through hovering over one of the links provided:
In doing this, we receive a redirect to an external website with a string of numbers and letters attached. It is reasonable to assume that these numbers and letters are a unique referral code, allowing the scammer to receive some sort of financial incentive for doing all of this. Generally, it appears that a lot of online casinos will provide a $50 cut to those who give out referrals to their site, and I wouldn’t be surprised if the casinos that he advertises promise even more.
Why Was Numeracy Accounting Targeted Twice?
I’m not sure they were, actually. It seems entirely possible that the person behind the illegal casino advertisements is also the one conducting the Decantae employment scam. While there isn’t a considerable amount of proof backing this, this capture from the WayBack Machine seems fairly damning:
Note
The WayBack Machine is a website that takes snapshots of websites over time. While you can’t find everything on it, it is incredibly useful to travel back in time to see what a website looked like at various points in time. This can be both a fun activity in understanding how websites changed over time (I highly recommend checking out pepsi.com), as well as a tool to see if websites had previously contained information that we weren’t meant to see.
(Source: https://web.archive.org/web/20250313203006/http://decantaefinancial.com/).
This page looked generally inconspicuous at first, but it was interesting that all the text was suddenly German (especially for a supposedly Canadian company.) While this could be completely coincidental, I’m not entirely sure I believe that.
How Did the Content Even Get on Numeracy’s Website?
As we have previously seen, the only thing excluded from Numeracy Accounting’s search engine results was /wp-admin/. Listing this would enable people to log into their WordPress website as an administrator, thereby allowing them to add “secret” links and do generally devious activities.
The most likely explanation is that Numeracy Accounting likely had their admin panel hacked, either through default login credentials or another vulnerability in WordPress. Once inside, the scammer was able to post whatever content they wanted, and could even copy all of Numeracy’s settings to make a completely identical website (such as Decantae).
So, What Did We Learn?
I did not have a real job opportunity. :(
We also learned that no scam is completely black or white, and many can operate in increasingly deceptive ways to trick people. If someone were unable to properly vet Decantae Financial (and I do hope this hasn’t been the case), they would be eligible to have their personal information stolen, be scammed out of money, or become a money mule (would you hesitate if your new boss told you to move money around in business accounts, especially if it were a financing business?) As someone who is currently navigating the job market, I can understand how desperation or lack of technological understanding could easily overshadow many red flags. Scammers recognize this, too, and will regularly exploit it as a way to earn money.
While all of this can come across as dark and scary, that’s why I consider it valuable to report on these topics! The more we can educate people about online scams, the better the chances are of someone avoiding being taken advantage of. As technology is constantly changing, it becomes more and more important to keep up to date with this stuff, so we can help keep people safe.
If you made it this far, I appreciate you taking the time to read my article and I hope to produce more in the future. Stay safe and make smart decisions!