Loan Application Spam

Usually Gmail does a great job at keeping spam out of my Gmail inbox, but this morning I found an unsolicited email that looked like perhaps it was meant for someone else, supposedly for a loan application I had made:

Hi,

Welcome to Statforge Finance!!

Thank you for applying loan with Statforge Finance.

As per the telephonic conversation, please find attached the company brochure and list of required documents.

Please find below the list of documents which you need to submit as a primary and secondary identification proof.

1. Primary Identification Proof (Driver’s License or Copy of the passport)
2. Address proof (Any utility bill under your name. Most recent is preferred)
3. Income Proof (Recent 3 Months of bank statement/Pay stubs/Tax Documents)

In case of any further clarification please revert on this email or feel free to reach us back on our Toll Free number 1-855-892-0516.

Please submit all the required documents on our email or fax us on 1-810-222-7376 in order to proceed further.

We are happy to help you.

Thanks & Regards,
Communication Department,
Statforge Finance US LLC
Contact No: 1-855-892-0516
Fax No: 1-810-222-7376
Email: info@statforgefinance.com
Website: https://www.statforgefinance.com/

I had never heard of this company, let alone contacted them for a loan (I don’t live in the US).

Sometimes I receive mail meant for people with a similar address, so I wanted to check out if this was perhaps legitimate, but the more I looked the more I found that was odd about it.

To start with, the email wasn’t addressed to anyone by name, nor was it signed by anyone by name. “Thank you for applying loan” is broken English. This matched up with a line in the email header that mentioned an IP address in India:

x-originating-ip: [175.111.128.90]

I had a look at the website listed in the mail footer. The “About Us” page stated:

Statforge Finance loans are best-received and utilized by our customers when they are able to easily understand the loan terms and determine whether the product is the correct fit for their needs.

Searching Google for that line, without the company name, also found the same wording on a couple of other websites, e.g.

Ventura Financials loans are best-received and utilized by our customers when they are able to easily understand the loan terms and determine whether the product is the correct fit for their needs.

and

LOANRAFT finance loans are best-received and utilized by our customers when they are able to easily understand the loan terms and determine whether the product is the correct fit for their needs.

Web contents ripped-off from other websites is never a good sign, but sometimes it’s not straightforward to tell whether a site is a legitimate original or a dodgy clone. So I looked at all three sites (there may be more).

These were the contact details for “LOANRAFT”:

Give us a call
855 955 9655
Mail us
info@loanraftfinance.com
FAX
3023518834

855 955 9655
Address: Delaware Avenue , Wilmington, DE 19801
Email: info@loanraftfinance.com

Notice the absence of a number on the street address. Like the other two companies it uses an 855 free dial phone number with a physical area code for the fax number. The domain is registered through GoDaddy, with the registrant hidden:

Domain Name: loanraftfinance.com
Registry Domain ID: 2283058202_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-07-09T16:51:23Z
Creation Date: 2018-07-06T22:55:47Z
Registrar Registration Expiration Date: 2020-07-06T22:55:47Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com

Contact details for Statforge Finance:

info@statforgefinance.com
Greenfield Rd, Oak Park, MI 48237
Statforge Finance US LLC
Contact No: 1-855-892-0516
Fax No: 1-810-222-7376

Again no number on the street address, 855 free dial and a physical area code for the fax. However, the 810 area code does not include Oak Park, MI which instead uses 248 and 947.

The domain is also registered via GoDaddy, only two months earlier and the registrant is also cloaked:

Domain Name: statforgefinance.com
Registry Domain ID: 2259908468_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-05-13T20:06:35Z
Creation Date: 2018-05-04T17:19:55Z
Registrar Registration Expiration Date: 2020-05-04T17:19:55Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC

And this is the third one in the set:

Green Valley Parkway,
Henderson, NV 89074
+1 (855) 850 7390
info@venturafinancials.com
Fax: 13033747343

No number on the street address, 855 free dial plus physical area code for the fax.

It is also registered via GoDaddy, in the same month as loanraftfinance.com:

Domain Name: venturafinancials.com
Registry Domain ID: 2416866824_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-07-25T21:31:33Z
Creation Date: 2019-07-25T21:31:32Z
Registrar Registration Expiration Date: 2020-07-25T21:31:32Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC

Looking at who hosts email for the three different domains:

loanraftfinance.com. 3600 IN MX 0 loanraftfinance-com.mail.protection.outlook.com.
venturafinancials.com. 3600 IN MX 0 venturafinancials-com.mail.protection.outlook.com.
statforgefinance.com. 2858 IN MX 0 statforgefinance-com.mail.protection.outlook.com.

They are all using Microsoft’s Outlook mail infrastructure. This is also where my initial sample email was sent from.

While I don’t know yet what exactly these people are up to, I would advise anyone who received a loan offer via spam to steer well clear of such offers.