{“lastseen”:”2026-04-15T10:07:48″,”description”:”If there is anything that annoys me more than a scammer, it’s companies that behave like one, while staying just on the right side of the law. They manage to linger and disappoint customers for years.\\n\\nIt’s also why sometimes people think that Malwarebytes Scam Guard can be overly cautious when flagging websites. Some sites sit in a grey area where even seasoned researchers have to look twice to figure out whether something is an outright scam.\\n\\nThat\u2019s exactly what happened here.\\n\\nAfter receiving an anonymized report from a customer, I started an investigation into an email Scam Guard flagged as highly suspicious.\\n\\n## The email\\n\\nThe email came from the address `anna@cosmosshift[.]org` and promoted a service called **Credit Resources Vault** , urging recipients to click a button labelled **Check Eligibility Now.**.\\n\\nThere are immediate red flags:\\n\\n * The sender domain (`cosmosshift.org`) has no clear connection to credit services or financial products. There is no \\”Cosmos Shift\\” financial institution.\\n * The message creates urgency around credit approval, a classic social engineering pressure tactic.\\n * It includes a physical address and an opt-out link which appear to be legitimate, but are also a common technique in phishing called legitimacy laundering.\\n\\n\\n\\nUnlike most phishing emails, this one includes a personalized greeting using the recipient\u2019s email address. Since the recipient says they\u2019ve never interacted with the sender, this suggests their details may have come from a data broker or a past data breach.\\n\\n## The website paints a suspicious picture\\n\\nClicking the link leads to (`yourcreditvault.com`), a polished-looking site that appears to offer credit services.\\n\\nCredit Resources landing page\\n\\nBut under the hood we found more red flags:\\n\\n * The website was built with Vite\/React, a modern JavaScript framework more typical of startup side projects than regulated financial services.\\n * References to bolt.new suggest the site may have been assembled using AI tools\\n * There are no visible indicators of banking-grade security. The HTML source shows only a basic app shell with no indicators of financial-sector encryption infrastructure.\\n * The branding (including the logo) looks hastily put together\\n * The JavaScript bundle (`index-B54Ghi53.js`) behind the submission form is heavily obfuscated: a technique used by cybercriminals to hide where the submitted data is being sent.\\n\\n\\n\\nNone of this proves malicious intent on its own. But together, it paints a picture of something built quickly, and designed to collect data rather than deliver a robust financial service.\\n\\n## The form collects data, and $20\/week\\n\\nThe biggest concern is the form, which collects an extraordinary amount of data for what’s presented as a basic credit eligibility check. \\n\\nThe application form\\n\\nBy monitoring network traffic during form submission, we were able to capture exactly what fields are transmitted:\\n\\n * Personal: first name, last name, email, phone\\n * Address: street, city, province, postal code\\n * Full banking details: bank name, institution number, transit number, account number\\n * Tracking data tied to advertising campaigns\\n * A drawn-on-screen signature, which gets uploaded to the owner’s Google Drive.\\n\\n\\n\\n* * *\\n\\n## See if your personal data has been exposed. \\n\\nSCAN NOW\\n\\n* * *\\n\\nThat’s far more than what\u2019s needed for a credit eligibility check. \\n\\nWith those banking details alone, someone can set up fraudulent Pre-Authorized Debits (PADs). A PAD is a form of direct bank withdrawal used legitimately by billers, but can also be abused.\\n\\nEnlarged screenshot of the box they want a checkmark in\\n\\nAnd that\u2019s exactly what appears to happen.\\n\\nA small checkbox, paired with fine print, authorizes the company to withdraw $20 weekly per the PAD agreement the target just signed. This checkbox serves two purposes: it provides the operators with legal cover (\\”you agreed to it!\\”) and it weaponizes the very bank account details the form just collected.\\n\\n## Targeting the financially vulnerable\\n\\nThis campaign seems to deliberately target people with poor or limited credit history. The promise of \\”approval when others say no\\” is powerful, especially for people under financial pressure.\\n\\nThese are not random victims, but people targeted because their need makes them more likely to hand over sensitive information without scrutinizing the source.\\n\\nThe $20\/week PAD charge (over $1,000 per year) can lead to overdrafts, fees, and further financial harm.\\n\\n## Where your data goes\\n\\nOur network traffic analysis revealed a sophisticated, multi-service backend that uses individual components which all might be legitimate.\\n\\n**Supabase:** Victim data is sent via POST request to a Supabase project:\\n\\n`POST https:\/\/bstvkdzfgpktokbiagsc.supabase.co\/rest\/v1\/vault_memberships`\\n\\nSupabase is a legitimate, well-regarded cloud database platform with free tiers.\\n\\n**Brevo** (formerly Sendinblue): This is a legitimate mass-email platform. Enrolling victims here means they can be targeted with follow-up campaigns indefinitely.\\n\\n`POST https:\/\/bstvkdzfgpktokbiagsc.supabase.co\/functions\/v1\/add-to-brevo`\\n\\n**Google Drive and Sheets:** The signature data field includes a `signature_drive_url,` indicating victims’ handwritten signatures might get stored on Google Drive infrastructure. A `google_sheets_synced` field confirms that incoming victim records are mirrored to a live Google Sheet, giving the operators a real-time dashboard of everyone that submitted a form.\\n\\nIndividually, these are trusted platforms. Together, they form a system designed to:\\n\\n * Collect sensitive personal and banking data\\n * Store it in accessible formats\\n * Add users to ongoing marketing or even phishing campaigns\\n\\n\\n\\nIn other words, submitting the form doesn\u2019t just risk your bank account, but may also put you on a list of people likely to be targeted again.\\n\\n## Infrastructure\\n\\nThe infrastructure behind this campaign spans multiple domains:\\n\\n * `cosmosshift[.]org` (email sender)\\n * `yourcreditvault[.]com` (landing page). \\n * `yourscore[.]ca` (redirect after submitting the form)\\n * `creditresources[.]ca` (follow-up email that included the phone number 1-833-427-1562)\\n * `debtlesscredit[.]com` (another website using that same phone number)\\n\\n\\n\\nUsing multiple domains and having one telephone number associated with more than one domain raising red flags about the legitimacy of the company. \\n\\n## So is this a scam?\\n\\nThat depends on how you define it. \\n\\nWhile this may not meet the strict legal definition of a scam, we can see why Scam Guard flagged it, as many of the tactics used here are also seen in phishing emails and on scam websites.\\n\\nThe evidence suggests these sites are operated by real companies, but they sit firmly in a grey area. On one hand, they have corporate registrations, public websites, and apparently even some satisfied customers. On the other, the business model\u2014charging recurring fees for credit or debt \\”programs\\”\u2014has generated a steady stream of consumer complaints and scam accusations. The use of multiple domains (Credit Resources, Debtless Credit, Your Credit Vault) also points to a lead-generation strategy that’s common in the debt-relief space.\\n\\nIt’s also likely that these companies rely on purchased mailing lists and may have found our customer\u2019s email address on a list of likely candidates. Unfortunately, lists like these are bought and sold by legitimate marketers and cybercriminals alike.\\n\\nWe have reached out to the sender of the email and Credit Resources for comment but had not received an answer at the time of publication.\\n\\n* * *\\n\\n**What do cybercriminals know about you?**\\n\\nUse Malwarebytes\u2019 free **Digital Footprint scan** to see whether your personal information has been exposed online.\\n\\nSCAN NOW”,”published”:”2026-04-15T09:08:47″,”modified”:”2026-04-15T09:08:47″,”type”:”malwarebytes”,”title”:”Credit Resources Vault: Why this credit email set off our scam alarms”,”source”:””,”references”:””,”id”:”MALWAREBYTES:7D4F5B8377D8BC89712B3F17D6883B15″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/04\/credit-resources-vault-why-this-credit-email-set-off-our-scam-alarms”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-15T10:07:48″,”description”:”If there is anything that annoys me more than a scammer, it’s companies that behave like one, while staying just on the right side of…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-47155","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n