Scarcity Scams

Published on: 
July 17, 2026

Whenever a government service has constrained supply (slot scarcity, queue, complexity, deadline pressure) against motivated demand, an arbitrage opportunity exists. Citizens are willing to pay extra to jump the queue, get a faster slot, or take a shortcut. Where official supply doesn't expand to meet that willingness to pay, someone fills the gap. Sometimes it's a legitimate expediter, but more often, it's a scam.

The following shows a years-long campaign targeting Mexican citizens with a scam themed as a fast track service for government documents they branded as “Mexican Cita Express” or “Cita Express SRE México”. This scam alleges there is a fast track service to process government documents. In reality there is no official Mexican Cita Express or the like. The scam theme has continued for years using the same branding and themes due to the persistent government inefficiencies maintaining the scarcity for the scam to thrive. Because citizens can’t get appointments through legitimate pathways, citizens will often seek out other ways to access these services. Instead, they end up paying scammers in addition to giving away their personal information in the process.

cita-mx-pasaporte-gob[.]com

Wire Fraud and Identity Theft

To appear legitimate, the initial fraudulent fee ranges from $1,730 to $4,120 MXN, mirroring the real Secretaría de Relaciones Exteriores (Mexican Ministry of Foreign Affairs) passport pricing. After payment, the site fabricates additional bureaucratic obstacles including the need for 'Biometric Validation', 'Identity Depuration' and 'Final Release'. These obstacles pressure victims into making up to five additional transfers totaling $11,360 MXN. All victim data, including their Mexican national identification code, name, email address, phone number, and bank transfer receipt, is sent in real time to an operator-controlled Telegram bot. It is worth noting that older versions of this scam used PostHog site tracking and rrweb-recorder  (Record and Replay the Web) to record every user interaction on the site. The newer Telegram bot approach likely allows the scammer to operate more asynchronously and autonomously by integrating AI workers into their scam workflows.

If all extortion stages are completed, the full per-victim financial exposure is $13,090–$15,480 MXN (approximately $650–$770 USD). Beyond the direct financial loss, the collection of Mexico's primary national identity number, Clave Única de Registro de Población (CURP), creates a downstream identity-theft risk. CURP is used as a Know Your Customer (KYC) control by Mexican financial institutions, meaning harvested CURP data can enable account fraud well after the immediate scam concludes.

The site code was seen to have hardcoded bank info which are likely scammer-controlled Mexican bank accounts the victim sees when they hit the "pay your passport fee" step. However, we suspect these are compromised or mule accounts. The fee for a real SRE passport appointment should go to the Mexican Treasury bank account, but this endpoint substitutes it with a hardcoded mule account. Several of these mule accounts were seen hardcoded into the various scam website’s code and are likely used to receive the stolen money from victims then forward onto laundering services. 

From the site code standpoint, the fraud works in the following order:

  1. Front end: pixel-perfect clone of the real SRE "Cita Express" portal (logo, palette, layout). The clone source is mexformclone.emergent.host. Emergent is an AI no-code app-builder platform used by the attacker to build a passable-enough, low-cost SRE replica there
  2. Inline JS interceptor, planted at the top of <head> BEFORE React loads:
    1. Replaces window.fetch
    2. When the React app calls mexformclone.emergent[.]host/api/bank-details (the real source bank details), this interceptor blocks the external call and re-routes to local /api/bank-details, which then returns the fraudulent CLABE above.
    3. Comments are in Russian such as “КРИТИЧЕСКОЕ ИСПРАВЛЕНИЕ: Блокируем внешний API ПЕРВЫМ ДЕЛОМ! Это предотвращает загрузку чужих реквизитов из внешнего источника”. Translation: "CRITICAL FIX: Block external API FIRST! This prevents loading OTHER people's [bank] details from external source". 
    4. Telegram-bot exfil: Their form data is posted to /api/telegram.php. It captures PII data including names, CURP (Mexican national ID), appointment office, dates, payment amounts.
  3. Session recording of every victim via rrweb library (loaded from a customer-operated CloudFront distribution) and full keystroke/mouse playback for live monitoring and quality control.
  4. Social-engineering urgency layer:
    1. payment-text-replacer.js swaps in an "Aviso Importante" modal saying the victim has 30 minutes to pay or face a 12-month suspension.
    2. confirmation-form-enhancer.js injects extra name fields and locks the "Confirmar pago" button until they're filled, maximizing data collection.
    3. payment-handler.js redirects to /upload-receipt.html after click and exfiltrates again via keepalive POSTs (so the egress survives navigation).

Hints of Russian Speaking Scammer & AI Generated Scam Content

Interestingly, the scam site code sets a +03:00 timezone in an “updated_at” variable, which is Moscow time. There is extensive use of Russian language comments throughout the site along with the use of various emojis. Both the extensive comments and emojis are common identifiers for AI generated content.


Identifiers & Registration Pattern

  • Website Title: Cita Express - SRE México
  • Email domain: 
    • ddos-guard[.]net
    • ordertld[.]com
  • Registrar: CNOBIN INFORMATION TECHNOLOGY LIMITED
  • IP ISP: Iqweb Fz-llc
  • Server Type: ddos-guard

Often, multiple domains are grouped on the same IP addresses (domains list in Appendix)

IP Address IP Address
186.2.175.75186.2.175.63
186.2.175.77185.149.120.203
186.2.175.21186.2.175.17

These scams involving the Mexican government’s official passport application page have been going on for years, and a recent report by ESET in January 2026 mentions similar scam sites followed by an advisory by Mexico’s Ministry of Foreign Affairs. Despite this, the same scam continues, likely because the same government inefficiencies continue to impact citizens in need of those government services.

As it became apparent in this investigation, this activity has been reported on repeatedly with no meaningful change in behaviors by the scammers or changes by the government to address their role in the scams. Instead, we turn our attention to exploring the nature and conditions of these scams and hunting for other government-imposed scarcity scams like this one.

A PostHog token (phc_yJW1VjHGGwmCbbrtczfqqNxgBDbhlhOWcdzcIJEOTFE) is used for operator-side analytics across multiple sites, suggesting the same operator signal. Searching for this string using an internet scanning service like Shodan identifies 12 IPs at the time of this reporting. Though these IPs are suspected of being part of the DDoS-guard service used by the actor, they are useful datapoints to observe the frequent use of the same PostHog token by the actor.

IP Address IP Address
65.21.88.152192.232.50.197
68.178.203.99192.232.50.5
54.149.62.8998.84.79.71
54.212.88.235.158.27.71
167.86.104.83195.250.30.188
212.132.75.102

While PostHog is used for analytics, the HTML snippet also explicitly loads a weaponized version of rrweb recorder via a custom script such as rrweb-recorder-20250919-1.js. One such sample was hosted from a customer-operated CloudFront domain, which was removed by AWS following notification from investigators:

  • hxxps://d2adkz2s9zrlge[.]cloudfront[.]net/rrweb-recorder-20250919-1[.]js

The rrweb-recorder records the user's screen interactions, including every keystroke, mouse movement, scroll, and click in addition to overriding window.fetch and window.XMLHttpRequest to conduct network traffic interception. It does the latter in part by capturing the requestBody and injecting it into the rrweb session log as a custom event. In effect, it uses rrweb as an Adversary-in-the-Middle (AitM) to steal the victim's submitted username, password, and session cookies. It also captures the responseBody so the scammer can steal the resulting authentication token returned by the legitimate server. 

Malicious actors frequently embed variations of rrweb into phishing kits (like Evilginx) to capture credentials and MFA tokens in real-time or to replay the session to study how security analysts are interacting with their landing pages.

Hunting for the Ingredients

Four ingredients lined up to make this scam possible: 

  1. Mandatory government service 
  2. Constrained legitimate access (capacity bottleneck, technical friction, language barrier, geography)
  3. Payment is expected at the .gov site, so an invoice doesn't feel out of place
  4. The signup form happens to harvest a complete identity packet (name, DOB, nationality, doc numbers, address, phone, card). 

Any service that hits all four is fair game for an ideal scarcity scam scenario.

Hunting for the ingredients to scarcity scams such as the Mexico one can be challenging due to the dynamic and ambiguous nature of those conditions. Despite being a widespread scam method, they may affect local populations more and therefore may not surface to security researchers through traditional methods such as looking for common scam strings in newly registered domain names and/or observed website titles. AI augmented hunting, however, is well positioned to seek out and identify candidate queries to identify these scarcity scenarios and search for domains that may be preparing to target those scenarios with scams.

A few hypotheses we wanted to research:

  1. Scarcity is universal, scams are local. The same scarcity dynamics recur across countries (passport backlogs, welfare cycles, tax deadlines, immigration bottlenecks). Each country's scam ecosystem is locally branded but thematically identical.
  2. Scarcity timing predicts scam-infrastructure timing. Announce a new digital service or rule change and scammers begin domain registration before citizens have established mental models of the legitimate portal.
  3. One actor often serves multiple scarcity themes. This was identifiable by shared infrastructure fingerprints (NS, Registrar, IP ASN, SSL Issuer) and re-used templates.

Conclusion

Scarcity scams are likely here to stay. As long as government services do not meet the needs of their citizens, there will be a market for scammers to fill the gap and to address the urgency or frustration citizens feel. The scams don’t need to be complex; it's simply social engineering tied to real-world desperation. Desperation that makes even the most careful, smart, and educated people ignore their own intuition and take a risk.

On the flip side, putting up warning banners on government websites does little to nothing to address the root cause. 

The traditional way of hunting for these scams and playing whack-a-mole with domain takedowns might be to watch for those notification banners, listen for reports of scam domains, and pivot on reported domains to find similar branded scam domains and websites, but we took a different approach. Instead of chasing common scam themes or looking for security alerts, we researched the conditions that create the scam. By codifying the ingredients (mandatory service, constrained access, payment expectations, and PII harvesting) and offloading the heavy lifting of language-specific query generation and visual inspection to an LLM, we can map entire global scam ecosystems rather than just finding isolated pockets of fraud.

The survey findings suggest that while the branding is often localized, the approach is shared. Whether it’s a passport office in Mexico or a tax portal in Brazil, they are functionally similar.

Sample Findings

Domain Screenshot Description
samiaive[.]sbsScreenshot of samiaive[.]sbsVenezuelan health-insurance phishing. Harvests Venezuelan health-insurance credentials for downstream identity/insurance fraud.
certificacion-internacional-gob-ve[.]siteScreenshot of certificacion-internacional-gob-ve[.]siteVenezuelan criminal-record,forged-certificate scam targeting Venezuelan emigrants. Used both for PII harvesting and to sell forged criminal-record clearances for migration paperwork.
constanciasmx[.]onlineScreenshot of constanciasmx[.]onlineMexican criminal-record certificate scam. Targets emigrants and job-seekers needing federal antecedentes penales clearance.
digilocker[.]liveScreenshot of digilocker[.]liveGovernment of India portal with 'New in DigiLocker' cards. Single login captures access to all government-issued digital documents.
epfologinn[.]com
epfoporrtal[.]com
Screenshot of epfologinn[.]comGovernment of India’s Employees' Provident Fund Organisation for direct credential phishing.
aadharcrop[.]comScreenshot of aadharcrop[.]comIndia Aadhaar/PAN/Voter card 'crop tool' phishing. Designed to harvest Indian government ID documents with passwords — direct identity-theft tooling masquerading as a 'crop tool for CSC centres'.
pmkisanstatuschecks[.]infoScreenshot of pmkisanstatuschecks[.]infoIndia PM Kisan Samman Nidhi spoof. Annual Financial Assistance for Eligible Farmers. Harvests farmer Aadhaar and bank details.
m-parivahan[.]info
mparivahan[.]one
mparivahanapp[.]digital
mparivahanapp[.]help
mparivahangov[.]digital
mparivahangov[.]help
mparivahangov[.]work
mparivahanorg[.]help
nextgen-mparivahan[.]digital
parivahanportal[.]live
Screenshot of m-parivahan[.]infoIndia mParivahan Android APK delivery scam. 'NextGen mParivahan / One-stop solution for vehicle and challan services / Check vehicle details, pay traffic fines, and access digital documents — all in one app.’ Downloads an Android Trojan Sha256 hash: 09644b375f92e552653911a6dfda40ada772b6bc15eb4267521bd2c8341af0b1
getschengenvisa[.]comScreenshot of getschengenvisa[.]comSchengen-visa appointment scam.
info-tls[.]net
info-tlscontact[.]net
Screenshot of info-tls[.]netGermany and Czechia visa application centre | TLScontact spoof.
swissvisa-gov[.]comScreenshot of swissvisa-gov[.]comFake visa-lottery scheme — Switzerland does NOT run a visa lottery (unlike the US Green Card lottery). Pure advance-fee scam targeting aspiring migrants.
ukvisa-service[.]comScreenshot of ukvisa-service[.]comUK visa phishing. Includes a Bangladesh-specific link ('Find out about the visas you can get if you or your family member is from Bangladesh') suggesting targeting.
casestatusalert[.]comScreenshot of casestatusalert[.]comUSCIS WhatsApp alerts scam. Targets immigration applicants by promising free WhatsApp notifications on USCIS case status — harvests A-number + WhatsApp phone, then likely monetizes via premium-fee 'expediter' upsells or PII resale.
scis-govt[.]usScreenshot of scis-govt[.]usUSCIS impersonation. 'USA-CIS Independent U.S. Visa Application Assistance.’ Premium-fee fake-immigration-services scam.
ircc-travelassist[.]caScreenshot of ircc-travelassist[.]ca‘IRCC-TravelAssist' Canadian immigration scam.
consulta-gov-sc[.]topScreenshot of consulta-gov-sc[.]topBrazilian Detran Santa Catarina vehicle phishing.
concursoespcex2026[.]sbs
concursopenal-2026[.]sbs
concursopenal2026[.]sbs
espcexconcurso2026[.]sbs
Screenshot of concursoespcex2026[.]sbsBrazilian ESPCEX (Army Cadet Officer School) phishing. Possibly to trick victims into making payments for non-existent applications.
digibansos[.]my[.]idScreenshot of digibansos[.]my[.]idIndonesian welfare credential phishing. Direct harvesting of national ID + password for welfare recipients.
sassastatus-gov[.]co[.]zaScreenshot of sassastatus-gov[.]co[.]zaSouth African SASSA status check spoof. Possibly funnels recipients to credential / banking harvest under the guise of helping them check SRD grant status.
brgovoficial[.]com
gov-brz[.]com
govoficialbr[.]site
govportalbr[.]com
govseguro[.]com
Screenshot of brgovoficial[.]comBrazilian gov[.]br credential phishing. Captures Brazilian government login credential.
mygov-repository-uz[.]inkScreenshot of mygov-repository-uz[.]inkUzbekistan Government document spoof. Phishes the PIN that grants access to an Uzbek citizen's gov-issued document access credentials.
jobici-fr[.]workScreenshot of jobici-fr[.]workFrench remote-work scam targeting French job seekers — typical 'work from home' lure that asks for upfront fees or PII for fake remote positions.
e-visamontenegro[.]infoScreenshot of e-visamontenegro[.]infoMontenegro e-visa spoof. 'Government of Montenegro / Check your Visa status' form requesting Visa reference number, passport number, nationality. Harvests passport + reference data for downstream identity fraud / forged-document sale.
cra-tax-return[.]onlineScreenshot of cra-tax-return[.]onlineSpoofs Canada Revenue Agency (CRA) / Government of Canada.


Appendix

Mexican Cita Scam Domains:

Domain Domain
citas-sregob-mx[.]comonline-mx-cita-gob-express[.]com
mx-citas-gob-sre[.]compasaporte-mexico-express[.]com
cita-online-mx-gob[.]comonline-mexico-cita-express[.]com
express-citas-sre-gobmx[.]comgob-mx-pasaporte-cita[.]com
cita-sre-gob-mx[.]commx-cita-pasaporte-gob-online[.]com
citas-pasaporte-gobmx[.]commx-pasaporte-cita-gob[.]com
citas-gobmx[.]comexpress-mexico-online-cita[.]com
cita-sre-pasaporte-mx-gob[.]commx-online-cita-express[.]com
citas-sje-gob-mx[.]commx-pasaporte-cita-express[.]com
online-pasaporte-cita[.]comonline-mx-gob-cita-express[.]com
gbb-mx-cita-express[.]commexico-online-gob-cita[.]com
express-mx-gob-cita[.]comonline-gob-mx-cita-express[.]com
mexico-sre-cita-express[.]comonline-cita-mexico-express[.]com
mx-gob-express-cita[.]commx-cita-express-online[.]com
gob-mx-cita-express[.]comexpress-mexico-cita[.]com
oficial-cita-express[.]compasaporte-mx-cita-online[.]com
cita-mx-pasaporte-gob[.]comwww-online-pasaporte-cita-mx[.]com
mx-cita-sre-gob[.]commexico-sre-gob-cita-express[.]com
pasaporte-gobmx-cita-express[.]comregistro-cita-express[.]com
online-mx-citas-express[.]comonine-pasaporte-cita-mx[.]com
gobmx-citas-express[.]comexpress-cita-sre-gob-mx[.]com
express-cita-gobmx[.]comonline-pasaporte-express-cita-mx[.]com
gob-online-cita-express[.]commx-pasaporte-express-cita[.]com
gobmx-express-cita[.]comoficial-express-mx-cita[.]com
sre-mx-cita-express[.]commx-online-sre-cita-express[.]com
gobmx-cita-express[.]comonline-gob-cita-express[.]com
express-citas-sre-gob-mx[.]coonline-cita-sre-gob-express[.]com
mx-express-citas-gob-sre[.]commx-sre-express-cita-gob[.]com


Scarcity Scams

Domain Domain
aadharcrop[.]commparivahan[.]one
agilizacnh[.]com[.]brmparivahanapp[.]digital
aires-fgts[.]comparivahanapp[.]help
ameli-secu[.]commparivahangov[.]digital
application-mygovbd[.]onlinemparivahangov[.]help
bolsafamiliabr[.]commparivahangov[.]work
bolsafamilianajustica[.]com[.]brmparivahanorg[.]help
brgovoficial[.]commygov-repository-uz[.]ink
calculafgts[.]com[.]brmygovconnectionassociates[.]com
casestatusalert[.]commygovconnectionbrands[.]com
centralguiaveiculars[.]onlinemygovconnectioncollective[.]com
certificacion-internacional-gob-ve[.]sitemygovconnectioncompany[.]com
cnhdescomplicada[.]com[.]brmygovconnectionenterprise[.]com
concursoespcex2026[.]sbsmygovconnectiongroup[.]com
concursopenal-2026[.]sbsmygovconnectionhq[.]com
concursopenal2026[.]sbsmygovconnectionindustries[.]com
constanciasmx[.]onlinemygovconnectioninternational[.]com
consulta-gov-sc[.]topmygovconnectionmanagement[.]com
contesevias[.]commygovconnectionnetwork[.]com
cscseva[.]xyzmygovconnectionoperations[.]com
detransclaim[.]commygovconnectionpartners[.]com
digibansos[.]my[.]idmygovconnectionresources[.]com
digilocker[.]livemygovconnectionworks[.]com
e-visamontenegro[.]infomygovt-bd[.]co
efazenda-lpva-ms[.]commygovupdates[.]com
epfoin[.]comnextgen-mparivahan[.]digital
epfologinn[.]comnotificationsservicegov[.]ca
epfoo[.]netobtain-uspassports-online[.]com
epfoporrtal[.]comparivahanportal[.]live
espcex2026-seguro[.]sbspartidacnh[.]com[.]br
espcexconcurso2026[.]sbspmkisanstatuschecks[.]info
espcexinscricao[.]sbsportaldetransito[.]site
especexinscricao2026[.]sbsregularizafgts[.]com[.]br
fgts-pan[.]cosamiaive[.]sbs
fgts-up[.]cosassacheckstatus[.]web[.]za
gestoriadigitalmx[.]comsassastatus-gov[.]co[.]za
getschengenvisa[.]comsassastatuscheck[.]bar
gov-brz[.]comsecured-traffic-ticket-portal[.]com
govoficialbr[.]sitesrdsassastatuscheck350[.]co[.]za
govportalbr[.]comsrdsassastatuscheck[.]net[.]za
govseguro[.]comsunat123[.]net
guiadacnhbrasil[.]clickswiftfiscaledge[.]live
info-tls[.]netswissvisa-gov[.]com
info-tlscontact[.]netsyscnh[.]online
ircc-travelassist[.]cauidai-login[.]com
italyforretire[.]infoukvisa-service[.]com
jobici-fr[.]workusacitizen[.]app
m-parivahan[.]infouscis-govt[.]us
meuinsslogin[.]com

Related Content

SecuritySnacks
Cybersecurity Reading List - Week of 2026-06-01
Commentary followed by links to cybersecurity articles and resources that caught our interest internally.
Learn More
SecuritySnacks
SecuritySnack - Hijacking Corporate Sessions
A sophisticated AiTM phishing kit bypassing traditional MFA to steal Microsoft 365 session cookies. Get the full breakdown and IOCs.
Learn More
SecuritySnacks
Cybersecurity Reading List - Week of 2026-05-04
Systems thinking, biolistics, and the danger of mop-up science in infosec — plus this month's reading on ransomware, RPKI exploits, cPanel, and LLM pollution.
Learn More