This scam campaign involves a network of six interconnected fraudulent domains operating under shared infrastructure, with five domains registered through NAMECHEAP INC between February 3-11, 2026. The primary domains include www.cvswinner.com, cvswinner.com, trygoodgrove.com, www.gregordiagnosticsinc.com, lumensale.com, and winner.com. These entities are connected through 18 documented relationships, with 15 instances of shared infrastructure connections and multiple cases of domains being reported together by consumers.
The campaign operates through multiple deceptive schemes designed to exploit different consumer vulnerabilities. The CVS-themed portion uses voicemails and calls claiming recipients have won "customer appreciation" gifts valued up to $250, directing victims to www.cvswinner.com to claim prizes. Community reports document specific tactics including automated voicemails stating "I've received a voicemail saying I was a winner of up to a $250 gift from CVS" and phone calls with messages like "Hi this is Jessica calling about a CVS customer appreciation offer." Meanwhile, trygoodgrove.com operates as a fraudulent e-commerce site claiming to sell Tart Cherry extract capsules, deliberately omitting contact information and addresses to avoid accountability.
The interconnected nature of these domains through shared infrastructure demonstrates a coordinated operation designed to maximize reach while obscuring the true scope of the campaign. The domains www.cvswinner.com and winner.com show particularly strong connections, being reported together multiple times by consumers. All domains sharing the same hosting infrastructure suggests a single operator or closely coordinated group managing multiple fraudulent schemes simultaneously, allowing them to quickly pivot between different scam types while maintaining operational continuity.
To protect against this campaign, consumers should verify any prize notifications by contacting CVS directly through official channels rather than clicking provided links. Legitimate companies do not typically award unsolicited prizes or request personal information through suspicious websites. If contacted by phone about these offers, hang up immediately and do not provide personal information. Before visiting any unfamiliar website, consumers can check domain safety using online verification tools or search for the domain name along with terms like "scam" or "fraud." Any suspicious communications should be reported to the FTC at reportfraud.ftc.gov or to the FCC for unwanted calls and texts.
This campaign represents a moderate to high threat level due to its multi-vector approach combining phone-based social engineering with fraudulent websites, supported by coordinated infrastructure that enables rapid scaling. The use of trusted brand names like CVS increases the likelihood of consumer deception. Immediate action should include blocking the identified domains at network levels, reporting the campaign to relevant authorities, and issuing consumer alerts about the specific tactics being employed. The shared registrar relationship suggests potential for coordinated takedown efforts through NAMECHEAP INC's abuse reporting channels.