Our cybersecurity team has identified a sophisticated scam campaign involving 10 fraudulent domains that share common infrastructure and target consumers with fake prize notifications and employment opportunities. The campaign centers around domains impersonating CVS Pharmacy, including cvsprize.com, www.cvsperk.com, www.cvsbonus.com, and www.cvsgift.com, all registered through NAMECHEAP INC between August 23-28, 2025. These domains operate alongside deceptive sites like highlandcowplushie.com, capital25llc.com, and bumbatools.com, creating a diversified attack vector designed to appear legitimate while avoiding detection.
The domains demonstrate clear coordination through shared infrastructure connections, with 15 documented relationships linking the fraudulent sites. All CVS-impersonating domains share the same underlying technical infrastructure with confidence levels of 0.50, indicating they are operated by the same threat actors. Notably, highlandcowplushie.com connects to five CVS-themed domains, suggesting it serves as a central hub in the operation. The simultaneous registration dates within a five-day window further confirm this is an organized campaign rather than isolated incidents.
Consumer reports reveal the campaign's dual approach of fake prize notifications and fraudulent employment offers. Victims report receiving voicemails from individuals claiming to be "Jessica" stating that prize dates are expiring and directing them to visit cvsprize.com to claim up to $250 in rewards. Simultaneously, the operation promotes fake vehicle wrap advertising opportunities through domains like casawrap.com, promising victims $700 per week to place decals on their vehicles or bikes. These tactics exploit consumers' interest in both unexpected windfalls and legitimate side income opportunities.
To protect yourself from this campaign, verify any CVS communications by contacting the company directly through official channels rather than clicking provided links. Legitimate companies like CVS will never ask you to visit suspicious domains or provide personal information through unsolicited communications. If you receive suspicious calls or messages, hang up immediately and do not click any links. Report these incidents to the Federal Trade Commission at reportfraud.ftc.gov or file complaints with the FCC for phone-based scams. Before visiting any unfamiliar website, check its legitimacy by searching for the domain name along with terms like "scam" or "fraud" to see if others have reported it.
This campaign represents a moderate to high threat level due to its coordinated infrastructure, brand impersonation tactics, and active targeting of consumers through multiple channels. We recommend immediate blocking of all identified domains and continued monitoring for additional sites that may emerge from this threat group. Consumers should exercise extreme caution with any unsolicited prize notifications or employment opportunities, particularly those involving well-known retail brands like CVS.