elsbbook.sgesge.com

[IS] Instagram ad pretending to be a known booking service leads to a chinese task scam site elsbbook.sgesge.com scrolling through instagram today i stumbled upon a paid ad supposedly offering remote work filling costumer leads and validating requests from clients towards the service providers. the post offers 95 NIS per hour (im from Israel, the ad copy is designed in hebrew) direct pay per hour. since im currently looking for jobs, i assumed it could be a good idea to try part time remote jobs until i start a full-time one. clicking for more information led me to a Whatsapp business account, the contact vaguely shared more details, didnt explain what the actual job requires and led me to a personal number to continue the conversation, eventually sending me to a URL that is suppsed to be the working platform for filling the costumer leads. The link looked off, so I pulled the site apart before touching anything. the site looks english but the whole backend is chinese. (error messages, field names, even the html tag) the domain was registered 2 months ago, sitting behind cloudflare so you cant see where its actually hosted. in the code i found a bunch of phrases that are textbook task-scam stuff in chinese, things like "must reset tasks to withdraw" and "you have unfinished orders" - which show up later to block you from taking your money out until you deposit more, accepting both crypto and regular bank cards. the way this works: you sign up, do some easy fake tasks, a small balance builds up, they let you withdraw once so you trust it. then the tasks need deposits to "unlock", then the balance gets "frozen" and needs a reset fee, and it loops until you stop paying. **ive seen FTC and malwarebytes both writing about this category.** already reported it to cloudflare (they actually restricted access on their end), instagram, and voted it down on virustotal. figured id post here so other people can search and recognize the pattern if they get the same ad.

[IS] instagram ad pretending to be booking.com leads to a chinese task scam site:(elsbbook.sgesge.com)

[IS] elsbbook.sgesge.com — Chinese shuadan task scam running paid IG ads impersonating Booking.com Got an unsolicited job offer via Instagram today — turned out to be a paid ad impersonating Booking.com. The link looked off, so I pulled the site apart before touching anything. Posting the recon so the IOCs are searchable and other people can spot the pattern in their own DMs or feeds. \*\*Delivery vectors observed:\*\* \- Paid Instagram ads impersonating [Booking.com](http://Booking.com) (Sponsored label, branded imagery) \- Cold Instagram DMs from throwaway accounts pitching "remote reviewer" style jobs \*\*What the site actually is:\*\* \- Domain registered \*\*2026-02-20\*\* through Dynadot (\~2 months old). Verified via RDAP. \- Fronted by Cloudflare (nameservers \`aarav.ns.cloudflare.com\`, \`elsa.ns.cloudflare.com\`). Origin IP hidden. \- Frontend: Vue.js SPA using uView UI (a Chinese Vue component library). \- Backend: ThinkPHP. Confirmed by \`PHPSESSID\` and \`think\_lang=zh-cn\` cookies on the API subdomain. \- Page HTML is \`<html lang="zh-CN">\`. The English you see on the surface is a translated veneer; the bundle underneath is Chinese. \*\*Strings pulled directly from the JavaScript bundle:\*\* \`\`\` 需要重置一组任务才能提取 must reset a set of tasks to withdraw 您還有未完成的訂單 you still have unfinished orders 每天只能取款一次 can only withdraw once per day 邀請碼 invitation code 充值 recharge / deposit 提現密碼 withdrawal password 數據優化服務 "data optimization service" \`\`\` Financial-rail fields in the bundle: \`USDT\_tx\` (Tron USDT withdrawal address), \`bank\_name\`, bank card number. It takes both crypto and fiat. \*\*Why this is diagnostic of shuadan (刷单) / task scam:\*\* The combination of (a) an "unfinished orders" blocker on withdrawal, (b) a forced "recharge" to continue, (c) a separate withdrawal password, and (d) a "task reset" fee is the canonical

[IS] elsbbook.sgesge.com — Chinese shuadan task scam via Instagram job DM