The email, sent from the address anna@cosmosshift[.]org, advertised a service called Credit Resources Vault and urged recipients to click a button labelled Check Eligibility Now. There are immediate red flags: the sender domain cosmosshift[.]org has no clear connection to credit services, and the message uses urgency around credit approval as a social engineering tactic. The email even uses a personalised greeting based on the recipient’s address, suggesting the data may have come from a data broker or a past breach.
The button leads to yourcreditvault[.]com, a polished site whose security nevertheless falls short of banking grade, with no obvious encryption indicators and heavily obfuscated JavaScript behind the submission form. The form collects extensive data: personal details, full banking information, tracking data, and a drawn signature, which could enable fraudulent PAD charges of $20 per week.
Our analysis traces the campaign infrastructure across multiple domains, including cosmosshift[.]org as the email sender and yourcreditvault[.]com as the landing page, with data routing to Supabase, Brevo, Google Drive and Sheets. According to Scam Guard, these tactics are typical of phishing and scams.
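
The red flags listed in the first paragraph (a sender domain unrelated to the linked site, urgency wording, and a greeting built from the recipient's address) can be checked mechanically during mail triage. The Python below is an added example, not part of the original analysis; the sample message, the recipient address, the URL scheme and path, and the flag names are constructed for illustration, and the last-two-labels domain comparison is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed, defanged sample; recipient, URL scheme/path and body text are invented.
SAMPLE = """\
From: Anna <anna@cosmosshift[.]org>
To: jdoe@example.com
Subject: Credit Resources Vault
Content-Type: text/html; charset=utf-8

<p>Hi jdoe,</p>
<p>Your credit approval is waiting.</p>
<a href="hxxp://yourcreditvault[.]com/">Check Eligibility Now</a>
"""

def refang(text):  # undo analyst defanging so the parsers see real syntax
    return text.replace("[.]", ".").replace("hxxp", "http")

def base_domain(host):  # naive last-two-labels; use the Public Suffix List in production
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkHosts(HTMLParser):
    """Collect the host of every http(s) anchor in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        m = re.match(r"https?://([^/:?#]+)", dict(attrs).get("href") or "", re.I)
        if tag == "a" and m:
            self.hosts.append(m.group(1))

def triage(raw):
    msg = message_from_string(refang(raw))
    body = msg.get_payload()
    sender_dom = base_domain(parseaddr(msg["From"] or "")[1].split("@")[-1])
    rcpt_local = parseaddr(msg["To"] or "")[1].split("@")[0]
    lp = LinkHosts()
    lp.feed(body)
    link_doms = sorted({base_domain(h) for h in lp.hosts})
    greet = r"\b(hi|hello|dear)\s+" + re.escape(rcpt_local) + r"\b"
    checks = {
        "link_domain_differs_from_sender": any(d != sender_dom for d in link_doms),
        "urgency_language": bool(re.search(r"\b(now|approval|eligib\w+)\b", body, re.I)),
        "greeting_from_recipient_address": bool(rcpt_local and re.search(greet, body, re.I)),
    }
    flags = [name for name, hit in checks.items() if hit]
    return {"sender_domain": sender_dom, "link_domains": link_doms, "flags": flags}
```

None of these flags is conclusive alone; they are meant to raise a message's priority for analyst review.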