Crossposted from my personal Facebook, where this is on Friends' lock, but like ... probably everybody needs this PSA and I just didn't feel like dealing with all the notifications in ONE timeline, mmkay??
Somebody posted a question about this earlier today in a web developer group I belong to. The developer, to be clear, is not (intentionally) involved in the scam; he's overseas, didn't know what an SSN was, and got hired to make a website that asked for these. Developer Guy, presumably, is just hired to do a job, and all other things being equal he probably doesn't care about the details except insofar as they present interesting problems or, contrariwise, make it difficult to get the job done and get paid.
I FEEL YOU, Developer Guy.
Then the same client wanted him to make ANOTHER website, same thing, under a different name. Then number three.
This is weird behavior, because normally you don't want to divide your traffic that way; you might claim multiple domains to cover all your bases, but at most you'd be redirecting the secondary domains to your primary domain to ensure that all your traffic ended up on your main site.
I'm guessing there's a step in the middle here where Developer Guy gets suspicious and Googles; his English, based on his posts in the group, isn't great, but he obviously gets enough to tell (because he puts this part in his post) that the acronym "has something to do with" US social security.
If you're doing gig work, it often doesn't pay to be overly curious about what your work is being used for ... but Developer Guy is beginning to get a Bad Feeling about this one, and he's either scared enough about the repercussions or just a decent enough human being (column A, column B) to follow up on his nose.
He puts up a post asking us as a group, but especially those of us in the US (who actually HAVE the SSNs the site is asking for and can therefore tell him if asking for these is a normal thing for a random website to do) if we think that somebody wanting to set up a whole bunch of websites all asking for SSNs is a little weird, especially since he's being asked to link them to something that just says "secure site."
TLDR: YES, we think it's incredibly weird.
We ask for more details, and there's a language barrier and also probably some concern about liability (I genuinely think this guy didn't know, and only became suspicious over time; it's just that if you've had the misfortune to become even an unwitting party to someone else's unsavory scheme, you often feel a little defensive about your circumstances), but it comes out in the thread that the website owner is offering to send a check for $50 to people who click on the link and enter their SSNs.
If Developer Guy is on the up-and-up, like I think he is, he will probably have taken this to the hosting service by now, because a hosting service can and absolutely will yank your site for this kind of chicanery. But that only gets us so far, because if the site owner was hiring ONE guy on ONE hosting service to make multiple copies of this shady website ... I'm betting he will also have hired OTHER people, with other hosting services, to make a whole bunch more.
Shady dudes looking to create multiple websites for obviously nefarious purposes are probably not putting all their eggs (or SSNs) in one basket.
So keep your guard up out there. Check the domains. Don't enter your whole-ass social security number on random websites.
Watch your six (well, your sixes).