
April 13, 2016

THE WEEK IN REVIEW

Though the number of scams and malicious emails continued to be high this past week, something very strange happened sometime on Wednesday. The volume of spam suddenly dropped by about half and remained low through Saturday. Whatever the reason, we’re grateful. Instead of seeing thousands of scams and spam, we saw about 1200. According to a January report on spam tactics published on Bloomberg.com, 86% of the world’s email is spam (though spam consists mostly of scams and malicious emails). But “snowshoe” spam is still highly successful at victimizing recipients. What’s snowshoe spam? Read the Bloomberg article!

“Trump got it right again” or so the subject line wants you to believe. (When has Trump ever gotten it right lately? i.e. open mouth, insert…) This is another reminder to readers that social engineering scams are still using fake political emails to generate a click, like this one…

 

1-Trump got it right again

At some point, most Internet users find their way to Craigslist. Should you ever use Craigslist to look for an apartment, beware of an apartment scam we’ve been reporting on for several months now. Fictitious apartments are listed in cities across the U.S. The apartment hunter who inquires is sent an email and told that he or she must pass a credit score check before the apartment is offered. The credit checking site (such as privacylink.info or creditprotection.info) is completely fake and, so far as we can tell, used to collect lots of personal information that can be used for identity theft or hacking the user’s accounts. Read our article about it.

Sample Scam Subject Lines:

Best swing for older golfers

Confirm your registration with the Exclusive Top 100…

Grab a drink and slim down

Have Acid Reflux?

Ladies, lock in your application before time expires!

RE:

Re: Cancellation Notice

Re: Congratulations- you’ve just earned a commission

Red Lobster gift inside – Thursday only

Obama Bombshell May DESTROY Hillary Clinton Campaign

Saturday Only: Dinner is on us at Olive Garden

Search Oil—Coupons Listings…

WILD news report on CNN Thursday (did you see it?)

Sample Scam Email Addresses:

AutoRepairFacilities@vex315.top

DiabetesNews@pntain.top

info@curediiabetesnow.com [Notice double-i]

info@homematterspro.com

care@ultratriim.com [Notice double-i]

GwenStefani@yhugbvc9.avbased.top

HealthSciencesInstitute@apared.top

HomeSecurityReviews@neg518.top

Kohls-2016-Reward@dewsqa8k.shaveok.top

Luxury-Watches@passphrase.pro

RothIRA@separlian.top

WillsandTrusts@ubi431.top

WirelessSecurityCamera@rin722.top

 

 

 

Phish NETS: Mailbox Quota Full, Password Expires in 2 Hours, and Apple GSX

“Warning upgrade your mailbox quota” This is actually pretty lame… “Your mailbox quota is full This may cause your mailbox so Impaired or you may no longer receive more More email” Really? “more More email?” Can you figure out what country the email was sent from? Look at the 2-letter country code at the end of the “from” address.

.pk = Pakistan!

Now delete.

 

How about this email re “URGENT STAFF MESSAGE” “Your Password Expires in 2 hours…” We saw two of these email phishing scams. They were identical except that they came from different senders and the subject line of the other was “RE: ITS HELP DESK”. Someone clearly likes CAPS to get your attention. The links in these phishing scams lead to an interesting website for teachers and students called OneVoiceForStudents.org. Their webserver was hacked and is hosting malicious files. We’ve informed them.

Delete.

 3-Password expired-Urgent staff message

 

What’s a week without a phishing email targeting Apple users? Here’s another one targeting computer repair folks who are members of Apple’s Global Service Exchange.

4-Global service exchange-account deactivated

Your Money: Olive Garden Wants to Buy You Dinner, CVS Extracare Rewards, Chili’s Reward

Olive Garden wants to buy you dinner tonite. Get a $100 Olive Garden gift card! That’s so nice of them! The email was sent from the domain fresholivegarden.com. Sound legitimate to you? The real OliveGarden.com domain was registered in 1997 and belongs to the Darden Restaurants Group of Florida. They own several restaurant chains. However, fresholivegarden.com was registered just hours before this scam email was sent by someone listed as “Judy Santiago” from Alexandria, Louisiana. The email had a big black box at the bottom. Take a look at the text we found hidden in that box. Ironic, no?

Delete!

 

Back in late February we saw this very clever scam designed to look like an email from CVS ExtraCare Rewards. If you look carefully, it was actually sent from the email address Yael@patttobirkse.click. The link “Go Here to Confirm Your New CVS Extra-Care Reward-Card” points to a mysterious shortened link on the service Ow.ly. (Read our article about the risks of shortened URLs.)

This clever wolf is back. Look below to see a nearly identical scam we found this past week. This new one contained another black box at the end of the email with hidden text used in an effort to fool antispam servers. The link also pointed to a shortened link at Ow.ly. We used Unshorten.it to see where that link sent the person who clicked and learned that it forwards you to a very odd domain with several subdomains called wZWzz.oppserror.0379.pics. VirusTotal.com tells us that the service Fortinet has identified this domain as a phishing site.

7-CVS extracare rewards

Would you like a new member bonus for Chili’s Restaurant? Just visit chiliesrewardpro.com and print this coupon to bring with you to Chili’s. Read this scam and you’ll see that the creators have a real problem with spaces. Th ey lik e to bre ak up wor ds. De lete!
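The checks this issue applies by eye to sender addresses (odd top-level domains, the doubled i, a brand name in a domain the brand does not own) can be written as a small triage script. This is an added example, not The Daily Scam's own tooling; the flag names, the watchlist, the kohls.com and chilis.com entries, and the local parts of the fresholivegarden.com and chiliesrewardpro.com samples are assumptions made for illustration.

```python
import re

# Brand keyword -> the brand's real domain. olivegarden.com is named in the
# article; kohls.com and chilis.com are assumptions added for this example.
BRAND_DOMAINS = {"olivegarden": "olivegarden.com",
                 "kohls": "kohls.com",
                 "chili": "chilis.com"}
# TLDs seen in this issue's sample senders (built from the page; not a
# general reputation list).
WATCH_TLDS = {"top", "click", "pics", "pro"}


def registered_domain(host):
    """Last two labels; a simplification that ignores multi-part suffixes."""
    return ".".join(host.split(".")[-2:])


def score_sender(address):
    """Return a sorted list of heuristic flags for one From address."""
    local, _, host = address.strip().lower().rpartition("@")
    if not local or "." not in host:
        return ["malformed"]
    labels = host.split(".")
    flags = set()
    if labels[-1] in WATCH_TLDS:
        flags.add("watchlist_tld")
    # Letters and digits mixed in one label, e.g. vex315 or dewsqa8k.
    if any(re.search(r"[a-z]", l) and re.search(r"\d", l) for l in labels[:-1]):
        flags.add("alnum_label")
    # The doubled-i misspelling the article points out.
    if any("ii" in l for l in labels[:-1]):
        flags.add("double_i")
    # Brand name in the address, but not sent from the brand's own domain.
    parts = [re.sub(r"[^a-z]", "", p) for p in (local, host)]
    for brand, real in BRAND_DOMAINS.items():
        if any(brand in p for p in parts) and registered_domain(host) != real:
            flags.add("brand_mismatch:" + brand)
    return sorted(flags)


if __name__ == "__main__":
    # First three are from the article; the last two local parts are constructed.
    for sender in ["Kohls-2016-Reward@dewsqa8k.shaveok.top",
                   "info@curediiabetesnow.com",
                   "AutoRepairFacilities@vex315.top",
                   "offers@fresholivegarden.com",
                   "coupon@chiliesrewardpro.com"]:
        print(sender, score_sender(sender))
```

These flags are triage hints, not verdicts; the stronger signal used in this issue, a domain registered hours before the email was sent, needs a WHOIS lookup and is outside this offline example.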

 

 

TOP STORY: Deceit and Lies… Who’s Who, IWLA, and Take A Survey to Get a New iPhone

We haven’t reported on a vanity scam in some months, so this next scam is timely. (If you are wondering what a “Vanity” scam is, read our article Recognizing Vanity Scams.) In our experience, most email invitations to join a “select group” of executives, top performers, professionals, yada, yada are scams meant to inflate the ego of the recipient and trick him or her into forking over some money for a worthless certificate or a book of Who’s Been Scammed….er, I mean Who’s Who. Sometimes though, these invitations are simply bogus tricks to engineer a click to a malicious website meant to infect your computer. Can you tell which one of these this email represents?

9-Whos Who -you have been nominated

If you guessed “malicious trick” to infect your computer, you would be right! It’s not the “Valued Nominee” that gives it away. Even real vanity scams don’t usually identify the recipient. “You’ve been nominated as a candidate to represent your professional community in 2012’s Edition of Who’s Who among Executives and Professionals!” 2012?? This is just a recycled scam and the lazy scammer forgot to update the year. Also, a quick lookup of the domain WhosWhoProNow.com shows that it was registered on the day this email was sent. Deceit and lies.

10-Women-lock in your application

We have written several times about the likely value of the International Women’s Leadership Association and their spammy tactics. The question for our readers….. Is this from the questionable but real IWLA or something more nefarious? “The IWLA wants to offer you a spot among the most formidable women fighting to make a difference. Our network gives you direct access to empowered women like yourself.” It doesn’t matter that the recipient of this email was a man, because the IWLA was notorious for sending their invitations out to men and women alike.

Made up your mind yet? Look at the domain the email came from and linked to. 2721971.com. Google can’t seem to find any such domain even though a WHOIS shows it was registered in November, 2015. However, the Zulu URL Risk Analyzer has a strong opinion about the link in this email:

11-Women-zulu score

This email claiming to represent the IWLA is completely fake, and malicious. Zulu shows that the scammers employ a commonly used trick so you are less likely to suspect that your computer has been infected after clicking the malicious link. Look at what we’ve highlighted in the Zulu analysis. The website 2721971.com contains a redirect to the real website to join the real IWLA. After a brief second to infect your computer, you are then sent to join the real IWLA and none the wiser. Deceit and lies.

Finally, we offer this outstanding opportunity to get an iPhone SE by taking a survey. Hopefully our weekly readers will recognize the bogus company called “Pollution Controls” from Peabody, Massachusetts. We’ve written about this fictitious company recently. But also, look at the link revealed in the lower left-hand corner by the mouse-over. The link points to IP address 72.9.152.181. Where in the world is this web server? Someone is hiding behind a number. We used several tools to analyze the IP and the link in the email. It took us 3 tools before we found one that had identified this IP address as blacklisted and urged extreme caution before visiting it. Check out the report on Vurl Online.

Once again we hope we’ve demonstrated to readers how easy it is to deceive and lie on the Internet. And now we all say….

Deeeeeleeeete!

12-Take survey and get new iPhone


FOR YOUR SAFETY: Claim Your Deposit, Dear Client, and Please Review My Resume

We’ve reported on emails similar to this one from “Elite Profits Trader LLC.” “Claim your deposit” This is as phony as a $3 bill. We reported on a nearly identical email from Elite Profits Traders on March 16, 2016 but the subject line was “Member verification” and the domain it pointed to was subscriber-manage-55.com, not subscriber-manage-318.com. Same junk.

Just delete.

 

Our longtime readers will rightly guess that the attached zip file contains nasty malware meant to infect your computer. Clicking it is like setting off a software grenade in your computer. Ouch! Who is Arthur Lutz anyway?

 

 

Finally, we wanted to share this thoughtful gem with you. We have a job opening posted on TheDailyScam.com for a Marketing Director. Unfortunately, the only responses we get are like this one from Reva Laclair sent from Russia (notice the .ru country code). Reva sent us a virus hidden in her resume. **sigh** We’re guessing her current employer is one of the criminal gangs responsible for the scams we write about. Oh well, maybe Reva will one day be truly interested to work on the side of good, not evil.

 

 

 

 

 

 

ON THE LIGHTER SIDE:

Atheists should be stunned! “Another biblical miracle!” “monumental breakthrough” “taking the world by storm” “A treatment for diabetes hidden in the bible” after all this time? “Click here to see this miraculous story!”

Wow! It’s enough to make us genuflect!

16-Science proves biblical cure

 

Until next week, surf safely!