April 19, 2017

THE WEEK IN REVIEW

Last week we devoted our “Your Money” column to malicious emails with links to online “videos.” The number and variety of these malicious emails is still very high. Here are a couple more… “A Single Mom STUNS Billionaire Investors on Yesterday’s SHARK TANK Show” “Watch What Happened” says an email from pogram@ promomicro.com. The domain PromoMicro.com was registered just 2 weeks before this email was sent. It is listed for sale and registered under a proxy service, so the identity of the registrant is unknown.

Delete!

Also…. “Jim Rogers: 9 Charts Point to Biblical Collapse” was sent from  robertwilliams@ rogeook.top.  The domain rogeook.top was registered on the day the email was sent by our new best friend, Dev Thakur.  We introduced our readers to this bogus registrant last week.  He’s been busy!

Now delete.


 

 

 

The FTC.gov site recently posted a couple of links about scams targeting citizens that are worth reading. Our favorite was “I have an emergency and need money!” We’ve heard from a few people in the last year who’ve told us about elderly grandparents falling for this scam. It’s very clever, and it’s sad to manipulate the elderly in this way. Another one worth visiting is called “Free Movie, Costly Malware.”

And sadly, we have to report that there are arrest warrants that have been issued against Doug at The Daily Scam.  Something about the IRS and taxes.  He tried to call back both numbers later that day but “the Verizon number you are trying to reach is no longer in service.”  Oh well.  Here’s what the caller’s recorded message had to say… Enjoy!

 

 

And finally, read our latest feature article "Free Airline Tickets!"


Sample Scam Subject Lines:

1 in 4 Will Have Diabetes, Click to Avoid the Risks

ADT is the #1 security solution to prevent burglary during the holidays

Advanced Anti-Aging Treatment

Save on Windows from Renewal by Andersen Windows

Congratulations

Get 5 Dr. Seuss Books for $5.95 + a FREE Activity Book!

Meet Like-Minded Singles Over 50

Mom shocks everyone on ABC Network

New car invite only

Sleep Trick for Tinnitus Sufferers

Thinning Hair? We can help!

UPS issue #003209649: unable to delivery parcel

Sample Scam Email Addresses

2016.car.closeout-[YOUR EMAIL]@ isevenring.men

antipasti@ kidsmodels.net

cisted@ chestatlas.net

dr_seuss_books-[YOUR EMAIL]@ ufourhappen.men

Googleflightsimulator@ diabetessystem.us

heartattackdefender-[YOUR EMAIL]@ question8discuss.cricket

lethargic@ citysbest.net

maidan@ DrewExport.com

palmeter-ginger-[YOUR EMAIL]@ ithreelimit.men

photothermal@ GarlicSalt.net

pretraining@ indyriders.com

secure@ apple.ssl.com

spiling@ SiamShop.net

 

Phish NETS:  Bank of America and Apple

Bank of America… “We’re letting you know that we detected several attempts to sign in to your Bank of America account on 3/29/2016. For your protection, we need you to review and verify your account details.” What makes this email from admin @tng.de very funny to anyone paying close attention is that it refers to a date that is nearly a year old. The email was sent on March 22. Mousing over the link for “Online Banking Service Agreement” reveals that it points to an “ftp” Internet address. FTP means “file transfer protocol” and is an old-fashioned method of transferring files from one place to another across the Internet. We looked up the address at IPlocation.net and discovered that you’ll be logging into a computer located in Bologna, Italy. Also interesting is the tiny tracking gif (web beacon) these scammers are using to see who opens the email and how many times. Look at the very bottom of the email in the lower left corner to find a tiny black box. That’s how the tracking gif looks at a glance. We wrote about tracking gifs in our Top Story titled “Online Privacy – Oxymoron, Weapon, or Both?” on March 8.

Now delete.

Yet another Apple phishing email. **yawn** The scammers were inventive in creating their From address: secure@ apple.ssl.com. However, the domain in this address is actually ssl.com, and it was spoofed, meaning the email did not really come from the certificate authority called ssl.com. The “apple.” in front of ssl.com is a subdomain. Whoever controls a domain can create a subdomain that says anything at all. Mousing over “>Click here to validate your account information” reveals a link to reactivate-appleid.com. That is NOT the same as apple.com. The domain reactivate-appleid.com was registered two days earlier through a proxy service in Queensland, Australia, so we will never know who paid to register this name.

Just delete.

YOUR MONEY:  ADT Monitoring, Silver Coin Giveaway, and This Stock Going Up Fifty Fold

This email looks sooooo legitimate, but focus on the From address and where a mouse-over points. “ADT monitoring is the #1 solution to help prevent burglary” Get a “Complete Security System for FREE with $99 installation charge and new monitoring agreement.” Horse doo-doo! The email came from the domain DrewExport.com and links point back to it. DrewExport.com was registered just ten days earlier using a privacy protection service to hide the real registrant. Apparently the site has a long history of selling caskets and related products, and was written in Polish. The domain expired, was re-purchased 10 days ago, and was then used for this scam.

ALERT: $1,000 Silver Coin Giveaway (Legal U.S. Residents Only)  If you are a lawful U.S. resident, participate in the drawing by simply entering email here; winners will be notified by email.

Links point back to the domain 9Longfall.top.  This domain was registered on the same day the email was sent by someone named “Michael A. Turner” from Balcones, Texas.  Totally believable, right?  A company giving away $1000 in silver coins?  There is a legitimate business called “Money Metals Exchange” in Idaho and we visited their website.  We found nothing there about a silver coin giveaway.  This email is phony baloney and doesn’t represent the real company.

 

Pump and dump scams are a dime a dozen.  This particular one caught our eye because of the outrageous claim on the second line…. “They have a cure for cancer.”  Anyone offering a stock tip across the Internet so you can make money is a liar and thief.  Plain and simple.

 

TOP STORY:   Royalty and Responsibility

This story begins with a very special email from Prince and Princess Kabila of the Congo. After they used Google to find Doug at TDS, their highnesses selected him to help them move more than 90 million USD to New York. Of course they offered him a percentage. Fortunately, we are assured that this delivery is 100% risk free. But the real story behind this scam is hidden in one small part of this email…

From:  apaymentcenter@gmail.com
Time:  2017-04-14 04:36:26
Subject: DEAR BELOVED ONE.

DEAR  BELOVED ONE.

I AM PRINCE ROBERT KABILA SON TO THE FORMER PRESIDENT OF CONGO MR LAURENT KABILA, I AND MY ONLY SISTER PRINCESS JENNIFER KABILA ARE CONTACTING YOU TODAY IN REGARDS OF OUR THREE CONSIGNMENT METALLIC TRUNK BOXES CONTAINING THE SUM OF NINETY MILLION FIVE HUNDRED THOUSAND USD ONLY WHICH IS CURRENTLY NOW WITH THE UNITED NATIONS APPOINTED DIPLOMAT PRESENTLY WAITING FOR ME TO GET A BENEFICIARY.

WE WANT YOU TO HELP US RECEIVE THIS BOXES FROM THE DIPLOMAT AS OUR NEW FOREIGN PARTNER DUE TO THE FACT THAT OUR FORMER BENEFICIARY WHO WAS TO ASSIST MY SISTER AND I IN RECEIVING THIS THREE BOXES IN NEW YORK MR MATHEW THOMAS IS A VERY GREEDY PERSON IN THE SENSE THAT WE AGREED TO GIVE TO HIM 20% OUT FROM THE FUNDS AFTER THE DELIVERY OF OUR FUNDS TO HIM BY THE DIPLOMAT BEFORE OUR CONSIGNMENT FINALLY LEFT THE GHANA

KOTOKA INTERNATIONAL AIRPORT VIA NEW YORK ABOUT 7 DAYS AGO, NO SOONER OUR DIPLOMAT ARRIVES AMERICA WITH OUR BOXES THAN THIS MAN STARTS CALLING US SAYING WE ARE TO  SHARE THE FUNDS 50% 50% WHICH WE DO NOT AGREED UPON.

WE HAD TO GO STRAIGHT TO THE UNITED NATIONS HIGH COMMISSION FOR REFUGEE HERE IN GHANA TO MAKE A REPORT ON THE ISSUE, AFTER THAT WE WENT TO GOOGLE WERE WE FOUND YOUR CONTACT INFORMATION TO CONTACT YOU SO WE DECIDED TO CONTACT YOU ON THIS MEDIUM TO ASSIST US RECEIVING OUR FUNDS AND WE SHALL MAP OUT TO YOU 30% FROM THE CONTENT OF THE BOXES FOR YOUR MUTUAL ASSISTANCE IN HELPING US RECEIVING THIS BOXES AT YOUR DOOR STEP AS OUR NEW FOREIGN PARTNER AND ALSO ANOTHER 5% WILL BE GIVING TO YOU FOR ANY EXPENDITURE THAT YOU MAY ENCORE DURING THE PROCESS OF THIS DELIVERY TO YOU AT YOUR DOOR STEP.

PLEASE INDICATE YOUR INTEREST TO OUR PROPOSAL BY PROVIDING TO US THIS BASIC INFORMATION BELLOW.

1) FULL NAME:
2 ) RESIDENTIAL ADDRESS:
3) MOBILE / FAX:
4) INTERNATIONAL PASSPORT:

HERE IS THE CONTACT INFORMATION WITH WHICH YOU WILL USE TO CONTACT THE DIPLOMAT WHO IS RIGHT NOW IN AMERICA AND ALSO THE SECRET CODE NUMBERS TO OUR BOXES .

NAME OF DIPLOMAT- FRANK YOUTH
EMAIL - frankyouth2016@outlook.com
SECRET CODE NUMBERS=
1 ( ZX-1098=FD)
2( AQ- 00231-CG)  3(KH-8753-SV)

PLEASE SIR/MADAM YOU WILL KEEP THIS SECRET CODE VERY SECRETLY FROM EVEN THE DIPLOMAT AS OUR LIVES DEPENDS ON IT RIGHT AS OF NOW ALSO YOU MUST BE ASSURED THAT THIS DELIVERY IS 100% RISK FREE AS ALL VITAL DOCUMENTS BACKING UP THE FUNDS ARE WITH THE DIPLOMAT IN AMERICA AS WE ARE SPEAKING AND THEY CAN BE SENT TO YOU VIA MAIL FOR YOUR VERIFICATION AND PERUSAL.

WE ARE WAITING VERY ANXIOUSLY FOR YOUR IMMEDIATE RESPONDS AND I WILL REALLY APPRECIATE YOU HELP TOWARDS RETRIEVING OUR CONSIGNMENT BOXESFROM OUR DIPLOMAT.

REGARDS.

PRINCE AND PRINCESS KABILA.

We can’t imagine anyone with intelligence greater than a centipede’s falling for this malarkey. But that’s not the point of this week’s Top Story. This email is another testimony to the lack of responsibility of companies who offer Internet services to us. Their protection against malicious content and fraudulent activities is feeble at best and negligent or complicit at worst. Look again at the From address of the above email from Prince and Princess Kabila. It was sent from apaymentcenter@ gmail.com. “A payment center” @gmail.com? An email address with this name should have raised red flags at Google and received closer scrutiny to see how it was being used.

The volume of fraud on the Internet is staggering, in great part because companies who offer Internet services allow obvious fraud to occur. What minimal protection they provide is typically too little and too late to make a difference. Our readers know that we often wag a finger of shame at ICANN, the only governing organization with any control over Internet names. But all providers of Internet services bear some responsibility. Do you think we’re overreacting? Then how about this recent email…

From: noreply@treasury.us
Time: 2017-04-15 18:06:14
Subject: Dear Beneficiary

Dear beneficiary,

Your account with account number 265*****79 and closing balance $2.8M (Two million and eight hundred thousand United states dollars) has been dormant and needs to be reactivated. Please let us know if you are still alive by contacting the accountant in charge immediately

Mr John Dela

Email: dele.john@accountant.com

Thank you very much

Winifred Plesin
Coordinator (US Treasury)

Yes Winifred, we’re still alive!

This email was sent from the domain treasury.us.  So far as we can tell, this domain is owned by a legitimate company called Neustar and the domain was likely spoofed and misused.  But why is this domain even allowed to be used by anyone other than the U.S. Treasury?  It is so misleading that it invites fraud.  We believe that ICANN and all companies who offer services on the Internet should be required to provide protection against misuse of their services.  And there should be an entire division of ICANN to focus time, energy, policy and practice to safeguard citizens of the Internet.  Essentially, an Internet police force with laws that companies must follow to safeguard their users.  Can you imagine how risky driving a car would be today without consumer protections?  Here’s another silly but simple example.  Again, focus on the obvious fraudulent email address misuse…

From:  worldbank9866@gmail.com
Time:  2017-03-29 05:37:06
Subject: Attention,

Attn. dear beneficiary,

This is to officially inform you that we have concluded arrangements to effect your winning payment of $4.5 Million United States Dollars through Western Union Swift Money transfer service today, the maximum amount you will be receiving daily starting from tomorrow is $5,000.00 as reflected in our transfer system daily until the funds is completely transferred.

This special arrangement is being used to avoid all scrupulous demands by both the states and Federal authorities that have previously delayed your payment till date; we shall need your maximum co-operation to ensure that straightness and confidence is maintained to avoid any further delays.

Please contact the Accredited Western Union Under World Bank service Agent for the details of your first payment of $5.000 United States Dollars and reconfirm your correct information so that your first transfer will be program with such as Receivers Name, destination where you will like the transfer to be send to and your cell phone number for urgent communication if the need arise.

Fill your details below for reference purpose:

*YOUR NAME:
*YOUR ADDRESS:
*YOUR COUNTRY:
*YOUR TEL:
*YOUR AGE/SEX:
*YOUR OCCUPATION:

Remember: Its your obligation to secure (Fund Legality Certificate) F.L.C that was demanded by United Nation act of (FRT209) the Document will help build and renew your transfer file for record keeping to enable your transfer file to be Legal and authentic to avoid stoppage or interception from your country authorities, So contact the below

Electronic Transfer unit of Western Union Money Transfer for immediate programming of your first transfer:Call Rev. Tony Paul.

+229-6850-2095.

Yours Regards,
Miss Giory john
General Manager of Western Union & Money Gram Department In Collaboration with World Bank.

At TDS, we’ve seen it all. Again, if you think we’re overreacting, check out these domains that have been registered in the past couple of years without raising any alarms at all with the services that sold them. They should have! Every one of these domains was used to maliciously target people.

Reactivate-appleid.com
iapple.com
costcoelections.com
paypai.com
softwareupdateios.com
isdmaapple.com
appleaccountcloud.com
fridayatsamsclub.com
samsclublovesyou.com
samsclubgiftz.com
paypall.com
iapp-upgrades.com
appleaccountid.net
americaexpress.com
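
The kind of check a registrar or mail filter could run against names like these, and against the apple.ssl.com subdomain trick in the Phish NETS column above, is sketched here. This is an added example, not code from The Daily Scam or any registrar; the brand list, the verdict labels and the function names are assumptions made for illustration.

```python
# Added example: flag hostnames that imitate a brand's real domain.
BRANDS = {  # assumed allow-list: brand label -> official registrable domain
    "apple": "apple.com",
    "paypal": "paypal.com",
    "americanexpress": "americanexpress.com",
    "samsclub": "samsclub.com",
    "costco": "costco.com",
}

def registrable_domain(host):
    """Naive: keep the last two labels. Real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(address):
    """Host part of an email address; tolerates the 'user@ host' spacing used on this page."""
    return address.rsplit("@", 1)[-1].strip()

def classify(host):
    """Return (verdict, brand) for a hostname taken from a From address or a link."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BRANDS.values():
        return ("official", reg.split(".")[0])
    name = reg.split(".")[0]                      # e.g. "paypai" in paypai.com
    subdomain = host[: -len(reg)].rstrip(".")     # e.g. "apple" in apple.ssl.com
    for brand in BRANDS:                          # one character off a brand name
        if edit_distance(name, brand) == 1:
            return ("typo-lookalike", brand)
    for brand in BRANDS:
        if brand in name:                         # brand buried in a longer name
            return ("brand-embedded", brand)
        if brand in subdomain.split("."):         # brand used only as a subdomain label
            return ("brand-in-subdomain", brand)
    return ("no-brand-match", None)

if __name__ == "__main__":
    # Hostnames taken from this page.
    for h in ("apple.ssl.com", "reactivate-appleid.com", "paypai.com",
              "americaexpress.com", "samsclubgiftz.com", "softwareupdateios.com"):
        print(h, classify(h))
```

A name such as softwareupdateios.com slips through because no listed brand appears in it, which is why a check like this supplements, rather than replaces, review of newly registered names.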

It is worth mentioning that one of the Registrars most complicit with abusive domains in the last year is Alpnames.com.  Want to purchase a bogus domain for malicious use?  They’re your company!  No questions asked.  Never mind if you’ve already purchased 300 malicious domains and 25% or more have been outed for being malicious.  They will sell you whatever you want anyway.  Can you guess why?  Sure you can.

FOR YOUR SAFETY:  Please Review My Resume, Delivery Notification, and UPS Issue

“Hey, How’s it going?  Please review my Resume and let me know what you think.”  Attached to this email from Germany (.de = 2-letter country code for Deutschland) is a Word document.  We downloaded that document and asked Sophos anti-virus to have a look.  As expected, it contained Trojan malware. Ouch.

 

 

 

The delivery notifications are still very successful social engineering tricks to infect computers.  Here are two more of this ilk…


ON THE LIGHTER SIDE: Congratulations Lucky Winner!

Thank goodness the Electronic Random Selection System (ERSS) found us!  All we have to do is contact Mr. Angelo through his Yahoo email address in Turkey and we’re golden!  (.tr = 2-letter country code for Turkey)  We certainly don’t want those double claims to be “entertained.”


From:  estudiorodriguez@dxred.com.ar
Time:  2017-04-09 20:40:04
Subject: Congratulations

Dear Lucky Winner,

We are happy to inform you that you have been selected as a lucky winner in our 2017 Samsung Consumer Promotions. Your email address was picked by our Electronic Random Selection System (ERSS) from an exclusive list of 30,000,000 e-mail addresses of individual and corporate bodies in our database. Your email address is identified with Batch Number: SM/12/25/0036 and Serial number 5918/2017 in Category "B" and your claims portfolio is filled with Ref Number:SM/09005/DE. You are therefore awarded a cash prize of $800,000.00 (Eight Hundred Thousand Dollars) from the total payout.

Your prize award of $800,000.00 (Eight Hundred Thousand Dollars) has been insured under a bonded depository policy with your e-mail address and will be transferred to your account upon meeting the claims requirements, statutory obligations, verifications, validations and satisfactory report.

You are advised to contact our Certified and Accredited claims agent with the information below:

*************************************

Name: Mr. Vasselin Angelo
E-mail: vesselinangelov@yahoo.com.tr
Fiduciary Agent

*************************************

Endeavour to provide him with the following information in your contact with him.

Names:
Telephone:
Age:
Occupation:

You are to keep all information confidential, especially your Reference and Serial number. This is important as a case of double claims will not be entertained.

Congratulations once more from all members and staffs of Samsung. Furthermore, should there be any change of address do inform our agent as soon as possible.

Yours Faithfully,
Alan Moore
Promo Co-ordinator.

---

Until next week, surf safely!

 

 
