
April 27, 2016

THE WEEK IN REVIEW

Several readers have been contacting us about more apartment scams on Craigslist. While Craigslist is a great free resource, it is also heavily used by scammers to target potential victims. The most common type of scam comes in many disguises but boils down to the same trick… Send a fraudulent check that is so authentic-looking it often takes a week or more before your bank determines it is fake. Here are a few links to articles about Craigslist Scams from around the web…

  7 Types of Common Craigslist Scams to Watch Out For from MoneyCrashers.com

  Multi-State Scam Targets Car Sellers on Craigslist from CNN.com

  Don’t Be Fooled by These Craigslist Rental Scams from WHNT.com

We also have a word of warning to our readers who have Android Phones. The Android phone is more successfully and heavily targeted by criminals, according to NakedSecurity.com. In fact, 99% of mobile malware targets the Android phone. Google recently announced that 29% of Android phones could not be patched to protect against these latest threats. Read more at Naked Security.

Sample Scam Subject Lines:

Breakthrough to reverse Diabetes

Cheap Solar Heating Systems

Compare – Cable – TV –companies

Compare Patio Furniture Options

Explore Alcohol Rehab Listings

Looking for medicare supplement insurance – Look here.

Never Be Without Your Reading Glasses Again

Pet-Deals.. — Cat Food Coupons — Compare Brands…

Re Health Products to buy here

Search Top 19 Options in Childhood Development Degree

The one thing That Could take Down obama Finally

US Health News – Recipe that kills Obesity

White House commits “Financial Crime” (New Footage)

Sample Scam Email Addresses:


Phish NETS: Email Will Be Deactivated

Though scams targeting Apple Account holders have dropped off significantly during the last week, we continue to see webmail phishing scams like this one. The language in the body of the email is so strange as to make anyone suspicious… “This may cause your mailbox so Impaired or you may no longer receive more More email.” We’ll award 10 points to the readers who can figure out what country the email came from and the country hosting the website that the link points to! (**Answer below…. No peeking!)

And most importantly… “to continue using your mailbox, you Require immediate upgrade your mailbox with Amount.”

**Link in the email leads to France (.fr) and the email was sent from Qatar (.qa)

Your Money: Coupons That Hurt

Everyone likes a deal and coupons are a nice incentive for customers to shop at a business. Not to mention that coupons have long been a part of our economy’s marketing engine. So what’s so wrong with this list of recently emailed coupons to one honeypot email server?

They all came from the same generic Top-Level Domain (gTLD) called “download.” Dot-download has been heavily abused by criminal gangs since ICANN made it available for use in March, 2015, along with more than a thousand other gTLDs. (See a list of new gTLDs released by ICANN here.) Let’s take a closer look…

The email below came from PrintableCoffeeCoupons@exod-u.download on April 21st. The domain exod-u.download was registered through the registrar Alpnames on the same day the email was sent. The registrant used the name “Customer Support” for an address in London and offered an email address with the free email service Mail.com (a favorite of scammers). The service CloudStat has already identified the domain as malicious.

Just Delete!
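The checks applied to the coupon email above (abused gTLD, registration date versus send date, free-mail registrant contact, proxy registration) can be scripted for triage. This is an added example, not code from the newsletter; the WHOIS dictionary shape, the 30-day threshold, the flag names and the registrant mailbox name are assumptions made for illustration.

```python
from datetime import date

# Assumed watch lists for this example; tune them to your own mail flow.
ABUSED_TLDS = {"download"}      # the gTLD singled out in the text
FREE_MAIL = {"mail.com"}        # free provider named in the text
NEW_DOMAIN_DAYS = 30            # assumed threshold for "freshly registered"


def red_flags(sender, received, whois):
    """Return the list of red flags for one message.

    sender   -- From address, e.g. "user@example.download"
    received -- date the message arrived
    whois    -- dict already parsed from a WHOIS record (hypothetical shape):
                {"created": date, "registrant_email": str, "proxy": bool}
    """
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain.rsplit(".", 1)[-1] in ABUSED_TLDS:
        flags.append("abused-gtld")

    created = whois.get("created")
    if created is None:
        flags.append("no-creation-date")
    else:
        age = (received - created).days
        if age < 0:
            flags.append("whois-date-after-email")  # stale or wrong record
        elif age <= NEW_DOMAIN_DAYS:
            flags.append("same-day-registration" if age == 0 else "new-domain")

    contact = (whois.get("registrant_email") or "").lower()
    if contact.rsplit("@", 1)[-1] in FREE_MAIL:
        flags.append("free-mail-registrant")
    if whois.get("proxy"):
        flags.append("proxy-registration")
    return flags


# Sender, dates and provider come from the newsletter; the year 2016 is inferred
# from the issue date and the registrant mailbox name is a constructed placeholder.
COUPON = red_flags("PrintableCoffeeCoupons@exod-u.download", date(2016, 4, 21),
                   {"created": date(2016, 4, 21),
                    "registrant_email": "placeholder@mail.com", "proxy": False})
# Constructed control case: an old domain with a business contact address.
CONTROL = red_flags("billing@example.org", date(2016, 4, 21),
                    {"created": date(2007, 5, 1),
                     "registrant_email": "hostmaster@example.org", "proxy": False})
```

A message that collects several flags, as the coupon email does, is a candidate for quarantine; any single flag on its own is weak evidence.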


 

 

TOP STORY: Deadly Invites and Suspicious Offers to Help with Loans or Expenses

During the last few weeks we’ve noticed an increase in bogus invitations for women to join professional organizations. The scams continued last week and we saw a new pitch sent out to many people at one organization, including men. Does this appear legitimate to you or would you find it suspicious?

 

At first glance the domain uhcy.com seems like it could be legitimate. Perhaps UHCY is an acronym for something like Unusually Healthy-Conscious Youth. It was registered back in 2007, yet Google can’t find any information about this website and nothing seems to be posted there for visitors to read. We reported in last week’s newsletter that another odd email targeting “professional women” was sent by “Electronic Marketing Group” in Lakewood, CO. But Google can’t find anything about this marketing group. We even used the Colorado Secretary of State Business Database Search Engine to locate Electronic Marketing Group but, according to the State of Colorado, it doesn’t exist. Considering how glaring these red flags were, we next asked the Zulu URL Risk Analyzer to review the email’s link at uhcy.com. The Zulu score left no doubt…

Have any of our readers received unsolicited offers of assistance such as the emails below? Offers for help with student or teacher loans or reduction of housing expenses? Do you think any of these are legitimate? “Enhancement for Housing Expense Reduction” “Your Education Forgiveness Information” “AES Teacher Forgiveness Program” Do you see any peculiar language used in these emails that raises suspicions?

[Image: Education Forgiveness Plan]

[Image: Education Forgiveness program]

Let’s investigate the first email above from someone identifying himself as Joe Anderson, States Coordinator from psaResearch, using the email address psar@psaresrchedu.info.

  1. A search for Joe Anderson of psaResearch turns up this warning at the University of Arizona identifying this email pitch as a phishing scam.
  2. The links in the email lead to the domain blaaepsa.com. Google easily finds this domain and identifies its web name as psaResearch.org (from Raleigh, NC) followed by the text “If you are a full-time employee of a school/educational system, and you own a home, Freddy Mac has special mortgage terms for you as an aid to reduce your…” A WHOIS lookup confirms that blaaepsa.com has the website title psaResearch.org and was set up through a web-hosting service in Burlington, MA called Homestead Technologies. It is being hosted in Canada and blaaepsa.com was registered on January 19, 2016. However, no information is available about the real owner/registrant of this domain. If you follow this rabbit by looking up psaResearch.org you’ll learn that there are many other domains associated with the company/organization psaResearch including:
    psaresearch.com (registered in 1997 to William Goodwill from Lorton, VA)
    mitomy.com (registered via proxy on January 25, 2016)
    usedupsa.org (registered via proxy on January 31, 2016)
    psamedpro.info (first registered via proxy in June, 2015 but was modified on January 31, 2016)
  3. The Zulu URL Risk Analyzer gives com a score of 33/100, meaning “Benign” (Not malicious.)
  4. Suspicious language used in this email, and often seen in other malicious emails or spam, includes:
    “In appreciation for your contribution to community” and yet the recipient is never identified, nor is the “contribution” described.
    “Find answers… …by pressing here” (Instead of clicking here)
    “To find out if you are eligible *press here” (Instead of click here)
  5. Only a Post Office box is provided, not a real address or telephone number.
  6. We searched the North Carolina Secretary of State Corporations website for both psa research and psaresearch and found no registered business listed.
  7. Finally, we searched for the domain the email appeared to come from, psaresrchedu.info. Google found a website but can’t find any information whatsoever on it. A WHOIS lookup shows that it was registered on April 13, 2016 to Joe Anderson of Raleigh, NC of 4000 Southall Road, using the email address joe@4southall.com. We also discovered that Rutgers University antispam server blacklisted the domain psaresrchedu.info on April 16, 2016.

Considering all of this information, do you feel that psaResearch is a legitimate business worth contacting to see if you qualify for a housing expense reduction? You know what we would advise!

Our next email came with the subject line “Your Education Forgiveness Information” from “Susan Dammann” (email: dammannsnkz610@gmx.com) and the phone number 855-259-9345.

  1. We found the telephone number associated with an address in Rancho Cucamonga, California.
  2. We found many people by the name Susan Dammann, and one in California was also associated with several other names.
  3. The email does not list any registered business or business address we can verify.

Does this email inspire confidence to call for help reducing your student loans? You know what to do with it.

And lastly, we have that email from info@uspublic.org addressing “All School Personnel” from AES.

  1. The domain uspublic.org was registered in April, 2014 through a proxy service in Panama and recently updated on April 14, 2016.
  2. A Google search of uspublic.org turns up precious little information as you can see here:


[Image: uspublic-org]

  3. A Google search of “AES Forgiveness Program” turns up many links to the American Education Services, connected to the Pennsylvania Higher Education Assistance Agency, and at a different domain aessuccess.org. This other domain appears to be the legitimate AES with an address in Pennsylvania and a different phone number to call than the one shown in the above email. By the way, a WHOIS lookup of aessuccess.org shows the same information, including address and phone, that is found on the aessuccess.org website. And all this info is verifiable.
  4. See the unsubscribe link at the bottom of the email pointing to the domain org? Google doesn’t show any information for this website and a WHOIS lookup shows that the website title of serviceemployee.org is “American Educational Services – Home Advisor.” It was registered in September, 2015 by a proxy service in Panama.

Once again, there are many red flags that should make readers suspicious! All are reminders of how easy it is to deceive others on the Internet… unless you are willing to dig.

A final note… We couldn’t help but notice that the last two emails in this week’s Top Story both use phone numbers with the area code 855. We searched Google for the phrase “855 area code” and learned this… “Area code 855 is a non-geographic area code, meaning that it is not associated with any particular city, state, province, or country. Area code 855 is a toll free number, that recently joined the list of 800, 888, 877, 866, and 844 toll-free numbers. Possibly Cambodia.”

None of this information inspires confidence in the authenticity of these emails and what they claim to represent. Caveat Emptor. Let the buyer beware.


FOR YOUR SAFETY: Strictly Confidential, Past Due Invoice, and Trouble Contacting Accounting

We saw a string of emails targeting people disguised as “strictly confidential” files or unpaid invoices with stronger language than usual like “please stop ignoring invoice requests.” Look at this list from one of our honeypot email servers during a 31-minute period:

We want to remind our readers that Word and Excel documents, even PDF files, can contain hidden malicious code designed to infect your computers. Each of these emails contained malicious code.

Deeeeeleeete!

 

[Image: Re past due invoice]

[Image: Trouble contacting accounting dept]

 

 

 

ON THE LIGHTER SIDE: Charity Project Text

TDS is proud to tell our readers that we’ve been invited to assist in a charity project worth $3 million dollars! This text told us so. We’ll let you know how it goes next week! Until then, surf safely!