
April 6, 2016

THE WEEK IN REVIEW

Dear TDS Readers, we wish to welcome the many new readers who signed up in the last week to receive our newsletter. We look forward to getting your feedback and receiving any scam texts, emails or social media posts you wish to share. To help you reduce your risks using email, texting, social media and the web we recommend reading our article “If I Could Teach The World of Internet Users” to learn about the 10 most important Internet safety skills.

The past week has been exceptional and risky in so many different ways! We saw many newly designed scams, malicious emails from hacked accounts, targeted emails identifying recipients by first name, Apple computer virus alert scams, and more. It also appears that the criminal scam gangs are turning more of their attention to politically-centered emails as social engineering tricks to generate clicks to malicious websites. We saw subject lines like “Trump to be arrested,” “Trump did it again – CNN Report” and “Donald Trump explosion shocks audience.” Here’s one example of a malicious email preying upon Trump’s hyperbole, sent by these gangs in the hope of infecting our computers.

 

We also saw another wolf in sheep’s clothing this past week: an email disguised to look like an appeal to all women to join the IWLA. We reported on the questionable spammy tactics of the real International Women’s Leadership Association in our December 16, 2015 newsletter. The email here is not from the real IWLA. It is a malicious email meant to sound like an application to the IWLA (sent to a man, by the way), containing a link to the website jennasstory.com. Jenna’s Story is a story about real domestic abuse. A mouse-over reveals that the links point to a directory and file on jennasstory.com, and those links do not appear to be safe. See the Zulu URL Risk Analyzer’s score. Just another reason to keep a healthy dose of skepticism when it comes to the Internet.

Delete! 

[Screenshots: jennasstory email; jennasstory Zulu score]

Sample Scam Subject Lines:

Alert: Recommended beautiful Russian single matches (5)

Bathing Suit Trends for Women

Claim your 50 Macy’s V-Day reward today

FaxEmail Fax from 0915035056

Find Sales on Swimsuits

Get Solar Panels for $0 Down in 2016

Grand Canyon Tours

New payment information for (YOUR EMAIL ADDRESS)

Re: You have been selected for a $50 Costco New voucher 5028662

Support Bra Shape Technology Controls Underarm Spillage -2for1 04.02.16

There are many different types of Crewed Yachts available to rent

There’s Still Time for You to Making Cooking Easy Again

You can lower your mortgage with HARP 2.0!

Sample Scam Email Addresses:

Admin776@gmail.com

admin@alfahoster.com

Breast_Augmentations@9shxd6azw.bsgrind.top

+CarInsurance+@operely.top

Cheap-Flights@ejksxq67.seasonm.top

CreditCardProcessing@montactive.download

-EmailToFax-@dissolin.top

kiosk@web.com

Local-Plumbers@utidoe4g.kookyd.top

NewestSkilTool@azlpq4n.jumbod.top

paula@diabdest.pro

Prime-Customer-Award@kpvb8des.coopip.top

-TAXLawyers-@gibration.top


Phish NETS: Google Account

Though we saw a phishing email from the address replyonline@ic.fiona-apple.com, it was incredibly stupid and wouldn’t have fooled anyone with an IQ higher than 1. The opening line of the email was “Due to scheduled maintenance, we need all users to review their information, this includes end-users, masternodes and admins!” (Masternodes have something to do with special online servers.) An easy delete. However, we did see this odd email, which turned out to be a phishing scam to steal the credentials to your email account.

 

The attached docfile.html is a web file that our long-time readers will recognize as very dangerous to open. We cracked open the file to strip away the most dangerous code and then opened it in a web browser, as intended, to see this fake login to Google.

 

After entering your email address and password and hitting the blue button, your credentials are sent to a hacked website in Brazil called consermaqrefrigeracao.com.br. (Note the 2-letter country code .br, indicating that it is hosted in Brazil.) We checked in with VirusTotal.com to see what it knew about this website and found a lot! This Brazilian website has been hosting malicious content for months. Check out the full report at VirusTotal.com. And now we all say…

Delete!
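A defender’s way to see where an HTML attachment like the one above would send typed credentials, without opening it in a browser: parse it for forms that contain a password field and report the host each form posts to. This is an added example, not code from The Daily Scam; the sample page and its .br action URL are constructed placeholders, not the hacked site named above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for an attachment like docfile.html: a page dressed up as
# a Google sign-in form whose credentials post to an unrelated site. The action
# URL is a labelled placeholder, not the hacked site named in the newsletter.
SAMPLE_HTML = """
<html><body>
<img src="https://www.google.com/images/branding/logo.png">
<form method="post" action="http://compromised-site.example.br/login.php">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

class LoginFormParser(HTMLParser):
    """Record each <form>, its action URL, and whether it collects a password."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def country_code(host):
    """Two-letter country-code TLD of a host (e.g. 'br'), or None if not a ccTLD."""
    last = host.rsplit(".", 1)[-1]
    return last if len(last) == 2 and last.isalpha() else None

def credential_sinks(html, claimed_site):
    """(action URL, host, ccTLD) for every password form posting outside claimed_site."""
    parser = LoginFormParser()
    parser.feed(html)
    sinks = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        off_site = host and host != claimed_site and not host.endswith("." + claimed_site)
        if form["has_password"] and off_site:
            sinks.append((form["action"], host, country_code(host)))
    return sinks
```

Running `credential_sinks(SAMPLE_HTML, "google.com")` on the sample reports the one password form and the .br host it posts to; a genuine Google page would post to google.com and produce no finding.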

Your Money: Caregiver Jobs Online, Grow Your Own Cherries, Shop for Home Treadmills & Bikes

This first scam email came from CaregiverJobs@debtan.download. The email reminds us of the deluge of scams targeting users of the legitimate website Care.com. (If you know anyone using Care.com, tell them to read any of the articles on TheDailyScam.com about these particular scams.) Debtan.download was registered on March 31 by a well-known bogus company called Futurebright Solutions. As we often find, notice the hidden text (white text against a white background) below the graphic elements of the email. This random text is meant to fool anti-spam servers. Fortunately it rarely works. However, it does mark the email as spam at best or a scam at worst.

“Grow your own delicious cherries.” “Grow Your Own Exquisite Cherries, Buy2 Get2 Today Only.” What a great idea! However, the link in this email is poisonous. Several references in this email, and in the results from your click, will lead you to believe that it is related to Cherry Hedge. CherryHedges.com appears to be a legitimate website selling cherry trees and more. Clicking the link in this email will even create popup pages from the Cherry Hedge website. But hidden in this sleight of hand is malicious content…

We asked the Zulu URL Risk Analyzer to look at the link getitnow.uncutg.top/redeem. Zulu scored the webpage only 23, meaning benign or low risk. We’ve said that Zulu, though good, is not perfect. Look carefully at the redirects hidden in the code of the web page you’re directed to by the getitnow link. Besides being redirected to the Cherry Hedge website, you will automatically be sent to the website plzentygra.com. We’ve written about this strange website many times because it has been used by a criminal gang for many months to host malware used to attack computers. Look at what VirusTotal.com has to say about plzentygra.com! VirusTotal identified plzentygra.com as hosting malicious software as recently as April 2.

By the way, the hidden white text at the bottom of the Cherry Hedge email comes from a Yelp review, posted on 8/15/2015, of a restaurant in Watertown, South Dakota called 2nd Street Station. The scammers love to grab Yelp reviews for text to try and legitimize their trash.

DEEELEETE!

 

This next email may look inviting, as it seems to offer deals for fitness and exercise equipment, but take our word for it: it stinks. Just look below at the “unsubscribe” link and you’ll see it references a bogus company we’ve reported on many, many times called “Lemon Juice.”

Delete!

[Screenshot: Shop for home treadmills, bikes & more]

 

TOP STORY: Malicious IP Addresses – Hiding Behind a Number

“Donald Trump reveals economy plan ‘Make America Great Again’”

“Will take the trouble of repairing your house-info here”

“MacDonald’s thanks you for your shopping by a $100 giftcard reward. See details”

If you look carefully at each of these three scam emails you’ll see that they share several things in common, but the most obvious one is that they all appear to be sent from a company called Pollution Controls located at 300 Andover St, #218 (a strip mall) in Peabody, MA. Though we cannot find any such company at this address, we do find more than 30 very odd domain names registered by Pollution Controls since February 2015. Visit the list at DomainBigData.com.

Another characteristic these scams have in common is that there is no “from” email address listed, and each scam points to an IP address rather than a domain name. Look at the bottom left corner of each screenshot to see what a mouse-over revealed. (For our newcomers to TDS, mouse-over skills are critical to staying safe on the Internet. Read about these skills and view an instructional video under skill #5 in our article “If I Could Teach The World of Internet Users.”) An IP address is a unique string of numbers that identifies each computer or device connected to the Internet. Scammers often try to hide their location by providing a link that uses the IP address rather than the name of a domain.

Here are the three IP addresses found in the emails below:

Trump reveals simple plan
37.230.96.14

Choice Home Warranty
206.225.87.143

MacDonald’s gift card
199.204.46.233

Fortunately there are many tools available on the Internet that make it possible to do a reverse IP lookup. One of our favorites is IPlocation.net. When we use it to look up the location of each of these IP addresses we find the following:

Trump reveals simple plan
37.230.96.14
Located in Amsterdam, Netherlands

Choice Home Warranty
206.225.87.143
Located in Overland Park, Kansas

MacDonald’s gift card
199.204.46.233
Located in Montreal, Canada

So we have emails with no apparent “from” address, connected to a company that cannot be found at the address listed yet registers lots of strange domain names, and that hides websites behind IP addresses. Also, there isn’t much credibility in revealing Donald Trump’s “simple plan to help every American earn more money” from a web server hosted in Amsterdam, or in MacDonald’s gift cards being hosted on a web server in Canada.
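An added example (not code from The Daily Scam) that automates the mouse-over check described above: it pulls every link out of an HTML email body, flags links whose host is a bare IP address, and flags links whose visible text names a site other than the one the link actually goes to. The email body is constructed; only the three IP addresses come from this story, and the paths and lure text are made up.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body (not the newsletter's actual emails). The three IP
# addresses are the ones the newsletter reports; paths and lure text are made up.
SAMPLE_EMAIL = """
<p>Donald Trump reveals economy plan. <a href="http://37.230.96.14/plan">Read more</a></p>
<p><a href="http://206.225.87.143/quote">Get your home warranty quote</a></p>
<p><a href="http://199.204.46.233/reward">www.macdonalds-giftcard.example/details</a></p>
<p><a href="https://www.example.com/unsubscribe">www.example.com/unsubscribe</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, i.e. what a mouse-over reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    """True when the link host is a bare IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

# Domain-looking token in the visible link text, e.g. "www.example.com/unsubscribe".
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def suspicious_links(html):
    """Return (href, reason) pairs for links that deserve a second look before clicking."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        bare = host[4:] if host.startswith("www.") else host
        if is_ip_literal(host):
            findings.append((href, "link points to a bare IP address"))
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != bare:
            findings.append((href, "visible text names a different site than the link"))
    return findings
```

On the sample, `suspicious_links(SAMPLE_EMAIL)` flags all three IP-address links and additionally flags the gift card link because its visible text pretends to be a named website; the unsubscribe link to example.com is left alone.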

What’s our point? Don’t believe everything you read or see on the Internet or on your smartphone. Don’t be tricked by flashy professional graphics, promises or key words designed to appeal to you in some emotional way. It is so remarkably simple to deceive people online. Yet a little bit of investigating can go a long way toward exposing fraud, deceit and malicious intentions. And now we all say…

[Screenshot: IP – Donald Trump reveals]

[Screenshot: IP – Home warranty coverage]

[Screenshot: IP – MacDonald’s gift card]


FOR YOUR SAFETY: Apple Virus Alert, Overdue Invoices, Email from Boston University, and More

One of our readers brought this next scam to our attention. It was a browser popup on her Apple computer when she visited a website. What freaked her out the most was that it included an audio file speaking to her and saying “ALERT! Your computer has a virus!” etc. This is another example of the many tech support scams that target both Mac and Windows users. The soon-to-be victim is asked to call 877-796-1252. We easily found several people across the Internet talking about the scam associated with this number, including on 800notes.com and CallerNotes.info. These bastards will trick you into downloading malware onto your computer that gives them complete control, and charge you for the privilege. Don’t fall for ANY of these alerts to call tech support. If you find that the message does not go away, even after a restart of your computer, it likely means that you have been infected with a “browser hijacker,” which any legitimate tech support person should be able to remove. And if your Mac doesn’t have anti-malware software installed, get it! A good choice is the free product from Sophos. Visit: https://secure2.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition-legacy/free-download.aspx

 

This next email was also particularly dangerous because it identified the recipient by first name. Notice, too, that the attached zip file (containing nasty malware) also has the recipient’s name on it. It’s another social engineering trick to manipulate the recipient into clicking the file.

[Screenshot: Dear Debbie – overdue invoices]


The next email suggests that it was sent from the Boston University IT Help Center and, in fact, contained the name of a real Boston University student whose account had been hacked. Under Description you can see a link for a domain called brgresorts. Look below to see how VirusTotal.com rated this link. Nasty business!

[Screenshot: Email from Boston U, with VirusTotal report]

If you think this email contains a “selfie” picture from MEDRANO36, you’re wrong. The attached zip file is just another piece of malware.

Delete!

[Screenshot: Photo picture selfie]


ON THE LIGHTER SIDE: Job Offer vs. “I Need Your Help”

Rather than decide between these two emails, we decided to share both with our readers… We’ve been offered a job! And it is “honest work” or so we are told. We have trouble balancing our own checkbooks but we’re happy to give this job a go and try to balance their books. And it includes benefits after 1 month!

From:       litodigital@servidor1.webcol.net
Time:   2016-03-27 01:57:43
Subject:    JOB OFFER!

FIRST LINK COMPUTER INC, part-time, $400/wk+ I am looking for a few good, motivated, dependable, and goal oriented individuals who are looking for a part time job/side income.This is honest work, and will be a good fit for the right person. This can be worked around another job/done in your spare time.First link Computer Inc.. We are dedicated to meeting the needs of independent dialysis providers around the world by leveraging today’s most innovative technologies to deliver a full spectrum of high-quality services to the business community Your duties would include: Preparation of Balance sheets (Mini), account balancing, invoicing recording,proper data analysis of sales records and recording pay slips into accounting database..I got your email in job listing and i decide to give you the job opportunity which can give you a side/income & you can always do it in your spare time. Can you handle the Job duties? if you are being trained towards it ? You would be eligible to Benefits after 1 months of working with company Benefits offered are Health Insurance / Vacations / Bonuses. Pay is weekly and You are to email & Text the company Hiring Manager ( companiesweb12@gmail.com ) Phone { 347-620-3384 }message him for immediate interview/briefing exercise. Interview starts ASAP, you are to be available online at this time for the job briefing and interview,your swift and timely response matters a lot to this position as the job starts ASAP. I wish you best of luck.

Regards Harry Johnson.

 

——————–

 

We were also contacted by a woman named Anisa Ibrahim Coulibaly and asked for help. How can we turn her down, though we wondered why her email came from Germany (2-letter country code .de) instead of the Republic of Ivory Coast? All of us Americans know the “evil stepmother” story, so of course we want to help! Wasn’t it amazingly forward-thinking of her deceased father to require a foreign trustee? We thought so.

From:        ai.bbbbi@aol.de
Time: 2016-03-27 04:15:29
Subject:     Re: please i need your help

Re: please i need your help

Please permit me to introduce myself, i am Miss Anisa Ibrahim Coulibaly 23 years old female from the Republic of Ivory Coast, West Africa, I’m the Daughter of Late Chief Sgt. Ibrahim Coulibaly (a.k.a General IB ). My late Father was a well known Ivory Coast military leader. He died on Thursday 28 April 2011 following a fight with the Republican Forces of Ivory Coast (FRCI).

For more details, please contact me at my private email: anisaibrahim2018@gmail.com

You can read more about my father in the link below:

http://www.guardian.co.uk/world/2011/apr/28/ivory-coast-renegade-warlord-ibrahim-coulibaly

I am constrained to contact you because of the maltreatment which i am receiving from my step mother. She planned to take away all my late father’s treasury and properties from me since the unexpected death of my beloved Father because my mother died during child birth and i was left alone with my step mother to take care of me. Meanwhile i wanted to travel to Europe, but she hide away my traveling documents. Luckily she did not discover where i kept my father’s File which contained important documents like the will and deposit certificate of my Father’s fund which bears my name as the next of kin to inherit the money in his bank account. Now I am presently staying in the Refugee Mission Camp in Burkina Faso. I am seeking for long term relationship and investment assistance. My father of blessed memory deposited the sum of US$ 11.5 Million in Bank Of Africa here in Burkina Faso with my name as the next of kin.

I have contacted the Bank to clear the deposit but the Branch Manager told me that my late father place an instruction on the deposited fund that i must present a foreign trustee who will help me in investment of the fund.

However, the manager advised me to provide a trustee who will stand on my behalf for the transfer of the fund. i wanted to inform my stepmother about this deposit but i am afraid that she will not offer me anything after the release of the money because she threaten to kill me.

Therefore, i decide to seek for your help in transferring the money into your bank account while i will relocate to your country and settle down with you. As you indicate your interest to help me, i will give you the account number and the contact of the bank where my late beloved father deposited the money with my name as the next of kin. It is my intention to compensate you with 30% out of the total money after the transfer for your assistance and the balance shall be my investment in any profitable venture which you will recommend to me as i have no idea about foreign investment. Please all my communications with you should be through email address for confidential purposes.

For more details, please contact me at my private email anisaibrahim2018@gmail.com

Thanks in anticipation of your positive response.

Yours sincerely

Miss Anisa Ibrahim Coulibaly.

 

Until next week, surf safely!