

August 10, 2016

THE WEEK IN REVIEW

TDS saw an unusually high number of malicious emails during the last week disguised either as coupons of various kinds or as credit card pitches, as you'll see in this week's newsletter. But we still saw plenty of ridiculous, hyperbolic statements meant to engineer a click by pitching "shocking truths" and unbelievable claims. Like these three…

“Jesus Lost Words Stun Christians (Not found in the bible)”

“This Texas mom ditched the pounds and became a model!”

“America’s Frenzy Over This Amazing Product Is Trending!”



Sample Scam Subject Lines:

0 APR Credit Card – Side By Side Comparison.

credit card rates

Cash Back Credit Cards 2016

Cheap Wireless Security Cameras…

Find the Right credit Card for Your business

Get a Personal Injury Case Review By a Local Lawyer

Inventory Clearance on Tablets, Gaming Consoles and Silver Bars

Make Your Next Credit–Card Close To Interest Free

People in Your Town Are Cutting Their AC Bills in Half

Search Remodel Kitchen Listings

Tempting Travel Deals, To Ireland…

You Won’t Believe It’s A Credit Card…

Your credit score may have updated find out

Sample Scam Email Addresses

blowoutelectronicdeals@getofrz.eu

BusinessCreditCard@muscatelcgm.download

CarSecuritySystems@vinester.stream

filtrationsurvivalstraw@waterfilter.eu

lowcostmovers@movhlp.stream

LowestInterestCreditCards@bioding.stream

LowInterestBalance@bioding.stream

new@creditcardgainer.com

new@gettyourcard.com

new@mycreditdays.com

NewCarDealers@admitrate.stream

RemodelBathroom@deparative.stream

TransferCreditCards@facilies.stream

 

Phish NETS: Apple iCloud Support

Apparently there is an iCloud Support App (who knew?) and it has been enabled for us. All we have to do is download the attached file. But that file is an ".shtml" web document. Our long-time readers know that an attached web page can be very risky if it was designed by someone intending to do us harm: when you open it, it renders in your browser like any other web page, and a form on it can send whatever you type to any server its author chose. In this case it was designed by phishers who want to capture the username and password to our iCloud account. Their web page was designed to look just like Apple's website, with just one important difference.

[screenshot of the phishing email]

When we cracked open the code for this “icloud_request_activation” form we found the following snippet of code highlighted in blue:

[screenshot of the form's source code]

Rather than send our login information to Apple, the form's action actually sends our data to a website called pigapple.info. Do these Russian criminals actually have a sense of humor? Pig Apple? We say "Russian criminals" simply because the domain pigapple.info was registered on August 1 through the registrar Alpnames by a private proxy service and is being hosted in Moscow, Russia. Delete!

And if you want to learn more about recognizing risky file names to attached documents, read our article Filenames Will Set You Free!

Your Money: Applebee’s Gift Card, Tax Debt Options, and Transform Your iPad

How about this email pretending to be from Applebee's and sent from dininggiftcards@aplebees.bid? The fine print informs the recipient that this is from an independent advertising program. Do you think a real advertiser would misspell Applebee's as "aplebees"? That domain, aplebees.bid, was registered on July 31 and is hosted in Chile. We hope you like a lot of chile on that food because it's too hot to handle. (Sorry, we couldn't resist.)

Delete!

[screenshot of the Applebee's gift card email]

“Do you qualify for a fresh start? The Fresh Start Program is a little-known tax program that helps US citizens with back taxes.” The obvious problem with this pitch is that it was sent from freshtaxhelp@freshtrax.eu. “.eu” is the two-letter country-code domain for the European Union. When would a legitimate U.S. tax firm send email from a European Union domain? The “Fresh Start” program from the IRS is real, and you can find it on the U.S. government's IRS.gov website. However, the domain freshtrax.eu is being hosted in Dusseldorf, Germany. Sound legitimate to you?

Delete.

[screenshot of the "Fresh Start" tax email]

We’ve seen the criminal gangs misuse Touchfire’s products many times through malicious emails in the past. Perhaps they have them and like them a lot, or perhaps it’s because this product has received a lot of high praise. Whatever the reason, this email was not sent from Touchfire.com and the links don’t point back to Touchfire.com. They point to the domain sitime.top which was registered through Alpnames on August 2nd by someone named “pramod” from Allahabad, India. Delete! (Footnote: According to online translation tools “pramod” is Hindi for “enjoyment.” Certainly not for our enjoyment.)

Two reminders to our readers…

  1. If you see a large empty space in an email, click and drag your cursor through it to see if it contains hidden text. If it does, that is a confirmation that you are looking at worthless spam at best or a malicious scam at worst.
  2. Most scam emails contain an “Unsubscribe” link. NEVER CLICK IT! It is just another social-engineering trick to get you to click, and that link can infect your computer just like any other link in a malicious email. You should be absolutely certain that an email is legitimate before using such a link. Visit our article Unsubscribe Me Not to learn more.
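Two of the checks above (where the form in the "icloud_request_activation" attachment actually posts, and whether an email hides text in a large empty space) can be done offline against the saved file rather than by opening it. The script below is an added example, not code from The Daily Scam or from Apple; the sample attachment is constructed for it (only the domain pigapple.info comes from the newsletter, the /login.php path and the filler text are assumptions), and it only catches text hidden by inline styles, not by a separate stylesheet.

```python
"""Added example: triage an HTML email body or .shtml attachment offline.
Reports (1) where every <form> posts and whether that host belongs to the
brand the message claims to be from, and (2) text hidden from the reader
by inline styles. The sample attachment below is constructed for this
example; only the domain pigapple.info comes from the newsletter."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never take a closing tag; they must not go on the tag stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "param", "source", "track", "wbr"}

# Inline-style tricks that make text invisible. The colour test deliberately
# does not match "background-color".
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(px|pt)?\s*(;|$)"
    r"|(^|[^-])color\s*:\s*(#f{3}(f{3})?\b|white\b)", re.I)


class EmailTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_actions = []   # raw action attribute of every <form>
        self.hidden_text = []    # text nodes found inside a hidden element
        self._stack = []         # (tag, is_hidden) for each open element
        self._hidden_depth = 0   # > 0 while inside any hidden element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag in VOID:
            return
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Ignore stray closers; pop through badly nested tags until the match.
        if tag in VOID or not any(t == tag for t, _ in self._stack):
            return
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self._hidden_depth:
            self.hidden_text.append(text)


def foreign_form_targets(actions, brand_domains):
    """Return (action, host) pairs whose host is not the brand or a subdomain of it.
    A relative action has no host; from a locally opened attachment it cannot
    reach the brand either, so it is reported as '(relative)'."""
    out = []
    for action in actions:
        host = (urlparse(action).hostname or "").lower()
        if host and any(host == d or host.endswith("." + d) for d in brand_domains):
            continue
        out.append((action, host or "(relative)"))
    return out


def triage(html, brand_domains):
    p = EmailTriage()
    p.feed(html)
    p.close()
    return {"form_actions": p.form_actions,
            "foreign_targets": foreign_form_targets(p.form_actions, brand_domains),
            "hidden_text": p.hidden_text}


# Constructed stand-in for the "icloud_request_activation" attachment;
# the /login.php path and the hidden filler text are assumptions.
SAMPLE_ATTACHMENT = """<html><body>
<h1>Apple iCloud Support</h1>
<p>Your iCloud Support App has been enabled. Sign in to activate it.</p>
<form name="icloud_request_activation" method="post"
      action="http://pigapple.info/login.php">
  Apple ID <input name="appleid">
  Password <input name="password" type="password">
  <input type="submit" value="Activate">
</form>
<div style="font-size:0;color:#ffffff">gas card grocery coupons tire coupons</div>
<p style="display:none">filler text used to dodge spam filters</p>
</body></html>"""

if __name__ == "__main__":
    result = triage(SAMPLE_ATTACHMENT, ["apple.com", "icloud.com"])
    for action, host in result["foreign_targets"]:
        print(f"form posts to {host}: {action}")
    for text in result["hidden_text"]:
        print(f"hidden text: {text!r}")
```

Run it against the saved attachment with the brand's real domains as the allow-list; any form whose host is not on that list is the "one important difference" described above, and any hidden text is the spam-filter padding the first reminder tells you to look for.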

[screenshot of the Touchfire email]

TOP STORY: Coupons, Coupons, Coupons!

Wow, did we see an avalanche of coupons during the last week! Each campaign had dozens of subject-line variations of the same malicious email. Lies, lies, lies! These emails won't save you money. To the contrary, they will cost you a lot of money and pain, because every one of them leads to a malware infection. “Save at the pump with Gas Cards,” “View our wide range of grocery coupons,” “Review ads for tire coupons,” and “Coupons for washing detergent” are all malicious. “Why pay more when you can pay less!”

The prepaid gas card email contains a link to the domain bruteyh.top. It was registered on August 3 to Magalie Georgiou, using an address in Ilioupoli, Greece, through the registrar that doesn't care, Alpnames.com. The grocery store coupon domain (jfrying.top, in the WHOIS links below) was registered to Natalie Dupont from Agios, Cyprus, on August 3. The tire coupons domain woodsu.top was registered on August 2 to Marielle Gruber from Korkeavuorenkatu, Finland, again through Alpnames. And finally, the washing detergent coupon domain used in the email below is the cleverly selected (said dripping with sarcasm) laundrycupn.click. It was registered on August 5 by “Aditya roy” from New York and is being hosted in Dusseldorf, Germany. Notice the pattern: four domains, all registered within the same few days, three of them through the same registrar, each with a different name and country on the registration.

http://whois.domaintools.com/bruteyh.top

http://whois.domaintools.com/jfrying.top

http://whois.domaintools.com/woodsu.top

http://whois.domaintools.com/laundrycupn.click

Our long-time readers know that one of the most valuable tools to sniff out online fraud and malicious intent is a standard online WHOIS tool. There are many WHOIS tools across the Internet; our favorite happens to be http://whois.sc. A WHOIS lookup will tell you when and with whom a domain was registered, when it was last updated, where it is hosted, and possibly other information such as who registered it, the website title, and more. Some will even give you a screenshot of the website sitting at the domain. Keep in mind that a registrant can lie about his or her information, because ICANN doesn't require registrars to verify that people are who they say they are. Also, a registrant can hide behind a proxy service and have the domain registered in the name of that proxy service, located anywhere in the world, such as Panama. But all of this information is still very useful to evaluate the legitimacy of a domain and its website. The registration date is the single most telling field: a domain created a few days before the email that uses it has no business pretending to be an established brand.
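The same checks can be scripted once you have the raw WHOIS text (for example from the `whois` command-line tool). The script below is an added example, not from The Daily Scam or any WHOIS provider: the three records are constructed to match what this article reports (dates, registrar, proxy registration) and are not real WHOIS output, and the field spellings it looks for are the common ones rather than any one registry's exact format.

```python
"""Added example: turn raw WHOIS output into the checks the newsletter
applies by hand: domain age, proxy registration, and a TLD that recurs in
the week's scam addresses. The records below are constructed to match the
article's descriptions; they are not real WHOIS output."""
import re
from datetime import datetime, timezone

# Field spellings used by most registries; each pattern captures the value.
FIELD_PATTERNS = {
    "created": r"^\s*(?:Creation Date|Created On|Registered on|Registration Date)\s*:\s*(.+?)\s*$",
    "registrar": r"^\s*Registrar\s*:\s*(.+?)\s*$",
    "registrant": r"^\s*Registrant (?:Name|Organization)\s*:\s*(.+?)\s*$",
    "country": r"^\s*Registrant Country\s*:\s*(.+?)\s*$",
}
PROXY_WORDS = ("privacy", "proxy", "whoisguard", "protect", "redacted")
# New gTLDs that recur in this week's sample sender addresses.
SUSPECT_TLDS = {"top", "stream", "download", "click", "bid"}


def parse_whois(text):
    rec = {}
    for key, pat in FIELD_PATTERNS.items():
        hits = re.findall(pat, text, re.I | re.M)
        if hits:
            # Both registrant name and organization matter for proxy detection.
            rec[key] = " / ".join(hits) if key == "registrant" else hits[0]
    return rec


def parse_date(s):
    # WHOIS servers are not consistent about date formats; try the usual ones.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ",
                "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def triage_domain(domain, whois_text, now, max_age_days=30):
    rec = parse_whois(whois_text)
    flags = []
    created = parse_date(rec.get("created", ""))
    age = None
    if created is None:
        flags.append("no creation date in record")
    else:
        age = (now - created).days
        if age <= max_age_days:
            flags.append(f"registered {age} days ago")
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld in SUSPECT_TLDS:
        flags.append(f"TLD .{tld} recurs in this campaign")
    if any(w in rec.get("registrant", "").lower() for w in PROXY_WORDS):
        flags.append("registrant hidden behind a proxy service")
    return {"domain": domain, "age_days": age, "flags": flags, "record": rec}


NOW = datetime(2016, 8, 10, tzinfo=timezone.utc)  # the newsletter's date

# Constructed records (assumed field values, not real WHOIS output).
SAMPLES = {
    "pigapple.info": """Domain Name: PIGAPPLE.INFO
Registrar: Alpnames Limited
Creation Date: 2016-08-01T00:00:00Z
Registrant Name: Domain Admin
Registrant Organization: Privacy Protection Service
""",
    "laundrycupn.click": """Domain Name: LAUNDRYCUPN.CLICK
Registrar: Alpnames Limited
Creation Date: 2016-08-05T00:00:00Z
Registrant Name: Aditya roy
Registrant Country: US
""",
    "example.com": """Domain Name: EXAMPLE.COM
Registrar: Internet Assigned Numbers Authority
Creation Date: 1995-08-14T00:00:00Z
Registrant Organization: Internet Assigned Numbers Authority
Registrant Country: US
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage_domain(name, text, NOW)
        print(f"{name}: age={r['age_days']} flags={r['flags'] or 'none'}")
```

A domain registered days ago, through a registrar the campaign keeps reusing, by a proxy service, is the profile every domain in this section fits; the control record shows a long-established domain raising no flags. One caveat for readers using this today: since 2018 most registries redact registrant name and organization for privacy law, so the creation date and registrar are often the only fields left to reason from.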

Now Deeeleete!

[screenshots of the four coupon emails]

FOR YOUR SAFETY: Review Urgently, Sales Charts, Budget Reports, and Found Some New Stuff for You

We saw a wide variety of small, but very malicious, emails during the past week. We also saw a very clever campaign to flood one organization with emails that were spoofed to look like they came from people at the organization who were sending internal scanned files. This first email was sent from a user’s hacked email account. Robert didn’t know that criminals targeted his friends and family with this “Review Urgently” message. The link points to a suspicious file on the website livelife-live.org. VirusTotal.com shows that 12 anti-malware services have now identified this site as malicious.

[screenshot of the "Review Urgently" email]

Check out this list of emails with the subject line “Sales Charts” targeting one company over several hours recently:

[screenshot: list of "Sales Charts" emails received by one company]

Each email contained a malicious payload.

Deeeeleeete!

[screenshot of a "Sales Charts" email]

 

And then there were these emails using phrases like “I attached the annual budget reports that you asked me to send to you” and “I found some new stuff for you, I think you’re gonna like it” and each containing malicious links or zip files.

[screenshot of the "annual budget reports" email]

[screenshot of the "found some new stuff for you" email]

 

Once again we saw many small emails engineered to engage your curiosity enough to click the attached files containing malware. Nasty stuff.

Just delete!

ON THE LIGHTER SIDE: Facebook and Hollanda International Awards!

We are very lucky guys! You won’t believe what happened to us! First we learned that we had won $900,000 in the Facebook Group Award Program! How awesome is that?! We know it’s real because the email looks like it came from Facebook and included these two fun photos of a previous winner. How could this possibly be fraud, right?

[screenshots: the "Facebook Group Award" email and the two photos of the "previous winner"]

 


And then, as if that wasn't incredible enough, we also won the Hollanda International Award Lotto Program!!! It's got to be legit because we were sent an official certificate in PDF format. The email came from an interesting address in Iran… Looza.ir (“.ir” is Iran's country-code domain). The sender must have a sense of humor, don't you think?

Until next week, surf safely.