
August 15, 2018

THE WEEK IN REVIEW

WordPress is the most widely used free, open-source software for building websites anywhere in the world! It’s wonderful, and there are tens of thousands of supporting apps and tools that enhance and improve it. This is also why WordPress users are targeted by criminals hoping to gain access to and control of websites for a wide variety of nefarious reasons. Below is an email we received at TDS a few days ago. Though it says in bold that it came from WordPress.com, you can clearly see that the email address is not from WordPress. The subject line is “Database Upgrade Required !”

The link for “Click here to Upgrade WordPress” points to malware hidden on the website of a volunteer organization in the UK. We’ve notified them of their obvious problem. Were you to click that link, you would be greeted by a request to “Continue” that leads directly to a malware infection disguised as a WordPress update…

Please forward this newsletter to friends and colleagues who maintain WordPress websites!


Phish NETS: American Express, USAA Bank and Navy Federal Bank

(Many thanks to the TDS Readers who sent us these phishing scams!) Once again, if the recipient is paying attention, it is easy to see that this email with the subject line “[ Summary News Report ] Confirmation of your American Express account activities” didn’t actually come from American Express at all. The attached file is a pdf called “AMEX_Account_(numbers).” Most people don’t realize that pdf files can contain malicious code and/or disguised links. This pdf looks official, stating “Secure Update: Please note that starting from August 08, 2018 . We will be introducing new online banking authentication procedures in order to protect the information of our online banking users.” However, mousing over the provided link for American Express reveals that it actually points to the domain id-amercanxpress[.]com. This bogus, misspelled domain was registered on August 7 by someone calling herself “Coral L Rix” from Yellowknife, Canada.

Deeeleeeete!

Once again, this next email disguised to look like a security message from USAA Bank didn’t come from a USAA Bank address.  A mouse-over of the link “click here” shows that it points to a hacked women’s clothing website in Japan called Jenidigital.

Delete. Arigato!

Isn’t it nice to discover that someone is trying to pay you money!  That’s what this “Important Notification” says about your Navy Federal account.  Of course it’s just a social engineering phish to a phony bank website. But the phony website LOOKS very authentic! (See below.)

Another big, fat delete!

YOUR MONEY:  Confirm Amazon $50 Reward and Business Proposal From Law Firm

One of our savvy readers was VERY surprised to find this in his email inbox.  It managed to get past the anti-spam filters completely. “Congrats, Please confirm receipt” for a $50 Amazon reward.   If you look carefully at the “from” address, you’ll see that the email came from a domain called firmgalaxy in the European Union (“.eu”).  Like some other malicious emails we’ve seen recently, the link is very cleverly crafted to appear as though it points to safelinks.protection.outlook.com.  However, a careful look at the link reveals that it is encoded to contain a redirect to a file at the website sytes[.]net.  Sytes[.]net is a free dynamic domain service that has been misused many times by criminals to direct unsuspecting folks to malware sites.

Were you to click any of the links in this phony Amazon Rewards email, you would be directed to a big green button on sytes[.]net saying “Click to continue.” Clicking would lead you to a web page disguised as a paid survey.
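The two tells described in this section and the ones above, a “from” display name that does not match the sender’s domain, and a link whose visible text or outer wrapper hides the real destination inside an encoded redirect parameter, can both be checked mechanically. The following Python script is an added example, not code from TDS: it parses a constructed message modelled on the Amazon reward lure (the sender domain, the Safe Links-style `url=` parameter and the sytes.net target are all constructed sample values, not copied from the real email), unwraps the redirect, and reports each mismatch. The first-word brand heuristic and the two-label “registrable domain” function are simplifying assumptions; a production tool would use a brand list and the Public Suffix List.

```python
"""Triage checks for display-name and redirect-link mismatches (constructed example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Dynamic-DNS services named on the page as frequently misused; extend as needed.
DYNAMIC_DNS_SUFFIXES = {"sytes.net"}
# Query-parameter names that link-rewriting services commonly use to carry the real target
# (Safe Links uses "url="; the others are assumed common aliases).
REDIRECT_PARAMS = ("url", "u", "redirect", "target", "link")

# Constructed sample message modelled on the "$50 Amazon reward" lure; not a real capture.
SAMPLE_EMAIL = """\
From: "Amazon Rewards" <rewards@firmgalaxy.example>
To: reader@example.org
Subject: Congrats, Please confirm receipt
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm receipt of your $50 Amazon reward.</p>
<a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freward-claim.sytes.net%2Fcontinue.php">
https://www.amazon.com/rewards</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; real code uses the PSL)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def unwrap_redirect(url, max_depth=5):
    """Follow redirect-style query parameters (e.g. Safe Links 'url=') to the real target."""
    for _ in range(max_depth):
        params = parse_qs(urlparse(url).query)  # parse_qs percent-decodes the values
        nested = None
        for key in REDIRECT_PARAMS:
            values = params.get(key)
            if values and urlparse(values[0]).scheme in ("http", "https"):
                nested = values[0]
                break
        if nested is None:
            return url
        url = nested
    return url


def sender_check(msg):
    """Heuristic: flag a From display name whose first word (the brand) is absent from the domain."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in domain:
        return f"display name '{name}' but sender domain is {domain}"
    return None


def analyse(raw):
    """Return a list of findings for a raw RFC 822 message carrying an HTML body."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = sender_check(msg)
    if sender:
        findings.append("sender: " + sender)
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        final = unwrap_redirect(href)
        host = urlparse(final).hostname or ""
        if final != href:
            findings.append(f"link: {urlparse(href).hostname} redirects to {host}")
        if registrable_domain(host) in DYNAMIC_DNS_SUFFIXES:
            findings.append(f"link: {host} is on a dynamic-DNS service")
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable_domain(text_host) != registrable_domain(host):
            findings.append(f"link: text shows {text_host} but target is {host}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print(finding)
```

Run as-is, the script reports four findings for the sample: the Amazon display name on a non-Amazon domain, the Safe Links wrapper redirecting to the sytes.net host, that host sitting on a dynamic-DNS service, and the visible link text advertising amazon.com while the real target is elsewhere. Any one of these is reason enough to delete the message rather than click.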

Don’t believe this smelly carp…

We see bogus emails about business proposals by the thousands every year. But this one, sent by a TDS Reader, caught our attention because it claimed to come from a real lawyer at a law firm in Edinburgh, Scotland, in the UK. This illegal and “utterly confidential proposal” arrived as a pdf from someone identified as “Bruce Minto JD” of Minto Management WS. Like all advance-fee scams, this one claims to share in the profits of many millions of dollars from a life insurance policy of someone with the same name as the email recipient. The proposal from “Bruce” contains four references to his website and email at mintwsllp[.]com. And yet, the recipient of this proposal is asked to contact Bruce through a Gmail address bminws2020 “@” gmail.com or a phone number listed. We intended to reach out to the real Bruce Minto and inform him that his name, credentials, and firm information were being misused by scammers, but some odd things turned up in our investigation…

When we conducted a Google search for “Bruce Minto JD, Edinburgh, UK” we discovered, according to Wikipedia, that Mr. Minto is a partner of the law firm “Dickson Minto,” which uses the website DicksonMinto.com. According to our WHOIS lookup, this website was registered waaaaay back in the year 2000 in the UK. But what about the website listed in this scam proposal…mintwsllp[.]com? Here is where it gets VERY interesting! A visit to mintwsllp[.]com shows a website that is nearly identical in every way to DicksonMinto.com, except for a few subtle differences such as the phone number and email address for contact. When we conducted a WHOIS lookup of this second website listed on the business proposal, we discovered that mintwsllp[.]com was registered in Russia using a privacy protection service on May 29, 2018 and is being hosted in St. Petersburg, Russia. Someone has gone to a LOT of trouble to target the real Dickson Minto law firm, while engaging in obvious online criminal activities. But why? Was this a random choice to select a law firm to use for their bogus business proposal? Or was this a targeted snub against the law firm in Scotland? We sent an email to the address listed on the real Dickson Minto law firm website to ask them about this look-alike website. We’ll keep you posted if we learn more about this blatant Russian-hosted fake website.

TOP STORY:  Love From Russia…Again

Ahhhh, Russia.  One of the most maligned countries in the world recently because of their allegedly state-sponsored attacks against democracies like the United States and the UK.  They are also the source of one of the most active Internet criminal enterprises targeting Americans. And so it was not surprising when we received an email that appeared to be from LinkedIn stating that “You appeared in 7 search this week.”  Anyone who uses the professional social network LinkedIn knows about job searches. When someone conducts a search for possible job candidates and you appear in that search, LinkedIn will notify you to say that you appeared in a search.

A close look at the “from” email address obviously reveals this email as fraudulent.  It seems to have come from an email address at attorney.com, though that could easily be spoofed as well.  However, most surprising was the link revealed by mousing over the links for “See all searches,” “Download for free” and “Unsubscribe | Help.”  They all pointed to a website to hire clowns in St. Petersburg, Russia called art-clowns[.]ru.

Using a Russian clown-hiring website to host malware and target Americans certainly suggests that the creators have a sense of humor.  But this targeted attack is one of many thousands that Russian cyber criminals use to target us and others. If you think we might be exaggerating, read this March 6, 2018 report by McAfee titled “A Map of the Most Dangerous Sources of Cybercrime.”  Not surprisingly, Russia leads the world in cybercrime!  Many suggest that this is due, in part, to the fact that the Russian authorities condone their activities as long as they target governments and countries that are not partnered with Russia.  (Check out this February, 2018 article on Slate.com titled “Why the Russian Government Turns a Blind Eye to Cybercriminals” or this May, 2018 article from the Washington Post titled “Trial Exposes Connections Between Cybercriminals and Russian Government.”)

A very real and significant concern of the FBI is a form of malware created by Russian hackers to gain control of and access to the Internet routers used by many millions of Americans. Apparently the malware has been very successful, resulting in hundreds of thousands of unsuspecting Americans having their home routers hacked and used as attack tools for Russian botnets. The FBI is urging us to reboot our routers and improve our password security on them. Read about this in a Washington Post article from late May titled “F.B.I.’s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware.”

And then, of course, there was the 2016 U.S. election and the upcoming mid-term elections in November to be concerned about. Though we’re not screaming conspiracy theories, there is a well-documented and growing cyber threat coming from Russia that deserves attention by our government.  Though POTUS seems to be little concerned about these threats, we sincerely hope that the FBI and other law enforcement agencies across the United States up their game and increase focus on these very real threats.

FOR YOUR SAFETY: New Proposal and Critical Security Alert

One of our readers sent us this email that appears to have come from the hacked account of a woman named Catherine. “Hello, I want you to kindly take a look at this attach file.. Thanks..” Subtle language and punctuation errors suggest to us that the sender’s native language may not be English. You may not agree with us, but you can’t argue with the risks carried by the attached pdf file called “Contract.” VirusTotal.com clearly identified the threats contained in the file!

We’ve shown our readers similar emails to the one below with the subject line “Critical security alert for your account ID 59122.” The link points to malicious files hosted on a server in Ireland (the 2-letter country code “.ie” = Ireland).


Until next week, surf safely!