
August 24, 2016

THE WEEK IN REVIEW

The criminal gangs targeting all of us continue to employ fantastic social engineering tricks, including these two. Would you have fallen for these subject lines or content headings? “FYI – Shocking Predator info” and “Find out if your neighbor is a sex offender” from the domain savekidslifes.eu, and “12 Ingredients from Holy Scripture cures disease” and “Warning: Watch this Urgent Video if You’re a Christian.”


Or how about this vanity scam informing you that “Our CEO has approved YOU for IMMEDIATE Consideration!” It appears to be sent from “Who’s Who Executives and Professionals.”


NOTE: The coupon scams have continued in earnest. We’ve included several in this week’s Your Money column.

 


Sample Scam Subject Lines:

Affordable Options for Renting Private Jets for Business and Vacation Travels

Alaska Cruises Wild & Wonderful Adventure-Packages

Do you talk like this?

Explore These Remodel Bathroom–Solutions…

Facebook Now Hiring for Work At Home Jobs, See Details 4434569

Gwen Stefani Spills the Secrets

Harvard U – Scientist conquers aging

Harvard University: Live 150 Years (Even if You’re Already Over 50)

How to Sell Or Rent Your Timeshare for the summer (Details) 22132676

Search for SUV solutions

Shark Tank: Don’t Travel Without This Self-Defense Tool

take this to avoid herpes – CBS News

Tire of shaving and waxing?

Sample Scam Email Addresses

AlcoholRehab@articular.stream

CellPhones@tamined.stream

christian.estacio@johnsonstaffing.com

EstatePlanningHelp@particults.stream

Facebook@0niugo.meterim.top

info@betterknowyouth.com

info@cardcreditresults.com

info@homechaoicewarrant.com

LowestInterestCreditCards@carrisode.stream

NewCarQuotes@protropher.stream

Save Big on Prescription Glasses with 50% Off + Free Shipping

TruckDriverJobs@counseed.stream

vunusov@mail.ru (.ru = Russia)

 

Phish NETS: Docusign

This week’s phishing scam was artfully executed. It began with criminals hacking the email account of a Boston business person and sending out emails from her account: “Lynne has shared docs with you on Docusign.” All the email signature information is legitimate. To make this subterfuge harder to spot, the link “View Document” points to “docusing.info/docufile”. We even had to double-check to make sure it wasn’t a domain that was in use by the real Docusign. Never underestimate the power of a WHOIS tool! It told us that the domain docusing.info was registered on August 18 by someone named “Nikiis Doherty.”

Below are two screenshots of a login webpage. One is for the real Docusign and the other is the phishing webpage at docusing.info/docufile. Can you guess which is the fraud and which is the legitimate login page? Answer is below.

[Screenshots: two Docusign login pages, one legitimate and one from docusing.info/docufile]

Fortunately, VirusTotal.com tells us that many security sites have identified the domain docusing.info as a malicious phishing site…

Answer: The legitimate Docusign website is the graphic on the right. Look carefully at the login screenshot on the left and see that there is a dropdown menu asking you to identify your email service. Docusign doesn’t do that.

Your Money: Auto Coupons, Toilet Paper Coupons, Oil Change Coupons, and Crystal Wash Coupons

Malicious emails disguised as coupons continued to target people’s inboxes. You’ll see by their design that many of these were created by the same criminal gang.

“Get New Auto Coupons Options” says the email from father@cyclicly.dumib.us. Dumib.us was registered in the name of the fake company “Adrenaline Ads” on August 14.

Delete!

“Explore Toilet Paper Coupons Listings” says an email with links back to the domain tlparc.bid. The design and layout of this email are identical to the email above, right down to the paragraph informing the reader that “The advertiser is Gloservices.” A WHOIS lookup of tlparc.bid shows that it was registered through a proxy service in Panama on the day the email was sent.

Just delete.

The criminals who registered the next scam domain must think themselves very clever. The scam is for “Free Coupons for Oil Change Discounts” with links to the domain couponsoilyours.com. Cute, huh? Coupons “oil” yours? This scam was registered in the name of our archnemesis Judy Santiago! To our new readers, we have identified many scams and malicious emails registered in the name of Judy Santiago from Alexandria, Louisiana. By the way, the domain couponsoilyours.com was registered on August 19 and is being hosted in Frankfurt, Germany.

Now delete.

Our last bogus email-made-to-look-like-savings is this pitch for “Crystal Wash.” Could this be “the end of laundry detergent as we know it?” The spammy white text against the white background at the bottom says it all about the legitimacy of this email. This email did not come from Crystal Wash. The domain crstallwashh.top was registered on August 17 by “nishant dubey” from Agartala, India. And we all say….

TOP STORY: Pretending To Be Legitimate Businesses

The last email in this week’s Your Money column was trying to deceive recipients into believing that it was a legitimate pitch from the real company/product called Crystal Wash, including the use of their logo, website design and site content. It got us thinking about how often scammers send malicious emails that pretend to be known businesses, including domains that sound or look very similar to the real domain of the real business. Like docusing.info vs docusign.com.

We looked last week at the scams that crossed our radar and found a surprising number of legit-company-pretender-bees: email pitches and domain names that were clearly pretending to be a legitimate company. Take a look at this pitch from info@treeoflendeingtwo.com instead of the legitimate domain lendingtree.com. “See if you could save hundreds each month.” Everything about this email wants the reader to believe it comes from the legitimate and real company Lending Tree, but that is all a lie. Once again, a WHOIS search reveals the lie. It was Judy Santiago who registered this domain on August 16th. ‘Nuff said.

How about this email sent from fidelitylife@fidelityy.download? It is clearly not from Fidelity.com and does not represent the real Fidelity Life group. It was registered on August 14 using a proxy privacy service in Panama.

As long as people pay close attention to the sender’s domain names in these types of scams, it is easy to see right through them. But what about generic domain names that sound like real legitimate businesses? Take this email sent from officeskills@MyDesktopTrainingCenter.com. We guess that people routinely get pitches from companies to improve their skills in using products like Excel. This email targeted someone by their full correct name. And the email made no effort to disguise or hide the link pointing back to the website mydesktoptrainingcenter.com. After all, the domain seems to reflect exactly what the email is pitching… training in the use of software. The email even contained a detailed description of the skills taught in each module of the self-paced online program. Why would we think this was anything but what it seemed to be?
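The sender-domain check described above can be automated at a mail gateway. The following Python sketch is an added example, not something from the original newsletter: the BRANDS watch list, the function names and the one-edit tolerance are assumptions. It flags the lookalike domains named in this issue and, as the paragraph above warns, returns "unknown" for a generic name that imitates no particular brand.

```python
# Added example: flag sender domains that imitate a watched brand.
# BRANDS is an assumed watch list: real domain -> words that make up its name.
BRANDS = {
    "docusign.com": ["docusign"],
    "lendingtree.com": ["lending", "tree"],
    "fidelity.com": ["fidelity"],
}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # swapped neighbours: "ng" for "gn"
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def fuzzy_contains(label, word):
    """True if some substring of label is within the allowed edits of word."""
    tol = 1 if len(word) > 5 else 0  # short words must match exactly to limit noise
    for size in range(len(word) - tol, len(word) + tol + 1):
        for start in range(len(label) - size + 1):
            if osa_distance(label[start:start + size], word) <= tol:
                return True
    return False

def classify_sender(address):
    """Return (verdict, imitated_domain) for an e-mail address or bare domain."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    for real in BRANDS:
        if domain == real or domain.endswith("." + real):
            return ("legitimate", real)
    # Assumption: the label left of the TLD is the registered name (wrong for co.uk etc.)
    label = domain.split(".")[-2] if "." in domain else domain
    for real, words in BRANDS.items():
        if all(fuzzy_contains(label, w) for w in words):
            return ("lookalike", real)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ("info@treeoflendeingtwo.com", "fidelitylife@fidelityy.download",
                   "docusing.info", "officeskills@MyDesktopTrainingCenter.com"):
        print(sender, classify_sender(sender))
```

An "unknown" verdict is not a clean bill of health; it only means the name resembles nothing on the watch list, so reputation and domain-age checks still apply.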

 

We at TDS are naturally suspicious of unsolicited emails and the domain name really caught our attention. When we Googled the domain mydesktoptrainingcenter.com we found very little about this website. In fact, Google never found the website itself. Doesn’t that strike you as odd for a website that appears to offer online educational programs? So we decided to grab the link in the email and ask the Zulu URL Risk Analyzer to check it out. Zulu’s response was very clear. Things are often not what they appear to be online.

 

 

FOR YOUR SAFETY: Emailing Label to You, Shipment Documents and Order Confirmation

The first two malicious emails below have dangerous zip files containing malware, a weapon routinely used by criminals trying to infect your computer. The first one is made to look as though it comes from ups.org and contains the message “The office printer is having problems so I’ve had to email the UPS label, sorry for the inconvenience.”

 

Most people don’t realize that Word documents can carry dangerous coding that leads to computer infections. This next email contains an attached “.docm” file. A docm file is a Word document that contains macro code that can automatically be executed when the file is opened. This is VERY risky if sent from someone who wants to do you harm.
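A mail filter can flag these attachments before anyone opens them. The Python sketch below is an added example, not part of the original newsletter: macro-enabled Office files are zip containers that hold a vbaProject.bin part, so it checks content as well as the file extension and also looks inside zip attachments like the ones described above. The function names, size limit and sample files are constructed for illustration.

```python
import io
import zipfile

MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".pptm")
NESTED = (".zip", ".docx", ".xlsx", ".pptx") + MACRO_EXTS
MACRO_PART = "vbaproject.bin"   # part of an Office file that stores the macro project
MAX_MEMBER = 20_000_000         # assumed limit: skip oversized members (zip bombs)

def triage_attachment(name, data, depth=0):
    """Return a list of findings for one attachment; an empty list means no flag."""
    findings = []
    if name.lower().endswith(MACRO_EXTS):
        findings.append(f"{name}: macro-enabled extension")
    if depth > 3 or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = info.filename
            if member.lower().rsplit("/", 1)[-1] == MACRO_PART:
                # Catches a macro document renamed to .docx to dodge extension rules
                findings.append(f"{name}: contains VBA project ({member})")
            elif member.lower().endswith(NESTED) and info.file_size < MAX_MEMBER:
                findings += triage_attachment(f"{name}!{member}", zf.read(member), depth + 1)
    return findings

def make_zip(members):
    """Build a zip in memory from {member_name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: the "macro" is placeholder bytes, not real VBA.
    plain = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<doc/>"})
    macro = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<doc/>",
                      "word/vbaProject.bin": b"placeholder"})
    outer = make_zip({"label.docm": macro})
    for fname, blob in (("invoice.docx", plain), ("order.docx", macro),
                        ("UPS-label.zip", outer)):
        print(fname, triage_attachment(fname, blob))
```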

 

ON THE LIGHTER SIDE: Hoodbrother!

We don’t quite know what a “hoodbrother” is but we’ve heard about the Illuminati in folklore and movies for many years. We just learned that the Illuminati are real! And we’ve been invited to join! We are sooooooooo excited!

From:  hood_brother29@yahoo.com
Time:   2016-08-21 04:47:56
Subject: Dear Friend

WELCOME TO THE GREAT HOODBROTHER. Do you want to be a member of Illuminati as a hoodbrother that will make you rich and famous in the world and have power to control people in the high place in the worldwide .Are you a business man or woman,artist, political, musician, student, do you want to be rich, famous, powerful in life, join the Illuminati hoodbrother cult today and get instant rich sum of. $9000,000,00 million dollars in a week, and a free home. any where you choose to live in this world and also get 10,000,000 U.S dollars monthly as a salary   BENEFITS GIVEN TO NEW MEMBERS WHO JOIN ILLUMINATI.

  1. A Cash Reward of USD $500,000 USD
  2. A New Sleek Dream CAR valued at USD $300,000 USD
  3. Dream House bought in the country of your own choice
  4. One Month holiday (fully paid) to your dream tourist destination.
  5. One year Golf Membership package
  6. A V.I.P treatment in all Airports in the World
  7. A total Lifestyle change
  8. Access to Bohemian Grove
  9. Monthly payment of $1,000,000 USD into your bank account every month as a member
  10. One Month booked Appointment with Top 5 world Leaders and Top 5 Celebrities in the World.

If you are interested of joining us in the great hoodbrother ILLUMINATI +2349059433459 OR ON OUR EMAIL- hoodbrother213@gmail.com YOU ALL ARE WELCOME TO THE GREAT ILLUMINATI CHURCH

Until next week, surf safely.