
August 29, 2018

THE WEEK IN REVIEW

The Internet has become the single most important resource for commerce and communication in the world, and yet it has no police force and no laws governing how it is established or maintained, which makes online deception child’s play. There are even websites and apps DESIGNED to deceive others, and this is all OK with ICANN (e.g. prank call websites and fake email generator websites). In last week’s newsletter we lamented how negligently ICANN governs the Internet’s domain naming system. In our opinion, its lack of effort to create sensible rules that protect people and hold Registrars accountable means that innocent people are targeted and hurt every day by online criminals. Just a few days ago we heard from a woman who was financially and emotionally impacted by this ease of online deception. We’ll call her Clara to protect her identity.

Clara is 67, divorced, and described herself as very lonely. Her son suggested she try the dating site “Plenty of Fish” (POF), where she recently met “John” from Alabama. She tells us: “I saw John’s picture. A very nice looking man. We started emailing through POF and after 2 or 3 days he thought it might be better to just email each other [directly] and not do it through the website. We corresponded back and forth for a week. He gave me some garbage about selling his private plane. Then I didn’t hear from him for 2 days. That is when he gave me a sob story about how the IRS froze all his bank accounts and that he needed $5,300.00. I wrote back and told him I don’t have it. Then he wrote back ‘Do you have credit cards?’ That is when I lost it. Wrote back and told him I may be 67 but that I hadn’t lost my mind yet.” She told us this was her first and last experience on a dating website. When we continued our conversation to understand why she was so quick to give up, we learned that she had been badly burned just two months earlier by a different scam. She was tricked into clicking a malicious link that locked her out of her computer unless she paid about $220 for the unlock code (ransomware). She says these events have destroyed her trust in people and in using the Internet. (Based on what we hear from readers who contact us, POF is the dating service with the highest incidence of scams.)

To read more about dating scams that primarily target women who use dating sites, visit our feature article “I Love You, Send Me Money.”


Phish NETS: Chase Bank Alert, Wells Fargo Notification and Bank of America Suspicious Activity

One of our loyal readers recently received three phishing emails targeting three different banks. All three contained different shortened links through Ow.ly or Ow.li. Each email’s HTML rendered somewhat mangled, but you’ll get the idea. Let’s start with “Chase Detected Suspicious Activity” from “Chase Alerts.”

The Zulu URL Risk Analyzer shows that this shortened link redirects the visitor to a web page hosted on the free web hosting service 000WebHost.com. You can see a screenshot below of this fake Chase Bank page. It looks very professionally made; we found only one small grammatical error on the phishing page.

Can you spot it?

This next phish also contains a shortened link. Don’t be fooled by seeing “From: Wells Fargo.” The domain after the “@” symbol shows that the email came from project-doministration-activityalerting[.]com. This domain was registered in late March, 2018 through a private proxy service. It does not belong to Wells Fargo.

Just like the Chase Bank scam above, this Ow.li link points to a phishing page at 000webhostapp.com. Look at the phishing page and you’ll see that it doesn’t identify the account owner or account number, and that visitors are clearly not on WellsFargo.com.

Deeeleeeete!

Finally, we leave you with this last email, like the first, but pretending to be from Bank of America, contacting folks about suspicious activity on their accounts.  Once again, the link is through Ow.ly.

Just delete.

YOUR MONEY:  Join the Shave Club, Amazon Commissions, and Ray Ban Best Clearance Sale

There are many shaving clubs available online for buying discounted products. But this email does not represent any of them, especially NOT the Dollar Shave Club. This email is malicious clickbait. Don’t be fooled by the graphic or the cheap price! Look at the domain the email came from and that its links lead back to: numroogy[.]us. This domain was registered by someone named “Yogesh Singh” from Bhopal, India the day before this email was sent (August 21, 2018). Not that it matters, but there is a redirect on that one-day-old website, sending visitors to another website called compsabid002[.]com. This second website was registered three weeks earlier using a private proxy service. Google can’t find anything about these websites. It can’t even locate the word “shave” on either of them! Step away from these landmines…

This next email from a domain called ConversationFire[.]com falls squarely in the category of “if it seems too good to be true, it is.”  According to the sender, you can make about $3000 every day just by logging into and browsing Amazon.  But to find out how, you’ll first have to pay $37.

Yeah, right. Now delete.

Ray Ban and Oakley sunglass sales have often been used as clickbait leading to malware, and we’ve reported on many of these malicious ads in the past. Here’s one more. The Zulu URL Risk Analyzer gives the website a 90% chance of being malicious. How do you like those odds?

TOP STORY:  “Trump Medicare Plans” and Layers of Scams

Let’s begin with a bit of fiction created by criminal organizations to target Americans who are concerned about health care. As they often do, these criminals have stolen the name, graphics and content of a legitimate company and dressed it up as their wolf in sheep’s clothing to get you to click a malicious link. This email uses content stolen from a company called QuoteLab, located in Santa Monica, California. QuoteLab is an insurance reseller that owns a website called Trump-Medicare-Plan.com. Were you to visit the real site, you would see that the criminals have stolen the graphic used in this email (but flipped it horizontally), along with its icons and content. They even list the correct address for QuoteLab at the bottom of this landmine. Let’s peel back the many layers of this trickery…

  1. This email about “Trump Medicare Plans” with the subject line “Cheaper Medicare May Have Arrived !” came from an email address in the European Union: “@” 81823[.]polished[.]pumptry[.]eu. (“.eu” = European Union)
  2. All links in this email LOOK LIKE they lead back to the domain safelinks.protection.outlook.com, but this is a red herring! Look just past this text in the link revealed at the bottom of the email. The link contains a visible redirect to a website named weaker[.]ddns[.]net. We’ve identified MANY malicious emails in the last few months that use this exact trick. In the link you can see “http” followed by “%3A%2F%2F”, which is a form of link encoding called “percent encoding”: %3A stands for “:” and %2F stands for “/”, so the sequence means “://”. Everything after url= is therefore a redirect to a link that begins “http :// weaker[.]ddns[.]net/”
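For readers who want to check such a link themselves, here is an added example (our own illustration, not code from Microsoft or from the email) that pulls the real destination out of a Safe Links style wrapper. The sample URL is constructed for this example: the host weaker.ddns.net is the one named above, but the path and the other query parameters are made up, and the “expected” brand domain is simply the site the email claims to represent.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample, shaped like the link described above. Only the
# weaker.ddns.net host comes from the newsletter; the rest is invented.
SAMPLE_LINK = (
    "https://eur01.safelinks.protection.outlook.com/?url="
    "http%3A%2F%2Fweaker.ddns.net%2Fpromo%2Fmedicare"
    "&data=placeholder&reserved=0"
)

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelink(link):
    """Return (target_url, target_host) for a Safe Links style wrapper.

    parse_qs percent-decodes the query values, so "%3A%2F%2F" becomes "://"
    and the url= parameter turns back into an ordinary URL. A link that is
    not a wrapper is returned unchanged with its own host.
    """
    parts = urlparse(link)
    host = (parts.hostname or "").lower()
    if not host.endswith(SAFELINKS_SUFFIX):
        return link, host
    targets = parse_qs(parts.query).get("url")
    if not targets:
        return link, host
    target = targets[0]
    return target, (urlparse(target).hostname or "").lower()


def is_in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(link, expected_domain):
    """Summarise where a link really goes and whether that matches the brand."""
    wrapper_host = (urlparse(link).hostname or "").lower()
    target, final_host = unwrap_safelink(link)
    return {
        "wrapped": wrapper_host != final_host,
        "target": target,
        "final_host": final_host,
        "matches_expected": is_in_domain(final_host, expected_domain),
    }


if __name__ == "__main__":
    # The brand the email impersonates owns trump-medicare-plan.com.
    print(triage(SAMPLE_LINK, "trump-medicare-plan.com"))
```

The point of the check is the last field: a link whose visible text or wrapper host looks trustworthy but whose decoded destination is not the brand’s own domain is exactly the red herring described above.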

By the way, Microsoft changed its Outlook.com link structure in early October, 2017 specifically BECAUSE it wanted to make it harder for criminals to misuse its services. However, LOTS of people complained that the change actually made it easier for criminals to misuse these links and target Outlook users. You can read some of these complaints in a Microsoft Community blog from last October.

But there are still more layers to peel away from this landmine…

DDNS.net is a dynamic DNS service whose hostnames can be pointed anywhere in the world in real time, depending on the account holder’s preferences. When we asked the Zulu URL Risk Analyzer to review the full redirected link hidden after the opening safelinks.protection.outlook.com, Zulu informed us that weaker[.]ddns[.]net sends visitors to a website located in Ukraine (“.ua” = 2-letter country code for Ukraine) called ironappworks-inc[.]com.

Ironappworks-inc[.]com was registered on March 15 using a private proxy service. We used a tool to visit this website and take a screenshot, and we were surprised by the content. The site was presented as Peltmedia, offering free streaming of movies and TV shows. Obviously this is not the real Peltmedia, and even if it were, we do not recommend this free service. There are many complaints on the Internet saying that it bundles malware with its software. Check out these two links from May, 2018 about Peltmedia:

https://trojan-killer.net/how-to-block-peltmedia-com-stream-video-ads/

https://deletemalware.net/how-to-block-peltmedia-com-ads/

And so that supposed email for Trump Medicare Plans is nothing more than multiple layers of subterfuge wrapped around a landmine.  How can someone like Clara ever be expected to see through any of this? Someone should notify the Internet police! Oh yeah, there aren’t any…

FOR YOUR SAFETY: FedEx – Please Update Address

To be completely honest, we have no idea exactly what the danger is here. But we know this is not what it appears to be, and it is malicious! “Urgent: [NAME REDACTED], please update your address immediately” says an email from Fedexurgentaddressupdates “@” ponytelecom[.]eu. Clearly this is not from fedex.com!

Buried in the link for “Update Address” are eleven bizarre email addresses, all of which would receive whatever information you send. (See the mouse-over revealed at the bottom of the email.) None of them belong to the domain fedex.com.
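Here is an added example (our own illustration, not anything from the FedEx email) of how to list every address hiding in a mailto: link, including those tucked into cc= and bcc= parameters, and flag the ones that are not on the domain the message claims to come from. The sample link is constructed with three placeholder addresses; it is not the real link with its eleven addresses.

```python
from urllib.parse import parse_qs, unquote

# Constructed sample shaped like an "Update Address" mailto: link.
# The addresses are invented placeholders, not the ones from the real email.
SAMPLE_MAILTO = (
    "mailto:update1@example-one.test,update2@example-two.test"
    "?cc=update3%40example-three.test&subject=Address%20update"
)


def mailto_recipients(link):
    """Return every address that would receive mail sent via this mailto: link.

    Recipients can sit before the "?" (comma separated) and also inside the
    to=, cc= and bcc= query parameters, so both places are collected.
    """
    if not link.lower().startswith("mailto:"):
        return []
    to_part, _, query = link[len("mailto:"):].partition("?")
    recipients = [unquote(a).strip().lower() for a in to_part.split(",") if a.strip()]
    params = parse_qs(query)  # percent-decodes, so %40 becomes "@"
    for key in ("to", "cc", "bcc"):
        for value in params.get(key, []):
            recipients.extend(a.strip().lower() for a in value.split(",") if a.strip())
    return recipients


def recipients_outside_domain(link, expected_domain):
    """Addresses in the link whose domain is not expected_domain or a subdomain of it."""
    flagged = []
    for addr in mailto_recipients(link):
        _, _, domain = addr.rpartition("@")
        if not (domain == expected_domain or domain.endswith("." + expected_domain)):
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    print(mailto_recipients(SAMPLE_MAILTO))
    print(recipients_outside_domain(SAMPLE_MAILTO, "fedex.com"))
```

A genuine “update your address” link from a carrier would send you to the carrier’s own site or a mailbox on its own domain; a mailto: link whose recipients all live elsewhere is the tell described above.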

Just delete.


Until next week, surf safely!