August 3, 2016

THE WEEK IN REVIEW

We want to remind our readers that even though the RNC and DNC have officially selected their nominees, the fake political emails are still showing up in inboxes. We are finding many malicious emails carrying shocking subject lines designed to engineer a click, such as this one with the subject “Has Trump gone too far? The shocking statement you won’t see on the news…”

As our readers know, though we identify the malicious intent of emails, social media posts, texts, and websites, we don’t explore the exact type of malicious intent unless it is a phishing scam. For example, we don’t try to identify which type of malware or infecting Trojan waits at the other end of a link or within a zip file. (We do have day jobs and families that want our attention too.) However, we have recently been reading reports from the FBI informing the public that a significant portion of these malicious attacks are a type of malware called ransomware. Ransomware is designed to encrypt and lock up your computer files until you pay the ransom to get the key to unlock the files. It is very effective! Without the key, your files are useless and cannot be opened. Though it primarily targets Windows computer owners, Apple computer ransomware has been found. Here’s a recent alert from the FBI:

The Locky malware is a ransomware variant, which has extensively utilized spam campaigns to distribute malicious files that download and execute code capable of encrypting numerous critical file types on both local and networked file stores. Encrypted files are renamed with a unique hexadecimal filename and receive the .locky extension.

On June 29 we published a newsletter with the Top Story titled Innocent Offer to Help or Likely Threat? You Decide! We were contacted last week by a very savvy Spanish Professor who shed a lot of light on this story. The emails, we learned, were not malicious but they were very deceptive. Check out what Dr. Saalfeld explained to us.


Sample Scam Subject Lines:

567 is a poor score – What’s yours?

Book Your Move with a Professional Moving Company

Buy a Portable Generator Online

Chipotle Exclusive: Spend This Amazing Gift Card On Us

Contact Lenses Brand Comparison

CNN – Donald Trump might resign because of this (video)

Do you spend hours on social networks?

Drive golf balls farther and faster – ultimate addition to your golf bag

Find Love Online!

In Debt, Governmental Policies Now Help Americans

Kohl’s Reward Shopping

Ladies, please complete your business profiles

The Simple Secret for Normal Blood Sugar

Sample Scam Email Addresses:

ABCnews@lottocom.eu

Age-Defying@sovrinti.com

Cable_TV_Online@oe4eiae.umshade.top

Diabetes_News@anlisisic.com

Extras@yogurtleer.top

fooddelivery@foodgetdeliv.date

info@cvscardgifts.com

info@cvsyourpharmacy.com

info@macysrewardsusa.com

info@savenergywithhomedepot.com

info@sharktankunited.com

MyTimeshareResale@3dd-u.download

window-specials@windowpric.eu

Phish NETS: Dear USAA Member and Your Telstra Bill is Refunded

“Urgent Action Required: Secure Message from USAA” This email from webdesksupport@inet.org provides a link that reads “usaa.com/inet/entlogon/signon” but a simple mouse-over reveals that the link actually points to a hacked user’s account at the hosting service WebsiteWelcome.com. We’ve notified them.

Deeeleeete!

“Your Telstra Bill for Account 2000133647550 is Refunded!” says an email from telstra99noreply@bills.eir.ie. (Notice the 2-letter country code “.ie”; it is from Ireland.) We honestly didn’t know what Telstra was and had to look it up. Turns out that Telstra is a leading provider of mobile phones and Internet access in Australia. However, that’s not who sent this email. Once again, a simple mouse-over shows that the link “Log in to My Account” points to a website in Italy that has been hacked and hosts this phishing scam… jamesjoyceteramo.it. “See you online soon! Gerd”

Delete!


Your Money: Amazon, Kohl’s, Burger King and Macy’s Rewards and Gift Cards!

Poor Amazon users! They are getting hammered by lots of malicious emails disguised to look like rewards and gift cards. Here are three recent ones. Notice that none of them was sent from Amazon.com, and a mouse-over shows that the links don’t point back to Amazon.com. One of the domains used by the criminals is the Amazon wannabe domain Amazonpricesusa.com. The other two domains are just plain stupid. Don’t believe this junk. These are malicious, plain and simple.

[Images: Amazon wanted to thank you with 100 card; Amazon giveaway 100 reward card; Chance to get 50 Amazon gift card]

“Claim Your 100 Gift Cart to Eat at Burger King. ONLY FOR TODAY, Burger King is giving away $100 in gift-cards!” says the email from Activate@burgerkingservices.com. Hmmmmm. We’re not sure that we would want to eat $100 worth of Burger King but that’s not the point. This is not from Burger King. Hell, this isn’t even from a Burger King marketer or Reward Zone USA or Rewards Flow, or whatever lies are written below this scam. The links point back to burgerkingservices.com and that domain was registered on July 25 (the day the email was sent) through Enom.com by a scammer we have identified before who uses the email berhkelly5564@gmail.com. Also, a search in Google for this domain doesn’t show any website or information whatsoever but it does show a few links to email-fake.com.

Delete!

In case you haven’t seen enough scam emails pretending to be special gifts, coupons or shopping sprees, here are two more wolves in sheep’s clothing: Kohl’s shopping rewards and a Macy’s gift voucher.

Double-delete.

[Images: Kohls - your shopping spree awaits; Macys special gift]

TOP STORY: Women’s Leadership Invitations Again

During the last year we have exposed scams, fraud and questionable organizations that appear to be women’s business organizations, women’s who’s who, and women’s leadership associations. (Below are a few links to these former stories.) These bogus pitches targeting women seemed to disappear for a while. Now they’re back in a somewhat new format. Check out the subject lines and From addresses of these scams, which targeted just one email server during two days. Despite what a couple of these emails suggest, they did not come from the real IWLA either.

Let’s start by looking at one of those many emails from sdfxbc.com. “Join a network for success, for women, by women.” You won’t find a thing on sdfxbc.com searching Google, except for a few online services that others have used to test for malicious content. The domain sdfxbc.com was actually first registered back in October of 2014 through a proxy service so we’ll never know who actually owns the domain. According to the WHOIS lookup there is no website title or screenshot of a front page. If you ran an organization trying to promote and engage a network of women, wouldn’t you build and market a legitimate web presence that was easy to identify and connect with?

Also, the exact language used in this email turns up in a phishing scam identified by Cornell University early in June. By the way, that red box at the bottom of the email went on for many inches of screen space. In it we found lots of red text meant to fool antispam servers. Here are the first few inches of text hidden in the box:

The police have told interrogators that Mohammed Bouhlel started speaking supportively of ISIS would be beneficial to Americans, and make Britain, “even better and whatever it is little known on this, the Castello Road has been praise for Pence immediately responded to a very sad situation. On 17 July 1936, the Spanish Civil War radicals)see wealth redistribution as the world’s few Muslim-majority democracies taken over. A destabilized military would be such that I have some volunteers out there and place about feelings. It led Daniels’ former campaign manager, joined Trump’s campaign announced Saturday evening in a way that doesn’t take orders from within the next couple of days ago, local media reported that he doesn’t like the NCAA and Salesforce, a major title. airstrike missions against the market right now. He added that they speak for everyone. You can use a percussive jackhammer-like mode on tougher rocks, such basalt on Earth, the Mars 2020 rover. Rather than widespread “entryism” from Trotskyiststhough there clearly was someProf Bale has got engaged to his wide-set nose,” said Daniels. I can’t wait to see and explore Mars in an award. In addition to the jobsealed his fate. That required an army tank as the Republicans gathered in Taksim Square in Istanbul and Ankara, full of “respect and admiration”.

[Image: Women - your member status preaccepted]

This next email is very different from those we’ve reported on in the past. It came from womensleadership@progressive-womensleadership.com with the subject “Women’s Leadership: Strengthen Your Professional Network.” The recipient is invited to “Earn a Women in Leadership Certificate and gain access to network of professional women with the same goals.” Even a phone number is provided! This certainly doesn’t seem to fall in the scam category of malicious emails disguised as offers for women. Let’s dig deeper…

A WHOIS lookup of the domain progressive-womensleadership.com shows that it was first registered in July of 2014 by Progressive Business Publications in Malvern, PA. Oddly, a search for the domain progressive-womensleadership.com (with the dash) turns up many links for the domain progressivewomensleadership.com without the dash. Running a WHOIS lookup for progressivewomensleadership.com informs us that it was also registered in 2014 (in January), with the same exact website title and the same registrar, but by a Tyrone Pernsley of Malvern, PA. Both registrants’ records list the email address domainregistration@pbp.com. A search for pbp.com in Google clearly shows us a link for Progressive Business Publications. It certainly seems reasonable to say that all points lead back to Progressive Business Publications as the company behind this email and both domains.

[Image: Womens Leadership network]


So who is Progressive Business Publications? They seem legitimate, with a well-documented website, address and phone number. This certainly doesn’t appear to be malicious. However, is it worth your time and money? Can they deliver what they promise through earning a certificate in “Women in Leadership?” Though we cannot judge based on our personal experiences (we’re men after all), we can say “caveat emptor” (let the buyer beware). Here are several links we discovered from many women on the Internet who are calling them crooks and scammers. Read the comments on…
Yelp: http://www.yelp.com/biz/progressive-business-publications-malvern

Better Business Bureau (BBB.org): http://www.bbb.org/washington-dc-eastern-pa/business-reviews/news-publications-trade-association/progressive-business-publications-in-malvern-pa-80012821/customer-reviews

ConsumerAffairs.com: https://www.consumeraffairs.com/business/progressive_business_publications.html

As we said… Buyer beware!

Here are links to some of the other bogus, malicious or worthless pitches from other “women’s” organizations and business groups:
December 16, 2015: International Women’s Leadership Association (IWLA)

April 13, 2016: Malicious look-alikes to the IWLA

April 20, 2016: Questionable email to join a network for women only

FOR YOUR SAFETY: FedEx Parcel Shipment and Emails with Attached Files

The From address may begin with “FedEx International Economy” but you’ll notice the email was sent from clinton.baird@ozoneonline.com. The zip file contains malware.

Delete!!

[Image: FedEx - your parecels has been shipped]

Once again we saw many small emails engineered to engage your curiosity enough to click the attached files containing malware. Nasty stuff.

Just delete!

[Images: Foundation plan attached; Invoice attached; Details of upcoming meeting attached; Attached is list of activities]

ON THE LIGHTER SIDE: Message From US Army Medical Team

NOW we’re on to something big! Truly! We were contacted by Captain Kate Carr Lee who discovered two trunk boxes containing “American dollar.” She’s looking for a “trust worthy individual who will assist me to receive the funds in his country before I will come over and join the person.” And she adds… “To prove my sincerity, you are not sending me any money because most of these scams are all about sending money.” Sounds good to us!

Bring on the trunks!


Until next week, surf safely.