
December 7, 2016

THE WEEK IN REVIEW

We’re old enough to remember when the Christmas season marketing and ads didn’t officially start until the day after Thanksgiving.  Those days are long gone.  Included into the mix of holiday special deals posted on web sites, social media, or sent via text and email are scams.  Lots of them!  Check out our latest article on Christmas scam holiday offers.

The bogus Trump emails continue.  “Did Trump actually say that?” And with opening lines like “This is Donald Trumps most shocking statement yet,” we may be inclined to believe them given his behavior.  But this bogus email is just another trick pointing to a malicious domain called worldshop1.com.

The Zulu URL Risk Analyzer says that the link in this email has an 80% chance of being malicious.


Sample Scam Subject Lines:

Christie Brinkley’s Revolutionary Skincare!

Devastatingly effective defense tool!

Dr. Sanjay Gupta Talks on CNN About Medical Marijuana

Drive your pup bonkers with the newest treats, toys, and gadgets

Dropping Mortgate Rates

From International Company

Have you ever wanted to land on an Aircraft Carrier

Most Spectacular Way to Decorate Your Home

Payment Information

Refinance Now Before Rates Rise

Shark Tank exclusive product – works for both men & women

The Economy is in Trouble and Trump cant save it

Urgent: Your 2016 Credit Score may have changed

Sample Scam Email Addresses

Auto-Warranty-Direct@coffee.herasne.top

burialinsuranceoptionnet@greatoption.bid

Harp-Approval_Offer@mammoth.bvtough.top

hayes@gobackpain.bid

homewarrantynetwork@homwarnts.bid

Oz.Miracle.Pill@unique.gyfault.top

removefungus@fungsfree.eu

Santa_Claus@wishful.gychill.top

smartsaw@smartsaws.club

starbucks_coupons-[YOUR EMAIL]@bluelocate.press

thechoicewarranty@greatoption.bid

trump_breaking_news-[YOUR EMAIL]@profitsreport.net

yellospice@turmericsupply.org


Phish NETS: Your Apple ID Has Been Locked, Your PayPal Account Has Been Limited, and Your Email Storage Is Almost Full

We’ve seen a lot of phish in the Internet sea during the past week.  Please look carefully at the from addresses and be sure to mouse-over links before clicking them!  Here is a sampling of what we saw last week…

“Your Apple ID has been locked” says an email that looks like it is from the Apple Store.  But it was sent from the domain critsend.com, not Apple.com.  The criminals who created this phish were clever to use a link-shortening service because the service itself begins with https.  The “s” means that the link is secure and might fool some people into thinking it is a legitimate link.  But the shortened link will automatically forward you to the phishing site, which isn’t secure and isn’t Apple.com.  Look below to see how we used Unshorten.it to identify that the shortened link sends you to a phishing site hosted on the South Pacific island of Tokelau (.tk).

(Image: “Your Apple ID” phish, short link exposed)

This PayPal phish was sent to us by one of our readers.  Thank you!  “Your account has been limited until we hear from you.”  If you look closely at the from address you’ll know immediately that this is a scam.  The email suggests that it came from service@intl.paypal.com but it actually came from the address within the < > symbols.  A mouse-over of “Resolution Center” reveals that it points to a malicious website buried within a MandrillApp.com tracking link.  (MandrillApp.com is an email app used with the email service MailChimp.)  If you look carefully in the link below, after the number 30273311, you can see that you will be forwarded to a website that begins with services-account.intl.  This PayPal phish actually points to the website www.services-account.intl-scr-DOT-com, not paypal.com.  The MandrillApp tracking link is simply meant to obfuscate the phishing site.

Deeeeleeeete!

“Your Email storage is almost full”  “Your webmail has used 91% of its allowable storage space”  The phishers who created this email didn’t even bother to hide the destination.  This phish is easy to see through.

Just delete.
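The three checks this section applies by eye (read the address inside the < >, not the display name; notice when a link only goes to a shortener; and pull the real destination out of a tracking link) can be automated.  The Python below is an added example, not code from The Daily Scam.  The message it analyzes is constructed for the example, and every host in it is a placeholder under .example rather than the real sender, tracking service or phishing site; the shortener is only flagged, since expanding it needs an outside lookup such as the Unshorten.it service mentioned above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

# Constructed sample modelled on the PayPal phish described above.  All hosts
# are placeholders under .example; none is the real tracking or phishing site.
SAMPLE_EMAIL = """\
From: "service@intl.paypal.com" <noreply@mailer-example.example>
Subject: Your account has been limited
Content-Type: text/html

<p>Your account has been limited until we hear from you.</p>
<a href="https://track.mailer-example.example/click/30273311/www.services-account.intl-scr.example/">Resolution Center</a>
<a href="https://short.example/x9y8z7">Verify now</a>
"""

# Hosts that only redirect or track clicks; a link to one of them says nothing
# about the final destination (constructed list for this example).
REDIRECTOR_HOSTS = {"short.example", "track.mailer-example.example"}

DOMAIN_TOKEN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)
EMBEDDED_URL = re.compile(r"(?:https?://|www\.)[a-z0-9.-]+\.[a-z]{2,}", re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)


def registrable(domain):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def real_sender(raw_email):
    """Return (display_name, actual_address) from the From header.

    Mail clients show the display name, but the address inside <...> is the
    one the message actually came from.
    """
    msg = message_from_string(raw_email)
    return parseaddr(msg.get("From", ""))


def display_name_spoofs_domain(display_name, actual_address):
    """True when the display name advertises a domain other than the real one."""
    actual = actual_address.rsplit("@", 1)[-1]
    for token in DOMAIN_TOKEN.findall(display_name):
        if registrable(token) != registrable(actual):
            return True
    return False


def extract_links(raw_email):
    """All href targets in the (single-part) HTML body."""
    msg = message_from_string(raw_email)
    return HREF.findall(msg.get_payload())


def embedded_destinations(url):
    """Hosts hidden inside a tracking or redirect link's path or query."""
    parts = urlparse(url)
    tail = unquote(parts.path + "?" + parts.query)
    return [m.lower().split("://")[-1] for m in EMBEDDED_URL.findall(tail)]


def classify_link(url):
    """Return (kind, destinations): where the click really ends up, if knowable."""
    host = (urlparse(url).hostname or "").lower()
    hidden = embedded_destinations(url)
    if hidden:
        return "tracking-link", hidden
    if host in REDIRECTOR_HOSTS:
        return "shortener", []  # must be expanded before it can be trusted
    return "direct", [host]


def analyze(raw_email):
    """Summarize the sender and link findings for one message."""
    display, address = real_sender(raw_email)
    findings = {
        "actual_sender_domain": address.rsplit("@", 1)[-1].lower(),
        "display_name_spoof": display_name_spoofs_domain(display, address),
        "links": [],
    }
    for url in extract_links(raw_email):
        kind, targets = classify_link(url)
        findings["links"].append({"url": url, "kind": kind, "targets": targets})
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, value)
```

Run against the sample, the report shows the real sending domain, flags the display name for claiming paypal.com, lists the host buried after the tracking id in the first link, and marks the second link as a shortener that still has to be expanded.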

Your Money: $100 Walmart Gift Card, Get a Kohl’s Friends and Family Gift Card, Fetch a Barkbox, and Never Pay Another Car Repair Bill AGAIN!

One time offer!  Get a $100 Walmart Gift Card.  Just enter your zip code to start, says a promotion from walmartcupm.top.  We say cow poop!  If you want to stop receiving these promotions you are asked to send an email to thesimonrich@gmail.com.  Seriously?  A WHOIS lookup shows us that walmartcupm.top was registered the day the email was sent by someone named “rohit” from Jaipur, India.  Google cannot find any website at the domain.

Delete.

Here’s another malicious email meant to look like a promotion… “Get a Kohl’s Friends and Family Gift Card”  Just register, complete the survey and get your gift card.  This is just a nasty social engineering trick to infect your computer.  The email came from yourkholsrewards.com which certainly looks official but it isn’t.  Did you notice the misspelling?  The domain name has khols, not kohls.  A WHOIS again reveals the fraud.  Yourkholsrewards.com was registered on December 1 to someone named “Marie Newton” using the email address newtongirl75 @hotmail.com and the website description for the site is “The Superficial – Sarcastic, celebrity coverage, bikinis and uncensored photos.”  Also, note the oddball text found in the black box at the bottom of the email.  Sound like Kohl’s to you?

Though Barkbox is a legitimate site selling products for your dog, this “Fetch a Barkbox” pitch for “monthly curated natural toys and treats for your pup” is flim-flam.  The email came from the domain dogboxs.club.  It was registered (can’t you guess?) just hours before the email was sent and the site is being hosted in Mumbai, India.  It was sent by the same criminal group who sent the Walmart scam above.  How can we be certain?  If you want to stop receiving these promotions you are asked to send an email to thesimonrich@gmail.com.

Deeeeleeete!

“Never pay another car repair bill AGAIN!  Save 60% on an extended auto warranty”  And we absolutely love those three little words… “AS SEEN ON…”  As if that makes it all true.

Just delete.

(Image: “Never pay another car bill again”)

TOP STORY: Deadly Subscriptions

Do you ever receive online or email pitches for magazine or newspaper subscriptions?  We see many and, as you can guess, some of these are completely malicious.  They are another social engineering trick to cause a computer infection or installation of ransomware.  Using magazine subscriptions as the wolf in sheep’s clothing is a very clever trick to target people of a higher socio-economic level.  For example, these are the folks who may be more able and willing to pay a higher ransom to unlock their encrypted files.  The criminals target them by the choice of subscription.  The critical question here is… can you tell which of the following subscription pitches are legitimate and which are malicious?  Take your best shot! Your choices are…

  1. Bloomberg Businessweek
  2. The New York Times
  3. The Economist Magazine
  4. Remodeling Magazine

We’ll reveal the truth at the bottom of the column.

(Images: magazines.com; “Thank you” from Remodeling Magazine)

Think you have it figured out?  Let’s see how you did…

  1. Bloomberg Businessweek – Malicious

If you look very carefully at the from address you’ll see the misspelled domain is actually bloomberrg.eu.  Two “r” rather than one.  Also, dot-eu means that the domain is hosted in the European Union.

  2. The New York Times – Malicious

We hope you quickly noticed that the domain being used to represent this email is a dot-top.  Specifically… kcutest.top.  According to a WHOIS lookup, that domain was registered on the day the email was sent by a “Mabelle Malakaney” from Parkstrabe, Germany.   There are at least 4 suspicious redirects waiting for the person who clicks the link in the email.

  3. The Economist Magazine – Legitimate!

This is a screenshot from the very legitimate website Magazines.com.  A mouse-over of the link shown in the screenshot reveals that it begins with httpS.  The “s” in https means “secure” and the link goes to the place represented in the email.  Most importantly, if you type magazines.com into a Google search field, you’ll see that Google’s search results offer a lot of legitimate content for magazines.com.

  4. Remodeling Magazine – Legitimate!

At first glance, the from address might lead one to be suspicious about the legitimacy of this email, and it should.  The email came from remodelingmagazine@sparkcallcenter.net.  A Google search will inform you that SparkCallCenter.net (and dot-com) is a marketing service that markets magazine subscriptions amongst other things.  And a mouse-over on a link in the email shows that it points to a website called remodeling.hw.net. A WHOIS lookup of hw.net reveals that it was registered way back in 1996 to Hanley Wood, LLC.  Ask Google about Hanley Wood, LLC and you’ll see that this firm develops magazines and more for the building industry.  Completely legitimate!

So how did you do?  Think you can do well consistently?  The criminals targeting us every day certainly hope not.  Equally important, would your spouse, son, mother do well?  The sad truth is that most people won’t do well.  If they are enticed to click a malicious link, it is game over.
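The domain tests used in the “Your Money” section and in this quiz (a brand name with a letter dropped, doubled or swapped; a cheap top-level domain such as dot-top or dot-bid; a domain registered the day the email went out) are the same three questions every time, so they can be written down once.  The Python below is an added example and not code from The Daily Scam.  The brand list is limited to brands named in this issue, and the WHOIS creation dates and the send date are constructed placeholders for the example, not the registration records quoted above; a real deployment would query WHOIS or RDAP instead.

```python
from datetime import date

# Brands impersonated in this issue; a real list would be far longer.
KNOWN_BRANDS = {"walmart.com", "kohls.com", "bloomberg.com", "apple.com", "paypal.com"}
# Cheap, heavily abused new TLDs seen throughout this issue.
SUSPICIOUS_TLDS = {"top", "bid", "club", "press"}
# Constructed WHOIS creation dates (placeholders, not the real records).
SAMPLE_WHOIS = {
    "walmartcupm.top": date(2016, 12, 5),
    "yourkholsrewards.com": date(2016, 12, 1),
    "bloomberrg.eu": date(2016, 12, 4),
    "hw.net": date(1996, 3, 1),
    "magazines.com": date(1995, 6, 1),
}
EMAIL_DATE = date(2016, 12, 5)  # constructed send date for the samples


def registrable(domain):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'khols' is one step from 'kohls' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(domain, brands=KNOWN_BRANDS):
    """Return the brand whose name appears (within one edit) inside the domain's
    main label, or None.  The brand's own domain is never a look-alike."""
    reg = registrable(domain)
    if reg in brands:
        return None
    label = reg.split(".")[0]
    for brand in sorted(brands):
        name = brand.split(".")[0]
        for width in (len(name) - 1, len(name), len(name) + 1):
            for start in range(0, max(1, len(label) - width + 1)):
                if osa_distance(label[start:start + width], name) <= 1:
                    return brand
    return None


def suspicious_tld(domain):
    return domain.lower().rstrip(".").rsplit(".", 1)[-1] in SUSPICIOUS_TLDS


def registered_just_before(created, sent, max_age_days=7):
    """True when the domain was created within a week before the email was sent."""
    return 0 <= (sent - created).days <= max_age_days


def score_domain(domain, sent=EMAIL_DATE, whois=SAMPLE_WHOIS):
    """Collect the red flags the column looks for; an empty list means none."""
    reasons = []
    brand = lookalike_of(domain)
    if brand:
        reasons.append(f"looks like {brand}")
    if suspicious_tld(domain):
        reasons.append("cheap/abused TLD")
    created = whois.get(registrable(domain))
    if created is not None and registered_just_before(created, sent):
        reasons.append(f"registered {(sent - created).days} day(s) before the email")
    return reasons


if __name__ == "__main__":
    for d in ("walmartcupm.top", "yourkholsrewards.com", "bloomberrg.eu",
              "remodeling.hw.net", "magazines.com"):
        print(d, score_domain(d) or ["no red flags"])
```

The look-alike check is deliberately loose (one edit inside a window the size of the brand name), which is what catches “khols” and “bloomberrg”; it will also produce the occasional false match on an unrelated word, so treat it as one signal to combine with the TLD and registration-age checks rather than as proof on its own, just as the column combines a mouse-over with a WHOIS lookup.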

FOR YOUR SAFETY: FedEx Delivery Notification, Payment Information, and Yesterday’s Invoice

There are so many red flags about this supposed email about a FedEx delivery.  The from address isn’t fedex.com, the email is dated 2013, and a mouse-over of “Delivery manager” points to a website hosted in Spain (.es = España = Spain).  We checked out that link with VirusTotal.com and no less than four AV services have identified that website as a malware installer.

This next email came from a webserver in Brazil (dot-br after the domain).  “Good afternoon.  Thank you for sending the bill…” The attached zip file is laden with malware.

“Greetings! You paid for yesterday’s invoice – the total sum was $6907.”  That would certainly get our attention!  But once again, that attached zip file contains nothing but malware.  Delete and live to tell the tale.


ON THE LIGHTER SIDE: I Am Elena From Russia

Don’t misunderstand us.  We’re happily married to wonderful ladies but we were flattered nonetheless to get this lovely invitation from Elena.  “How are you?  I am Elena from Petropavlovsk, Russia.”  And she’s an IT specialist! A Geek, just like us!  We’re sad to hear she hasn’t met the love of her life yet and found us during her search for a life partner.  She just wants us to visit with her on a Russian dating site.  Too bad the Zulu URL Risk Analyzer tells us otherwise.

(Image: “I am Elena from Russia”)

(Image: “I am Elena from Russia”, Zulu score)

Until next week, surf safely.