
February 10, 2016

THE WEEK IN REVIEW

Did we actually say things were quieter last week? Slap our faces! The scammers are back with a vengeance this week! Too many scams and too little space to write about them. And those small malicious emails delivering nasty payloads were sent in large numbers as well. So, too, were phishing emails. And adding insult to injury, TDS heard from many people who use Care.com and were receiving the fake-check scam offers. The emails or texts usually come from someone moving to their “area” and looking for child care, dog-sitting services, etc.  What a week!  Has anyone seen the cavalry riding to the rescue to save the day?  It feels like “open season” on U.S. citizens, and law enforcement is overwhelmed, uninterested, or both.  Hang on, your digital life is going to get a bit bumpier…

 

Sample Scam Subject Lines:

8% – Annuity Returns –Start Earning Today!!!

Alert: What is in your drinking water?

Breaking News – Are Probiotics a Scam?

Ending Soon: Your Macy’s V-Day reward balance is $50.00

Have you ever felt lonely on the 9th hole?

Last Chance: 45% of world-class wine, plus gift of 3 free bottles

Over 16,000 Woodworking Projects

Re: HI

Reverse Mortgage FAQ What You Need to Know As a Consumer

Take Care of Your Smile – With Dental—Insurance

Today Only: You have been selected for a $50 Kohl’s V-Day voucher

Veterinarian insurance – Compare coverage plans!

View options for your next oil change

Watching This – Can –  Save Your Life

Sample Scam Email Addresses:

CarNavigationSoftware@ramhya.top

CloudProviders@tjring.top

Diabetes.Cure.Found@fgder.cuprc.win

DonateYourOldCar@datif.top

Fox_News@nbffto.homeyyi.eu

freetrialelectroniccigarette@forheelth.date

Golf-Magazine@ddfgt.dshaky.download

healthsecretexpose@prolsleem.download

homecleaning@homefastt.date

homesecuritycameras@wirlescam.faith

optimataxrelief@taxrebates.date

Macintosh.2016.Clearance@dfhjik.ssweep.accountant

TreatingCOPD@blaota.top

weirdabtrick@absandshapes.bid

 

 

 

Phish NETS: Apple ID and iTunes, USAA Checking/Savings Account

They’re at it again… Targeting Apple account holders.  Most folks don’t realize that access to your Apple account means access to your credit card on file and a whole lot more.  Also, these phishing scams trick victims into revealing a tremendous amount of personal information.

Look at this email from noreply@supportworldwide-ios.com with subject line “[Ticket#6928163] Please review your Apple/iCloud ID.”  The recipient is told the tall tale that “the verification of your iCloud ID is necessary so we can comply with financial service regulations.” The link provided makes no effort to hide the fact that it doesn’t lead to apple.com.  It points to the domain appleicloudsupportticket84752.net.  According to a WHOIS lookup, this domain was registered on February 4, the day the email was sent, to a Privacy Protection Service and is being hosted in France.  The criminal who registered this obvious phishing site used the service called LaunchPad.com.  LaunchPad.com is actually a service created by Hostgator.com.  Hostgator, in turn, is an eNom.com reseller.  We have complained loudly over the last two years that eNom often appears to turn a blind eye to criminal domains as they earn a paycheck from them.  Any idiot with half-a-brain should think that the domain name appleicloudsupportticket84752.net is not legitimate.  This is especially true if the domain hasn’t been registered by Apple Computer.  But there is no financial incentive for eNom to protect us, nor any procedure for this required by ICANN.  ICANN (the Internet’s governing body) doesn’t require eNom to check on suspicious domains or even report them in any timely manner that would be meaningful. (Phishing sites have a useful lifespan of 1-2 days.) And all of us suffer as a result…  We’ll get off our soap box in a moment.  Check out the 2 screenshots of the website for the domain appleicloudsupportticket84752.net.  One day the website looked like the one on top and the next day like the one on bottom.

2-Apple phish site

We believe that we’ve reported many times on the criminal gang that is responsible for these Apple phishing scams because of a single nasty trick these criminals like to play.  They seem to have a sick sense of humor.  Clicking the link, for example, to “Sign in To Apple ID Validation” (which we do not recommend our readers ever do!) requires that your email address match the address used in the email that targeted you.  If you enter any other text or address, and then click “Sign in To Apple ID Validation” you’ll be startled by the behind-the-scenes-scripting that will send you to Google and immediately search for… “How can I download child porn.”  We said they were nasty.  These criminals want to send as clear a message as possible.  “Don’t f#@% with us.”

Now delete.

Check out this next Apple phishing scam containing the subject “Your itunes account has been frozen.”  The email was extremely unusual in the way it was coded and, quite honestly, we’ve never seen anything like it before.  The code somehow prevented a mouse-over from revealing where the links “48 hours” and “Click Here Validate Your Account” pointed to.  (How is that even possible? Can any of our readers explain that to us?)  We had to dig behind the scenes and search the code in order to locate this gem: altrazerodrop. co. nz / js / editarea / Support.  Can you figure out the 2-letter country code in the domain altrazerodrop.co.nz?  Answer is below.

The links in this phishing scam above point to a website in New Zealand! (.nz) Of course, looking carefully at the “from” address should make anyone suspicious…  www-data@dakarvoyages.com.  Delete! (IMPORTANT NOTE: If you cannot reveal where a link points to by mousing-over, don’t click it! Forward it to us to investigate.)
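When a mouse-over shows nothing, the link targets can still be read straight from the email's HTML source. The following is an added example, not code from this newsletter: it pulls every link out of a constructed sample body and checks whether the host really belongs to the brand. The brand domain list, the sample HTML and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand really uses (not taken from the page).
BRAND_DOMAINS = {"apple.com", "icloud.com"}

# Constructed sample body; the two non-Apple URLs are the ones quoted in this article.
SAMPLE_HTML = """
<p>Your account will be frozen in
<a href="http://altrazerodrop.co.nz/js/editarea/Support"><span>48 hours</span></a>.</p>
<a href="http://appleicloudsupportticket84752.net/">Sign in To Apple ID Validation</a>
<a href="https://www.apple.com/">Apple</a>
"""

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def is_brand_host(host):
    """True only for the brand's domain or a subdomain of it, not a lookalike."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def audit_links(html_body):
    """Return (text, host, matches_brand) for each link, read from the markup."""
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    report = []
    for text, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        report.append((text, host, is_brand_host(host)))
    return report
```

Because the match is on the end of the hostname, a domain that merely contains the word "apple" is still reported as not belonging to the brand.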

Finally, we found several of these odd phishing emails that targeted USAA Bank customers again with the subject line “Your USAA Checking/Savings Account Urgent Profile Update.”  We wanted to inspect the attached PDF file but decided it wasn’t worth the risk after getting the following message from our antivirus software.  It deleted the file for us.

5-USAA Checking Savings account

6-USAA Checking Savings account-threat

Your Money: Car Insurance, Clear Vision,  Find Local Help for Bed Bugs

If we only had more time!  We would love to search through the thousands of scam emails we see in a month and classify all the topics the scammers like to use.  Below are just two of them… Auto insurance (any insurance actually… dental, medical, house, pet, etc.) and vision.  Subject lines “State Farm – Geico & More – Lock-in Lower Rates….” and “Eye drops replace glasses – I can see perfect now.”  But then we got something brand-spanking new! A scam email with the subject line “Find Local Help, for Bed-Bugs.”  You’ll notice that, like so many other scam emails, the Bed-Bugs email contained hidden text to try to fool the anti-spam filters.  This text, however, was brown against the brown background.

Take note of the strange domains in these emails… parliest.download, hopevision.date, and hamafoot.download.  As our readers know well by now, each domain was registered the day the scam email was sent.  Also, all domains were registered using Alpnames.com as their registrar.  Enom.com used to be one of the biggest tools used by criminals to register scam domains but for the last couple of months it appears to be Alpnames.com.

8-Get clear vision in 5 minutes

 

TOP STORY: Scams Target the Seasons – V-Day and Taxes

Tis the season of love and taxes.  Scammers will always push out scams disguised as holidays and other seasonal events with the hope that people think that these scams are just like the other marketing emails that flood their inboxes.  This is true for both Valentine’s Day and tax season.  Below are a few scam emails that illustrate this point based on the subject line and/or the contents of the email.

The subject line of the first email is “Re: Your Amazon Valentine’s Day reward balance is $50.00” and it was sent from AmazonValentinesDay@hefhfv.flatkm.eu.  Remember that “.eu” refers to the European Union and the very strange domain flatkm.eu is not Amazon.com.  The odd text at the bottom of this email actually came from this Yelp Review of the Homestead Steak House on August 2, 2015.

10-Amazon Valentines Day award

The next two scam emails below are both boiler-plate designs used many times by the criminal gang pushing this junk out.  They just rebranded them for Valentine’s Day by using the subject line “Re: Your Macy’s V-Day reward balance is $50.00” and “Exclusive: Your spouse will love an Apple-MacBook Air this V-Day.”  Also, the second email was sent from LG-Valentines-Liquidation@dxcvf.aequiz.eu.  Both emails contain graphics that have been used many times over many months.  Both emails are malicious.

Delete!

11-Macys V-day award

12-V-day gift for your spouse

Tax season is just around the corner so readers can expect to see an increasing number of scams disguised as tax information, tax document requests and tax ads offering products and assistance.  We wrote an article last year titled Tax Scams in Tax Season that speaks to this point.  Check it out!  And check out the scam below that came out recently.  It was registered by someone named Amit from India and is being hosted in Zug, Switzerland.  Sound like they’ll be experts on U.S. tax law?

Delete!

13-Solve your IRS tax debt problems

We want our readers to be extra vigilant when it comes to emails, posts, texts and ads on social media that target a particular season or holiday.  Hidden amongst the crowd of marketing messages will always be some wolves in sheep’s clothing.

FOR YOUR SAFETY: View Document, Your Parcel Has Shipped

We know of a prominent person in an organization who recently had his email account hacked.  The hacker then used his account to send malicious emails to everyone in his contact list.  Though the email said it contained a link to a shared Google Document, a mouse-over revealed that the link pointed to a hacked website called italianhandcraftedfurniture.co.uk.  Look below to see what VirusTotal.com said about this website.

 

 

15-Amy robbed in Philippines

 

15-View Document virustotal scam

Would you have been curious enough to click the attached file in this next email? “Hooray, Your Parcel Has Been Shipped Out, Parcel #942409.”  We hope not.  The attached zip file contains malware.

DEELEETE!

 

16-your parcel has been shipped

 

 

ON THE LIGHTER SIDE: Get Paid for Talking!

Any email with the subject line that includes “Totally Legit” is anything but legit!  That includes this ridiculous claim below… “Get paid for talking.”  But we’re tempted!  Apparently, Kelvin got paid $110 for 5 minutes of work talking to his computer. We spend hours each week talking to our computers but never earn a penny. Maybe it’s time to get paid for our hot air? And a domain name called successhere.date can’t be bad, could it?

17-Get paid for taking -see proof here

Until next week, surf safely!