
February 22, 2017

THE WEEK IN REVIEW

We are not feeling the love for Russia in the U.S. these days.  For many months federal agencies have been reporting that Russia has been responsible for attacks against our political institutions.  TDS has also seen an increase in the number of threats targeting U.S. citizens that appear to point to Russia as well.  You’ll see evidence of this in the Facebook phish below.  Another example is this ridiculous message that came through a free Russian email service (mail.ru) and landed into the inbox of a school’s online contact form.

“Lose up to 23 pounts of pure body fat in just 3 weeks.” The text offers a shortened link at tinyurl.com.  When we used Unshorten.it to reveal where the link pointed, we discovered that it will send you to a webpage created on Clickbank that was blacklisted for doing something bad.  Nothing good here, people.

Move on!


The Daily Scam is thrilled to inform our readers that Doug at TDS has been invited to speak with News Radio Anchor Deana Kodiak at WKFBK each week for several weeks about online scams and threats.  You can read the first radio spot about the dangers of email hacking at iHeartRadio.com.


Sample Scam Subject Lines:

Become a Driver

Eliminating Joint & Back Pain, Anxiety and Looking Fat

New Universal Fuel Discovered; Saudi Oil Obsolete

Only $4.95 for shipping. This is the sale of a lifetime!

Please claim your Prime Points

Re: Applicants Needed

Revealed: Hitler’s Deathbed Confession

The coolest Mobile-Camera on the planet!

The dow is about to plunge to 6000!

Trump is doomed, get ready

Try our best razor for a buck

Wait! We have a free sample of {brand} for you!

Your Free Coupons Are Enclosed

Sample Scam Email Addresses


 

Phish NETS:  Dangerous W-2 Phishing Scams, Facebook Notifications and USAA Bank

As we get deeper into tax season it’s important for everyone to be skeptical of anyone contacting you or your organization and claiming to represent the IRS or requesting tax information.  On February 2, the IRS published a new article titled Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others.  We recommend reading it and sharing it with the business office of your company or non-profit.  One of the most creative scams on the rise concerns hackers gaining access to the email account of someone high up in an organization.  The hacker then sends an email to the business office to ask for a lot of personal tax information on employees, information that can easily be monetized.

TDS found three bogus Facebook notifications in a short period of time with the subject line “You have notifications pending.”  None of them came from Facebook.com but all of them want you to believe you have friend requests.  A mouse-over of the link “Go To Facebook” points to a website in Russia called homepilleshop-dot-ru.

We asked VirusTotal.com to check out the link and, as you would expect, it ain’t good!

Both of the other two Facebook phonies contained links pointing to privateherbgroup-dot-ru (Russia again).

Delete!

Check out this “Credit Alert Notification” sent from Safeguard @MailSender.com.  Can you spot the four grammatical and capital letter errors in the email, including “ff”?  A search for the domain “mailsender.com” shows many phishing fraud alerts in Google.  A mouse-over of the link “Approve Your Payment” reveals that it points to a website called stormofmoneyptc-dot-com, not USAA Bank.  And be sure to take a look in the upper right corner of the email to see that this email concerns “USAA # ending in: – XXXX.”  That, in and of itself, should reveal this as fraudulent.

YOUR MONEY: Milestone Gold Mastercard, CVS Rewards/Pharmacy, and Warning from Amazon

“Get the Gold MasterCard from Milestone”  “Accepted at over 35 Million Locations Worldwide!” This credit card offer looks completely legitimate, except for the fact that it came from the oddball email address highchair @jaxfish9.win and the links point back to the same domain jaxfish9.win.  This domain was registered just hours before the email was sent by someone identified as “Lilly Dranger” from Lake Mary, Florida.

Delete!

We found two malicious emails disguised to look like CVS promotions sent just an hour apart.  First was this offer from CVS Pharmacy for a $50 gift card.  The domain ttreat3.stream was registered by the bogus company Streaming Partners.  We’ve written about Streaming Partners in both of the last 2 newsletters.  The company is fake and its address in Florida doesn’t exist.

The second email for “CVS Rewards” came from the domain voticalf.com.  Like the above email, it was sent within hours of the registration of the domain. None of this has anything to do with CVS or any legitimate marketing firm trying to promote CVS.  Notice the random text at the bottom of the email.

Finally is this bogus warning from Amazon… “Please check your billing address and payment within hours or your account will be removed permanently.”  Can you figure out what country this email came from?  The 2-letter country code in the from address is .br.  The link for “Update Now” points to a shortened link on the bit.ly service.  We used Urlex.org to unshorten this link and found that it will send you to a hotel website in Kharkiv, Ukraine (about 25 miles from the Russian border) called style-hotel.com.ua.  The website is in Russian.

“.br” = Brazil
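The three checks this newsletter keeps applying (does the link text match where the link really goes, does it hide behind a shortener, and what country code is in the sender’s address) can be automated.  The Python below is an added example, not code from The Daily Scam; the sample email and the brand domain amazon.com are constructed to mirror the Amazon warning above, and the shortener list is an assumption.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short list of URL shorteners that hide a link's real destination
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

class LinkCollector(HTMLParser):
    """Collect (link text, href) pairs: the same thing a mouse-over shows."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def belongs_to(host, brand):
    # "evilamazon.com" must NOT count as amazon.com, so require an exact or dotted match
    return host == brand or host.endswith("." + brand)

def review_email(from_header, html_body, brand):
    """Return findings for an email that claims to come from the given brand domain."""
    findings = []
    _, addr = parseaddr(from_header)
    sender_host = addr.rsplit("@", 1)[-1].lower()
    tld = sender_host.rsplit(".", 1)[-1]
    if len(tld) == 2 and not belongs_to(sender_host, brand):   # 2-letter country code
        findings.append(f"sender {sender_host} is under country code .{tld}, not {brand}")
    parser = LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if ".".join(host.split(".")[-2:]) in SHORTENERS:
            findings.append(f"'{text}' goes through shortener {host}; unshorten it first")
        elif not belongs_to(host, brand):
            findings.append(f"'{text}' points to {host}, not {brand}")
    return findings

# Constructed sample modelled on the fake Amazon warning (not the real email)
SAMPLE_FROM = "Amazon Billing <alerts@example-mail.com.br>"
SAMPLE_HTML = ('<p>Please check your billing address and payment within hours.</p>'
               '<a href="https://bit.ly/3xample">Update Now</a> '
               '<a href="https://www.amazon.com/help">Help</a>')

def demo():
    return review_email(SAMPLE_FROM, SAMPLE_HTML, "amazon.com")
```

The registration-age test the newsletter also relies on (a domain registered hours before the email was sent) needs a live WHOIS lookup and is deliberately left out of this offline example.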

TOP STORY: Political Roller coaster Masks Criminal Intent

At a recent town hall meeting with their Republican Congressman, a citizen complained loudly.  He described President Trump’s first month in office by saying “I feel like I’m in a car with a drunk driver at the wheel.”  This political roller coaster ride we find ourselves on is also being used as a weapon against us.  Criminal gangs are stoking these fires by dispensing provocative FAKE news as a means to infect computers.  Here are just three examples that should not be believed, nor clicked!

“We voted AGAINST her lies. But now she’s plotting one final devastation…  Will this be Crooked Hillary’s secret revenge?”  This email came from, and links point back to, the domain studyoutstate.gdn.  This oddball domain was registered on July 3 of 2016 to some organization called Ghetto Vets and is being hosted in Hessen, Germany.  The registrant’s address is listed as 2746 Seabreeze Blvd, in Panama City, Florida.  But Google cannot find any address numbers on Seabreeze Blvd beyond the hundreds.  Also, Google cannot find anything at all about an organization called Ghetto Vets from Florida… except for a few scam domains registered to them.  To Google, this registrant doesn’t exist.  Look how cleverly the content urges the reader to click the link as soon as possible… “CAUTION: This presentation contains controversial information about the 2016 election and could be taken down at any moment.”

Just delete!

“TRUMP: Has he crossed the line?” “Speaking before a packed auditorium Donald Trump shocked the audience as they stuggled to beleive…”  (Notice the misspelling of “believe”)  At the bottom of the email was a large black box.  Experience informs us that we’ll find hidden text in the box meant to fool anti-spam filters into thinking the email is legitimate.  We weren’t disappointed.

The email came from, and link points back to, a funny domain called “kproblemo.date.”  Anyone with Spanish skills will recognize the somewhat clever transliteration and translation… kproblemo = “que problemo” = “What a problem” in English.  This domain was registered on the day this email was sent. Kproblemo.date was registered to “kishore” from Uttar Pradesh, India.  Does any of this sound the least bit legitimate?  ‘nuf said?

And finally, “The New Trump Economy (it’s not what you think)”  While the stock markets are doing well, this crazy email offers interviews predicting the Dow will hit 50,000!  There are many ways we can expose this fraud but the simplest way is to focus on the scam address in Grandville, Michigan.  In 2016 we reported how badly a criminal gang has been misusing this mail drop in Grandville.  Not only will you see this scam address in the unsubscribe message at the bottom of the email… 2885 Sandford Ave. in Grandville, MI… but you’ll also see it listed as the address of the person who registered this domain with Enom.com.  Check out this WHOIS listing and you’ll see what we mean.

And then delete.

FOR YOUR SAFETY:  Your Flash Player, You Have a Message, Payment Request and Your Order Has Been Cancelled

“WARNING! Your flash player is out of date. Please install update to continue.” Criminals demonstrate a wide variety of tricks to manipulate you into a computer infection.  A common trick is a pop-up to inform you that one of your software applications isn’t up-to-date.  You’re asked to install the update offered to you.  These malicious installs are very dangerous!  Check out this pop-up sent to us from a reader who tried to watch a pirated video from an illegal website.  Notice that he was not given a choice to say “no” or “cancel.”  He dodged this bullet by force-quitting his browser.  Look carefully at the domain in the address field and locate the 2-letter country code.  Can you guess the country that our reader was directed to for this malware trick?

“.pw” is for Palau, an archipelago of islands in Micronesia

“Hello You have a message from Jacquelyn Phan. Click here to view and download.”  We suspect that poor Jacquelyn’s email account was hacked and misused.  The link points to malicious content on the website high-rollerz-dot-com.

Deeeleete!

This very clever bomb-shell says that “we got this from billing@YOURDOMAIN” leaving the recipient to think that someone from their company had sent it.  The link for the invoice points to malware on a webserver in Brazil.


“Your order has been canceled. Your credit card is invalid.”  This would certainly get our attention, if it were true.  The email doesn’t identify the recipient by name or the credit card, or anything else for that matter.  But the attached zip file contains malware.

Delete!


ON THE LIGHTER SIDE: My Dear Beloved One

Any email that starts with “My Dear Beloved One” had better come from our wives or our mothers or we’re in big trouble!  But poor Grace Lee doesn’t have much time left on this earth, so maybe we’ll go ahead and be her “God fearing someone” and collect her money.

From:  postmaster@infoplus-events.com
Time:  2017-02-13 23:13:52
Subject:  Happy New Week,

My Dear Beloved One,

I am Mrs.Grace Lee and I am 58 years old, I am dropping this short message from my sick bed after been diagnosed from a long time cancer of the breast.

From all indication my condition is really deteriorating, and my doctor has courageously advised that I may not live beyond the next two months; this is because the Seriousness of the cancer has reached a critical stage.

I am looking for a trust and God fearing someone to confide on, a deposited funds and Gold my late husband left with the Bank here into your care.

Please respond to me if you will promise to see that my last wish is been accomplish to the Glory of God and humanity.

Remain Bless,
Mrs.Grace Lee

Until next week, surf safely!