Please support our effort by making a small donation. Thank you!

x

February 6, 2019

THE WEEK IN REVIEW

On January 23 we wrote about the rise of sextortion, including the fact that we had personally received multiple emails from a hacker who threatened to publicly release a video about us that we knew couldn’t possibly exist.  Since then we’ve heard similar stories from a few other readers. One reader sent us this email he received through his architectural firm’s email. These continue to be very similar to the scam threats we reported in our summer, 2018 article Sextortion By Email.  They are all scams sent via email by the thousands.  This particular threat below begins with the sender trying to convince you that he has hacked your email account.  His proof is that this email appears to be sent FROM the account of the person receiving it! Don’t ever fall for this malarky!  It is child’s play for any decent cybercriminal to “spoof” an email address. They can make it look like it comes from anyone, anywhere in the world!  It proves nothing. This scam depends on reaching a few gullible people whose circumstances loosely fit the description in the email. At least the extortionist we heard from a couple of weeks ago granted us 72 hours to come up with the money!

 

Have you ever visited a website that allows visitors or registered users to enter comments?  All of these websites have to deal with malicious comment spam!  This is one of the reasons we don’t allow comments on our blog. (This comment spam came from a school’s blog.)  Considering our content and purpose, we would have to deal with a deluge of malicious comment spam every week. If you look carefully at the messages you’ll see that they are so broadly written that they could be sent to any blogger about any site content, and that the sender’s first language is not likely English.  Though each of the five came from a different email address over a 32 hour period, they all claim to be authored by the same name. Malicious comment spam usually includes a link to a website hosting malware, waiting like a landmine to be clicked on. However, we can’t seem to find the website listed in this particular set of spam and a WHOIS lookup tells us it was never registered as of February 1, 2019.  We still believe it is malicious. Conducting a Google search for that website shows us that a comment spammer has posted hundreds of links to it from dozens of blogs around the Internet. (see graphic below) Lesson here is simple… If you see people’s comments on a web page to include links to other sites, be VERY CAREFUL about clicking them!

 

 


Phish NETS: Chase Bank and Apple ID

Vade Secure is an email protection service (with whom we have no affiliation).  This service puts out quarterly “top 25” lists of the most phished businesses, which you can see written about for the 3rd quarter of 2018 on Komando.com.  Though Vade Secure states that Microsoft claims the top spot as the most phished company during the third quarter of 2018, we couldn’t help but notice that Chase Bank has seen a 352% increase in phishing scams since the previous quarter!  This spike is certainly confirmed by the phishing emails we collect or are sent to us by our readers! Chase occupies the #7 spot of the Vade Secure top 25. Here is one such phish sent to us by a TDS reader. The domain following the “@” symbol is clearly not chase.com and the link “Verify Account” points to a link-shortening service at ow.ly.

A big fat deeeeleeeete!

Apple Computer most recently occupies the #14 spot of the top 25 phishing list.  This was also sent to us by a TDS reader, but without verification where the link “Learn More” points to. (“click here” had no link associated with it.)  However, we’re certain it is a phish because the email came from the domain apple-support[.]org. We reported on this EXACT SAME PHISHING EMAIL in our Top Story on November 14, 2018! The domain was registered last September by someone named “maharot” from the Philippines, where the Filipino language is “Tagalog.”  According to an online Tagalog dictionary, “maharot” means “unladylike” behavior.  On that, we can agree! Does this sound like Apple Support to you?

 

YOUR MONEY:  Amazon Order Scheduled and Make Money

We’ll be the first to point out that there is a lot we don’t know or understand about the threats we see online, though we are confident they are fraudulent or at least highly suspicious.   This next email is a perfect example of this. It wreaks of fraud, but we’re not sure how the senders gain something from their effort. “Your Order From AMAZON was Scheduled” is simply not true!  Nor did the email come from Amazon.com, or any of its affiliates. Nor is the order number a typical Amazon order number. No shipping company name is identified. And you’ll notice that the email came from “Gmayl[.]com!”

Clicking either of the buttons, “Delivered” or “Not Delivered,” serves the same purpose by opening your local email program and addressing an email back to a collection of oddball email addresses, including one at USA Today.  Is this meant to collect the emails of gullible people? Is it meant to open a line of communication with a scammer? We don’t know, and frankly, we don’t give a damn.

Just delete!

“Neda Gelber” tells us our “clock is ticking.”  “There are limited vacancies. Got that?” If we want to learn how to make some simple money we had better click her link to “Learn how.”  But hold on! We recognize a link-shortening service when we see one! That link to goo.gl is going to send us somewhere else in the world.  But where?

Our favorite unshortening service tells us that we’ll be redirected to a website we know well!  It’s called kayolly[.]online and we’ve written about it before.  You’ll want to stay as far away from that website as possible.  The screenshot below from Virustotal.com says it all!

TOP STORY: Free, Absurd, Illegal, and Popular… Clickbait

Arguably, everything we write about is a form of clickbait, meant to trick the recipient into clicking a malicious link that ultimately results in the financial gain of cybercriminals.  However, when you look at thousands of such emails, texts, websites and social media ads every year you see that the criminals will often favor certain types of landmines in their effort to target us.  It makes the most sense that criminals would favor those types of clickbait traps that are most successful at engineering a click. First on this list is to offer something for “free” or at a tremendously reduced price like 80% off.  And hence, born was the expression “if it seems too good to be true.” We all need to keep a healthy dose of skepticism and apply a more critical eye when we see things like this email.

“Winner N15989 please confirm.”  “Get one year of Netflix free.” The FROM address appears as “You are a Winner” but the domain is from Walgreens.  Mousing over the link in the email shows that it points to the domain svel[.]to.  This domain was registered through a service in Dublin, Ireland.  And that address for Mechanicsburg, Pennsylvania at the bottom of the email is a UPS Store!  Does any of this make any sense?  Clickbait.

After “free” we have “absurd.”  Cybercriminals make the most outrageous or ridiculous claims to raise eyebrows.  The idea is to create a landmine so illogical or inappropriate that people will click just to satisfy their curiosity, like this recent email.  “How To Start A Fire By Using… Your Pee.” (Criminals often target “survivalists” and conspiracy theorists as gullible and easy targets.) This email, which says “you know me. I’m always on the lookout for unorthodox survival methods” comes from the domain bushcrrafting[.]us. (You spotted the double “r” right?)  According to Wikipedia, “bushcraft” is a term that refers to wilderness survival skills.  This misspelled domain was on purpose. It was registered on the very same day this email was sent, by someone named “nitin lowanshi” from Jabalpur, India.   The age of this domain, and registration by someone from India SCREAMS out how very malicious these links are likely to be.

Another type of clickbait often used to trick us are ads for something that is illegal or barely legal such as the online purchase of CBD oil, extracted from Cannabis plants.  This ad focuses on the many benefits that CBD oil is alleged to have. But that isn’t the point! All links in this email point to a website that, by name, makes no sense: travelfashion[.]info.  Google finds no such website and a WHOIS lookup shows that it was also registered just a few days before this email was received.  That is NEVER a good sign! In addition, a visit to this travel website brought up a screen for PC Linux repair in which the visitor is asked to download and install a file, another RED FLAG!  (VirusTotal.com has at least one service who has identified this domain as malicious.)

And finally, in the long list of most popular clickbait themes used by criminals is “popular” itself!  Cybercriminals have a long history of focusing on pop culture as a way to entrap victims. Scambusters wrote an interesting article titled “The Celebrity Names Most Likely to Trick You” which illustrates this point.  Here is a different example. Shark Tank is very popular and has been used for years by cybercriminals to entice people to click malicious links.  This email claims to be about a product to help people “drop unwanted body fat.” (Another popular topic used as clickbait!) You’ll find hidden white text underneath the graphic in this email.  It is meant to try to fool anti-spam servers that this email is legit. Fat chance! (pun intended) This email came from, and links point back to keduse[.]info.  Just like the above emails, that domain was registered just a few days before this email was sent and the screenshot of this website displayed by the WHOIS on the day we visited it showed Alec Baldwin in court and the website title was listed as “CBS Local” news.  Clickbait for certain!

So the next time you see that something online is free, absurd, illegal or popular, don’t assume it is real or safe!  Look with a more critical eye!

FOR YOUR SAFETY: View My PO on LInkedIn and You Have a Package

One of our readers sent us this email.  It wants you to believe it came through LinkedIn and is a quote for an order from a trade and services company.  However, none of that is true! Can you find the 2-letter country code buried in that FROM email address? This email was sent from a server in Brazil and the link points to a server in Mali! EIGHT online services found that website in Mali as malicious!

 

 

 

And finally this week, we leave you with an email pretending to be a delivery notice from DHL.com.  Except that the email didn’t come from DHL.com and the links don’t point back to DHL.com! The only thing on its way to you is malware if you “click here to see an invoice.”

 

 


Until next week, surf safely!