Please support our effort by making a small donation. Thank you!

x

February 8, 2017

THE WEEK IN REVIEW

Internet criminals are taking full advantage of the political polarity in the United States to target Americans.  During the past week we saw dozens of malicious emails disguised to look like some shocking, revealing, or embarrassing content about Hillary Clinton’s response to Donald Trump’s first days in office.  Check out this sample with the subject line “Hillary EMBARRASSED in leaked tape (watch here).”  This email was sent from, and all links point back to, the domain pandastoryl.gdn.  There no information available via Google about this website.  A WHOIS lookup of pandastoryl.gdn shows that it was registered by a company called Streaming Partners, located on 136 Grand Central Drive, Daytona Beach, Florida 32124.  According to Google, neither this address nor the company exist.  Check out the list below to see the subject lines of just a few of these malicious emails disguised as stuff about Hillary Clinton.

 

 

Last week our top story was about hackers using people’s personal email accounts as weapons against others.  The trend continues, such as this email “bullet” from a hacked account.  Also, the Docusign phish in this week’s Phish Net column came from a gentleman’s hacked AOL account.


Sample Scam Subject Lines:

Alert: Limited Trump Coin Offer

Boast your Trump support with THIS!

Break this bad bathroom habit

DON’T IGNORE THIS

Good hearted asian-woman looking for an honest loving man!

In 1944, an experiment was done in this Nazi medical center

OPEN – This proves everyone was wrong!

Penny Pot Stocks Set to Explode NOW!

Shipping Delayed – Confirm address

Status of your UPS delivery ID:002069684

The #1 Heart Attack Myth That Will Cost You Your Life

THIS Is How You Celebrate A Trump Victory!

Uh-oh, your prescription is expiring

Sample Scam Email Addresses

3_Day_Blinds@radish.shapedd.us

Airfare-Upgrades@protect.unplugk.us

apparels@althoughtoe.win

bestsellers@butini.win

constitutionalist@whetherfori.win

hoosierizes@thoughona.win

impulsions@whetherbyi.win

Nutrisystem.Partner@ghost.planynq.us

OnlineRoofingDeals@telephone.llswise.us

presidential.news-[YOUR EMAIL]@whenitpours.com

Relax-and-Sleep@scream.fundedm.us

trump.breaking.news-[YOUR EMAIL]@whenitpours.com

Vineyard_Elite@look.liveljh.us

 

Phish NETS:  Docusign, Google, and Blackboard Accounts

We spoke to the owner of this AOL account just moments after the hacker sent out these phishing emails.  He had no idea his account had been hacked and was misused.  Having your email account hacked is one of the most risky and upsetting things that can happen to your digital life.  (Read our article on how to recover from a hacked email account.)

A mouse-over of the link “View Document” does not send you to DocuSign, but to a newly registered domain called clearoad7.org.  The site looks exactly like DocuSign!   Logging in with your DocuSign credentials will hand over your keys to the criminals.

Nasty trick.

This next phish was extremely well crafted! The email came from a Gmail account and appears to contain a familiar image you might see in your Google Docs account.  The name of the linked image suggests it is an invoice or statement in pdf form.  But the link points to a shortened link made using the shortening service bit.ly, instead of pointing to Google.com.

We had trouble unshortening that link.  Eventually we found that urlex.org could do it, but urlex.org immediately gave us a warning about the unshortened link.  It turns out that the shortened link directs the visitor to a web page on a site in Russia called myjino.ru.

Being curious about that destination, we used Screenshot Machine to visit the site and take a picture for us.  This is what it found waiting in Russia…  It may look like Google but, believe us, this ain’t Google.

A very, very BIG Deeeeeleeeete!

Ever heard of Blackboard? It is an online learning community used at many colleges, universities, and high schools, as well as businesses.  Apparently, criminals think it is important enough to try to steal account information from Blackboard users.  We found this rotten phish pretending to be a document for students from “Your Faculty.”  The link leads to the hacked website called sparkedimagination.com.  We used a page peeker to follow the link and, sure enough, it looks like a Blackboard login, but it isn’t.  Delete!

YOUR MONEY: Tire Coupons, Warranty Expiration Notice, and Explore Window Blind Choices

“New tires can be a worthwhile investment (Tire coupons)”  While this may be true, don’t believe that these coupons will get you the discount you hope for.  The email was sent from the domain chanodo.us. Someone named “Despina Tran” from Edmonton, Canada registered this domain on the day the email was sent, a sure indicator of a scam domain.  Also, note the hidden white text at the bottom of the email.  The hidden text came from a Yelp review of a restaurant called “Tap & Vine” in Wallingford, Ct.  Apparently the scammers love to eat because they often grab Yelp reviews to hide at the bottom of their emails.  We hope they choke on their food.

And while we’re talking about cars, how about this Warranty Expiration Notice, ALERT #99201702.  “Your auto warranty from your manufacture will expire soon.  You will be responsible for repairs and you will pay full price….”   The links point to the domain genergy2.loan.  You know the drill.  You can probably recite it as well as we can… The domain was registered the day the email was sent.  This domain was registered to a “WILL AARP” from an organization called “Brian Trust, LLC” at 4383 Martha Ellen Drive, Stagecoach, Nevada.  Google finds no such business and no such address on a map either.

Delete.

“Discover the benefits of blinds” says an email from Cellular_Blinds @color.qthreat.us.  Actually, if you take the time to read the extensive description underneath the picture, it will make you smile.  English is clearly not the scammer’s first language.  Our dearly departed sixth grade English teacher would be rolling her eyes at the errors!  But the scammer tries really hard to convince you of the value of searching for new blinds.  They really put their heart into it and, for that, we applaud their effort.  The domain qthreat.us was registered by someone named “Correy Jolly” from Madrid, Spain on the day the email was sent, blah, blah, blah.

Now delete.

TOP STORY: Turning Amazon’s Popularity Against You

There is no denying that Amazon is a commercial behemoth in the world and criminal gangs understand this too.  Our guess is that millions of Americans have made purchases from Amazon, stream video through their Prime account, or at least look up the price or availability of something on it.  So we weren’t all that surprised to see hundreds of fake emails recently from a variety of bogus addresses looking like Amazon promotions.  They pretended to be about Amazon Prime points, Amazon gift cards and Amazon notices thanking visitors for searching or shopping at Amazon.  Have a careful look at this list of emails that hit one server in just a 26 hour period.

Let’s take a closer look at three of these emails… “Thank you for shopping with us in 2016 – Gift Card” says an email from brigade @wombatothersr.gdn.  Wombat other sr??  What? Like “wombat other, senior?  “Hello, Amazon would like to thank you. Get this gift card today.”  RESIST that urge to click!  Look at the sender’s address!  It makes no sense.  Neither does the link revealed when you mouse-over Get My Gift Card.  We were surprised to see that the domain wombatothersr.gdn was registered by the fake company Streaming Partners using the same address-that-doesn’t-exist.  Amazon, this ain’t!

 

Or this pitch from the domain beeweeke.gdn using the subject line “Your Amazon rewards.”  “Hello, You can redeem your $100 gift card to your account for future orders by visiting this link.”  Both “LINK HERE” and “Your Account” point back to the domain beeweeke.gdn.  Take a wild guess who registered this bogus domain.  That’s right, our new friends at Streaming Partners in I-Don’t-Exist, Florida.

And finally, we have this email from aimed @judget.win with the subject line “Your Amazon Prime February points are updated.”  The text in the email is very similar to the text above.  But judget.win was registered on the day the email was sent by a Nicholas P. Baez from Torrence, California.  The domain is being hosted in Baden, Germany.  Does any of this sound like Amazon yet?

So the next time you get an unsolicited email from Amazon, please look carefully at both the sender’s address and what is revealed when you mouse-over the links.  And if you are looking to review your mouse-over skills, check out our articles…

http://thedailyscam.com/mouse-over-skills/ (video)

http://thedailyscam.com/articles/mouse-over-skill/

http://www.thedailyscam.com/mouse-over-skills-on-i-devices/

FOR YOUR SAFETY:  You Received A New eFax and Click Here to View Message

We’ve seen this malicious email many times before but this one is so convincing and detailed that one could easily be fooled by it.  It needs another look because it is still being used to target people.  “You received a new eFax from…” and the from address is correctly spoofed to be from the real efax.com.  Thankfully, mousing-over reveals the fraud.  The link in this email points to a server in Brazil.

Now delete.

This email, sent from an AOL account, seems innocent enough but that link is deadly.  A mouse-over reveals that it points to a server in France called “free.fr” but that’s not the endpoint.  The Zulu URL Risk Analyzer doesn’t identify this server as harmful but does identify that there is a redirect waiting on the server.  The redirect will forward you to another domain called brainhotshop-dot-com and that second domain is deadly!

ON THE LIGHTER SIDE: U.S. INTERNATIONAL MONITORING FUND AGENCY

The lovely letter that follows was submitted to us by a TDS reader named Sherrill and we’re grateful.  Apparently, Mr. Napolitano was appointed to his lofty postion when Donald Trump took office.  Mr. Napolitano is the “Supp” of the International Monitoring Fund Agency of America.  We wondered what a “Supp” is.  As in “What’s up?”  But we were intrigued, and we think you will be too!  His email must be important because he capitalizes nearly every word and manages to name nearly 20 countries or geographical regions.  We can see he’s trying really hard to convince you he’s the real deal.  And so, to honor America’s Supp, we present his heartfelt letter instructing us to wire him $55 so he can send us a box containing more than $5 million dollars. You can’t make this stuff up people.  Enjoy!

 


NAPOLITANO SHULLMAN
U.S. INTERNATIONAL MONITORING FUND AGENCY,
MG Timothy J. Lowenberg, Adjutant General and Director State Military
Department Washington Military Dept., Bldg1 Camp Murry, Wash 98430-5000 USA.

Good Day To You:

I Hope This Mail Finds You In Good Spirit And In Good Health? Because I Am Quite Aware Of Your Losses In The Past Years Now through this security office intelligent track devices, It May Surprise You That I Am Also Aware Of Your Consignment Boxes Pursuit In Benin, Ghana, Togo, Nigeria, Spain, France, Malaysia, Indonesia, China, Korea and etc . My Name Is Supp. Shullman Napolitano,The International Monitoring Fund Agency Of America , Am In Charge To Monitor All Foreign Transactions In Africa Europe And Asia and this kept me in constantly travelling round the world.

I Have Been In The International Monitoring Fund Agency Of America Now Since The Government Of President Donald Trump, Monitoring The Various Transactions Going On In Africa, Europe And Asia, Most Especially Consignments Cases, A.T.M Card Cases And Bank Transfer. I Do Not Intend To Spoil Your Day Or To Put You Under Duress. But You Can Not Receive Any Of Your Consignments Boxes, A.T.M Card Cases And Bank Transfer  Pursuit, Without A Clearance From The U.S International Monitoring Fund Agency. However, Upon My Arrival In Benin Republic After Series Of Meetings With Our President Donald Trump And United Nations Secretary General Ban Ki-Moon, Due To Numerous Complains From Other Security Agencies From Africa Asia, Europe, Oceania, Antarctica,South America And The United States Of America Respectively, Against The Benin Government And Nigeria Over The Rate Of Scam/Fraudulent Activities Going On In This Countries And Africa. When I Arrive In The Benin Parliament In Cotonou and going through all cases of unpaid funds, I Found Your Consignment Box Clearance File Lying On The Foreign Affair Office Desk Without Any Attention On A Through Scrutiny I Discovered That Your Consignment Have Been Abandoned By Your Delivery Agent. Meanwhile, I Was Made To Understand That They Have Try To Reach You, But No Way And They Have Made Several Attempts To Contact Your Delivery Agent But To No Avail.

To My Greatest Surprise, During My Recent Routine Re-Checking, I Personally Discovered That Your Consignment Content Declaration Documents Stated That Your Consignment Contains Personal Effects Meanwhile, It Contains United States Dollar Bills Worth Over Us$5 Million Dollars, Which Made It Impossible For The Consignment To Be Delivered To You Earlier Before Now.

Based On This Personal Discovery, I Am Contacting You Now To Let You Know That With My Position And Power As The Secretary Of U.S International Monitoring Fund Agency, I Can Assist You To Legally Clear Your Consignment Fund, But You Must Agree With The Following Conditions. Because I Have Called Our Office In Washington,Dc From Benin, Who Has Been Intercepting All Your Telephone Calls, With The Help Of Mtn, Tigo Vodafone And Airtel Network Benin.

I Also Received Some Information From Our Homeland Security Office In Benin Republic, About Your Emails, That You Have Been Dealing And Sending Money To Peoples In Benin Ghana South Africa Togo Benin And Nigeria , Who Claims To Be The Western Union Director. You Are Also Dealing With A Bank, And Other Names Which I Am Still Waiting To Be Forwarded To Me From Our Office In Washington,Dc. My office authority Have Monitored All Your Dealings With This Hoodlum.

You Are Advice To Hence Fort Stop Further Dealings With All The Above Mentioned People, Until We Complete Our Investigation. Because Your Dealing With Them Is Termed As Illegal Transaction. I Wish To Inform  You That We The Homeland Security Is On Look Out For All The Above Mentioned Name, Mostly Those Who Claims To Be The Director Of West African Debt Western Union And Money Gram And A.T.M Card offices and including the Property Recovery Benin. All This Mentioned People Are Impostor, And We Intend To Apprehend Them Soon.

I Want You To Please Stop Communicating, And Dealing With Them Until We Complete Our Investigation. I Wish To Notify You About The Latest Development Concerning Your Box Of Consignment That Was Already been Handed Over To Me today After The Meeting Held Between Me And Some Of The Top Parliament Members Of Benin And The Foreign Affair Minister In The Benin Capital Headquarters Cotonou, Due To The Delay For You Not To Have Received Your Consignment Box For Long Time Now.

Accordingly, We Have Waived Away All Your Consignment Box Clearance Fees And Authorized The Government Of Benin Republic To Allow Me Fly With This Your Approved Consignment Box To You Without Any Delay Which They Have Agreed. The Only Fee You Will Pay To Confirm Your Consignment Box Received In Your Possession Is The Air Flight Weight Fee Of Your Consignment Box Which Is Sum Of $55.00 Only.

In Order Words Your Box Is With Me Now And I Shall Be Coming To Your Country As Soon As you sent me your below shipping details where you will want your consignment be deliver to you.

Your Full Name:………
Your Full Address:……
Your Direct Telephone Numbers:………….

Preferably, you can send us your Mobile Phone number to enable an urgent contact with you hence the arrival in your city. Hence I Hear From you also with The MTCN Numbers to receive the Air Flight Weight Fee Of Your Consignment Box Which Is Sum Of $55.00 Only, Then, I Will Be Coming Along With Your Box Of Consignment,But Remember That As The Secretary Of The International Monitoring Fund Agency United States Of America, I Am A Us Government Security Agent And I Have The Power To Go Through Any Airport Customs Without Inspecting What I Carry Along.

And As Soon As I Arrive In Your State I Will Give You A Phone Call For You To Give Me Direction To Your Home Address So That We Can Meet Face To Face And Hand Over Your Box To You Before Proceeding Back To The States.

As Soon As I Arrive I Shall Call You On Your Telephone Number Then Meet You In Person And Hand Over Your Consignment Box To You Before I Return Back To Washington Dc.

I Have Taken This Assignment Upon Myself Because I Understand That You Have Really Paid So Much On The Cost Of Delivery, But Nothing Was Received By You. So Be Advice To Contact Me Immediately You Get This Email Now Because Every Thing Has Been Done Ok. This Is Directly From Our President Donald Trump.

Once You Send The Money, Try To Notify Me With The Mtcn For Easy Pick Up And For Immediate Action On The Delivery Of Your Consignment Box,For You To Receive Your Inherited Funds Without Any Further Delay Again . Since You Was Unable To Receive It Since .

Send The Fee ViaWestern Union or Money Gram Money Transfer.
Receiver’s Name:….Marcel Nwachi
Country:. . . . . . . . . .Benin Republic
City:. . . . . . . . . . . . Cotonou
Amount:. . . . . . . . . . . . . . . .$55.00
Question:. . . . . . . . Urgent
Answer:. . . . . . .Today
Mtcn:. . . . . . . . . .
Sender’s Name . . . .
Sender’s Address. . .

As Soon As You Send The Fee Make Sure You Send Me The Payment Information.Once You Send The Money, Try To Notify Me With The Mtcn For Confirmation And For Immediate Action On The Handling Over Of Your Fund To You.Also You Are To Forward To Us Any Mail That You Have Been Receiving From People For Proper Verification And Investigation Before You Deal With Them Okay.

I Have A Very Limited Time To Stay Here So I Would Like You To Urgently Respond To This Message With The Payment , My Dear, This Is The Opportunity For You And Have To Comply And Your Box Shall Be Deliver To Your Designated Address.But Remember That After (3 Days) You Did Not Make The Payment Then I Will Divert Your Funds To Us Government Fund Or Benin Government Treasury. Please Treat This As Matter Of Urgency.

Sincerely Yours,
SUPP. INTELLIGENCY GENERAL,NAPOLITANO SHULLMAN
Email:(imf9856@gmail.com)
From The U.S International Monitoring Fund Agency.

 

Until next week, surf safely!