
January 10, 2018

THE WEEK IN REVIEW

It was a terribly cold and snowy week in New England and it somehow made the scams we saw feel that much worse.  Criminals continue to fraudulently represent legitimate businesses to trick us into clicking their malicious links.  They steal real business logos, graphics, or trademarked materials and send them to us as booby-traps.  So we routinely remind our readers how important it is to mouse-over links before you click them.  If you don’t see the domain name you expect to see, don’t click.  If you think it may be a link to a marketing firm representing the business, look up the domain name in Google to see if it is a legitimate marketing firm.  If it isn’t, if you are not sure or if you are suspicious, don’t click that link!  You can see what we mean if you look at the email below about the Stealth Smart Cam.

Also, we have an important update to people who use Amazon.com or own Apple computer products.  In August of 2017 we first reported on the appearance of fake customer support telephone numbers all over the Internet.  We heard many reports from people who said that the “support” people at the other end had Indian accents and we’ve confirmed this several times ourselves.  We recently discovered and posted thirteen fake Amazon and nineteen fake Apple Computer customer support phone numbers that have appeared online in just the last 4 weeks.  To read more about these landmine phone numbers, visit our articles…

Amazon Customer Support… NOT!

Not Apple Customer Support


Sample Scam Subject Lines:

Amazon New Year’s Reward

Confirmation of Purchase

I think you’ll like this…

Messenger notice

Overdue payment

The 2 girls that received millions on shark tank

We tried calling back

YOU ARE ADVICE TO CONTACT DHL DELIVERY COMPANY FOR YOUR PACKAGE!!!

Your Amazon Gift Card will arrive soon!

Your body wants you to use this discovery

You have a Walmart card waiting to be claimed.

You have rewards (#4082962405) ending tomorrow

Your rewards are ending 1/6

Sample Scam Email Addresses

Amazon <amazon @ yourrewardsrz-DOT-com>

“DHL DELIVERY WORLD”<monitor @ franweb.net-DOT-br>

“FEDERAL BUREAU OF INVESTIGATION”<slimnet @ slimnet.com-DOT-br>

“Home Depot Customer” <home.depot.customer @ wearebackobamas-DOT-com>

“kids airplane games” <kidsairplanegames @ virtualexperience-DOT-club>

“Lower Blood Sugar” <contact @ diabetichealth-DOT-stream>

“Notification Center” <notification_center@youramazion.com>

“Numerologist” <Numerologist@numerologistdotcom.trade>

“Play Now!!” <contact @ proflight4you-DOT-trade>

Samsclubcom <samsclubcom @ newyearlife-DOT-com>

“Sams Club Rewards” <sams-club-rewards @ blueclubgift-DOT-com>

Тhank Υou! Αmazon Ѕurvey <director @ progresstoward-DOT-site>

“Ultra Omega Burn Label” <UltraOmegaBurnLabel @ ultraomegaburns-DOT-cricket>

Phish NETS: DCU

Hard as we tried, we only found two phish in last week’s sea of emails.  Both pretended to be from DCU, Digital Federal Credit Union.  “SUSPICIOUS LOGIN ATTEMPTS PREVENTED” says this email below from mansoft-DOT-com.  If you search Google for mansoft-DOT-com you’ll see many links referring to scams and phishing emails.  We’ve seen these phony DCU emails before as well.  The emails use language meant to pressure you to click the link… “If you don’t’ verify this within the next 48hours, your account(s) may be closed and your balance – plus all interest earned will be lost.”

Yah, yah.  Delete.

YOUR MONEY: Stealth Smart Cam, Amazon & Walmart and Google Award Winners

There is a real product called the Stealth Smart Cam and it is available at stealthsmartcam.com.  However, this next email didn’t come from the real business and isn’t connected to them at all.  Look carefully and you’ll see that this email was sent from the crap domain fdfdesw-DOT-trade, not stealthsmartcam.com.  All links in this email point back to fdfdesw-DOT-trade. This domain was registered to someone named “Daniel Graham” from Livingston, New Jersey on September 24, 2017.  As we sometimes find during a WHOIS look up, Daniel uses an email address with Yandex.com.  Yandex is an email service provider in Russia and Eastern Europe.   Also, interesting to us, if you search Google for the “unsubscribe” address listed at the bottom of this email, you’ll see lots of links from people complaining about spam, scams and even “Russian Beauties.”  Did we mention that the Zulu URL Risk Analyzer identified fdfdesw-DOT-trade  as 100% malicious?

Just delete.

What’s a weekly TDS newsletter without a scam about Amazon, the largest American retailer in history?  We get these by the hundreds every week.  We’re BORED of them!  But we have a responsibility to our readers.  Here’s a peek at a list of 8 scam Amazon emails that hit our honeypot account in just 11 minutes (after 2 fake Walmart emails).

A commonly used tactic by criminal gangs is to register a domain that sounds official or is similar to a real domain, like amznnew-DOT-com.   In 2010, the real Amazon registered the domain AmazonNews.com.  But the bogus domain used in this scam, amznnew-DOT-com, was registered on January 4, 2018 by the scammer “David Free.”

Speaking of David Free, this (likely fictitious) character also registered Wallmarewards-DOT-com used in this next malicious email pretending to be from Walmart. (i.e. Walmart Rewards)
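
The check we keep repeating (does the domain an email was really sent from match the business it claims to be?) can also be run by a script. The Python below is an added example, not part of the original newsletter; the brand-to-domain map and the last sample address are assumptions made for illustration, and the other senders come from the list of scam email addresses earlier in this issue.

```python
import re
import unicodedata

# Assumed brand -> legitimate sender domain map (illustrative, not exhaustive).
BRANDS = {"amazon": "amazon.com", "walmart": "walmart.com", "dhl": "dhl.com",
          "homedepot": "homedepot.com", "samsclub": "samsclub.com"}

FROM_RE = re.compile(r'^\s*[“"]?(?P<name>.*?)[”"]?\s*<(?P<addr>[^>]+)>\s*$')

# From values in the defanged style of the list above; the last is constructed.
SAMPLES = [
    'Amazon <amazon @ yourrewardsrz-DOT-com>',
    '“Home Depot Customer” <home.depot.customer @ wearebackobamas-DOT-com>',
    # Display name written with its Cyrillic and Greek lookalike capitals.
    '\u0422hank \u03a5ou! \u0391mazon \u0405urvey <director @ progresstoward-DOT-site>',
    'Amazon <orders@amazon.com>',
]


def parse_from(header):
    """Split a From value into (display name, local part, domain)."""
    m = FROM_RE.match(header)
    if not m:
        raise ValueError("unparseable From value: %r" % header)
    # Undo the newsletter's defanging only in memory, for comparison.
    addr = m.group("addr").replace(" ", "").replace("-DOT-", ".")
    local, _, domain = addr.rpartition("@")
    return m.group("name").strip(), local, domain.lower()


def scripts(text):
    """Return the set of Unicode scripts used by the letters in text."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}


def check_sender(header):
    """Return a sorted list of warning flags for one From value."""
    name, local, domain = parse_from(header)
    flags = set()
    # Squash punctuation so "Home Depot" and "home.depot" match the brand keys.
    claimed = re.sub(r"[^a-z]", "", (name + local).lower())
    for brand, legit in BRANDS.items():
        if brand in claimed and not (domain == legit or domain.endswith("." + legit)):
            flags.add("brand-mismatch:" + brand)
    if len(scripts(name)) > 1:  # Latin mixed with lookalike letters
        flags.add("mixed-script-display-name")
    return sorted(flags)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_sender(sample), ascii(sample))
```

The third sample slips past the brand keyword match because its "A" is not a Latin letter; only the mixed-script check flags it.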

Here’s something completely new!  This email with subject line “Google Award Winners” came by way of a server in Italy, using a from address at dealer.com.  Apparently, the sender thinks that the U.S. has only one state, Alabama.  It will be immensely clear to you that the sender’s first language is NOT English.

From: “Google Inc” <admin@dealer.com>
Subject: Google Award Winners.
Date: 2018-01-04 11:12PM

600 Dexter Avenue. Montgomery, Alabama. United State Of America.
Winning No: GUK/877/798/2017
Ticket No: GUK/699/33/2017
Notification: December 2017.

GOOGLE ANNIVERSARY WINNING NOTIFICATION

We wish to congratulate you on this note, for being part of our selected winners in our just concluded internal promotion draw this year, this promotion was set-up to encourage the active users of the Google search engine and the Google ancillary services.

Hence we do believe with your winning prize, you will continue to be an active patronage to the Google search engine and services. Google is now the biggest search engine worldwide and in an effort to make sure that it remains the most widely used search engine, we ran an online e-mail beta draw which your email address won Nine Hundred and Fifty Thousand Great British Pounds Sterling (£ 950,000.00). We wish to formally announce to you that you have successfully passed the requirements, statutory obligations, verifications, validations and satisfactory report test conducted for all online winners.

A winning check will be issued in your name by Google Promotion Award; for the sum of Nine Hundred and Fifty Thousand Great British Pounds Sterling (£ 950,000.00) and also a certificate of prize claims will be sent alongside your winning check cashable at any bank.

You are advised to contact the assigned Google Program Administrator/Coordinator with the following details to avoid unnecessary delay and complications:

VERIFICATION AND FUNDS RELEASE FORM

Your Contact Address/Private Email Address
Your Tel/Fax Numbers
Your Nationality/Country
Your Full Name
Occupation/Company
Age/Gender
Ever Won An Online Lottery?
Comments About Google

Jeffrey Dean – Google Senior Fellow (Program Administrator/Coordinator)
Email:googleukdept@zoho.eu
Alternate Email:googl.claimz@gmail.com

Google values your right to privacy! Your information is 100% secured and will be used exclusively for the purpose of this award only.

The Google Promotion Award Team has discovered a huge number of double claims due to winners informing close friends relatives and third parties about their winning and also sharing their pin numbers. As a result of this, these friends try to claim the lottery on behalf of the real winners. The Google Promotion Award Team has reached a decision from its headquarters that any double claim discovered by the Lottery Board will result to the canceling of that particular winning, leading to a loss for both the double claimer and the real winner, as it is taken that the real winner was the informer to the double claimer about the lottery. So you are hereby strongly advised once more to keep your winnings strictly confidential until you claim your prize.

Congratulations from the Staffs & Members of the Google interactive Lotteries Board Commission.

Yours faithfully,
Sundar Pichai
Co-founder and CEO of Google Inc.

TOP STORY: Scam Phone Popups

Last fall we asked a random group of smart phone users if they ever receive random popups or texts on their phones from sources they do not recognize.  More than 90% said yes!  Last week we heard from a young teen who was savvy enough to recognize two recent redirects as very suspicious and sent us screenshots.  The first one, received January 3, appears to be from Facebook but it is a redirect to the domain “satisfaction-survey-DOT-today.” “You have been selected to participate in an survey about your experiences with Facebook.  At the end of the short 30 second survey, you will be offered some exclusive rewards (worth at least $120) for providing us with valuable consumer data.”

   

VirusTotal.com informs us that at least 1 security service has identified this Facebook survey domain (satisfaction-survey-DOT-today) as a phishing scam, though we could not confirm that. The Zulu URL Risk Analyzer calls this link 100% malicious.

Delete!

This next malicious redirect points to the domain x7w4-DOT-pw.  “Congratulations Amazon.com User! You’ve been selected for a chance to get the $1000 Amazon Gift Card, Apple iPhone X 256G or Samsung Galaxy S8!”

A WHOIS lookup says that the domain x7w4-DOT-pw was registered to someone from Australia last November identified as “Cybernate Chris Suffern.”  So far as we can tell, Chris seems like a real person heavily involved in gaming.  We’ve reached out to him for a comment about this domain registered in his name and will let you know what we learn if he replies to us.  A search for this scammy domain in Google shows several other websites complaining about these redirects.  Oddly enough, there is a group of comments on Sporcle.com posted in the last 2 weeks about these and other similar redirects. All feel very scam-like.  To add more to this feeling, while researching this Amazon winner announcement, we found an identical one that refers to a Walmart winner. The English is awkward, increasing our suspicions that this is a scam of foreign origin: “Congratulations Lucky User, you have chance to get a gift!”  It goes on to say that there are only 10 prizes awarded each month and 8 of the 10 have already been given away… Meaning, the pressure is on for you to click that link!

Bottom line?  Apply the “smell test!”  Despite what “Frank Miller” says in the screenshot above, the idea that both Walmart and Amazon happen to be giving away $1000, iPhones or Samsung Galaxy phones to ten lucky winners each month who visit a 3-question survey found on a webserver in Palau (an island located in Micronesia) seems highly suspicious to us and smells bad! (.pw = 2-letter country code for Palau)

FOR YOUR SAFETY: Original Shipping Docs, You Have New Notifications

A business sent us this next screenshot of an email with the subject line “Original Shipping Docs.”  It appears to be from the Maersk shipping company, but it is not.  It is in both English and Chinese.  The recipient is asked to open the attached “shipping documents” but the attached file is a web document, capable of doing a lot of serious damage to your computer.

We advise immediate deletion.

“You have new notifications” says an email sent from a server in Belgium (.be = 2-letter country code for Belgium).  The link for “View info” points to the domain kingcoin-DOT-info, a site that was registered last October by someone from Vietnam, and hosted in Vietnam.  Virustotal.com found at least one AV service saying that this domain hosts malware and the Zulu URL Risk Analyzer calls it 100% malicious.

Point made.


ON THE LIGHTER SIDE: Forgive My Indignation

We absolutely adore her opening line!  It shows such remarkable sensitivity to our complex emotional well-being.  How thoughtful.  And to think that we might be considered a “foreign reliable partner” makes us gush!  We’ve decided to help and be her “rustee.”

from: Sandra Younes <mamg7610885@angel.ocn.ne.jp>
reply-to: tdavalvse@gmail.com
date: Tue, Jan 2, 2018 at 7:01 PM
subject: Re: A cry for help, please don’t ignore!

Good Day,

Forgive my indignation if this message comes to you as a surprise and may offend your personality for contacting you without your prior consent and writing through this channel.

I came across your name and contact on the course of my personal searching when i was searching for a foreign reliable partner. I was assured of your capability and reliability after going true your profile.

I’m (Miss. Sandra) from Benghazi libya, My father of blessed memory by name late General Abdel Fattah Younes who was shot death by Islamist-linked militia within the anti-Gaddafi forces on 28th July, 2011 and after two days later my mother with my two brothers was killed one early morning by the rebels as result of civil war that is going on in my country Libya, then after the burial of my parents, my uncles conspired and sold my father’s properties and left nothing for me. On a faithful morning, I opened my father’s briefcase and discover a document which he has deposited ($6.250M USD) in a bank in a Turkish Bank which has a small branch in Canada with my name as the legitimate/next of kin. Meanwhile i have located the bank,and have also discussed the possiblity of transfering the fund. My father left a clause to the bank that i must introduce a trusted foreign partner who would be my trustee to help me invest this fund; hence the need for your assistance,i request that you be my rustee and assist me in thi

You will also be responsible for the investment and management of the fund for me and also you will help me get a good school where i will further my education.

I agreed to give you 40% of the $6.250M once the transfer is done. this is my true life story, I will be glad to receive your respond soonest for more details to enable us start and champion the transfer less than 14 banking days as i was informed by the bank manager.

Thanks for giving me your attention,

Yours sincerely,
Miss. Sandra Younes


Until next week, surf safely!