Please support our effort by making a small donation. Thank you!

x

January 13, 2016

THE WEEK IN REVIEW

Is it just us?  The past week has been quieter than usual and we’re not sure why.  From our perspective the volume of scams and malicious emails is down by about a third.  For many weeks we have reported on a scampaign of very effective short emails with attached malware, disguised as eFaxes, attached invoices, resumés and such.  This scampaign has stopped so far as we see.  We didn’t even find a single phishing attack!  Not even the USAA Bank phish that was rampant for weeks!  We would love to report that “our job is done” but alas, as you’ll see below, there was still a downpour, if not a deluge.

Sample Scam Subject Lines:

Alert: Married but lonely wives are online looking for a date

Ending Soon: Your Amazon 50 2016 customer appreciation reward expires 08Jan2016

Grand Canyon tour discounts

Hi! Look at my hot photos please 😉

High speed internet

Last Chance: You have one more gift to open from CVS

Plan for the future with your will

Re: How Hillary will protect you from ISIS

Re: Tired of feeling sluggish after eating?

Re: You have been selected for a $50 Kohl’s 2016 voucher

Save on Patio furniture Today!

Send and receive Faxes Through email…

Today only: Macy’s $50 2016 voucher

Sample Scam Email Addresses:

AlaskaVacations@butteredfridae.download

Amazon-New-Years-Reward@fanklr.exceedopinion.win

BackPainTreatments@chubed.top

birthcontrol@trutable.date

CarInsurance@readilly.download

ConstitutionalProtectionAgency@vkvjp.top

CVS-Customer-Service@kngf.thebestonlinetennistraining.com

Delveu01@inbox.ru  (Note:“.ru” is the country code for Russia)

HomeSolarDeals@boodupip.top

Meet_Golfers@ygcx.excitemono.faith

Security_Cameras@hmose.top

Stop_Wrinkles@theytil.com

TeacherCertification@hionars.top

 

 

 

Phish NETS: Nigerian 419ers!

This week’s Phish Nets column will honor the hard working 419ers from Nigeria and other countries for their persistent and creative effort to separate you from your money.  For the record, we see these Advance Fee scams every week.  Sometimes every day for days on end.  If you are wondering why these intrepid folks are called 419ers or if you enjoy reading their heartfelt letters, check out these articles on our website.  We’ve posted dozens of their scams!

Sampling of Advance Fee 419 Scams

Advance Fee & Beneficiary Scams

From:  meredithgs@voila.fr             Time:  2016-01-04 17:14:24

To:       [email removed]

Subject: Dear Sir/madam,,

Dear Sir/madam,,

Please don’t be offended, I know you might be surprised on receiving this mail but i plead you to acknowledge and Permit me to inform you my aims of writing to you. Truly I haven’t known you physically but i have my desire of going into relationship with you By brief introduction, I am Miss Meredith Gibbs, Daughter of late Mr. and Mrs. Gibbs Duncan, and I am age of 19 years i contacting you based on the situation which i am about to tell you here because today, i am a complete orphan without mother, without father and without brother or sisters.

I lost my parents in a ghastly road accident in years 2012 which my mother, my little brother and Carol my junior sister died instantly but my father was hospitalized few days before he gave up, my father was holding a strategic Economic post as the C.E President Board of Producers and exporters of Cocoa and coffee in our country and as result, he was a target even to his own blood brother.

So please, the reason why I contacted you is, before my father died, as if he knew what will happen later behind him, there were some documents he secretly directed to me about his investment budget worth of US$7.5 million dollars which he deposited in one of the well known bank here on behalf of his foreign business partner for foreign investments.

Please, i will like to make you my Next of Kin and trustee and to present you to the bank as my late father’s foreign investment partner for the money to be transferred to you so that it can be put into use in your country on joint investment before i could join you over there.

To tell you, since the death of my parents, his brothers / relatives has been seriously chasing me around with constant treats, to suppress and eliminate me and take over all my father’s properties because i have refused to hand them over my late father’s properties. According to our blind custom and tradition, a female child cannot inherit her late parent’s properties.

Now, they have successfully collected all properties from me, yet they never stooped there, but going so far to treat my life brings fear to me now, i need your urgent help and assistance because this is where only everything he labored for in his life time remains for me.

Based on this reasons, I believe I can trust you like i have said before, Show me your goodwill to give me this assistance so that I can handover to you all the documents about the money.

I plead and will appreciate your kindness in order to actualize this immense co-operation; I await your very urgent answer.

Regard,

Miss Meredith.

From:  office13@office323.jp.tn                  Time:  2016-01-08 05:03:25

To: [email removed]

Subject: IS MRS. MARGARET GEORGE YOUR REPRESENTATIVE?

my message…CIMB NIAGA BANK GROUP-INDONESIA (CINB),

Tambang Batubara PT AKT, Tuhup Muara

Teweh Kalteng, Indonesia 73801, Indonesia

Ref: CIMB /NIGA/BANK/2015/2016

Attention: Beneficiary,

Re: instruction to credit your account with the sum of US$10,000,000.00

This is to notify you that your over due inheritance funds has been gazetted to be release to your bank account within 48hrs, via key telex transfer (KTT).

Mean while, a woman came to my office this morning with an application for transfer of the fund into her account on your behalf, claiming to be your representative.

Here are the information’s she submitted for the transfer of your fund

Bank of America

6901 Northwest Expressway

Oklahoma City, Oklahoma 73132

ABA Routing: 026009593

ACCT No: 003042656833

ACCT Name: FMS Investments Inc.

Please, do re-confirm to this office, as a matter of urgency if this woman is truly from you as the federal finance dept or our bank / my office will not be held responsible for paying into the wrong account.

The reserve bank governor, executive, board of directors and the senate committee for foreign over due Inheritance fund have approved and accredited our reputable bank with the office of the director, international remittance/ Director Foreign Affairs , to handle and transfer of all foreign inheritance funds this first quarter payment schedule of the year 2016.

However, we shall proceed to issue all payments details to the said MRS. MARGARET GEORGE, if we do not hear from you within the next 4 working days from today, this fund will be transferred to the account of MRS. MARGARET GEORGE.

Meanwhile, you are advice to get back to my office immediately with the requested details to enable us have your correct details to wire your fund.

  1. Your full name:……………………
  2. Your telephone numbers:……………..
  3. Your full home address:……………..
  4. Your Company address and position………….
  5. Your Age and Sex………….

This fund will be remitted into your bank account within 48hrs as soon as you confirm to this office that you did not send the above name to claim your fund on your behalf, make sure that you get back to us with your above requested information unless you are sure that you send MRS. MARGARET GEORGE to claim the fund on your behalf.

Best Regards

MS INDAH MARIA

International Operations

CIMB NIAGA BANK GROUP-INDONESIA

Your Money: Car Repair Services, Compare Auto Insurance and Cut Electric Bill in Half.

Once again we saw very appealing bargains and deals online that were wolves in sheep’s clothing.  After seeing so many of these types of scams you begin to appreciate how obvious they really are.  They all share several things in common that identify them as likely fraud:

  1. Use a WHOIS tool such as http://whois.domaintools.com/ to search for the domain name that is found in the clickable links of the suspicious email. If this is a scam or malicious you’ll see that the domain was registered in the previous one or two days.  Sometimes it is registered hours before the scam email is sent.  Try using this WHOIS tool to look up each of the three domains in the scams below and look at the “Created on” information.  Then compare it to the date and time stamp in the emails:

a. top

b. outttime.date

c. thaverf.top

2. Use Google to look up the web site domain listed in the links of the email and if you find nothing at all, the website is likely a scam site. Isn’t it odd that Google finds no website and no history of the business?  If you aren’t sure what makes up the domain in a link, read our article How to Surf Safely.

3. Often, though not always, you can drag your mouse through the white space at the bottom of these suspicious emails and you’ll discover random white text against a white background. This text is a common spammer trick to try to fool anti-spam servers into thinking the email is legitimate.  You’ll find an example of this in the 2nd email below about Car Insurance.  The white text hidden in the bottom of the email actually came from an old book posted in Google books called To Have And To Hold by Mary Johnston and originally published in 1899.

4. Sometimes a WHOIS lookup of a domain name representing a business will show that the website was registered in, or is being hosted by a server in a foreign country. This, of an by itself may not be damning.  But when you consider it alongside other suspicions, it often informs you about fraud.  For example, can you use the WHOIS tool http://whois.domaintools.com/ to figure out which of the three scams below is being hosted on a webserver in Istantbul, Turkey?

1-Car repair services near you

2-Compare Auto Ins Polcies

3-Cut your electric bill in half

 

TOP STORY: Malicious Emails Taking Advantage of Politics

If you haven’t noticed that U.S. polictics are heating up then you are either a hermit or dead. Or a dead hermit.  So too has it been in the world of scams.  Criminal gangs are increasingly using Donald Trump and Hillary Clinton as the hooks to manipulate you into clicking a link to cause a computer infection.  This is only going to get worse in the months ahead.  Check out this screen shot of malicious emails produced by a search for emails on one email server with either of the candidates names in the subject line…

4-Political email list

Let’s take a closer look at a few of these emails.  We found that the email below purported to be about “Trump’s secret plan for Americans to triple their income.” It was sent out from many different scam domains and with many different subject lines.  But all the emails contained the same image you see below.

The link in this first email to see Donald Trump’s Simple Plan leads to a web server identified as jointoday.headsturns-up.com.  The Zulu URL Risk Analyzer found several redirects  on this website, one of which sends the visitor to a strange domain named plzentygra.com.  Our loyal readers will recognize this odd-sounding domain.  We’ve reported in the past that this domain has been found to install malware onto visitor’s computers.  Check out our most recent report of plzentygra.com in our January 6, 2016 newsletter!  Read the “Your Money” column.

5-Trumps plan for Americans

“Donald Trump reveals his secret to working longer, more productive hours.”  And YOU can get a free bottle of this pill too, but only if you act in the next five minutes!

Don’t believe this malarkey.  That timer and “Claim Yours!” button is just more social engineering to manipulate your clicking behavior.  No matter how professionally crafted that email looks, it is all a lie.  In fact, the only thing about this email that isn’t a lie is the hidden white text in the bottom of the email.  It was copied from a review appearing in Yelp, TripAdvisor and Facebook on September 29, 2015 about a restaurant called “Red Pepper Diner.” Check out the review!

6-Trump reveals secret to working longer

We love the subject and headlines in the next scam email masquerading as politics. “Can Hillary Clinton protect you from ISIS if elected?”  Look at the email and you’ll see many hot triggers that will surely engineer a click and result in a new victim. “The future of our country is in your hands!”

7-Can Clinton protect you from ISIS

 

FOR YOUR SAFETY: Suspended Account and Meet Beautiful Women Online

As we stated at the top of this week’s newsletter, we couldn’t find any examples of the types of malicious emails that we devote this column to.  So we reached back two weeks to show you one from the end of 2015.  Would the subject line “Suspended Account ID” get your attention?  Notice that the user isn’t identified and neither is the service that he or she is locked out of.  But you can still click “PROCEED TO ACTIVATE NOW.”  We asked VirusTotal.com to check out the link connected to “PROCEED TO ACTIVATE NOW.”  The screenshot below from VirusTotal will come as no surprise.

 

8-Suspended Account ID

 

ON THE LIGHTER SIDE: You’re a very lucky guy! Alert: You have (7) unread messages…

If we were only single, forty years younger, had no social life, money to fly to Russia and Asia, and sh*t for brains.  If this were all true we would love to take advantage of this “invitation to meet Beautiful Asian and Russian Singles.”  Well, at least it came with that great Yelp restaurant review!

10-Meet beautiful Asian and Russian singles

Until next week, surf safely!