

January 2, 2019

THE WEEK IN REVIEW

We opened last week’s newsletter with a recording of Doug’s response to a robocall. We have bad news to share about robocalls. According to a recent episode of the YouTube channel “Some More News,” robocalls are getting worse and all signs suggest that this is not likely to change. The host’s presentation is worth watching (some foul language is used). Check out Why You’ll Never Escape Robocalls.

We’ve been seeing some very interesting clickbait designed to trick people into clicking very dangerous links, like the one in this week’s Top Story. Think of these links as landmines and be careful where you step! A misstep could send your computer into ransomware hell, for example. TDS readers sent us the first two emails below. While the second is more about your choice to pursue an offer that is truly “too good to be true,” the first is meant to make it look like something is your fault…

Were you to reply to the request about “sending me your photos,” your reply would certainly include something to the effect of “I never sent you any photos!” To which “Maggie” would surely say “Yes you did, here’s one” and provide a link that looks similar to the link in this week’s Top Story. When you read the Top Story below, you’ll see how well that goes (said with sarcasm).

As for this email from “Pamala Secord,” one only had to look at the source domain (bikelandsl[.]com) to know that it doesn’t represent any legitimate lending institution, unless you need a bike to ride to your bank. The “reply-to” address is someone’s Gmail account, and the fixed rate on the loan is unrealistically low (a quick Google search shows rates of about 4 – 6%). Most importantly, a Google search for the source domain of this email turns up nothing but an empty shell of a website and “trash email.”


Phish NETS: Apple Account Temporarily Locked

The “FROM” line of this email may say “Apple Notices,” but that display name is complete fiction and worthless! Look at the email address that follows it. This wolf-in-sheep’s-clothing email came from the domain accountesresovessas[.]org. According to a WHOIS lookup, this domain was registered by someone named “Ramz Dons” just 4 days before this email was sent.

In the email you’ll see what appears to be a very legitimate link pointing to a secure Apple server at Apple.com. Don’t believe what your eyes see! Cybercriminals can attach any text to a link, including text that looks exactly like a real Apple web address; the visible text has no connection to where the link actually goes. Mousing over that link reveals that it points to the URL-shortening service t.co.

We used Unshorten.it to see where that short link really sends you: a phishing web page hosted on the free blogging site Blogspot.com.

Now delete!

YOUR MONEY: Milestone Gold Mastercard

Anyone who has ever applied for a credit card knows that you’ll be asked to supply a lot of very personal information, including your social security number and possibly other banking information. Now look at this email inviting you to apply for the Milestone Gold Mastercard, offered through the Bank of Missouri. There is one detail in this email that should raise suspicions, and rightfully so.

Can you spot it?

Did you spot the oddball domain this email came from, and that all of its links point to? It is sharecu[.]gdn. We ran a WHOIS lookup of this domain and learned that it was registered just 25 days before we received this email. That alone makes this email very suspicious, as does the fact that the links don’t point back to the real domain, https://www.milestonegoldcard.com, which turned up easily in a Google search. The WHOIS record also shows that sharecu[.]gdn was registered by an organization called Network Counter, LLC, located at 7209 Lancaster Pike in Hockessin, Delaware.

We looked up this Delaware address and discovered that it points to a mailbox at a postal service business called Postal Connections. None of this sounded the least bit legitimate, so we checked the link in that Mastercard Pre-Qualify invitation with the Zulu URL Risk Analyzer. It reported an 80% chance that the link is malicious. Given the other information we collected, we’re confident this invitation was 100% malicious. Don’t believe everything you see or read on the Internet. It’s just too easy to deceive others!

TOP STORY: We’ve Known Each Other for Many Years

This week’s Top Story is about social engineering that begins with a simple email saying “We have known each other for many years! This photo was taken 5 years ago.” The email includes a link that appears to lead to a JPEG image. However, there are two important details to point out…

  • The name in front of the “@” symbol in the FROM address does not match the displayed sender name “Isaiah Ferguson” in any way. Also, after the “@” symbol you’ll find the two-letter country code “.de,” Germany’s top-level domain (“.de” = Deutschland = Germany). A country-code domain tells you where the domain is registered rather than where the message was physically sent from, but a German address is still an odd choice for a supposed old friend.
  • Mousing over the link for “IMG_84703844.jpeg” reveals that it points to a file on the website tbgfunding[.]com.

Were you to click that link, you would suddenly see this warning appear on your screen as the orange progress bar slowly grows from left to right toward 100%. (We’ve seen this design many times before on malicious websites.) Then a web page suddenly appears that claims to be an article from Entertainment Today…

This page is completely fake and appears to be a lure for a weight-loss product called “Purefit KETO.” According to this article on the Better Business Bureau website, “Purefit KETO” appears to be making many fraudulent claims, including that its product was evaluated on Shark Tank, which it never was. The BBB determined that the photo was taken from an episode evaluating another product. However, that isn’t the whole scam. Within seconds of visiting this website, a pop-up appears saying that our Flash Player software needs to be updated. But the pop-up isn’t from our operating system or from Adobe; it is served by a website called upgradegreatmaintenancetheclicks[.]icu (as in “Upgrade Great Maintenance the Clicks”?).

That “Install” pop-up is malicious! Were you to click it, you would be installing malware onto your computer. Nor is it always safe to click “Later.” The best thing to do is to quit (or force-quit if necessary) your browser, then immediately launch your anti-malware software and run a scan to make sure nothing was downloaded while you were visiting that web page at tbgfunding[.]com. Speaking of tbgfunding[.]com, we ran a Google search of this domain and were surprised to find that even Google flags this website as hacked. Also, the meta tags for this hacked website display Asian-language characters! We ran these characters through Google Translate and discovered that they appear to be hawking knock-off Hermes handbags!

This rabbit hole gets deeper and deeper. TBGfunding[.]com is owned by an investment firm called “The Battery Group.” We located two email addresses for the firm and notified them that they had been hacked. Oddly enough, we never got a reply. Hmmmmm… A deeper rabbit hole? One thing is clear: we’ll never be lovers with Isaiah!

FOR YOUR SAFETY: Payment Received and Outlook Server Redirects!

Here’s yet another example of malicious clickbait. No payment was received, and no order is arriving today. Those links point to a shady website hosted in Thurgau, Switzerland.

Just delete.

We continue to see many emails whose links appear to point to “safelinks.protection.outlook.com,” but each link contains a redirect that will send you to a malicious domain where malware awaits. The Safe Links wrapper is Microsoft’s real link-scanning service, and the destination it forwards you to is simply whatever the sender placed inside the link, so the outlook.com domain at the front of the address is not where you will end up. Here are just a few more examples, including one that appears to be an “Amazon Order Confirmation.” According to the email, you’ve sent someone at Hotmail a $250 gift card! Would you like to “Cancel The Order”?
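The three link tricks discussed on this page (display text that names one site while the href points at a shortener like t.co, as in the Apple phish; a file-looking link that points at a web server, as in the Top Story; and Safe Links wrappers whose real destination is buried in the url= parameter) can all be caught by the same mechanical check: pull every anchor out of the message body, unwrap any Safe Links redirect, and compare what the reader sees with where the link really goes. The script below is an added example written for this page, not code from TDS; the email body it scans is constructed, and malicious.example, t.co/EXAMPLE and example.com are placeholders standing in for the real addresses the newsletter describes. Only the url= parameter format of Safe Links is assumed from Microsoft’s documented rewrite.

```python
"""Offline link triage for an HTML email body (added example, not from TDS).

Unwraps Outlook Safe Links redirects to expose the real destination, flags
URL shorteners, and flags anchors whose visible text names one host while
the href points at another. The sample email at the bottom is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# t.co appears in the Apple phish above; the others are common shorteners.
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly"}
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelinks(href):
    """Return the destination hidden inside an Outlook Safe Links wrapper.

    Safe Links rewrites a URL as
    https://<region>.safelinks.protection.outlook.com/?url=<encoded>&data=...
    so the 'url' query parameter, not the outlook.com host, is the target.
    Any URL that is not a Safe Links wrapper is returned unchanged.
    """
    parts = urlparse(href)
    host = (parts.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX) or host == SAFELINKS_SUFFIX[1:]:
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return href


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # attribute is unescaped
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_links(html_body):
    """Return one finding per anchor: text, href, final target, host, flags."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        final = unwrap_safelinks(href)
        flags = []
        if final != href:
            flags.append("safelinks-redirect")
        if _host(final) in SHORTENER_HOSTS:
            flags.append("shortener")
        # If the visible text looks like a URL, its host must match the real one.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            if _host(shown) != _host(final):
                flags.append("text-host-mismatch")
        findings.append({"text": text, "href": href, "final": final,
                         "host": _host(final), "flags": flags})
    return findings


# Constructed sample body mimicking the patterns described in the newsletter.
SAMPLE_EMAIL = """
<p>Your Apple ID has been locked.
<a href="https://t.co/EXAMPLE">https://www.apple.com/account</a></p>
<p>You sent a $250 gift card.
<a href="https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmalicious.example%2Fcancel&amp;data=00&amp;reserved=0">Cancel The Order</a></p>
<p>Legitimate reference:
<a href="https://www.example.com/help">https://www.example.com/help</a></p>
"""

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL):
        print(f"{finding['text']!r:38} -> {finding['host']:20} {finding['flags']}")
```

Run it and the first anchor is flagged as a shortener whose visible Apple text does not match the t.co host, the second is unwrapped from the Safe Links wrapper to malicious.example, and the third passes clean. Pair the output with a WHOIS lookup of each final host, as the newsletter does by hand, and a domain registered only days ago is the confirming signal.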

Until next week, surf safely!