January 6, 2016

THE WEEK IN REVIEW

Dear TDS Readers, our 2015 ended with some excitement. On New Year’s Eve we suddenly received multiple email notifications from our site’s security software informing us that a hacker was going to a lot of effort to try to hack our website from locations in the U.K. and across the U.S. We sprang into action and put up a BIG message at the top of our site… “Dear Hacker trying to hack our website for the last hour: Buddy, it’s New Year’s Eve! Why don’t you take a break and spend the evening with friends or family. Then stop by tomorrow and let us know why it’s so important for you to damage our website. Happy New Year!”

Welcome 2016! Here’s hoping the forces of good will turn their attention to the Internet and prevail over the forces of evil. And we’re still seeing lots of Xmas and New Year’s scam emails like this one…

1-Kohls 50 gift card

An important reminder to our readers: Every email “from” address and every link pointing somewhere on the Internet contains a domain (e.g. TheDailyScam) and a top-level domain, or TLD (e.g. dot-com, one of the generic TLDs, called gTLDs). Together the domain and TLD make up the registered domain name, e.g. TheDailyScam.com, and that is the part to judge. Anything to its left, whether “www.” or a random string of letters like the ones in this week’s sample addresses, is just a hostname that the domain’s owner controls. Understanding domain names is critical to avoiding scams and staying safe online. For more information about domain names, visit our articles:

How to Surf Safely

Where its @!

Another note… We just received a tip from one of our readers about the U.S. Treasury scam we have reported on in the past. Apparently the scammers are still targeting people with this scam and are using the phone number 213-286-6011. A scammer claims to be “Agent Dennis Quaid” and threatens Treasury Dept. enforcement action. Read more about this scam:
http://800notes.com/Phone.aspx/1-213-286-6011
http://www.thedailyscam.com/enforcement-action-from-u-s-treasury-agent/

Sample Scam Subject Lines:

Daily revenue statement for Dec. 30

Don’t Let Your Amazon Points expire

Easy Tips to Help with overactive Bladder Symptoms

Ending Soon: Your Macy’s End of the Year customer appreciation voucher expires 12/30/15

How I saved thousands on blood pressure meds

It may be too late… (open now)

New Years LIQUIDATION: Asus 11.6″ 500GB LED Touch-Screen Laptop, $5.61, Until 12/31/2015

Protect Your family From financial burden Information on funeral insurance

Re: Your CVS 2016 reward balance is $50

Senior Care: Find out if Assisted Living is The right option

Simple fix That Lowered Blood pressure Without Drugs

VA Mortgage rates have Dropped???

Visit the Florida Keys for Less!

Ways To Improve Ecommerce Stores

You’ve been selected for outstanding leadership

Sample Scam Email Addresses:

Amazon-Customer-Service@aaqvbh.providescaretempt.faith

AutoInsurance@checkita.download

BirthControl@brthcontrl.top

CableandInternetPackages@releastonic.download

ChronicPulmonaryDiseaseGuide@diseass.download

estimatedly05@yahoo.com

flawlesscomplexion@wrinkremove.bid

nosyk38@bk.ru

QualityTelevision@tedsmallcold.date

question@talktomycar.co.uk

Sams_Gift@ahbs.strengthkmnc.accountant

timelesshy@mail.ru

Your.Secret.Encounter@lsrdf.productslmhn.webcam

Phish NETS: Chase Bank, Apple GSX and USAA Checking/Savings Account

Though USAA phishing attacks still dominate this week’s phishing scams (see below), we were thrilled to find some new phish as well. The sender’s address for the USAA phishing scam looks as though someone held down some keys a bit too long. As in most of the other USAA scams we’ve reported on over the last few weeks, the green “Sign on” link leads to a hacked website in India.

Delete!

ACCOUNT ALERT! But look carefully at the sender’s address, shown in grey just above the red alert: the email came from “loveforbtc10@outlook.com,” not from Chase. “Due to an unusual number of failed login attempts…” Don’t believe this hyperbole. The link text looks like a secure https link to Chase Bank online, but a mouse-over reveals that it actually points to a design firm in Australia called hdesigngroup. Just delete.

Phishers sometimes target certified Apple repair technicians with phishing scams like this one, which claims to represent Apple’s GSX service. But look carefully: the email came from apple.jp (.jp is the country-code TLD for Japan), which is not what you would expect. A simple mouse-over of the “View Permissions” link shows that it points to a cleverly chosen domain that looks like an Apple domain: idmsa-aut-apple.com. Despite the word “apple” in it, the registered domain is idmsa-aut-apple.com, which is not the same as apple.com. We looked up this domain in a WHOIS service and learned that it was registered through Enom by someone named Dumitru Bogdan from Romania.

Delete!
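The mouse-over habit described in the Chase and Apple GSX phish above, and the domain-name reminder near the top of this issue, come down to one question: what is the registered domain of the sender address and of each link’s real target, and is it the brand’s own? Here is a small Python script, added to this newsletter as an illustration (it is not TheDailyScam’s tooling), that answers that question. The short public-suffix set is a hand-picked stand-in for the real Public Suffix List and the Chase href is a constructed stand-in for the hdesigngroup URL; both are assumptions. The Apple GSX and Amazon addresses come from this issue.

```python
"""Check who an email is really from and where its links really go.

Added example for this newsletter; it is not TheDailyScam's tooling.
PUBLIC_SUFFIXES is a hand-picked stand-in for the Public Suffix List
(an assumption), and the Chase link in the demo is a constructed
stand-in for the hdesigngroup URL seen in the mouse-over.
"""
import re
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {
    "com", "net", "org", "jp", "cn", "ru", "co.uk", "com.au",
    "bid", "top", "date", "faith", "download", "webcam", "accountant",
}


def registrable_domain(host: str) -> str:
    """Strip a hostname down to the part somebody actually registered.

    'aaqvbh.providescaretempt.faith' -> 'providescaretempt.faith'
    'www.example.co.uk'              -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if i > 0 and ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def domain_of_address(addr: str) -> str:
    """Domain of the mailbox in a From: header ('Name <user@host>' or user@host)."""
    match = re.search(r"<([^>]+)>", addr)
    mailbox = match.group(1) if match else addr.strip()
    return registrable_domain(mailbox.rsplit("@", 1)[-1])


def domain_of_url(url: str) -> str:
    """Domain of the real link target (the href, not the text you see)."""
    return registrable_domain(urlparse(url).hostname or "")


def looks_like_brand(domain: str, brand_domain: str) -> bool:
    """True for lookalikes: not the brand's domain, but containing its name,
    e.g. 'idmsa-aut-apple.com' checked against 'apple.com'."""
    if domain == brand_domain:
        return False
    brand_name = brand_domain.split(".")[0]
    return brand_name in domain


def assess(sender: str, links, brand_domain: str) -> dict:
    """Report every sender or link domain that is not the brand's own."""
    findings = []
    sender_domain = domain_of_address(sender)
    if sender_domain != brand_domain:
        findings.append(f"sender domain {sender_domain} is not {brand_domain}")
    for url in links:
        link_domain = domain_of_url(url)
        if link_domain != brand_domain:
            kind = "lookalike" if looks_like_brand(link_domain, brand_domain) else "unrelated"
            findings.append(f"link {url} really goes to {link_domain} ({kind})")
    return {"sender_domain": sender_domain, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Samples from this issue; the Chase href is a constructed stand-in.
    cases = [
        ("Apple GSX <gsx@apple.jp>", ["https://idmsa-aut-apple.com/permissions"], "apple.com"),
        ("Chase <loveforbtc10@outlook.com>", ["http://www.hdesigngroup.com.au/online/"], "chase.com"),
        ("Amazon-Customer-Service@aaqvbh.providescaretempt.faith", [], "amazon.com"),
    ]
    for sender, links, brand in cases:
        result = assess(sender, links, brand)
        print(sender, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for line in result["findings"]:
            print("   ", line)
```

The important design choice is that the check looks at the href, never at the link text, and that it trims the hostname from the right using the public-suffix rules. A string like “apple” appearing anywhere to the left of the registered domain proves nothing, and the Apple GSX case shows why: idmsa-aut-apple.com passes a naive “does it contain apple.com” test only if you read it carelessly.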

Your Money: Ink & Toner Super Sale, Visit the Florida Keys for Less and Never Pay for Another Auto Repair

We found many interesting deals last week that are sure to interest consumers. But they are all scams. Take, for example, the first email below about inkjet cartridges and laser toner at a discount. Save up to 85% on printer ink cartridges! Sounds good, right? A simple WHOIS lookup shows us that the domain for this great deal, inngut.top, was registered just hours before this email was sent, and there seems to be no website associated with the domain. It was registered by Futurebright Solutions!

We wrote about Futurebright (and Future Bright) Solutions in both our November 4 newsletter and our December 30 newsletter.  The Zulu URL Risk Analyzer scored the domain and link in the email as malicious. Check it out.

5-Ink and toner super sale

The next scam was so disappointing because we were really excited to see a great deal for visiting the Florida Keys. But once again, the domain davidaother.date was registered just hours before the email was sent, is being hosted on a webserver in Istanbul, and there seems to be no website associated with the domain. We could do this all day… Just delete!

6-Visit the Florida keys for less

Finally, we present this seemingly great idea for auto warranty. It looks soooo good and says it was featured by Cars.com, Forbes, CBS, ABC, and others! But again, it’s not what it appears to be. To understand the bigger picture you’ll have to follow a path down the rabbit hole into Wonderland…

  1. A simple WHOIS lookup of the domain exposedcoupons.bid, used for the scam below, also shows that the domain was registered just hours earlier by a “Madeleine May” from Guyancourt, France.
  2. The Zulu URL Risk Analyzer scored the link as a 13 out of 100, which means it is “benign” or safe. We love using Zulu but it isn’t perfect. The Zulu tool informed us that there were two redirects (code that will send you to another website) waiting at exposedcoupons.bid and we’ve seen one of them many times before. Visitors will be forwarded to a strange domain named plzentygra.com. Zulu again scored the new link at plzentygra.com as benign, just 12 out of 100.
  3. However, we’ve learned to use multiple tools to investigate malicious intent. VirusTotal.com reviewed the redirected link to plzentygra.com and found it to be rated as malicious by BitDefender.
  4. Furthermore, if you look at VirusTotal’s history of reviewing links for files on plzentygra.com you’ll see that this domain has been found to host malicious files dozens of times from September 22 through December 27, 2015. Visit their list and be sure to click “more.”

Still interested in the auto warranty? Yeah, neither are we.

7-Never pay for another auto repair

TOP STORY: Domain Expiration Notice

This week’s top story is a perfect example of the many kinds of fraud facing small business owners. This scam actually targeted Doug of TheDailyScam.com. Doug used to own the domain ChildrenOnline.org while he was co-director of this organization for 17 years. Children Online was devoted to educating children and parents about Internet risks/issues but Doug let the domain expire in 2015 when he retired from the organization. The email received stated that his domain ChildrenOnline.org was about to expire on January 23, 2016 and he now had the opportunity to renew it through this offer.  The offer was only good until January 9, 2016.


Small business owners with a web presence routinely receive emails like this. And many think that they will truly lose their business domain if they don’t pay the price. Look at the email closely. How many red flags can you spot? We quickly found three…

  1. The email claims to represent a company called Domain SEO Service Registration Corp, from Coconut Creek, Florida. (Look in the details at the bottom of the email.) If you Google this company you find many links to articles and blogs that have identified this company’s services as a scam. Here are just three such links:

     http://proadinsight.com/beware-of-domain-seo-service-registration-corp/

     http://www.scam.com/showthread.php?638695-Domain-SEO-Service-Registration-Corp

     https://www.billhartzer.com/pages/domain-seo-service-registration-corp-domain-registration-scam/

  2. The email was sent from info@wizvi.cn. The .cn is the country-code top-level domain for China, which is odd for a company that lists its address in Florida. (A .cn domain only tells you that the domain was registered with China’s registry, not where a message was sent from, but in this case it turns out that this is indeed a company based in China, not the United States as they report in their email.) If you look up the full Florida address in Google, you’ll easily discover that it is just a mailbox drop at a shipping/packing business in Florida.
  3. Run a WHOIS lookup of ChildrenOnline.org and you easily discover that someone listed as “Craig Harper” purchased the domain on April 7, 2015, just days after we released it. This means it doesn’t come up for renewal again until April 2016!

So the Domain Expiration Notice from Domain SEO Service Registration Corp is a complete fraud meant to take your money. And yet this group in China puts out thousands of emails like this. Why can’t international law put a stop to it? At the very least, why can’t law enforcement in the U.S. arrest whoever shows up to collect the mail at the Florida mailbox? Or find out who is renting the Florida mailbox (assuming anyone is renting it at all)? This is just one more example of how the Internet is still a wild, wild west where fraud and abuse are rampant. We all need better Internet cops!

You can see and understand many more examples of these types of scams that target small business owners by reading our article Scams Targeting Domain Owners.
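Two of this issue’s WHOIS checks can be written down as code: the “registered just hours before the email was sent” test we applied to inngut.top and davidaother.date in Your Money, and the “does the renewal notice quote the real expiry date” test that exposed the Domain Expiration Notice above. The Python below is an added illustration, not TheDailyScam’s tooling. The WHOIS text is constructed in the usual registry field layout, and its timestamps are made up for the demonstration; they are not the real records for these domains. The 72-hour threshold is likewise an assumption.

```python
"""Two WHOIS checks from this issue, done in code: is a domain brand new,
and does a 'renewal notice' quote the domain's real expiry date?

Added example; not TheDailyScam's tooling. The WHOIS text below is
constructed in the common registry field layout and its dates are
made up for the demonstration, not the real records for these domains.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed WHOIS output (field names follow the usual registry format).
WHOIS_INNGUT_TOP = """\
Domain Name: inngut.top
Registrar: Example Registrar (assumed)
Creation Date: 2015-12-30T09:12:44Z
Registry Expiry Date: 2016-12-30T09:12:44Z
Registrant Organization: Futurebright Solutions
"""

WHOIS_CHILDRENONLINE_ORG = """\
Domain Name: childrenonline.org
Creation Date: 2015-04-07T14:05:10Z
Registry Expiry Date: 2016-04-07T14:05:10Z
Registrant Name: Craig Harper
"""

_FIELD = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>\S.*)$", re.MULTILINE)


def parse_whois(text: str) -> dict:
    """Map lower-cased field names to values; the first occurrence wins."""
    fields = {}
    for m in _FIELD.finditer(text):
        fields.setdefault(m.group("key").strip().lower(), m.group("value").strip())
    return fields


def _utc(iso_stamp: str) -> datetime:
    """Parse '2015-12-30T09:12:44Z' (or a bare date) as an aware UTC datetime."""
    stamp = datetime.fromisoformat(iso_stamp.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def domain_age_hours(whois_text: str, email_date_header: str) -> float:
    """Hours between the domain's registration and the email's Date: header."""
    created = _utc(parse_whois(whois_text)["creation date"])
    sent = parsedate_to_datetime(email_date_header)
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return (sent - created).total_seconds() / 3600


def newly_registered(whois_text: str, email_date_header: str, max_age_hours: float = 72) -> bool:
    """The 'registered just hours before the email' pattern; 72 h is an assumed cutoff."""
    return domain_age_hours(whois_text, email_date_header) < max_age_hours


def expiry_claim_matches(whois_text: str, claimed_expiry: str) -> bool:
    """Does the date a renewal notice quotes match the registry's expiry date?"""
    real = _utc(parse_whois(whois_text)["registry expiry date"])
    return real.date() == _utc(claimed_expiry).date()


if __name__ == "__main__":
    # Constructed Date: header a few hours after the made-up creation time.
    print("inngut.top brand new?",
          newly_registered(WHOIS_INNGUT_TOP, "Wed, 30 Dec 2015 14:12:44 +0000"))
    # The notice Doug received claimed ChildrenOnline.org expires on 23 Jan 2016.
    print("expiry claim honest?",
          expiry_claim_matches(WHOIS_CHILDRENONLINE_ORG, "2016-01-23"))
```

A caveat for anyone who adapts this: real WHOIS output varies from registry to registry (some use “Created On” or “Expiration Date”, some hide registrant details behind privacy services), so the field names here cover the common case only, and RDAP is the more machine-friendly source today. The logic stays the same: a domain that was created hours before the email arrived, or a renewal date that does not match the registry, is enough reason to delete.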

FOR YOUR SAFETY: Resumes and a Fax

We’ve been reporting on these short but very dangerous emails for weeks now. They must be extremely successful, because they continue to pour into inboxes. Last week there was a heavier than usual emphasis on emails pretending to carry résumés. Check out the three below, all very similar and all carrying a zip file containing malware meant to infect your computer.

9-Attached is my resume 1

10-Attached is my resume 2

11-Attached is my resume 3

The emails stating that “you have received fax, document…” have also been effective at generating a curious click. If you don’t recognize the sender, if you see a zip file, or have any suspicions about the email, delete it! To learn more, check out our article Filenames Will Set You Free!

12-You have received a fax
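The advice above (“if you see a zip file… delete it!”) is sound for readers; for anyone who handles a shared inbox, here is what the triage looks like in code. This Python script, added as an illustration and not TheDailyScam’s tooling, builds a message in memory that resembles the “Attached is my resume” emails (the sender address is taken from this issue’s sample list; everything else, including the zip contents, is constructed), then lists the zip’s members without extracting anything and flags file names whose final extension would run as a program. The set of risky extensions is an assumption and is not complete.

```python
"""Look inside a zip attachment before anyone double-clicks it.

Added example; not TheDailyScam's tooling. The message is constructed
in memory to resemble the 'Attached is my resume' emails in this issue,
and RISKY_EXTENSIONS is an assumed, incomplete list.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

RISKY_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "jar", "lnk", "ps1", "msi",
}


def risky_name(name: str):
    """Describe why a file name is dangerous, or return None.

    Catches the classic 'resume.doc.js' trick: the last extension decides
    what Windows runs, and the document-looking middle part is just bait.
    """
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in RISKY_EXTENSIONS:
        return None
    reason = f"{name}: runs as .{ext}"
    if len(parts) > 2:
        reason += " (disguised with a double extension)"
    return reason


def triage_attachments(raw_message: bytes) -> list:
    """Flag risky attachments; zip members are inspected without extracting."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    reason = risky_name(member)
                    if reason:
                        findings.append(f"{filename} -> {reason}")
        else:
            reason = risky_name(filename)
            if reason:
                findings.append(reason)
    return findings


def build_sample(member_name: str) -> bytes:
    """Constructed email carrying a zip that contains one file named member_name."""
    archive_bytes = io.BytesIO()
    with zipfile.ZipFile(archive_bytes, "w") as archive:
        archive.writestr(member_name, "placeholder content, not real malware")
    msg = EmailMessage()
    msg["From"] = "estimatedly05@yahoo.com"   # address from this issue's sample list
    msg["To"] = "jobs@example.com"            # constructed recipient
    msg["Subject"] = "Attached is my resume"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(archive_bytes.getvalue(), maintype="application",
                       subtype="zip", filename="resume.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("resume.doc.js", "resume.pdf"):
        print(name, "->", triage_attachments(build_sample(name)) or "nothing risky found")
```

Note that the script never extracts or opens the member files; reading the zip’s central directory is enough to see the real file names, which is exactly the point of our article Filenames Will Set You Free! A password-protected or nested archive would hide those names from this check, which is one more reason the simple rule for readers stays “delete it.”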

ON THE LIGHTER SIDE: Your Golf Swing Needs Work

We are so grateful to the Golf Pro who sent us this email because our golf game has been suffering! How did he know that we might “suffer from back, neck, elbow, knee, hip or joint pain during or after rounds?” (This probably describes about 90% of golfers!)

If you read the email content about what happened to PGA Champion Doug Tewell you’ll find this email nothing less than miraculous! And this miracle is available to us as well! All we have to do is click that link to the video…

Until next week, surf safely!