
July 19, 2017

THE WEEK IN REVIEW

Do you feel like there has been a small drop in the amount of spam or scams targeting your email, text and social media accounts this past week?  We think so.  Not a big drop, but noticeable.  It makes us wonder if any of the criminal gangs who target us are on vacation.  Of course, we would prefer it if Interpol or local authorities shut them down, but any drop in their constant barrage is welcome.

We say that criminal gangs and spammers often engineer our clicking behavior by using outrageous and unbelievable stories along with extreme adjectives like “shocking.”  Well, here’s another shocking example… “Cornell University Student Does Something Shocking”  The email goes on to describe how you can sit on the couch and still lose 60 lbs. by consuming apple cider vinegar.  Don’t get excited, it’s just manipulative click bait to get you to buy weight loss products.  The owners of this junk are very heavy handed with their spam tactics.  Check out the list of emails hitting one of our honeypot servers in less than an hour.  These emails came from many different domains and email addresses.

Sample Scam Subject Lines:

(Medical Mystery) How Did Their Herpes Disappear?

A Money Back Guarantee On The Newly Discovered Recipe To Get Fit EASILY

A Mouse Click Away From Fantastic Beach Body

Amazon reward – Open immediately!

BREAKING NEWS: USD Currency Collapse

Can I trust you

Does Yoga Burn Calories…. ?

Don’t buy solar panels before seeing THIS

Join thousands of people that are already living a healthier life

Ray Ban Sunglasses sale with 80% discount

Slows down your fat burning hormones

The newest breakthrough in pain management

The Zero to Hero DIY Hack That’ll Build Anything

Sample Scam Email Addresses

OralSexTechniques @ woodmanfine.info

Survivormasterplan @ msterplan.bid

thank-you-amazon-[YOUR EMAIL] @ candycandymail.com

Many scam emails from Brazil (.br) and “.us”:

Deverson.rando @ fap.com.br

Rife @ biotropic.com.br

Suelendeponti @ famema.br

Stetnet @ stetnet.com.br

Victor @ veipecas.com.br

4794-5914901819-1452-[YOUR EMAIL] @ mail.am2soft.us

4785-5914901819-1451--[YOUR EMAIL]  @ mail.floator7.us

322-7-89079-7-[YOUR EMAIL] @ mail.besickkk.us

4779-5914901819-1450-[YOUR EMAIL] @ mail.dryfaci.us

595-8-89079-86-[YOUR EMAIL] @ mail.dheiwk.us


Phish NETS:  Chase Bank, Apple Accounts Team and IT HelpDesk

Look carefully at this Chase Bank wannabe.  The email was sent from the domain chase.net, NOT Chase.com.  Chase.net is an email service registered in, and operating out of Canada.  Any time an email says something like “It is mandatory that you verify your account now to avoid total lockout” you know it is phony-baloney.  The link “ACCOUNT VERIFICATION” points to a shortened link on bit.ly.  We used Unshorten.it to unshorten the link and discovered that it points to a website in Indonesia called Gulung-DOT-com.

Delete.

“Hi You have one verification pending.”  Verification for what?  The email was sent from an address in Hong Kong (notice the 2-letter country code .hk).  The link points to a file on the website sarahstiefelmayer-DOT-com.  Apparently this threat is much more than just a phishing attack.  The Zulu URL Risk Analyzer scored the link “100% Malicious” because of the many malicious scripts waiting to spring on you when you arrive on that website.  (See screenshots.)

Ouch!


Finally, here’s a generic “HelpDesk” phish that is meant to look like your IT folks offering to help you out.  It’s pretty lame though….

YOUR MONEY:  KidGuard, Amazon Account Gift and Never Squeeze Blackheads Again!

Our Top Story in last week’s newsletter was “Can You See Deleted Texts” and it was written in response to a malicious email targeting parents who have concerns about their children’s use of the Internet. (What parent doesn’t???)  Apparently, criminals continue to target parents by focusing on these concerns.  This email wants you to believe it is associated with KidGuard.com, a very real internet safety product for parents. The email uses the logo and graphics taken from KidGuard.com but it is a wolf in sheep’s clothing!  The email came from, and links point back to, the domain childprotekt-DOT-com. Google finds no such domain.  The only thing it does find are fake emails listed on emailfake.com such as this one. The scam domain was registered by “Darrell Lemley.”  We’ve identified other malicious domains registered in his name during the last few weeks.

“Your Amazon account has a pending gift of $200” says an email from primezonusa-DOT-com. Darrell Lemley has been very busy!  This is another one of his more-than-1,065 registered domains.  And we’ll bet bigly that each and every one of those domains is malicious.

A big fat delete!

This email seems to represent Astrid Skin Solution when it says “Never Squeeze Blackheads Again!”  But the off-beat domain shoppingonlinegood-DOT-com is registered to that mail-drop black hole of criminal misuse…  “Domain Administrator” at 2885 Sanford Ave. in Grandville, MI.  However, we loved the photo used in this malicious email and did a reverse image search for it.  Apparently it has been used on many sites around the internet, including Pinterest and YouTube, though we can’t locate the original source.


TOP STORY:  Deception and Perception

We frequently talk about how easy it is to deceive others online and that what we perceive to be true is often far from it.  Here are a few more simple but specific examples of this.  At first glance, these may appear to be something innocuous.

Let’s begin with the fact that many Americans travel to other countries during the summer and, of course, require a passport to enter many countries.  One of our readers sent us this email with the subject “New Passport Rules” that seems to have come from “Government Update.”  “The Ministry of External Affairs just recently announced a new set of rules for applying for a passport.  And we’ve summarized some of the major changes that these new rules have bought in.” (…have bought in?)  But on closer inspection we want readers to notice that the email actually came from an email service called mailerassist.com, not the U.S. government.  We’ve written about another misuse of Mailerassist.com in the Phish Nets column of our May 24 newsletter.

If you look very carefully at the code in the link revealed by mousing over “Continue Reading…” you can make out a redirect designed to send you to the website discountwalas-DOT-com and a page called “new-passport-rules.” Below is a screenshot of what waits for you there.  Apparently along with new passport rules you can click on links for fashion offers, lingerie & nightwear, as well as travel offers.  Does this sound legit to you?  The Zulu URL Risk Analyzer doesn’t think so.  It identified the site as being hosted in Malaysia and says it has an 80% chance of being malicious.  We’ll kick in the other 20%.

Once again, let’s turn to something that seems completely innocuous.  Like a personal email sent from the President & C.E.O. of Amerifi, LLC.  He tells the recipient “Your website made an impression, and a partnership between our two companies could be an excellent fit.”  “My company, Amerifi, is built on trust, customer-service, and consistency.”  That sounds nice, doesn’t it?  Now, how sharp are your eyes?  There are two important things to notice in this email and one of them is critically important!

If you look up “Edward DeAngelis” in Google you will discover that he is indeed the President and C.E.O. of Amerifi, and a well respected professional in the business loan industry.  Check out his LinkedIn page or visit these stellar reviews on TrustPilot.com. So what’s the problem?  Look carefully at both the source of this email and the link at the bottom of the email after we moused over the logo.  Neither of these are Amerifi.com!  They represent a look-alike domain called amerifillc-DOT-com.  Amerifi.com was registered in 2008, an internet lifetime!  But amerifillc-DOT-com was registered in Canada on April 17 of this year using a proxy privacy service.  And take a very close look at the very bottom of the email, following the blue link “here.”  Do you see the tiny square?  That’s a hidden web beacon, reporting your interaction with this email back to the criminal who sent it.
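The three checks this column keeps coming back to (a sender domain that only resembles the real one, such as chase.net versus chase.com or amerifillc-DOT-com versus amerifi.com; a redirect that hides the real destination inside the link, as in the passport email; and a tiny hidden image that reports back when you open the mail) can be automated for quick triage. The script below is an added example written for this newsletter, not a tool from any of the companies mentioned. It uses only the Python standard library; the email it examines is a constructed sample, with `.example` domains standing in for the look-alike and the mailer service, and the brand domain to compare against is passed in as an argument.

```python
"""Triage an email for the deception patterns discussed above: a sender
domain that merely resembles the real brand, look-alike domains behind
links, a destination hidden in a redirect's query string, and a 1x1
"web beacon" image.  Standard library only; the message below is a
constructed sample, not a real phish."""
import difflib
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample modelled on the look-alike-domain email described above.
SAMPLE_EMAIL = """\
From: "Company CEO" <ceo@amerifillc.example>
To: reader@example.org
Subject: Partnership
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://mailerassist.example/r?url=http%3A%2F%2Famerifillc.example%2Fpartner">
<img src="http://amerifillc.example/logo.png" width="200" height="60"></a>
<p>Unsubscribe <a href="http://amerifillc.example/unsub">here</a>.</p>
<img src="http://amerifillc.example/open?id=reader" width="1" height="1">
</body></html>
"""


class LinkCollector(HTMLParser):
    """Gather every <a href> and every <img> (with its attributes)."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.images = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs)


def registrable_label(host):
    """Second-level label: 'mail.am2soft.us' -> 'am2soft'.  A naive split
    (no public-suffix list) that is good enough for quick triage."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def unwrap_redirect(url):
    """If a query parameter carries a full URL (a tracking redirect), return
    that inner destination; otherwise return the URL unchanged."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if unquote(value).lower().startswith(("http://", "https://")):
                return unquote(value)
    return url


def is_lookalike(host, brand_domain, threshold=0.75):
    """True when host is not the brand's domain (or a subdomain of it) but its
    registrable label is close to the brand's: chase.net vs chase.com."""
    host, brand_domain = host.lower(), brand_domain.lower()
    if host == brand_domain or host.endswith("." + brand_domain):
        return False
    ratio = difflib.SequenceMatcher(
        None, registrable_label(host), registrable_label(brand_domain)).ratio()
    return ratio >= threshold


def is_beacon(img):
    """A 1x1 (or hidden) image exists only to report that you opened the mail."""
    width, height = (img.get("width") or "").strip(), (img.get("height") or "").strip()
    hidden = "display:none" in (img.get("style") or "").replace(" ", "")
    return (width == "1" and height == "1") or hidden


def triage(raw_message, brand_domain):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain
    if is_lookalike(sender, brand_domain):
        findings.append(f"sender domain {sender} looks like {brand_domain} but is not")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href in collector.hrefs:
        target = unwrap_redirect(href)
        if target != href:
            findings.append(f"redirect {urlparse(href).hostname} -> {urlparse(target).hostname}")
        if is_lookalike(urlparse(target).hostname or "", brand_domain):
            findings.append(f"link to look-alike domain {urlparse(target).hostname}")
    for img in collector.images:
        if is_beacon(img):
            findings.append(f"web beacon: {img['src']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL, "amerifi.com"):
        print(line)
```

Run it on a saved `.eml` file by reading the file into `triage()` with the brand domain the email claims to represent. The similarity threshold is deliberately loose, so it will also flag some legitimate third-party mailers; treat its output as a reason to look closer, the way this column does, rather than as a verdict. Nothing here follows links or loads images, so running it does not trigger the beacon it is looking for.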

So, once again we ask you to take everything online with a “grain of salt.”  Our perception may really be deception.  Want to try this out for yourself?  Try investigating this short and sweet email representing the Lau Niu Foundation!

FOR YOUR SAFETY:  Congrats – You Have Money!

Besides the many emails saying our parcel post couldn’t be delivered and so click on the attached zip file, we didn’t see much in the way of attached malware or direct association with malware.  Except this little gem…  Hi  Congratulations!  You have access to your free trading cash!  Unfortunately, to those who click “Access Here Now” they’ll find they are hit with malware from another associated website.

Another ouch.

ON THE LIGHTER SIDE:  “My wife and I won the Euro lottery!”

Apparently good fortune finds its way to us from many sources.  This lovely couple are celebrating their remarkable win of 41 million British pounds by donating some of it to us.  You’ll just love how they say they found us!

From:  gh_madani@univ-mascara.dz
Time:  2017-07-08 12:41:07
Subject: Hello

My wife and I won the Euro Millions Lottery of £41 Million British Pounds and we have decided to donate £1.5 million British Pounds each to 4 individuals worldwide as part of our own charity project.

To verify, please see our interview by visiting the web page below:

http://www.dailymail.co.uk/news/article-2091124/EuroMillions-winners-Gareth-Catherine-Bull-scoop-41MILLION-lotto-jackpot.html

Your email address was among the emails which were submitted to us by the Google, Inc as a web user; if you have received our email please, kindly send us the below details so that we can transfer your £1,500,000.00pounds in your name or direct our bank to effect the transfer of the funds to your operational bank account in your country, congratulations.

Full Name:
Mobile No:
Age:
Country:

Send your response to (gcb080771@yeah.net)

Best Regards,
Gareth & Catherine Bull

---

Until next week, surf safely!
