Please support our effort by making a small donation. Thank you!

x

July 27, 2016

THE WEEK IN REVIEW

What a week! Last week we saw many small malicious emails, many of which came from hacked email accounts. One of the most clever ones looked like it was sent from the copier of a school within the school’s network and into employee’s email inboxes. Many of today’s copiers are network-capable and this is an easy feature to set up for any organization/company. However, this email didn’t come from the school’s copier. It was spoofed to appear as though it did. The attached file is dangerous malware. Nasty trick.

 


Sample Scam Subject Lines:

Cut down on your phone bills

Find friends at Jdate!

From International Company

Helpful article

Hybrid Cars Can Be Yours!

I Had Diabetes Now I Eat Anything I Want

I’m so excited

Ink and Toner cartridges for Laser and Inkjet Printers at a Discounted Price.

Never pay for auto repairs again!

See Photos of Mature Singles New Your Now, FREE at Match.com

Shocking Announcement from Trump: NO ONE saw this coming!

Start your window replacement project today!

Treat Yourself to a New Kitchen

Sample Scam Email Addresses:

apartmentrentals@apartmnt.bid

barbequegrillsonline@brbequestnd.bid

cbsnews@ultimatharp.eu

findaprogram@finicialaid.top

GutterGuards@sqq-a.download

helicopterflightsimulator@flightgo.pro

importantnews@suvivl.top

info@bedbathbodysecrets.com

Info@Toollsfordad.com

mayohealth@bellynight.eu

news@osmunion.com

safewalk-intubs@tubwalk.top

woodworkingsupplies@woodplans.eu

 

 

 

Phish NETS: Capital One Bank, Amazon Accounts and Help Desk Support

Capital One is a widely used credit card company. But this email from chaseweb@gen-woss.com did not come from Capital One. “Action Required! According to general account activities, we have detected unusual activity on your account with us.” We like how the scammers have added “Thanks for choosing Capital One.”   A mouse-over of “Click Here” shows that the link points to a shortened URL at tiny.cc with a name “capitaloneo” Have a look below to see where this link will send you…

We used Urlex.org to unshorten that link. It points right back to the strange domain gen-woss.com which was registered in July 9 using a proxy service.

Just delete!

3-Phish-Capital One - Unshortened


Quite honestly these next couple of examples could be simple tricks to click malicious links to infect computers but VirusTotal.com indicates that these are phishing emails disguised to look like emails from Amazon. They are apparently meant to trick you into handing over your Amazon account information. The first asks you to claim your Amazon giftcard… “Thank you for your recent order with Amazon.com. Your recent order entitles you to a promotional credit which we have added to your account.”

Notice that the email contains no information to identify the recipient or what they recently purchased. The scammers don’t even try to hide the scam domain amazondollarsgift.com. That bogus domain was registered using Enom.com on July 12 by someone using the email berhkelly5564@gmail.com.  The big black box at the bottom of the scam contained black text to try to trick antispam servers into deciding the email was legitimate.

How about this phishing scam from admin@amazonshiips.com with the subject line “Your Amazon Package is on Hold.” The recipient is asked to click a tracking link that points to the bogus domain amazonshiips.com.   We were thrilled to see that JUDY SANTIAGO registered this sweet domain on the day the email was sent. DEEEELEEEETE! (To our many new readers, “Judy Santiago” is a name that a criminal gang has been using for months to register more than 4000 malicious domains, mostly through the often-abused registrars Enom and Alpnames.)

5-Amazon-your Amazon package is on hold

This last phish was a bit of a surprise to us. We thought it was your run-of-the-mill malicious email but according to VirusTotal.com, it is a phishing scam. The email appears to be sent from a real person at Juniata University in Pennsylvania. This is not true of course. The attached pdf file with the “activation procedure” is a ruse to trick you into revealing login information. Look below at the score received by the pdf at VirusTotal.com.

And then delete.

6-Help Desk Support

7-Help Desk Support virustotal score

Your Money: See Photos of Singles in Your Area, Bed Bath and Beyond Gift Card, and Get Your Free Credit Score!

You might think this email is associated with Match.com but you would be wrong! Look carefully at the from address (which includes the recipients email address before the @ symbol.) “Browse mature singles in your area.” Mature? That couple can’t be more than 35! If they are “mature” then we’re ancient history! The email came from, and links point back to, a strange domain com-freejulys.com. According to a WHOIS lookup, this domain is described as “Tech Crunch – The Latest Technology News.” It is neither Tech Crunch nor Match.com. It is, however, malicious. You know what to do!

Remember the proverbial statement “if it seems too good to be true, it probably is?” Check out this next email from info@bedbathbodysecrets.com (Sound like any store you know?) Take a wild guess who registered the domain bedbathbodysecrets.com on July 23! Yes, once again proving that the domain naming system established and governed by ICANN has no mechanism whatsoever to protect netizens from scams like these… (Drumroll….) It was registered by Judy Santiago through Enom.com! “Get a $100 Bed Bath & Beyond Gift Card Reward! Terms Apply (Yeah, like you have to install our malware!) The email goes on to say “Get It Free – Bath & Body Works Samples” “No shipping” “No purchase necessary”

Avoid the pain, delete now.

Many people know that they are entitled to find out their credit rating once per year for free. This, however, is not the place to apply… The email was sent from rooftop@larvae.hahii.us Doesn’t that sound legitimate? It gets more bizarre. A WHOIS lookup of hahii.us reveals that the domain was registered on July 21st to a company called Adrenaline Ads of Phoenix, Arizona and is being hosted in Rotterdam, Holland. We can’t find any business in Arizona called Adrenaline Ads. The email leads you to believe it is associated with the real company called “Free Score 360” but it is not. By the way, we don’t recommend the real FreeScore360.com either because of many complaints against them such as these:

http://www.bbb.org/acadiana/news-events/bbb-scam-alerts/2014/11/bbb-alerts-consumers-to-freescore360.com/

http://www.complaintsboard.com/complaints/free-credit-report-360-c248185.html

Just delete.

 

 

 

TOP STORY: Amazing Opportunities to Earn Big Money!

Our top story this week began with an invitation that came to a reader from someone identified as lisafaiths374@gmail.com. Description in the invite was “Account Balance: 3,492.41 US Dollar” and the location listed is in Bronx, New York. The invitation included a note… “Our business partner shares an amazing opportunity to earn USD500-USD1000 per day. See this =>” followed by a shortened link using Google’s shortening service as well as another link for a calendar event. For our readers who are not familiar with shortened links, we recommend our article Risks of Shortened URLs

There are so many red flags here that anyone with half a brain would leap for the delete key! But stick with us and let’s break them down anyway…

  1. The blind invitation came from an unfamiliar email address at Gmail, not a credentialed company.
  2. An invitation to earn money? Hmmm…..   And who in the United States write dollars as “USD500”? Generally speaking, this is more frequently an international representation of U.S. dollars.
  3. After “See this =>” the recipient is presented with a shortened link. Meaning that the recipient actually cannot see where the link leads until he or she clicks the link. Rather risky.

11-Amazing opportunity event invite

We asked Unshorten.it to tell us where the shortened goo.gl link pointed and it revealed that the link will send you to a website called pushmoneyapp.com, with the description “Push Money App – Making Millionaires.” Now we’re 100% certain this is a scam. Someone is going to turn us into millionaires out of the goodness of their hearts? And if they really, truly know how to make millions of dollars legitimately, why tell the world? Why not just quietly apply their own strategy and retire next year? None of this makes any sense.

If you look closely at the information returned by Unshorten.It you’ll also note that the domain pushmoneyapp.com is rated “poorly” in Trustworthiness and “very poorly” for Child Safety. (Though we don’t quite understand why children can’t make millions too.) And also that the site is blacklisted for “engaging in selling or distributing bogus or fraudulent applications and/or provision of fraudulent services.” Sounds like some serious shortcomings to us.

12-Amazing opportunity event invite unshortened

After all of those bad vibes, we didn’t hesitate to ask VirusTotal.com to evaluate the invitation link we were sent and the response was clear… (see below). Best to stay away. And it isn’t just us saying so. Here are links to several other reviews that have come to the same conclusion:

http://www.quintup.com/push-money-app-review-scam/
(This article presents a very convincing case that pushmoneyapp.com is outrageous fraud.)

http://scambroker.com/push-money-app/

https://binaryoptions2016.com/push-money-app-scam-review/

We realize that none of this is a surprise to our readers. The real story here is not the amazing opportunities to earn big money that we began with. The real story is why are sites like these allowed to exist on the Internet? Why is the Internet a wild, wild, west where anyone can set up a snake oil pushcart and promise that it cures flatulence, psoriasis, diabetes and poverty? Every functioning society has rules and safeguards in place to protect its citizens. Every governing body is expected, at least in principle, to serve its citizenry. But not the Internet. “Caveat emptor” doesn’t sound strong enough.

Footnote: In case you were wondering, any hope of discovering the real owners behind pushmoneyapp.com are squashed. The domain was registered on January 9, 2016 through Domains by Proxy.

13-Amazing opportunity event invite -Virustotal score

FOR YOUR SAFETY: Many Assorted Malicious Emails and UPS/FedEx Shipping Notifications

We actually considered making this week’s top story a story about short malicious emails. We saw soooo many of them, and in many different variations. Some came from real people’s hacked email accounts or from fake accounts using real people’s names. They included dozens of phrases meant to stimulate your interest or curiosity, followed by a malicious link. Here are a few of the phrases used…

 

Dear,
I found that article a couple of days ago and thought you may be really interested in such info, just read it here

 

Hello,
Just wanted to say hello to you and let you know that I found something interesting for you, look at it here

 

Hi,
I wanted to show you something very important to me, just take a look here

 

Greetings!
My friend have just told me such a grest news, I’m so excited, please read it here

 

Hello,
I wanted to ask you if you know anything about that stuff? If that’s happening now, what’s gonna be next? Take a look

 

Dear!
I was looking for some stuff and eventually came across this! Just look here

 

Hello,
Please you have not responded, reply to enable me know what to do next.

 

And a screenshot example…

 

Some of the most effective social engineering tricks we’ve seen used by criminals are the fake delivery notices like these from FedEx and UPS. Of course neither of these actually came from those parcel delivery companies and a simple mouse-over of the links reveal the fraud (as does the from email address). The links lead to malware. Enough said.

16-UPS ship notification

ON THE LIGHTER SIDE: Yahoo has hired us! (Though we don’t know why or for what)

Our ship has finally come in and, frankly, it’s about time! Yahoo is hiring us for $90,000! (Even though the broken graphic says “nike”) We don’t know what we’re going to be hired to do or why. But we don’t mind. Someone finally appreciates our greatness and is willing to pay us big money for it!

 


Until next week, surf safely.