Please support our effort by making a small donation. Thank you!

x

July 6, 2016

THE WEEK IN REVIEW

Happy post-4th of July! During the previous week we saw hundreds of work-at-home scam emails making them the perfect choice for this week’s Top Story. We also found lots of phishing scams as you’ll see below. But first we want to remind our readers about emails claiming to be from AES, American Educational Services, such as this first email. The Top Story from our April 27 newsletter covered these suspicious emails offering personal loans and we’re seeing them appear again. There is a real AES company with a longstanding website at AESSuccess.org. Though even the real AES has very poor ratings on ConsumerAffairs.com. But the email below appears to be a mimic sent from a domain registered in Homburg, Germany. We strongly recommend that people never respond to any solicitations they receive online, such as these.

 

 

 

 

 

Here’s another scam email for a loan from ghost_events@outlook.com to call 888-634-9403. The same message was sent from three different email addresses recently. Cornell University IT Security has identified this phone number as a phishing scam.

Just delete!

2-I noticed you have loans - call now

 

3-I noticed you have loans-call list

Sample Scam Subject Lines:

Best rates for 2016!

CNN – Alzhemier’s end is here thanks to this

Dangerour free book

Do your part for the environment and get a hybrid car

Documents copies [or Updated document; requested; report; updated]

Free quote from Terminix – plus 50 off!

Happy grilling!

Hawaii Vacations | Maui, Oahu, Big Island and More

Never Pay Retail Again!

Perfect Gift for Dad

Protect your family. Great rates as low as $15/mo. Get a quote in minutes!

RE: [followed by username]

Responsibly fix your bathroom with your tax refund.

Sample Scam Email Addresses:

alaskacruisepicks@crualaska.download

cullen@homeenergyy.date

DietYourWay@clubteamfly.top

DrOzNewestFatBurner@hsa3ueng.loverch.top

HealthyLookTrial@clubteamfly.top

internal.health.research-[Your email address]@presentfacts.net

Love.Your.BodyAgain@aei6nhs.clampch.top

mobileapps@mobapp.bid

msflightsimulator@flitegam.date

rvdeals@motorhomee.bid

SearchContactLensOptions@bathrommrem.bid

terrance@farmfood.bid

thechoicehomewarranty@chcehome.date

 

 

 

Phish NETS: Amazon, Chase Bank, Paypal, and Webmail

“Your Order Has Been Cancelled!” Our first phish is meant to look like a notice about an Amazon order being suspended because your account information could not be verified. Very sneaky bastards! Recipients are offered a link that appears secure (https://) to “payments.amazon.com/home.” However, a simple mouse-over of that link reveals that it points to the domain telewholesale.co.uk.   Obviously not Amazon.com. There are also many websites exposing malware and phishing scams hidden on telewholesale.co.uk such as this link at Scumware.org.

Deeeleeeete!

Our next phish looks like it was sent from the Chase Fraud Prevention Team at Chase Bank but comes from an email address at sendgrid.net, an email delivery service. The subtle grammar errors should be enough to make readers suspicious… “We have detected a suspicious activity on one or more of the account you have with us.” What was most interesting about this phish is the long strange path the phishers used to hide their destination…

 

 


The link in this phish leads to a page on tracking.service-opt.com. The Zulu URL Risk Analyzer finds absolutely nothing wrong with this link (Zulu isn’t perfect) but Zulu shows a redirect waiting on the page to send you to a shortened URL at tiny.cc called “chaseup” as well as two more links to service-opt.com. We used Unshorten.it to unshorten that tiny.cc link only to find that it sends you right back to a hidden phishing page at service-opt.com. According to Virustotal.com, Fortinet has already identified service-opt.com as a phishing scam.

6-Phish-Chase Bank2

7-Phish-Chase Bank3

“You Must Update Your Account For Security Reason” says an email from service@support.cz (2 letter country code .cz = Czech Republic). A mouse-over of the link “Check My Account” reveals that it points to a shortened link with Goo.gl/FLEPmx. Urlex.org unshortened this link to show that it points to the hacked domain ieee-ims.org. We reported on the misuse of this hacked domain in last week’s newsletter.

8-Phish-Paypal you must update your acct

9-Phish-Paypal url unshortened

Finally, here’s a ridiculous phishing email with a link to a website in Poland that tries to scare the heebie-jeebies out of you. It fails miserably.

Laugh and then delete!

 

 

 

Your Money: Toilet Paper and Coffee Coupons, Delicious Bottles of Wine, and Travel Credit Cards

Toilet paper coupons? Seriously? And made to look like the link points back to GetToiletPaperCouponsTips.com. You need tips for this?? The links point to the domain lattu.top which was registered on July 2 and is being hosted in Rotterdam, Holland. Malicious files wait for you there, not TP coupons.

How about Coffee coupons that seem to be sponsored by coffeecowcoupon.com? “Download & Print Coupons for Your Favorite Coffee” Links in the email point to disinfect.zacie.us. Want to get your coffee from a website that starts with the subdomain disinfect? Yah, neither do we.

Start disinfecting by hitting delete.

 

 

Laithwaite is a very large wine seller in the UK. However, this email didn’t come from them. It came from the weird domain adiod8.fpayoff.top. Remember the expression “too good to be true?” This email ad is the poster child for it. The links take you to a benign website that forwards you to another website rated 90% malicious by the Zulu URL Risk Analyzer. And now we all say….

 

 

Finally in this week’s Your Money column is this inviting email from TravelCreditCards@hotelsology.top to “earn rewards and flyer miles with each swipe.” Hotelsology.top is aleady listed on at least four security blacklists as malicious.

14-Travel credit cards earn points

 

TOP STORY: Looking for Employees to Work Remotely Means ICANN Isn’t Doing Its Job!

Though we often see “work at home” or “job offer” email scams such as this one below from nygcockerboyscek@cockerboys.com, we don’t give them much attention. The HR manager’s link in the first email leads to a hacked Spanish language website for transvestites in the UK. We don’t make this stuff up folks. Does any of this information inspire confidence in the offer to pay you a minimum of $4500 to work for a “big multinational corporation?” But the point we want to make is that ICANN, that lame international organization governing the Internet’s naming system, is indirectly responsible for all the pain we feel by these work-at-home scams. Read on as we connect the dots to explain why…

15-Good news about job

Check out the next scam email “looking for employees working remotely.” “Most of the work you can do from home, that is, at a distance.” We’re very glad they clarified what work from home means. We couldn’t avoid writing about this email scam because the sender has been bombarding our honeypot email servers with hundreds of these emails over several days! They have many different subject lines (see below) and all have spoofed the “from” email address to be the same as the recipients email address. Very annoying.

16-Looking for employees to work remotely

17-Looking for employees email lists

We opened and analyzed a number of these emails as well as the links they offer to “visit Our Site.” We found that they point to many different hacked websites around the world. For example, the link in the email above points to s1radio.com while the one below points to charlesintltransfer.com.

18-Looking for employees to work remotely2

While there is no question whatsoever that these “work at home” emails are cow-poop scams, the issue is that ICANN has done nothing whatsoever to protect citizens of the world against this kind of threat. For example, both Google and the Zulu URL Risk Analyzer easily identify the s1radio.com website as hacked and hosting malicious content. Keep in mind that this malicious content is hurting real people the world over. And yet ICANN has not created any method to hold domain owners, registrars or proxy services accountable.  Nor have they created any process for easy reporting or removal of malicious domains. They should do a better job of policing the Internet. We have offered suggestions on how the Internet could be made safer. No doubt, smarter people than us can suggest dozens of ways to make the Internet safer to use. But ICANN answers to no one at all. They just don’t care. Or perhaps the criminal gangs pushing out most of these scams have paid off the CEO and executive board? At least the latter would explain why they do nothing impactful to protect the world while they get rich.

19-Looking for employees to work-Google hacked

20-Looking for employees to work -zulu score

If you conduct a Google search of CharlesIntTransfer.com Google shows many suspicious links being hosted on their webserver, including Google itself informing you that “this website may be hacked.” Once again, why can’t ICANN have a process in which domains reported as hosting malcious content by two or three trusted security services are automatically taken down? That is a very important question! ICANN holds all the power to the world’s domain naming system but does nothing to protect us. In our opinion, either the leaders of ICANN are stupid and don’t deserve to hold their positions, or they are being paid off by criminals. In either case, we all lose.

FOR YOUR SAFETY: Document Copies, Financial Report Attached

We have repeatedly warned readers about emails containing zip files, such as the two below. Zip files are compressed files whose contents are hidden until the file is open. Leo Notenboom of AskLeo.com did a great job describing the dangers of zip files in his 2014 article “Why Spammers Love Zip Files…”

 

 

22-Financial report attached

 

ON THE LIGHTER SIDE: U.S. Department of Homeland Security

You know it’s a good day when someone from the U.S. Department of Homeland Security and also a Director of the “State Miliary Department Washington Military Dept.” (kinda like the Department of Redundancy Department) sends you an email that begins with “Good Day To You My Dear.”

 

From: bayon@speedy.com.ar
Time:  2016-07-01 05:36:00
Subject:          U.S. DEPARTMENT OF HOMELAND SECURITY,MG

U.S. DEPARTMENT OF HOMELAND SECURITY,MG Timothy J. Lowenbrau, Adjutant General and Director State Military Department Washington Military Dept., Bldg1 Camp Murry, Wash 98430-5000 USA.

Good Day To You My Dear: ,

I hope this email finds you in good spirit and in good health? because i am quite aware of your losses in the past years now through this security office intelligent track devices, it may surprise you that i am also aware of your Consignment Boxes Pursuit In Benin, Ghana, Togo, Nigeria, Spain, France, Malaysia, Indonesia, China, Korea and etc .My name Is Supp. Pullman Neapolitan,the secretary of U.S Department Of Homeland Security , i am in charge to monitor all Foreign Transactions In Africa Europe And Asia and this kept me in constantly traveling round the world.

I have been in The U.S Department Of Homeland Security Secret Service now since The Government of President Barack Obama, monitoring the various transactions going on in Africa, Europe And Asia, most especially Consignments Cases, A.T.M Card Cases And Bank Transfer. I do not intend to spoil your day or to put you under duress.

But you can not receive any of your Consignments Boxes, A.T.M Card And Bank Transfer pursuit, without a Clearance from this U.S Department Of Homeland Security. However, upon my arrival in Benin Republic after series of meetings with our President Barack Obama and United Nations Secretary General Ban Ki-Moon, due to numerous complains from other Security Agencies from Africa Asia, Europe, Oceania, Antarctica,South America And The United States Of America Respectively, and against the Benin Government and Nigeria over the rate of Scam/Fraudulent Activities going on in these Africa Countries and around the World.

When i arrive in the Benin Parliament in Cotonou and going through all cases of unpaid funds, i found your Consignment Box Clearance File lying on the Foreign Affair Office Desk without any attention and on a thorough scrutiny, i discovered that your Consignment have been abandoned by your delivery agent. Meanwhile, i was made to understand that the Foreign Affair Office have tried to reach to you, but no way and they have made several attempts to contact your delivery agent but to no avail.

To my greatest surprise, during my recent routine Re-Checking, i personally discovered that your Consignment Content Declaration Document (C.C.D.D)stated that your Consignment Contains Personal Effects meanwhile, it contains United States Dollar Cash Us$40 Million Dollars, (Forty Million United States Dollars) which made it impossible for the Consignment to be delivered to you earlier before now.

Based on this personal discovery, i am contacting you now to let you know that with my position and power as the secretary of U.S Department Of Homeland Security and now i am presently here in Benin Republic to handle this matter of all unpaid foreign payment to their respective owners like you, i can assist you to legally clear your Consignment Funds and personally make the shipment to you on my traveling back, but you must agree with the following conditions. Because i have called our office in Washington,Dc from here in Benin, who has been intercepting all your E-Mail Communications, telephone Text/Sms messages & all telephone Calls, with the help of Mtn, Tigo Vodafone And Airtel Network Benin.

I also received some information from our Homeland Security Office representing here in Benin Republic, they have confirmed about your emails, & other communications that you have been dealing and sending Money to people in Benin, Ghana, South Africa, Togo, Nigeria , UK & etc who claims to be the Western Union Directors and representative of other unofficial offices. You are also dealing with a Bank, and other names which i am still waiting to be forwarded to me from Our Office In Washington,Dc. My office authority have monitored all your dealings with those Hoodlums.

You are advice to from hence fort stop further dealings with all the above mentioned people, until we complete our investigation. Because your dealing with them is termed as illegal transaction. I wish to inform you that we the Homeland Security is on look out for all the above mentioned names, mostly those who claims to be the director of West African Debt settlement, Western Union And Money Gram And A.T.M Card offices and including the property recovery Benin. All these mentioned people are imposters, and we intend to apprehend them soon.

I want you to please stop communicating, and dealing with them until we complete our investigation. I wish to notify you about the latest development concerning your Consignment Box content of your total USD$40 Million that was already handed over to me today. Your Consignment Box content of your total USD$40 Million was assigned to me today after the meeting held between me and some of the top Parliament members of Benin and the Foreign Affair Minister in the Benin Capital Commercial Headquarters Cotonou, due to the delay by you as nobody has haired from you to receive your Consignment Box For Long time now.

Accordingly, we have waived away all your Consignment Box “Clearance Fees” and authorized the Government of Benin Republic to allow me fly with this your approved Consignment Box to make the delivery to you without any delay which they have agreed. The only Fee you will Pay to confirm Your Consignment Box received in your possession is the “Air Flight Weight Fee” of your Consignment Box which is the sum of $175 USD.

In order words your Briefcase is with me now and i shall be coming to your country to make the delivery to you as soon as you sent me your below shipping details/Address where you will want your consignment be deliver to you.

Your Full Name: ………
Your Full Address: ……
Your Direct Telephone Numbers: ………….

Preferably, you can send us your Mobile Phone number to enable an urgent direct contact with you hence the arrival in your city.

Hence i hear from you also with the MTCN Numbers for the fee payment of the Air Flight Weight Fee of your Consignment Box which is the sum of $175USD, then, i will be coming along with your Consignment Briefcase Box content of your USD$40Million, but remember that as the secretary of The Department Of Homeland Security United States Of America, i am a Us Government Secret Security Agent and i have the power to go through any Airport Customs and security Agents without personal inspection or inspecting what i carry along.

And as soon as i arrive in your state, i will give you a telephone call and instantly send an email to you from my official Ipad Hand Computer which is always with me while traveling around the world so that you will give me a direction on how we can meet Face to Face and i will physically hand over your Consignment Box to you before proceeding back to to my official duty Post in the States.

As soon as i arrive, i shall call you on your Telephone Number following an email to you then when you immediately respond, i will Meet you in person, hand over your Consignment Box to you and all these will end once and for all now.

I have taken this assignment upon myself because i understand that you have really paid so much on the cost of these Delivery which i want to stop now, because, nothing was received by you. So be advised to contact me hence immediately you get this email now because, every thing has been done ok.

Once you send the money, try to immediately notify me with the Mtcn for easy pick up and for the immediate action on the delivery of your Consignment Box,for you to receive your Funds without any further delay Again . Since you was unable to receive it since .

Send the fee of $175 USD via Money Gram Transfer using the below stated receivers name and information.

Receiver’s Name:………KENDO   AMEKA
Country:. . . . . . . . . .Benin Republic
City:. . . . . . . . . . . . Cotonou
Amount:. . . . . .. . . . . . . . . . . . . . . . .USD$175 USD
Mtcn:. . . . . . . . . .
Sender’s Name . . . .
Sender’s Address. . .

As soon as you send the fee, make sure that you send me the MTCN numbers, senders name and other payment information.Once you send the Money, Try to immediately notify me with the Mtcn for confirmation and for the immediate action on the shipping of your Consignment and its Handing over to you. Also you are to forward to us any email that you have been receiving from people for proper verification and investigation before you deal with them okay.

I have a very limited time to stay here so i Will like you to urgently respond to this email message with the fee payment MTCN Numbers ok , my dear, this is the opportunity for you and you have to urgently comply so that your Box shall be deliver to you at your designated address. But remember that after (Some Days) you did not make the Payment, then i Will have not other option than to regard your funds as unclaim and divert it to Us Government Reserve Fund or to Benin Government Treasury. Please treat this as a matter of urgency.

Sincerely Yours,

SUPP. INTELLIGENCY GENERAL,NAPOLITANO SHULLMAN
SECRETARY OF THE DEPARTMENT OF HOMELAND SECURITY USA .

Temporary Tel: + 229 68009122.
Email;(embassyuniited@yahoo.com)
From The U.S Department Of Homeland Security.


Until next week, surf safely.