

June 1, 2016

THE WEEK IN REVIEW

Last week we showed our readers many email subject lines being used to trick recipients into opening and downloading malicious zip files. That scam campaign has continued this week, and the attached zip files are still meant to infect computers. Check out the subject lines we saw this past week….

1-list of malicious emails  1a-List of Account Compromised malicious emails


We have also recently reported on fake invoice emails sent to businesses with malware attached. These malicious emails have continued as well. Keep a healthy dose of skepticism when opening emails from unknown senders! And when in doubt, never click, download, or open attached files without consulting someone trained to recognize or investigate malicious emails.

2-List of malicious invoice emails

Sample Scam Subject Lines:

Breaking_News Report Sunday (Must READ)

Explore Car Insurance Quotes Listings

Find Savings on Toilet Paper

Fix Your Back Pain

Forgiveness Programs

Fox News Breaking News – Donald Trump Drops Out of Presidential Race

Fly Anywhere on your Own Time

Low Monthly Payment

My fat sister looks better than you

Sell Your Timeshare Now!

Summer Swimsuits | Find Online

Tax free funds available for senior homeowners

Transform Your iPad Into a Laptop Replacement

Sample Scam Email Addresses:

adhdcenter@ahedout.top

admin@carecreditapproved.com

care@getsmaarterr.com

Cash4caroption@casfrcar.bid

care@probraintopics.com

cookingclasses@culinschool.bid

Homewarrantyspecial@homewarrenty.bid

Homeremodelingestimates@remodgett.bid

keywestfamilytravel@vackeyyy.top

LongTermCarRentals@carrentaldesign.gdn

LuxuryVacationCharters@yatchpriv.download

medicaid@champion.kusid.us

PersonalLifeCoaching@lifecertific.top


Phish NETS: Mailbox Quota is Full

Once again, phishers have turned their attention to PayPal, one of the most frequently and longest phished financial services in the world. We recently found two seemingly unrelated phishing attacks against PayPal account holders but cannot be certain whether they come from the same criminal group or are simply a coincidence of timing. You be the judge…

The first PayPal phishing scam is a joke if you take the time to read it. “Your Account has limitation!” “It looks like someone else may have acces to your account, so we’ve temporarily locked it to your personal informations in safe.” English is clearly not their strong suit. But what they lack in grammar skills they make up for in effort. The link “Restore Now” points to Google’s shortening service goo.gl. We think they chose it because Google’s shortener uses https, so the link shows a padlock in your web browser and, just as usefully for the phisher, hides the real destination behind a reputable domain.


Folks may think that the https means their login is safe, but it only means that your connection to the shortener is encrypted; it says nothing about where the redirect will send you or who runs that site. Unless you unshorten the link first, you have no idea where you will be sent across the Internet until you arrive. We used the service URLEX.org to unshorten it. Much to our surprise the goo.gl /xhuC2v link pointed to another https site, this one in Poland (2-letter country code .pl): d-partner.pl /customer-support-center/
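Here is how to do the unshortening yourself instead of trusting a third-party web service. This is an added example, not code from the original article or from URLEX.org: it issues one HEAD request per hop without following redirects, records the scheme, host and TLD of every hop, and reports the two things the padlock does not tell you (whether every hop was https, and whether the host changed along the way). The stub that replays the goo.gl to d-partner.pl hop is constructed so the example runs offline; the 302 status in it is an assumption, since the shortener’s actual response was not recorded. Swap stub_fetch for http_head to check a live link.

```python
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_head(url, timeout=10):
    """Issue a single HEAD request and return (status, Location header).

    Redirects are deliberately NOT followed: the point is to see every
    hop rather than just land on the final page.
    """
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_chain(url, fetch=http_head, max_hops=10):
    """Return every URL visited from `url` to the final non-redirecting page."""
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(current, location)  # a Location header may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    raise ValueError("more than %d redirects" % max_hops)


def summarize(chain):
    """Per-hop scheme/host/TLD plus the facts a padlock icon does not convey."""
    hops = []
    for u in chain:
        p = urlparse(u)
        host = p.hostname or ""
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        hops.append({"url": u, "scheme": p.scheme, "host": host, "tld": tld})
    return {
        "hops": hops,
        "all_https": all(h["scheme"] == "https" for h in hops),
        "host_changed": len({h["host"] for h in hops}) > 1,
        "final_host": hops[-1]["host"],
    }


# Constructed stub standing in for the network. It replays the single hop the
# article describes (goo.gl/xhuC2v -> d-partner.pl); the 302 is an assumption.
STUB_RESPONSES = {
    "https://goo.gl/xhuC2v": (302, "https://d-partner.pl/customer-support-center/"),
    "https://d-partner.pl/customer-support-center/": (200, None),
}


def stub_fetch(url):
    return STUB_RESPONSES[url]


if __name__ == "__main__":
    # Offline demonstration; use fetch=http_head against a live link.
    info = summarize(resolve_chain("https://goo.gl/xhuC2v", fetch=stub_fetch))
    for hop in info["hops"]:
        print("%-5s %-20s .%s" % (hop["scheme"], hop["host"], hop["tld"]))
    print("all https:", info["all_https"], "| host changed:", info["host_changed"])
```

Both hops come back https, which is exactly the point: the encryption never lapses, yet the link has crossed from a Google domain to a .pl site that has nothing to do with PayPal. The loop check matters in practice, because some shorteners and ad trackers bounce through several hosts and a careless resolver will spin forever.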


It turns out that d-partner.pl had been compromised and was hosting a phishing page designed to look like a PayPal login. We found a report from a user named “Jangene” on Zone-h.org, an archive of website defacements, showing that d-partner.pl had been reported as hacked as early as April 22, 2016. Take a look at the web page pretending to be a PayPal login waiting for you in Poland:

5-Phish-Paypal payment sent login

And on the same day came this second PayPal scam. This one is much cleverer in the way it manipulates the recipient into handing over his or her login credentials. An email arrives from Payment@service.com (obviously not PayPal.com, and since a “From” address is trivially forged, service.com most likely had nothing to do with it either) to inform you that you sent a payment of $428 to a merchant called BS Group. The message headers show it was actually sent through an internet service company in Alegre, Brazil called Undercloud.net. The email then helpfully offers: “Issues with this transaction?” “Problem? Go to your account. Login Here.”

We would certainly have a problem being told we had just sent $428 to someone we hadn’t! The “Login Here” link doesn’t lead to PayPal, though. It points to a domain called cgi-paylimitedsolution.com, registered through a privacy proxy service in Australia on the very day the email was sent. Sound like PayPal to you? Delete!

The last phish to swim into our traps was a common fake webmail account email. “Your mail-box Quota is almost full. You will not be able to receive emails…” If you read it carefully you’ll notice that the English grammar is poor, suggesting that English was not the sender’s primary language.

What we found most disturbing about this phishing scam was not the attempt to phish your webmail login but where the phishing page lives. A mouse-over of the link CLICK HERE shows that it leads to owssdw-dot-jimdo-dot-com. Jimdo.com is a web hosting service in Hamburg, Germany that offers free web pages, and every free site it creates gets its own subdomain of jimdo.com. Nothing was hacked here: the scammers simply signed up for a free site named owssdw and uploaded their fake login page. That should make the abuse easy to catch from the host’s side (every subdomain is an account the host created on request), which is exactly why free-hosting providers need to watch what new accounts publish, and why you should be suspicious of any “mailbox upgrade” page living on a free site builder.

Can you figure out where the email came from? The 2-letter country code at the end of the “From” address is easy on this one.

7-Phish-mailbox quota is full

Your Money: Discount Coffee Coupons, Home Depot Affordable Windows, and Cable/Internet Packages

“Start your day off with a fresh cup of roast and browse coffee coupons…” The email came from info@mycomplimentarycoffee.com, and the domain mycomplimentarycoffee.com was registered to someone named “Admin Account” from Dubuque, Iowa on May 23, the day the email was sent. We couldn’t help but notice the large black boxy area at the bottom of the email. Of course we dragged our cursor through it and found a lot of hidden text, black on black, meant to get the email past antispam filters: junk words that dilute the message’s spam fingerprint while staying invisible to the reader. That hidden text alone identifies this as spam at best. A Google search for the domain only turns up links on other scam-reporting sites identifying the same scam email. Read the “unsubscribe” message just above the black box. Scammers will deliberately mangle phrases and spelling to slip past spam filters, and their unsubscribe message below is classic!

Delete!


This email from windows@windowplacement.com is meant to look like a promotion from The Home Depot for “Stylish and Affordable New Windows!” but it is malicious junk. The 19-digit Home Depot store number made us smile, though. Does Home Depot really use them? “Please Confirm Your Details” points to the domain windowplacement.com, not HomeDepot.com. Does Home Depot own this domain name, we might ask? No! It’s owned by our newest best scammer friend, “Judy Santiago!” We’ve written about Judy several times now and the scam domains registered in her name. This one is being hosted in the Netherlands. Now we all say…

How about an email telling you that you can save money by comparing various cable and Internet packages, like this one? We’ve already demonstrated to readers in previous newsletters that the company called “Lemon Juice” is a bogus front for the criminal gangs that push out this junk. Our only question is why the Registrars themselves can’t see that they are being used by criminals to harm netizens of the world. Hmmmmm…. Could it be because the Registrars make lots of money from the scammers who use their services?


TOP STORY: Deception is Easy in the Wild West of the Internet

The Internet is like the old Wild West at a time when any laws meant to protect citizens were completely unenforceable. People literally, and figuratively, got away with murder. Few laws extend to the World Wide Web, and what few there are, are largely ineffective. To make matters worse, the Internet Corporation for Assigned Names and Numbers (ICANN, the governing body that sets and safeguards the rules for creating and using domain names) refuses to make any meaningful changes to protect netizens or hold the Registrars accountable. So criminals continue to perpetrate fraud like the three samples below. (Read our article How to Make the Internet Safer for Everyone.)

Our first deception contains no links to malicious websites and no attached malware. It claims to offer “in house workshops” for managers and team leaders to build strategic plans that improve team performance. The trainer is hailed as the founder of a productivity and consulting company, publisher of books used in over 70% of Australia’s companies, and capable of unlocking people’s potential. Faster than a speeding bullet. More powerful than a locomotive! But who is this greater-than-God trainer? We don’t know. He is not mentioned by name in the email. We are simply told to respond by emailing Harold@mail3. wecometoyoutrainingworkshops.com. (In our opinion they lost points on the lackluster domain they chose to represent this consulting guru. WeComeToYouTrainingWorkshops.com?!)

We ran a WHOIS lookup on that lackluster domain and discovered that it was registered on May 25, just two days before the email was sent, by a registrant named “Michelle Caneva” from Mumbai, India. And yet the email came from amaunder@acay.com.au (.au = Australia). Stranger still, Acay.com.au belongs to an Australian company that helps citizens meet their insurance needs. Is this email starting to smell like rotten fish? We were intrigued enough to peek under the hood at the message headers and learned that the email was actually sent from a server in Huzhou, China. Lies, lies, lies!


Your Credit Score ‘No Cost’. Yes Really. Easily see your credit in seconds. No strings attached.

Might this email have your attention? It came from report@updatedbureauscore.com, and the links lead back to the same domain, updatedbureauscore.com. We spotted it as a scam the moment we saw the large unexplained black box at the bottom of the email. We dragged our cursor through it and revealed a lot of tiny hidden black text about Australian social policies. Of course we had to check a WHOIS now! It told us that the domain was registered on May 26 (big surprise) to “Admin Account” from Dubuque, Iowa, the same registrant name we saw on the coffee-coupon domain above, and that the website is being hosted in Amsterdam, the Netherlands. Think about the kind of information you’ll be asked for in order to get your “free” credit score. Are you willing to hand it to this shady enterprise? Lies and deceit!
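The two tells described on this page, a link whose mouse-over destination is not the brand the email claims to be (the webmail “CLICK HERE” and PayPal “Login Here” links above) and a block of text hidden from the reader by colour or size (the black boxes in the coffee-coupon and credit-score emails), can both be pulled out of an email’s HTML automatically. The code below is an added example written for this page, not a tool from the original article; it uses only Python’s standard library. The sample message it parses is constructed to combine those traits and is not a captured email, and the expected-domain check is deliberately strict: a host is accepted only if it is the expected domain or a subdomain of it, so paypal.com buried inside some other registered domain does not pass.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}
NAMED_COLORS = {"black": "#000000", "white": "#ffffff"}


def _parse_style(style):
    """'color:#000; font-size: 1px' -> {'color': '#000', 'font-size': '1px'}"""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def _color(value):
    """Normalise '#000', 'black' and '#000000' to one spelling so they compare equal."""
    if not value:
        return None
    v = NAMED_COLORS.get(value, value)
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    return "#" + "".join(c * 2 for c in m.group(1)) if m else v


def _is_hidden(style):
    """True when the effective (inherited) style makes text invisible to a human."""
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return True
    m = re.match(r"([\d.]+)\s*(px|pt)", style.get("font-size", ""))
    if m and float(m.group(1)) <= 1:
        return True
    fg = _color(style.get("color"))
    bg = _color(style.get("background-color") or style.get("background"))
    return fg is not None and fg == bg


class EmailAuditor(HTMLParser):
    """Collect (visible text, href) for every link and every hidden text run."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.hidden = []
        self._styles = []   # inline-style dict for each open element
        self._link = None   # [href, text fragments] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:          # <br>, <img> never get a closing tag
            return
        attrs = dict(attrs)
        self._styles.append(_parse_style(attrs.get("style")))
        if tag == "a":
            self._link = [attrs.get("href", ""), []]

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._styles:
            self._styles.pop()
        if tag == "a" and self._link is not None:
            href, parts = self._link
            self.links.append((" ".join("".join(parts).split()), href))
            self._link = None

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        if self._link is not None:
            self._link[1].append(data)
        effective = {}
        for st in self._styles:       # children override ancestors
            effective.update(st)
        if _is_hidden(effective):
            self.hidden.append(text)


def audit(html, expected_domain):
    """Return hidden text runs and links whose host is not under expected_domain."""
    p = EmailAuditor()
    p.feed(html)
    p.close()
    expected = expected_domain.lower()
    offsite = []
    for text, href in p.links:
        host = (urlparse(href).hostname or "").lower()
        if host != expected and not host.endswith("." + expected):
            offsite.append((text, href, host))
    return {"hidden": p.hidden, "offsite_links": offsite}


# Constructed sample, not a captured message: it combines the traits the
# article describes (a free-host 'CLICK HERE' link, a PayPal 'Login Here'
# link to an unrelated domain, and a black-on-black box of filler text).
SAMPLE_EMAIL = """
<html><body>
<p>Your mail-box Quota is almost full. You will not be able to receive emails.</p>
<p><a href="http://owssdw.jimdo.com/">CLICK HERE</a> to upgrade your mailbox.</p>
<p>Issues with this transaction? <a href="http://cgi-paylimitedsolution.com/">Login Here</a></p>
<p>Need help? Visit <a href="https://www.paypal.com/">www.paypal.com</a>.</p>
<div style="color:#000; background-color:black">
  filler about Australian social policies to dilute the spam signature
</div>
<p style="font-size:1px">more filler in a font too small to read</p>
</body></html>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_EMAIL, "paypal.com")
    for text, href, host in report["offsite_links"]:
        print("OFFSITE  %-12s -> %s" % (text, host))
    for run in report["hidden"]:
        print("HIDDEN   %s" % run)
```

Run against the sample, the audit flags the two links that leave paypal.com (owssdw.jimdo.com and cgi-paylimitedsolution.com) and recovers both hidden runs, exactly what dragging a cursor through the black box reveals by hand. Real spam also hides filler in a stylesheet class or an image alt attribute, which this inline-style check does not cover; treating any non-trivial run of invisible text as a spam indicator is still the right default.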

13-Your credit score at no cost

Finally we bring you a cure for diabetes. That’s right. Diabetes has been cured! At least so says the breaking news on CNN from the well-known and respected Dr. Sanjay Gupta. Except it is all a lie. CNN did not publish this news. Dr. Gupta never made these claims and didn’t authorize this email. The email was sent from info@liieexpossed.com (the domain looks like “lie exposed”, ironically enough), and the link “Dr. Sanjay Gupta: Eradicate Your Diabetes for Good” leads back to this domain.

And who registered liieexpossed.com, you ask? It was registered on May 26 by none other than “Judy Santiago!” Judy has been very, very busy! According to DomainBigData.com, she has registered nearly 3000 domains, hundreds of them most recently through Enom.com. Are we to believe that not a single person has ever reported Judy Santiago’s nearly 3000 fraudulent domains to Enom or any other registrar? The ability of ICANN and the Registrars to offer the world any sense of protection is pitiful. It is still a wild, wild west. Where’s the Marshal when you need one?

Delete.

14-Cure for Diabetes released today


FOR YOUR SAFETY: News, Your Package, and Your Fax

Would you have clicked this link to rockinghorsegifts.com after the note “I’ve just read some interesting news about our friend, just look at him, he is a star!”? The email seems to have come from the University of the Arts, Sciences and Communication in Santiago, Chile (UNIACC.edu).

15-News-link to rockinghorsegifts

How safe is the link that “Torrey” sent you to click? According to the Zulu Online URL risk analyzer, not very safe…

16-News-rockinghorsegifts zuluscore

“Your package will be delivered in the shortest time possible. The tracking number is #74580258. In addition, you can find all the other information regarding your order in the file enclosed. Thanks.” Oh, and did we mention that the attached zip file carries malware meant to infect your computer?

Delete!

17-Your package will be delivered

You have received a new fax. And it’s 51 pages long! Actually what you’ve received is a new computer infection with the long criminal arm ready to reach into your personal information and finances.

18-Your received a new fax

ON THE LIGHTER SIDE: Delivery of Your Debit Card

Credibility is so important online and so hard to find! That’s why we were thrilled to receive this email from Tunisia (2-letter country code = .tn) about our Debit Card. Anyone with email addresses like these must be the real deal, don’t you think?

FastTrackCourierExpress06@gmail.com

ATMMastercardDeliveryService@gmail.com

ATMDeliveryDoorToDoorstep@gmail.com


We put that darn card down somewhere like the kitchen counter and it just disappeared. Amazing how it ended up in Tunisia isn’t it?


Until next week, surf safely!