June 15, 2016

THE WEEK IN REVIEW

We have sometimes thought that one or more of our subscribers may be associated with the criminal gangs who push out the bulk of the scams and malicious emails that target the world. It’s not that we think ourselves so important in the effort to educate netizens against their threats. On the contrary, we’re a little fish in a huge ocean. However, we have seen some very unusual cause and effect during nearly two years of reporting on scams. Like this recent one…

We often show readers how spammers and scammers hide text in the body of an email, hoping that it helps to legitimize the email and pass it through antispam filters. In fact, in our May 18th Newsletter we made this our top story and titled it “Exposing Scams and Spam Through Hidden Text.” Soon after this story we began to notice lots of malicious emails containing large amounts of colored empty space underneath the content graphics of the scam email. We dragged our cursor through the empty space expecting to find hidden text, but there was nothing. After seeing many of these types of emails over a couple of weeks we got suspicious and decided to dig deeper into the code that was used to create these emails. Guess what we found? LOTS of random hidden text meant to fool antispam servers. But the criminal gangs had figured out a different way to code the email so that readers cannot expose it by dragging their cursor through the hidden text! It was very cleverly done. (See the Pet Insurance email below in the Your Money column.) So, to our point: might the criminal gangs be learning from our suggestions to readers on how to recognize malicious emails? We know they have been trying to shut us down for two years. But we’re still here.

Dear Criminals, we would like to interview you! Send us an email at interview@thedailyscam.com and let’s arrange it!

Another reminder to our readers… Criminals continue to send out thousands of malicious email invitations to women (and men) disguised to look like they come from the real but questionable organization called the International Women’s Leadership Association (IWLA). We have reported several times on the value of this organization. But this email below, for example, didn’t come from the real IWLA. It is a malicious mimic, meant to do harm.

 

 

 

Read our newest feature article… Personal Assistant & Fake Check Employment Scam… and read how a very smart college student realized it was a scam and tricked the scammer into believing he had a new victim!

 Sample Scam Subject Lines:

Find Cancer Treatment here

Get a free quote from Terminix and get 50 off

Get Hepatitis Treatment Options

Happy grilling!

Here is a thanks from Home Depot

How to recondition rechargeable batteries

Injured? Claim Compensation for Your Injuries

Interested in Drones? Find Online Products

Perfect Gift for Dad!

Shocking: Apple Macbook Pro for as low as $23.46? Learn How!

TODAY: Kindle Fires for $24.68? Learn How Now!

Trump Explodes on Sunday Morning Talk Show (Video)

Weekend Getaway for Couples

Sample Scam Email Addresses:

AmazingBotox@w5c-kz.download

AsthmaTreatment@e6j-2p.download

AutoRepair@7ka-9i.download

CheapDentalInsurance@kf8-on.download

GroceryCoupons@zgw-xy.download

HepatitisTreatment@kok-9u.download

inflammatorybowlresources@disesrelif.download

Laser-EyeCare@u92-98.download

Moving-companies@mu1-ip.download

NewRoofingDeals@5pg-l8.download

portablegenerators@portgent.top

rentersinsuranceoptions@rennteer.download

Windows@newerwiindows.com

 

 

 

Phish NETS: PayPal, Blockchain for Bitcoins, and iCloud accounts

We received two PayPal phishing scams of different designs. Fortunately, an easy mouse-over of the links reveals that they don’t lead back to PayPal.com. The first phish below leads to an odd website called budoassociation.be (2-letter country code .be = Belgium). Google finds this website but offers remarkably little information about it. It certainly isn’t PayPal. And the email appears to have come from no-reply.com, not PayPal.com. However, if you want a good laugh, carefully read the paragraph that follows “Your Account Will Be Closed.” Notice the use of a mistaken homonym? Hear you go…

2-Phish-Paypal

Or how about this email from noreply@ibiol.ro? Can you figure out the 2-letter country code? (See below.) “Re: Important Notice. Unusual activity in your PayPal account.” We especially love how it offers an explanation of how to determine whether PayPal emails are real or phishing. Trust us, this is a smelly phish! A mouse-over of the link points to a shortened URL created on bit.ly. We unshortened it using Unshorten.it and discovered that it points to a very clever and complex domain called com-webscr.com, but the complete subdomain and domain together are:

Secuire-signin.paypcl.com-webscr.com

Can you see the attempt to say “Secure signin” and the spelling of paypcl.com to look like paypal.com?

Delete!
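The check described above can be automated. The following is an added example, not part of the original newsletter: it finds the name that was actually registered and flags brand lookalikes in the rest of the hostname. The short suffix set stands in for the full Public Suffix List, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, limited to suffixes
# that appear in this newsletter. A real checker would load the full list.
SUFFIXES = {"com", "be", "ro", "top", "download", "co.uk"}

def registrable_domain(host):
    """Return public suffix plus one label: the name someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest matching suffix wins
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return None

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_link(link, brand_domain):
    """Compare where a link really goes with the brand the email claims to be."""
    host = urlsplit(link if "//" in link else "//" + link).hostname or ""
    reg = registrable_domain(host)
    if reg == brand_domain:
        return reg, []
    findings = ["registrable domain is %s, not %s" % (reg, brand_domain)]
    brand = brand_domain.split(".")[0]
    for label in host.split("."):
        for part in label.split("-"):
            d = edit_distance(part, brand)
            if d == 0:
                findings.append("brand name used as a decoy in label '%s'" % label)
            elif d == 1:
                findings.append("'%s' is one letter away from '%s'" % (part, brand))
    return reg, findings

if __name__ == "__main__":
    # Hostname quoted in the newsletter; the second link is a constructed benign case.
    for link in ("Secuire-signin.paypcl.com-webscr.com", "https://www.paypal.com/signin"):
        print(link, "->", assess_link(link, "paypal.com"))
```

Everything to the left of the registered name is chosen freely by whoever controls it, which is why the hostname can contain words like "signin" and a near-copy of "paypal" and still belong to com-webscr.com.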

3-Phish-Paypal2

 

 

(2-Letter country code .ro = Romania)

We also found this very unusual phish sent from an address in Belgium for a service called Blockchain. “Technical services of Blockchain are carrying out a planned software upgrade. We earnestly ask you to visit the following link to start the procedure of confirmation on customers data.” But the link leads to a website in Brazil, not to Blockchain.com. (We had no idea what Blockchain was and had to look it up. It turns out to be a banking service that uses bitcoins!)

5-Phish-Blockchain for bitcoins

Finally, we wanted to leave you with this obvious phish pretending to offer a link to your iCloud account. The email didn’t come from Apple but from Support@disabled.com and a mouse-over of the link points to another shortened URL on bit.ly, not Apple or iCloud. Also, the English grammar is very poor.

Delete!

6-Phish-iCloud account

Your Money: Coupons for Dining Out, Compare Plumber Services, and Pet Insurance

We don’t know anyone who doesn’t enjoy going out to dinner! “Treat yourself to a nice dinner” says the email from the domain enjoycopn.top, an obvious misspelling of enjoycoupon. Recipients who click on that link won’t be enjoying anything. This is just another social engineering trick to click a malicious link! Hopefully our longtime readers will recognize the bogus company Lemon Juice, Houston, Texas listed at the bottom of the email. We’ve reported on this fake company many times, starting in our March 30 newsletter.

Ever needed a plumber? We have and would love to compare services easily. But this isn’t the way to do it. The domain ausivert.download was registered using Alpnames on the day the email was sent by someone identified as “Singbol Sodimes” from Futurebright Solutions, Grandville, MI. Futurebright Solutions is another bogus company we’ve exposed many times.

Just delete!

 

We love our pets! They love us back and we want to take care of them but this is not how to go about it. “Explore Pet Insurance Solutions” The links in this malicious email lead to the strange domain ko-mj2.download. It was registered through Alpnames on the same day the email was sent by someone named Dianne Zubia from Manchester, Great Britain. The website is being hosted in Denmark.

 

We mentioned in our opening paragraphs that the criminals who send us these threats have figured out how to drop hidden text into an email so that it can’t be revealed unless you dig into the code itself. See the 5 inches of red space under the Pet Insurance graphic? We couldn’t reveal any text there. But look what we found in that location when we cracked into the code…

Now we all say deeeeleeeete!

10-Explore pet insurance -hidden text
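Digging into the code for hidden text can also be done by a script. This is an added example, not part of the original newsletter: it walks an email's HTML and separates text a reader can see from text inside elements styled to be invisible. The newsletter does not say which coding trick the senders used, so the style rules checked here are common hiding methods chosen as assumptions, and the sample email is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: inline-style rules commonly used to make text invisible.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(px|pt|em|%)?\s*(;|$)"
    r"|opacity\s*:\s*0(\.0+)?\s*(;|$)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no closing tag

class HiddenTextFinder(HTMLParser):
    """Track, per open element, whether it or any ancestor is styled as hidden."""
    def __init__(self):
        super().__init__()
        self.stack, self.hidden, self.visible = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or bool(HIDING.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            in_hidden = bool(self.stack) and self.stack[-1]
            (self.hidden if in_hidden else self.visible).append(text)

def hidden_text_report(html):
    """Return the hidden and visible text plus the share of characters hidden."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    hidden, visible = " ".join(finder.hidden), " ".join(finder.visible)
    total = len(hidden) + len(visible)
    return {"hidden": hidden, "visible": visible,
            "hidden_ratio": round(len(hidden) / total, 2) if total else 0.0}

# Constructed sample: a colored block whose only content is zero-size filler words.
SAMPLE = """<html><body><p>Explore Pet Insurance Solutions</p>
<div style="background-color:red; height:480px">
  <span style="font-size:0px">lantern orbit maple <b>quartz</b> velvet</span>
</div><p style="opacity:0.5">Unsubscribe</p></body></html>"""

if __name__ == "__main__":
    print(hidden_text_report(SAMPLE))
```

The parser assumes well-formed markup with matching closing tags; a message with a large hidden share and unrelated filler words deserves a closer look.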

 

 

 

TOP STORY: Congratulations! You won! You are the Right Fit! Claim Your Prize from the UK National Lottery!

Experience has taught us that there are many people using digital forms of communication who are very gullible and at risk of being taken advantage of. It pains us to agree with P.T. Barnum, but “a sucker is born every minute.” That’s why there is an endless stream of donkey-do-do emails like these that fill everyone’s inbox. Do you know someone who might be naïve enough to fall for these? Send them this email. Help them sign up for our weekly newsletter!

CONGRATULATIONS YOU WON! YOU WON! Claim your FREE prize right now! …says the email from info@renewskinnow.com. Look up the domain renewskinnow.com in Google and you’ll see many links about fake emails, spam and blacklisting of that domain.

“My name is Alisha Honeyman, I looked at your profile on the LinkedIn, and I guess you can be a proper fit for the job opportunity opening which we now have in your area.” Wasn’t that said with conviction? “…I guess you can be a proper fit?” If you’re going to scam me, at least do a better job of boosting my ego! The link leads to the download of a malicious Word document posted on Microsoft’s service Livefilestore.com.

Delete.

Mr. John Maloney sent us an email with the subject “UK National Lottery, View Attached File And Claim Your Prize.” The attached file is a pdf. How dangerous can a pdf file possibly be? Think REALLY BAD! We uploaded that pdf to VirusTotal.com to evaluate. Sixteen services identified the file as malicious! (See below.)

13-UK National Lottery-claim your prize

14-UK National Lottery-pdf trojan

FOR YOUR SAFETY: Contract Attached, Read the Attached File

Attached files are so terribly risky. It doesn’t matter if they are Word docs, Excel spreadsheets or pdf files as noted above. They can all contain malicious code, and zip files are especially risky. Below are two recent examples of attached nastiness. The sender of the first says the “Contract” is attached. The second is very dangerous because it came from the hacked email account of an architectural firm and was sent to its clients along with a malicious Word document.

 

 

16-Read the attachment-Dear friend Word doc

 

ON THE LIGHTER SIDE: Still Single and Willing to Marry

We’re very excited about this email from Ms. Ritamary Bimbo from the Kingdom of Lebanon. (Although we’re confused that the email was sent from a “Mrs Veronica Bright” using Yahoo in India.) Not just because she has deposited more than $30 million dollars in a “Bank House close” to us, but because she’s “Still single and willing to marry.” We’ve got single sons! Perhaps we can make an arrangement?

 

From:  mrsveronicabright@yahoo.in
Time:   2016-06-10 21:01:08

Subject: RE: PRE-ADVICE IN REGUARDS TO YOUR INVESTMENT ADVERT AND YOUR PAYMENT NOTIFICATION.

Re: My Investment Project

Dear Beloved,

I am looking for your cooperation in building a Tourist Hotel/shopping Mall/Estate in your country, I need an experienced person like you to assist develop this project as beneficiary.

In regards to your advert, I wish to bring to your notice my interest to partner with you on this great business investment opportunity. I am Ms Ritamary Pedro Bimbo, From Kingdom of Lebanon.

This is my offer, provided you can guarantee the security of my investment capital in your conutry.

I intend to make an anonymous investment of Thirty Million Five Hundred Thousand United State Dollars; The Funds are presently with Finance Bank House close to you, where it is deposited for safe keeping. Now the management of the Security house, have just wrote to me as the beneficiary to forward my business partner contact details who is to receive the Fund for business invesment purpose.

If your are interested with this my investment plans, kindly furnish me with your full busines contacts informations and your proposal for a Joint venture partnership. Every detail concerning the genuinety and legality of this fund will be made available to you, the moment we open correspondence.

I’m Looking forward for a good working relationship with you.

Ms ritamary Pedro Bimbo
Still Single and willing to marry

 

Until next week, surf safely.