
June 22, 2016

THE WEEK IN REVIEW

The criminal gangs who target us are creative and resourceful. They seem to have a good understanding of the content that gets us to push their buttons… Er, links. They will sometimes use celebrity and pop culture to lure us into their traps, such as these two examples disguised to look like products pitched on the popular TV show Shark Tank. Our job is to be skeptical and resist that urge to click!

“Mark Cuban and Lori make a record investment – SHARK TANK”

“This amazing product has just hit the Shark Tank”

“Your electricity bill for June is 0. The Sharks feasted on this!”

“Mark Cuban partnered with this. See it in action.”

Screenshots: Shark Tank best product 2016; Shark Tank elect invention

Sample Scam Subject Lines:

Auto Coverage for Families with Multiple Drivers

Be part of the hybrid movement

Claim Your Amazon Gift Card

Go on a stunning Irish vacation

Got a great idea? Patent it now

Hotel Room Prices

Protect your family from Sex Offenders

Ready to fight your Tinnitus?

Save on kitchen cabinets

Transfer your iPad into a laptop replacement

Trump did it again – CNN Report

Urgent message (Open this now!)

Weight Loss Plan For Those Who Want Quick Results

Sample Scam Email Addresses:

Phish NETS: Amazon Account, Chase Bank Client

This phish appears to be an email from “Amazon Customers Support Service” but was sent from the odd domain richsrdsen.com. “Dear Valued Customer. We observed multiple login attempt error while login in to your online account…” Thankfully their command of English isn’t very good. A mouse-over of the link “Click here” shows that it points to a shortened bit.ly URL created to look as though it is related to Amazon.

We used Urlex.org to expand bit.ly/1AmzSuppots and discovered that it points to the domain robinsohonmk.com. A WHOIS lookup shows us that this domain was registered on June 11 (modified on June 15) and is being hosted in Zurich. Certainly not Amazon.com!

Delete!

Screenshot: Amazon phish, bit.ly link unshortened

“Dear Chase Client.” “Our system detected your account has been compromised and we had no choice than to temporarily suspend your account.” Those would be pretty upsetting words to read, if they were true. A mouse-over of the link “Click Here to Verify Your Account Info” reveals that it points to a shortened URL at bit.ly, just like the Amazon phish above. The email wasn’t sent from Chase Bank but from the gmail address Just.Mazika@gmail.com.

We used Unshorten.It to see where the bit.ly address really leads and discovered that the Chase Bank phishing scam sends you to a fake Chase Bank page on a website in the small Balkan country of Montenegro (2-letter country code = .me).

Now delete!

Your Money: Amazon Gift Card, Get Free Quotes…For Everything!

Can you spot the very funny error in this scam sent from Exclusively_for_you@instantrewards.site? You know what re-gifting is? Apparently the scammers had created an identical scam targeting Walmart customers with a fake $100 gift card. Then they tweaked the design to target Amazon users… but forgot to make one small change.

The domain registered and used for this Amazon Gift Card scam is instantrewards.site. A WHOIS lookup shows that it was registered on June 13 by someone named David Rodriguez. By the way, if you look up the company “RewardsFlow, LLC” in Google (identified as the sender of this email), you’ll see several links identifying that company as a scam. Visit: https://www.google.com/#q=rewardsflow+llc

Then deeeeleeeete!

Many of the malicious emails we see come disguised as “free quotes” and “free consultations” for many different things: insurance, roofing, window installation, heating/cooling installation and much more. They are all engineered to do one thing: manipulate the recipient into clicking a malicious link. Here is what several of these “free quotes” look like. Notice the odd domains the emails come from and lead to. And in case you had any doubts about our evaluation, look at the Zulu Score for the first quote, “free HVAC estimates.”

Screenshot: Free HVAC Estimates, Zulu score

TOP STORY: Targeting A Chief Financial Officer for Attack

This week’s Top Story is a company or organization’s worst nightmare. The Chief Financial Officer of a school was targeted by full name with a malicious email pretending to be from the very real company called Grimley Financial Corporation, an agency that specializes in collecting debt. The signature name and contact information accurately represent the President of Grimley FC. Even the subject line was crafted to target the institution: “Outstanding Tuition Receivables.” All the evidence suggests that this incendiary device came from a criminal group in India. Let’s break it down for you…

  1. The email was sent from the domain conceptemails.com, which was registered on April 18 by someone listed as Peter Young in Bangalore, India, and is being hosted in Mumbai, India. Visit: http://whois.domaintools.com/conceptemails.com
  2. Our email server could not recognize the IP location of the source of the email. Our experience tells us that this is a sure sign of criminal intent. The IP source was 120.138.9.209. We used the website IPLocation.net to do a reverse IP lookup and learned that this IP is located somewhere in Delhi, India.
  3. The REAL Grimley Financial Corporation is located in New Jersey: 30 Washington Avenue Suite C-6, Haddonfield, NJ 08033.
  4. A mouse-over of the link for “Grimly Financial Corporation” points to the IP 182.75.244.206. Using IPLocation.net we see that this IP points to a computer in Bangalore, India.
  5. Finally, if you look at the link revealed in the screenshot you’ll find “:81” after the IP. This means that your computer would be connecting to port 81 on that computer in India. We found a report on AuditMyPC.com identifying port 81 as often used to infect computers with a Trojan. Visit: http://www.auditmypc.com/tcp-port-81.asp

As we frequently say, it is easy to deceive people online and it pays to be skeptical!
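The link checks walked through above (a shortener that hides the destination, a bare IP instead of a named host, an odd port such as :81) can be automated for triage. The script below is an added example, not code from the original post; its sample HTML body is constructed from the links described on this page, and the shortener list beyond bit.ly is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body modelled on links described in this post:
# the bit.ly shortener from the Amazon phish and the IP:81 link from the Grimley email.
SAMPLE_BODY = """
<p>Dear Valued Customer. <a href="http://bit.ly/1AmzSuppots">Click here</a></p>
<p><a href="http://182.75.244.206:81/">Grimly Financial Corporation</a></p>
<p><a href="https://www.example.com/">Example (no findings)</a></p>
"""
# Public URL shorteners; only bit.ly is on the page, the rest are an assumption.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_link(href):
    """Return the reasons a link warrants a closer look (empty list if none)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append("shortened URL hides the real destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("target is a bare IP address rather than a named host")
    if parts.port not in (None, 80, 443):   # e.g. the ":81" seen in the Grimley link
        reasons.append(f"non-standard port {parts.port}")
    return reasons

def triage_html(body):
    """Map each href in an HTML email body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(body)
    return {href: triage_link(href) for href, _text in parser.links}
```

Running `triage_html(SAMPLE_BODY)` flags the bit.ly link as a shortener and the 182.75.244.206:81 link on both the bare-IP and port checks, while the example.com link comes back with no findings.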

Now Delete.

FOR YOUR SAFETY: Heinekin Premium Project, Important Message from Help Desk

“You have been selected.” We don’t know why but it can’t be good. Even if you do like Heineken. Anyone can create an email address, and this ridiculous email from heinekenpremiumproject23@gmail.com is not from the real Heineken company.

Criminals are trying to figure out new ways to make it harder for recipients to expose or reveal the tricks they use to target them. This “Important message from Help Desk” is another example. The recipient sees an “EMAIL NOTIFICATION” to read the “attach message from Helpdesk Administrator.” The attached pdf doesn’t carry malicious code, such as a Trojan.

However, the pdf carries the message you see below… And a link to “CLICK HERE.” The problem is that many programs that will open a pdf will not reveal the link by a simple mouse-over of the words “CLICK HERE.” Fortunately, Firefox and Chrome will both open a pdf file AND allow us to mouse-over the link to see where it points BEFORE we click. The link points to the domain Whereleh.com. A search in Google for this domain shows many links related to phishing scams, malware and “scumware” in general.

Delete!

Screenshot: Important message from Help Desk

ON THE LIGHTER SIDE: I Need Your Assistant!

We received the following email from a Mrs. Teresa Mpume with one clear message. She needs our assistant! Well, we need him too and she can’t have him. We’re firm on this point.

Screenshot: I need your assistant

Until next week, surf safely.