June 29, 2016

THE WEEK IN REVIEW

Our readers know that the weekly TDS newsletter is rated PG or perhaps PG-13. Always has been, always will be. We want younger readers to be able to learn from our newsletters too. But that doesn’t mean that we don’t find malicious or scam emails, posts and texts about sex enhancing drugs, “adult” products, or with subject lines like “get longer and harder.” We see them every day. By the dozens. **sigh** So, in case it isn’t already obvious to everyone… Any email, web ad, Facebook post, YouTube link, Tweet, or random text that promotes sexual products, sex-enhancing drugs, promises to bring you hundreds of women (they never say “men”), increase your libido, or enable you to defy physics from the waist down… is never going to lead to a good outcome! Don’t click and don’t respond. Delete, quit, close, or go take a cold shower. You’ll be glad you did.

We would like to remind our readers that websites across the Internet are riddled with hacks meant to trick you into making very bad decisions. We have even heard that a few sleazy website owners allow criminals to post their malicious tricks in exchange for money. Most of these malicious popups are similar to this sample… “The last website you visited has infected your Mac with a virus. Press OK to begin the repair process.” You’ll notice that you are not given the choice to cancel. NEVER click OK! Instead quit, or force quit your browser. Restart if you have to. But do not click OK! By the way, the domain used in this scam, “apple.com-store.me”, was recently registered by someone in Hounan, China.

Read our new feature article: How Google is Used As a Weapon Against You!

Sample Scam Subject Lines:

Allergies Never Came Back After Doing This:

Biggest DISCOVERY in HUMAN History!

Career Growth

Cooperation with a large firm

Dinner with us at Olive Garden – Gift inside

Employees needed

Get your FREE Terminix Pest Control estimate today

Lock in your 2016 home Warranty price now

Rare Virus Outbreak in Arizona is Spreading Quickly

Second Attempt: Your electric service will be cancelled in June

Secure your home, wirelessly

Updated Document

Urgent Message to US Seniors

WARNING: This could cause trouble!

Sample Scam Email Addresses:

Phish NETS: Amazon, PayPal and Apple!

The phishers are after your Amazon accounts again! Like this email from an earthlink.net address with the subject “Action Required.” “Dear Amazon Customer… Unauthorized Logon attempts in your account and We need toconfirm you are the real Owner of the Account” A mouse-over of “Click here” reveals once again that it points to a shortened URL through the bit.ly service. We’ve been seeing a lot of shortened malicious links hidden through the use of bit.ly. Trust us, that bit.ly link will not lead to Amazon! Instead it pointed to a fake Amazon login page.

Delete and be glad you did.

This PayPal phish is well crafted to produce a knee-jerk response “WHAT PAYMENT?! I didn’t send $49.99 to FarmVille games!” “Dear Customer, This charge will appear on your credit card statement as payment to farmville@facebook.com.” Resist the urge to click “Cancel Payment.” The link doesn’t take you to paypal.com, but to memea2014.ieee-ims.org. (It’s a legitimate domain that has been hacked and misused. We’ve informed them.)

Deeeleeete!

The phishers also like to target Apple support staff though we have no idea why it is so financially lucrative to do so. We often see phishing scams like these two. Most contain a very dangerous attached web file that recreates Apple’s login for their GSX service. However, the first GSX scam will send your personal login credentials to an IP address in Moscow, Russia (192.162.101.191), while the second scam email sends your personal data to the domain repair.sx. Repair.sx was registered on June 22 in the UK by someone named ALINA BOGDANESCU from Isle of Man (.im) but ALINA listed technical and billing addresses in Bucharest, Romania. Very international.

[Images: the “We inform you added” and “Your GSX access” phishing emails]

Sometimes our crystal ball is not quite as clear as we would like it to be when we investigate the intent of malicious content. When we recently looked into these next two seemingly identical scams we couldn’t quite tell whether they were phishing tricks to get into your Amazon account or just common, everyday links to send you to malicious websites to produce a computer infection.

In any case, we are 100% certain that clicking these links will be painful! The first scam email leads to the domain freeselfofelectric.com and the second leads to cutyourbiillls.com. Both domains were registered on June 22 by our nemesis Judy Santiago using the service Enom.com. “Judy” has been very busy! So far as we can tell she has registered more than 3,500 domains and we’re certain that every one of them is malicious. Most have been registered through Enom. Obviously Enom doesn’t seem to care that people are threatened or hurt by their inaction because Enom makes lots of money from the criminals who use their services. If Enom claims that they had no idea any of these 3500 domains registered in the last year were malicious, then they are just stupid.

http://whois.domaintools.com/freeselfofelectric.com

http://whois.domaintools.com/cutyourbiillls.com

Sample domains registered by Judy Santiago:

http://domainbigdata.com/name/judy%20santiago

http://domainbigdata.com/email/jlawsantiago88@gmail.com

[Images: the “Your Amazon order needs urgent attn” and “Your Amazon order will be cancelled” phishing emails]

Your Money: Cure Acid Reflux, Send and Receive Faxes, and Cancel Your Electric Service

Here is yet another malicious email targeting those dealing with health issues. Robert@heartburn.pro says “Last week, I came across this incredible holistic heartburn cure program…” Don’t believe this trash! The domain heartburn.pro was registered on June 22 using WHOISGuard, the private proxy service in Panama and the domain is being hosted in Frankfurt, Germany. This won’t cure your heartburn but it sure as hell will make it worse.

There is so much online fraud that we think it foolish, even dangerous, to respond to any unsolicited contact no matter how professional it appears. Take this pitch for example. “Send and Receive Faxes From Any Computer.” “Business Solutions for Better Communications” Let’s cut to the chase and point to the company listed at the bottom of the email: Lemon Juice in Houston, TX. We’ve written about this bogus company many times. (Check out the Your Money column in our March 30 newsletter.)

Now delete.

Would you have opened an email with the subject line “Service Termination – Jun 25, 2016”? Cancel your electric service by tonight. New technology is available to slash your electric bill. …Watch this Demo. This is just smoke and mirrors to trick you into clicking a malicious link. Don’t take our word for it, check out how the Zulu URL Risk Analyzer rated the links in this email.

[Image: the “Cancel your electric service” email]

TOP STORY: Innocent Offer to Help or Likely Threat? You Decide!

Updated 7-28-2016 – Visit our feature article that exposes this deception!

A few days ago the Director of Communications at a New England school received the following email from someone identified as Jo Carpenter <joc@edu-collaboration.org>

Howdy!

I have recently visited your page and there were links that I couldn’t access… I made a list of them — who’d would be the right person to send them to?

Jo

This email seemed innocent enough, even helpful right? However, the Director didn’t respond but instead contacted us. Less than 30 hours later the Director of Admissions at the same school received this email from someone identified as Albert Parker, albert.parker83@gmail.com.

Hello

Just wondered if you guys are still updating this page? – [school page]/fifth_grade/math/links – I have some resources that mum and I found useful and thought we’d share them with your website. They might be helpful to your visitors. 🙂

Let me know if you’d like to see them?

Many thanks!

Albert

Hmmmmm….. What are the odds of two different people at the same school receiving similar emails from different sources? Does this feel suspicious to you? Do you believe in conspiracy theories? Or is this just a coincidence? Are you thinking “Chill out! Nice people are just trying to do them a favor.”

After learning about the second email we decided to do some digging. You be the judge based on what we’ve learned about these two emails…

Email from Jo Carpenter:

  1. The email came from “edu-collaboration.org”. This is a free email service meant for students, but anyone can use it to set up free email accounts.
  2. There are 2 reports on the website “Spam-Reports.email” of suspicious emails containing the EXACT same language as above. At least one of them has been connected to malicious links. http://spam-report.email/rose.fisher/studentmailbox.org
  3. There are several people named “Jo Carpenter” who can be found on the Internet but none seem to have the above email address as far as we can tell. In fact, we find nothing whatsoever when searching for Jo’s email address above.

Email from Albert P.:

  1. The email contained a tracking gif from Buzzstream.com. (A “gif” is a type of image.) Tracking gifs are also called web beacons and are capable of informing the sender every time the email has been opened. There is NO REASON whatsoever that this email from Gmail should have contained a tracking gif. Google emails do not normally contain tracking gifs. Buzzstream is a marketing service. Why would “Albert” have purposely hidden a tracking gif in such an email? Here is a screenshot of the code that was linked to the tracking gif:

    [Screenshot: the Buzzstream web beacon code]

  2. Use of the word “mum” suggests that the sender is British or from a former British colony, not that this matters, but it may be relevant to consider the possibility that the sender may be from outside the U.S.
  3. We cannot find anyone associated with the email address used for Albert P.

So what is your decision? Innocent coincidence or malicious intent?

We believe that there is enough evidence to suggest malicious intent with one or possibly both emails. And how might this be malicious? We think that once either Director responds to the emails, Jo or Albert will reply with an email containing links that appear to point to the school’s website. Our readers have seen over and over how easy it is to make a link look like it points to one place when, in fact, it points somewhere else. We think the links will likely be malicious, pointing to malware hidden elsewhere.
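The tricks this issue keeps pointing out, a link whose text names one site while its href goes to another, a bit.ly redirect that hides the destination, and a hidden tracking gif, can all be spotted by inspecting the email’s HTML rather than trusting what it shows. The Python below is an added example, not code from The Daily Scam: it parses an HTML email body and reports each of those three signs. The sample body and the hosts phish.example and beacon.example are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}  # bit.ly is the one this issue keeps seeing
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def _host(url):  # lower-cased hostname without a leading 'www.', or '' when there is none
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class EmailBodyAuditor(HTMLParser):  # collects each <a href> with its visible text, and every <img>
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_email_html(html):  # one finding per look-alike link, shortener link or tracking pixel
    parser, findings = EmailBodyAuditor(), []
    parser.feed(html)
    for href, text in parser.links:
        target, shown = _host(href), DOMAIN_TEXT.match(text)
        if shown and _host("http://" + shown.group(1)) != target:  # text names one site, href another
            findings.append(f"link text shows {_host('http://' + shown.group(1))} but points to {target}")
        if target in SHORTENERS:  # the real destination is hidden behind a redirect
            findings.append(f"shortened URL hides the destination: {href}")
    for img in parser.images:  # a 1x1 remote image exists only to report that the mail was opened
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        if tiny and _host(img.get("src", "")):
            findings.append(f"tracking pixel loads from {_host(img['src'])}")
    return findings

SAMPLE = (  # constructed sample modelled on the PayPal/Amazon phish and the web beacon described above
    '<a href="http://phish.example/pp/login">https://www.paypal.com/cancel</a> <a href="https://bit.ly/3xAmpl">Click here</a>'
    '<img src="https://beacon.example/open.gif?id=42" width="1" height="1">')
```

Running `audit_email_html(SAMPLE)` yields three findings, one for each trick; a link whose text and href agree (allowing for a www. prefix) and a 1x1 image served from the mail’s own relative path produce none.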

By the way, we think Lee Harvey Oswald acted alone.

FOR YOUR SAFETY: Urgent Notice From Google, Confirm Receipt, Payment Not Received and Final Version of the Report

Thank goodness for the lack of English skills by many criminals around the world! “4 broken emails has been found and recovered” says Brooke Adams from Google Service. Yeah, right. And we have land to sell you in Atlantis. A mouse-over of the link “(4) emails” in this Urgent notice 554-6787 points to a hacked website mycoachholidays.com.

“Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order…” This email from India is sure to raise questions from someone who pays the bills. (Note the 2-letter country code in the From address = .in) Would you have double-clicked the attached zip file? Of course it contains malware.

Delete!

“Our records show that we have not yet received payment for the previous order #A-974146.” This next malicious email containing malware is identical to the one above. Just slightly different content and it was sent from an address in the Netherlands. (See the 2-letter country code .nl in the From address.)

Ditto here! Just get in the habit of deleting this junk….

[Image: the “Final version of the report” email]

ON THE LIGHTER SIDE: Confidential Proposal

Any email that comes from goodnews10016@gmail.com can’t be bad, right?

Until next week, surf safely.