March 16, 2016

THE WEEK IN REVIEW

In the last few newsletters we’ve been having a bit of fun showing readers that certain words and phrases are often used in scams to engineer a click. Words like shocking and scandal. This week we’ll add the word “affordable” as used in these two scams…

1-Find affordable movers in your area
2-Find the affordable airline tickets now

3-Affordable subject lines

Sample Scam Subject Lines:

Apple ID is pending expiration.

Auto response:

Compensation Reference Number #9576803

Drive home in a new car!

How to apply for a VA Loan

Last Chance: Redeem your 50 Costco 2016 voucher

Last Chance: 12 delicious bottles of wine – Save $90 for the New Year

One more Reason to Binge Watch with DISH

Notice: How to not pay for home repairs again!

Save up to 70% on Fidelity-Term Life Insurance, Apply Today

Warning_Signs…….For…Skin_Cancer.

Your Costco reward balance is $50.00

Your Warranty-Expiration Notice 18510278

Sample Scam Email Addresses:


Phish NETS: Apple Doesn’t Catch a Break!

We saw so many rotten Apple emails this week it’s enough to make you question any email that claims to represent Apple Computer! Look at this partial list of phishing emails targeting one email honeypot server on March 10:

Applesupportpoint.com was registered on March 10 using a private proxy service from Australia and is being hosted in Nottingham, England. This phish looks like it was meant to target Europeans. The domain appleconfirmation.org was also registered on March 10 by the same proxy service and is being hosted in Germany. Are you curious to see what might be waiting at the other end of that link “to confirm your Apple ID?” Don’t follow that path. Look below at what the Zulu URL Risk Analyzer and VirusTotal.com had to say about the link.

5-Apple phish

6-Apple virustotal score

7-Apple phish zulu score

Your Money: Your Dog Deserves the Best, Cat Food Coupons, and The Best Life Insurance

Here’s another mix of malicious emails designed to look like coupons, deals and clever marketing pitches. But they are all phony-baloney. The domains they come from, and point to, are all malicious: ezr41.download, counteres.download and lifbetter.date. (Were they trying to spell “livebetter?”) All three bogus domains were registered through Alpnames on the day the email was sent or the day before.

You’ll notice that the first email below, “Your Dog Deserves the Best,” appears to be sent by a marketing company called Audacity Media, LLC. We see many emails that appear to come from Audacity Media (or a variation of the name). Frankly, we’re confident that Audacity Media has nothing to do with these malicious emails. Read our review of Audacity Media from July 2015. We also found a notification on corporationswiki.com that Audacity Media was dissolved in 2012, according to the Florida State business records office. The domain behind the second email, about cat food coupons, was registered by “customer support” from Grandville, MI with the email address fbrightsolutions@gmail.com for FutureBright Solutions. We’ve reported on this bogus company before: see the November 4, 2015 and December 30, 2015 newsletters. The domain behind the final email below was registered by someone named Amit from Indore, India. The website title is “YouTube,” which, of course, it isn’t. Yet the email “to get matched with the best life insurance policy” leads you to believe it is related to Fidelity Life. It isn’t.

Just delete!

8-Your dog deserves the best

9-Printable cat food coupons

10-Get matched with the best life insurance

 

TOP STORY: The Power of Social Engineering

We have reported on social engineering tricks in the past, and the subject never gets stale because the scammers are inventive people who know how to push our buttons. Or, more accurately, how to get us to push their buttons! Check out this small email from an AOL address with the subject “rsvp today.” The message reads: “Not able to display full message. You can view it by clicking here.” The email even contained the name of the institution to whom it was sent, placed next to the “error code.” The link is so obfuscated that most people can’t even identify the domain it points to. The domain appears just before the .com but after the preceding period: msg-rt. The fully qualified domain name is therefore msg-rt.com.

11-RSVP Today 1

A simple Google search for msg-rt.com turns up absolutely nothing. A WHOIS lookup shows that this domain was registered to someone named Glenn C. Ross C. Ross on March 8 and is being hosted in Rotterdam, Holland. Mr. Ross C. Ross (whatever) appears to be from Burnaby, Canada.

We invited the Zulu URL Risk Analyzer to look at the link Mr. Ross C. Ross sent us, and his intention is crystal clear... 100% malicious, with 7 malicious scripts waiting on another site called forbes-health-news.com to infect our computer.

13-RSVP Today 3

Invoices are to businesses what gasoline is to a car. They keep the operation running, both sending them and paying them. So ask yourself whether employees at your organization would have clicked this next social engineering gem…

14-Invoices attached 1

We loved the attempt to reassure the recipient that it is ok to open the attached zip file by stating “this email has been scanned by the Symantec Email Security.cloud service.” Liar, liar! That zip file contains nasty malware. Have a look at the list of these types of emails targeting one organization over the course of a few hours…

15-Invoices attached 2

Finally, would you have been curious enough to click this link from a company called Elite Profits Trader, LLC? A search on Google for this LLC and the listed address shows us that many people received this malicious email and posted warnings online. A mouse-over of “Click Here: Verify Your Account” reveals that it points to a website called subscriber-manage-55.com.

16-Member verification - Elite Profits Trader

Bottom line… These social engineering tricks are so effective because they often seem innocent, or engage our attention and curiosity just enough to manipulate that click or download. And then it’s too late. It is our job to keep a healthy dose of skepticism! And now we all say… Deeeeleeeete!


FOR YOUR SAFETY: Photoshop Web Design Course

Photoshop is the industry standard program for manipulating photos, and it can cost a lot to train someone in its use. When we saw this email from info@promoting-anything.eu it caught our eye as suspicious. The subject line by itself is confusing: “210$ Photoshop Web Design Course for 29$! Limited Time Offer.” The email represents itself as coming from a domain in Europe (.eu = European Union). OK. Perhaps someone or a company is offering online workshops abroad to Americans? If so, then why hide your domain name in the link of the email? The email link leads to a link-shortening service at bitly.com.

17-Photoshop web design course 1

We used Unshorten.it to follow the trail and see where the link leads, and discovered that it points to a domain called udemy-photoshop.eu. The domain appears to have been registered with a service in Germany. Because of strict privacy laws in the EU, we cannot get much more than that, except that the registrant has registered many other domains that appear to be similar or have Photoshop in the name.

18-Photoshop web design course 2

So why are we so darn suspicious and think this is a very cleverly crafted malicious email? It turns out that Udemy is the name of an online education marketplace in San Francisco offering more than 30,000 courses including Photoshop training. But the domain is udemy.com, not udemy-photoshop.eu. This domain feels like an attempt to deliberately trick the recipient into thinking they are associated with Udemy.com when they are not. A Google search for this .eu domain turns up nothing. It smells like rotten fish to us.
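The two checks this newsletter walks through by hand, pulling the real domain out of an obfuscated link (the msg-rt.com example above) and spotting a domain that borrows a brand name without being the brand's real site (udemy-photoshop.eu versus udemy.com), can be scripted. This is an added example, not code from the newsletter; the sample links and the small brand-to-domain table are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed sample links in the style the newsletter describes; these are
# not the actual links from the emails.
SAMPLE_LINKS = [
    # Long, obfuscated hostname: the registered domain sits just before ".com".
    "http://rsvp.error-code.4418.mail.view.msg-rt.com/view?id=1",
    "http://udemy-photoshop.eu/course/photoshop-web-design",
    "http://applesupportpoint.com/confirm/apple-id",
    "https://www.udemy.com/course/photoshop/",
]

# Assumption: a short, analyst-maintained table of brands and the domains that
# really belong to them. Only udemy.com is stated on the page; apple.com is added.
BRAND_DOMAINS = {"udemy": {"udemy.com"}, "apple": {"apple.com"}}


def registered_domain(url: str) -> str:
    """Return the registrable domain of a URL: the label before the last dot
    plus the top-level domain. This follows the newsletter's rule of thumb
    (the domain is the text just before ".com"); it does not handle
    multi-label public suffixes such as .co.uk."""
    host = urlparse(url).hostname or ""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def brand_lookalike(domain: str) -> Optional[str]:
    """Return the brand a registrable domain appears to impersonate, or None.
    A domain is a lookalike if the brand word appears in its name but the
    domain is not one of the brand's genuine domains."""
    name = domain.rsplit(".", 1)[0]
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in name and domain not in genuine:
            return brand
    return None


def assess(url: str) -> dict:
    """Combine both checks for one link."""
    dom = registered_domain(url)
    return {"url": url, "domain": dom, "lookalike_of": brand_lookalike(dom)}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = assess(link)
        verdict = f"lookalike of {r['lookalike_of']}" if r["lookalike_of"] else "no brand match"
        print(f"{r['domain']:<22} {verdict:<20} {r['url']}")
```

A domain that is neither a lookalike nor known still deserves the WHOIS and search checks the newsletter performs on msg-rt.com; this script only automates the first two observations.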

Best to delete.

ON THE LIGHTER SIDE: What about the Lithuanians?

By our estimate, those 11 words in the email below are worth $347,272.72 each. You have to give credit to the Lithuanians (.lt is the two-letter country code of the sender); they sure are succinct! Can’t wait to arrange our payment.

Until next week, surf safely!