
March 2, 2016

THE WEEK IN REVIEW

In last week’s newsletter we mentioned scam postings on Facebook as well as scam emails targeting those with health problems. These threats have not abated. Check out this one below about finding relief from acid reflux, or these two “sponsored ads” that recently appeared on Facebook: “Sylvester Gets Arrested!” and “Sean Penn goes to jail.” We are led to believe that the former is from an article at espn.go.com and the latter is for an article on the huffingtonpost.com. However, neither is true. We used the “site:” command on Google to conduct a search of both domains for these articles. Can you guess what we found? A big fat nothing. Sylvester’s arrest photo is likely from a 2007 arrest that did take place in Australia (though we cannot confirm that), and the Sean Penn link leads to a sketchy website called lodgeweekly.com that was registered at the end of December; the registrant’s information is hidden behind a proxy service. We don’t know exactly what these scams are about, but both “ads” are lies and mislead the public with their links. **sigh** It’s so easy to deceive others online.

1-Find relief from acid-reflux  2-sylvester-gets-arrested  3a-sean-penn-goes-to-jail

Speaking of deception, we couldn’t resist showing you how many women out there seem to be looking for men! Or at least that’s what this list of emails wants you to believe. Are men really that gullible? (Ladies, please don’t answer that!)

3b-Women want men

Sample Scam Subject Lines:

Accepted: Your Salary Advance

ADHD—Diagnosis and Treatments…

Alert: Your Business Account Info #5115500

Best Swing for Older Golfers

Book the Best-Alaskan Cruises…

Google sent you $4300

Install this to cut power bill in half

Last Chance: Sam’s Club $50 voucher

Last Chance: Save $90 on 12 delicious bottles of wine

Re: Save 50% off remaining 2015 Honda’s inventory

Step-by-Step Simple Woodworking-Projects

Stop wasting money on your phone service

Trump’s Simple Plan to Better Every American

Warning: reduce your chance of a heart-attack by 90%

Sample Scam Email Addresses:

Amazon-Reward@jngvc.heavek.top

CarInsuranceFinder@evidentine.download

Cary.Nelson.MD@jkkmn.kieggs.top

CBN@cbnbank.ph.tn

Costa-RicaResorts@capitulance.download

Diabetes.Video@pcbvg.nobodyu.top

DepressionSymptoms@acqueve.download

Golf.Digest@xsfrs.staffft.top

Private.Jet.Rentals.Specials@opawq.copperl.top

No-Fail-Woodworking@hfiprh.policya.top

po@eyeonsystems.com

UrgentHealthNews@opsif.rtinsel.top

WineHomeDelivery@xdee.bfshout.top

Phish NETS: Webmail and Apple Accounts (Again!)

Most email users don’t know that there is a kind of massive underground email system that uses generic email software, known as webmail, provided by web hosting companies. These are not the Gmail, Yahoo, or Hotmail of email. But they are no less important. We at The Daily Scam use this software to connect to our readers who personally contact us. This generic email system explains what this first phish is all about….

The email claims to come from blackboard.edu, referring to an online educational service called Blackboard that is used by many universities. However, there is no such domain. All dot-edu domains are administered by Educause and their WHOIS reports no such domain. (Try looking it up yourself.) A simple mouse-over of the link reveals that it points to a hacked WordPress website of the domain trulyundeniable.com.  Virustotal.com informs us that this hacked domain has been hosting malware/phishing attacks for several days now.

(By the way, we loved the way the scammers spelled “cooperation.”)

4-phish-Email notification alert

“Your Apple ID is pending deletion” says an email from applenecessities.com! The phishers don’t even make the effort to hide their scam domains in the links: applesecuritynotice.org and applesupport4853.org. The first bogus domain was registered with a proxy privacy service in Australia and is being hosted in Munich, Germany, and a WHOIS lookup tells us that the second domain is not even registered. (How is this possible?)

Delete!

5a-Phish-Apple ID is pending deletion

5b-phish-apple id 2

Last week we reported on many phishing attacks targeting Apple GSX account users. These attacks have continued.

Delete!

Your Money: Compare New Car Prices, Home Security, and Leather Jacket Sales

Also last week we showed you a well-crafted scam email about used car prices. The same scammers have moved on to new car price scams this week with a ridiculous domain called neucarr.date. By now our readers know the drill so well they can recite it…

  1. The domain was registered just hours before the email was sent.
  2. The domain was registered through Alpnames to “Nitin Sharma” representing a company called AVP Digital Media. Sound familiar? Read our “Your Money” column in last week’s newsletter!
  3. Notice the hidden white text at the bottom of the email meant to fool anti-spam servers.
  4. Google can’t find any domain/website by the name of neucarr.date.

And now we all say…. Deeeeeleeeete!

6-Compare new cars and prices
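Two items from the drill above can be checked mechanically: how soon before the email the domain was registered, and whether the body carries hidden white text. The following is an added example, not code from The Daily Scam; the sample message, both timestamps, the two-day window and the assumption of a white page background are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from html.parser import HTMLParser

# Foreground colour set to white; the lookbehind skips "background-color".
WHITE_STYLE = re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b)", re.I)
WHITE_ATTR = {"#fff", "#ffffff", "white"}
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}  # no end tag, no children

class HiddenTextFinder(HTMLParser):
    """Collect text whose element, or an ancestor, has a white foreground colour."""
    def __init__(self):
        super().__init__()
        self.white_stack = []  # one bool per open element
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        white = bool(WHITE_STYLE.search(a.get("style") or "")) \
            or (a.get("color") or "").lower() in WHITE_ATTR
        self.white_stack.append(white or any(self.white_stack[-1:]))
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.white_stack:
            self.white_stack.pop()
    def handle_data(self, data):
        if data.strip() and any(self.white_stack[-1:]):
            self.hidden.append(" ".join(data.split()))

def registered_just_before(created, sent, window=timedelta(days=2)):
    # Assumed threshold: created no more than `window` before the send time.
    return timedelta(0) <= sent - created <= window

def triage(html, sent, whois_created):
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    flags = []
    if registered_just_before(whois_created, sent):
        flags.append("domain registered shortly before the email was sent")
    if finder.hidden:
        flags.append("hidden white text")
    return flags, finder.hidden

# Constructed sample: the body, send time and WHOIS creation time are invented.
SAMPLE_HTML = ('<html><body><p>Compare new car prices today!</p>'
               '<font color="#FFFFFF">garden committee minutes<br>were approved</font>'
               '<div style="background-color:#fff;color:white">filler prose</div></body></html>')
SENT, WHOIS_CREATED = datetime(2016, 2, 29, 14, 30), datetime(2016, 2, 29, 9, 5)
```

`triage(SAMPLE_HTML, SENT, WHOIS_CREATED)` returns both flags along with the hidden strings. The creation date has to come from a WHOIS lookup done separately.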

Looking for a home security system? Don’t click on anything in this email. The strange domain umbralam.download was registered using Alpnames to someone with the email address sheisamonsterlalala@mail.com on the day before the email was sent. Doesn’t that email address inspire confidence in home security? Yeah, we thought the same.

7-Home security for protection

Looking for discounted leather apparel? You might like the email below but you’ll find no deals at the end of these links. Viewclick.top was registered, once again using Alpnames.com, to an organization called Digital Technical. We identified Digital Technical as a non-existent entity in last week’s newsletter. They are associated with over 200 domains and our strong guess is that every one of the domains is used in a scam and registered through Alpnames.com. Just delete and move on.

8-Leather jacket sales

TOP STORY: The Best Scam Word is… Shocking!

Absolutely shocking! No, we mean it! The most scammy word we see used over and over that guarantees something is a scam is the word shocking. In fact, we can’t really think of a single instance where we’ve seen the word legitimately used in any type of ad, email or online solicitation. Have a look at this list of email subject lines from one honeypot email server over the last few days:

11-shocking email list

Our own knee-jerk response is to reach for the delete key every time we see the word “shocking” appear in a subject line or message. But we forced ourselves not to delete this time and offer our readers a few of these shocking gems. Enjoy.

  1. Shocking Discovery: You’ll never believe what they found growing in your stomach! This email also uses a runner-up to the word shocking…. Life-changing

12-shocking discovery

  2. Must see: Shocking new 90-day Alzheimers treatment. This email also uses another runner-up to shocking…. Banned


13-shocking alzheimers treatment

  3. Fox Breaking Report: shocking video reveals massive government coverup No. 7431463. This email also includes a runner-up to shocking… scandal (and banned)

14-shocking video of government coverup

So, a little advice…. The next time an ad, email, or social media post tells you that it has something shocking to show you, or uses words like banned, scandal, life-changing, proof, or 100% effective… just reach for the delete key, or ignore it and smile because you just dodged a bullet.


FOR YOUR SAFETY: Court Notice, Insurance Documents and Invoice for Your Purchase

Once again we ask our readers…. Would you have clicked on the emails below out of curiosity? “You have to appear in the Court on the February 27. Please, prepare all the documents relating to the case…” and “The Court Notice is attached to this email.” Of course that court notice contains nasty malware in the zip file. The same is true for the Word document in the “Invoice” email below. “Dear valued customer, we are very grateful for your purchase.”

The email about Insurance Documents #414-55089586-414 contains a malicious link hidden by a shortened URL. The link for “click here to view” points to the domain 1642539.pw. (The first portion, nstawpxrtk, is just a subdomain.) Dot-pw is actually the 2-letter country code for Palau in Micronesia. However, in 2013 Symantec published a report identifying .pw as a major source of malicious email and spam. Read their report. A WHOIS lookup of 1642539.pw shows that it was registered on February 24 by someone named Amina Strom from Landsbro, Sweden.

Just delete.

16-insurance documents attached
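The mouse-over check used on the Blackboard phish, and the subdomain point made about 1642539.pw, can both be done in code without clicking anything. This is an added example, not code from The Daily Scam: the domains are the ones named in this newsletter, while the sender local parts, the insurer.example sender, the URL paths and the TLD watchlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

WATCHED_TLDS = {"pw", "top", "download", "date"}  # TLDs seen in this newsletter's samples

def registered_domain(host):
    """Naive last-two-labels rule (assumption); real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Gather every <a href> so the real destination can be read without clicking."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def check_links(from_addr, html):
    """Return (registered domain, subdomain, reasons) for each link in the message."""
    sender = registered_domain(from_addr.rsplit("@", 1)[-1])
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    results = []
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").rstrip(".")
        if not host:
            continue  # mailto:, relative links and similar have no host
        domain = registered_domain(host)
        subdomain = host[: -len(domain)].rstrip(".")
        reasons = []
        if domain != sender:
            reasons.append("link leaves sender domain")
        if domain.rsplit(".", 1)[-1] in WATCHED_TLDS:
            reasons.append("watched TLD")
        results.append((domain, subdomain, reasons))
    return results

# Constructed messages: link text and paths are invented for the example.
BLACKBOARD = '<a href="http://trulyundeniable.com/path">Email notification</a>'
INSURANCE = '<a href="http://nstawpxrtk.1642539.pw/view">click here to view</a>'
```

A link that leaves the sender's domain is only a heuristic, since legitimate mail often links elsewhere; it carries weight when combined with the other signals.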


ON THE LIGHTER SIDE:

Our readers know we always like a good deal! That’s why we were so excited to get these laundry detergent coupons by email from AVP Digital Media! Our wives will be so pleased!

17-Laundry Detergent Coupons

Until next week, surf safely!