
March 22, 2017

THE WEEK IN REVIEW

During the past week we saw a resurgence of malicious emails disguised as dating services from Match.com and eHarmony, as well as bogus emails to connect men with Asian women.  Here’s one email telling the recipient he has 3 messages from Match.com, but the link points back to a file buried on the domain wwarn2.stream.  This oddball domain was registered to the phony company called Streaming Partners of Daytona Beach, Florida.  We wrote about this fake company and its non-existent address three times in newsletters from February 2017.


In our March 8 newsletter we told readers many reasons why “online privacy” is an oxymoron, such as web beacons that tattle-tale on your email behavior.  Web beacons are little snippets of hidden code that let the sender of an email know you’ve opened it, how many times you’ve opened it, and when you opened it.  Have a look at this email meant to appeal to gun enthusiasts. It’s malicious, of course.  It was sent from the Pacific island nation of Palau and contains links that will take you back to a website hosted in Palau.  See that tiny box at the bottom of the email?  That’s a web beacon informing on you.  The code for this little informer follows the email.


We would like to pass on to our readers two recent resources about scams posted on the FTC.gov website. 

  1. “Don’t Bank on That Check” about phony checks. According to the Better Business Bureau, phony check scams were the second most common type of scam.
  2. “Scammers Even Impersonate Kidnappers” about a phone scam in which criminals trick you into thinking they’ve kidnapped a relative and con you into sending them money. You can’t make this stuff up, people!


Sample Scam Subject Lines:

2 delicious foods proven to reverse hair loss

Asian girls looking for serious dating

Can You guess which spice Im talking about?

Can’t sleep? You have to see this!

Goodbye to Moles and Skin Tags

New Alert: Is your Town Next? Corpus Christi Water Crisis.

Protect Your Home With a Home Warranty. First Month Free

Refinance your car and start saving

REMINDER: Claim Your AmazonRewards

The #1 Choice to QUIT SMOKING!

These Two Spices Reverse Inflammation Fast…

You got a dollar? You get our best razor

Your friend has just joined Match.com

Sample Scam Email Addresses

ABCNewsHealth@avoid.sspouch.us

activehealth@gmail.com

agora_financial-[YOUR EMAIL]@northenscimitar.com

Airfare-Upgrades@language.druense.us

blackoutusa@newbetry.bid

fix-your-blood-pressure-[YOUR EMAIL]@regularmedsreport.com

freerateupdate-mortgage-rates-[YOUR EMAIL]@35invest.com

freerateupdatecom.mortgage.rates-[YOUR EMAIL]@drexelformula.com

Grand_Canyon_Travel@bubble.talljoo.us

home_solar_power-[YOUR EMAIL]@hessadvocates.com

kohls.shopper-[YOUR EMAIL]@yellowstripestore.com

rewards.amazoncom-[YOUR EMAIL]@primeshippin.com

Sleep_Tips@guard.melonbp.us


Phish NETS:  Apple ID, Amazon Account, and Facebook

Here’s a phish that’s easy to spot.  The email was sent from reply175 @limited-resolving.com with the subject line “Your Account was Logged from Another Browser.”  The email address is obviously not from Apple, and even the subject line is suspicious.  Mousing over the link that reads appleid.app.com/Verify reveals that it points to a shortened URL at ow.ly. We used urlex.org to unshorten that link and discovered that it will send the user to a phishing page at the domain services-cases.com. That domain was registered through a private Canadian proxy service on January 26 and is being hosted in Lausanne, Switzerland.

Delete.

Here’s another phish that should be easy to spot from ass.direction @debateatr.com.  “Account Response Required”  “We are unable to validate important details about your Amazon account.  Your account has been on hold pending additional verification.”  A mouse-over of the link “Click Here to Unlock Your Account” shows that it points to another shortened URL, this time with bit.ly.  If you are paying the slightest bit of attention to the from address and the link revealed by a simple mouse-over, these phish are easy to spot.

Finally, though we’ve reported on them for many weeks, we continue to see lots of these fake emails that appear to be Facebook notifications.  For weeks, these phony baloney emails all point back to websites in Russia.  This one is no different and points to a website called luckyrxgroup-dot-ru.  Take a look below at what VirusTotal.com said about the Russian site!

YOUR MONEY:  Send Flowers, Discover Better Wines, and Shop Glasses

“Are you looking for information about giving flowers? Compare options today.”  What follows is a very well written argument why you should give flowers.  But the criminals who crafted this email didn’t write this.  Most of it was lifted from an article called “The Benefits of Sending Flowers” on the blog named “Flowers of the Field.”  If you read the first sentence in this email, you’ll see that the word “know” is missing.  This wolf-in-sheep’s-clothing has links to the domain camolvd.us. This odd domain was registered to someone in Providencia, Chile on the day the email was sent.

A big fat delete!

We’re sooooo sorry that this next email is soooooo very long, but it’s really worth a look.  The sender wants you to believe that it represents the legitimate site called WSJwine.com, but it does not.  The email came from, and links point back to, the domain ttreat3.stream.  As impressive as this wine deal looks, it is malicious through and through! The domain ttreat3.stream was registered by the fictitious company Streaming Partners!

A big fat delete!

We know people shop for eyeglasses online because of the discounted prices they find.  Just enter your prescription information and voila!  So, at first glance, this next email is intriguing… “$60 Off Progressive Glasses & Free Shipping!”  The email was sent from filbert @childintoafford.gdn.  This strange domain was registered by the make-believe organization called Ghetto Vets.  This is another can’t-be-found organization from a doesn’t-exist-address and we reported on them in our February 22 newsletter.

We vet you can ghetto your finger to the delete key.

TOP STORY: Not Just Any Phish!

The phish we reported on in this week’s Phish Nets column are easily exposed.  But sometimes we see phishing scams that reflect much greater skill and planning.  One such artful phish, sent to us by a TDS reader, is the topic of this week’s Top Story.  Like most phish we see, this clever phish targets Apple users.

To be really good at fooling people, a phishing attack must contain four important elements.  They are…

  1. A from email address that appears to be legitimate or is spoofed to look real.
  2. A compelling and seemingly legitimate subject line that will generate enough interest to open the email.
  3. Email contents that are convincing, grammatically correct, and without errors.
  4. A very convincing link that appears legitimate when the recipient mouses-over to see where it leads before clicking. By the very act of being a phish, no link can actually be legitimate because the criminal is sending you to his disguised website, not the real website you think you’re logging in to.
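A small defensive check, added here as an example and not part of the newsletter, that applies criterion 4 (visible link text versus the mouse-over target) and the web-beacon point from the March 8 discussion above to an HTML email body: it flags 1x1 images, links routed through URL shorteners, and link text that names a domain the href does not actually lead to. The sample email is constructed; the beacon host tracker.example.test and the ow.ly path are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the Apple ID phish described in this issue; the
# beacon host tracker.example.test and the ow.ly path are hypothetical.
SAMPLE_EMAIL_HTML = """<html><body>
<p><a href="https://mail.partners/apple-account">https://appleid.apple.com/verify</a></p>
<p><a href="http://ow.ly/abc123">appleid.app.com/Verify</a></p>
<img src="https://tracker.example.test/open?id=42" width="1" height="1">
</body></html>"""

SHORTENER_HOSTS = {"ow.ly", "bit.ly", "goo.gl", "t.co", "tinyurl.com"}

def _host(url):
    return (urlparse(url).hostname or "").lower()  # '' when there is no host

class EmailAuditor(HTMLParser):
    """Flags shortened links, deceptive link text and 1x1 web beacons in an HTML email."""
    def __init__(self):
        super().__init__()
        self.findings, self._link = [], None  # _link = [href, visible text] inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._link = [a["href"], ""]
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append(("web_beacon", a.get("src", "")))  # tracking pixel

    def handle_data(self, data):
        if self._link:
            self._link[1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._link:
            href, text = self._link
            self._link = None
            real = _host(href)
            shown = _host(text if "://" in text else "http://" + text)
            if real in SHORTENER_HOSTS:
                self.findings.append(("shortened_link", href))
            # The visible text names a domain that the href does not lead to
            if "." in shown and shown != real and not real.endswith("." + shown):
                self.findings.append(("link_text_mismatch", f"{text} -> {real}"))

def audit_email(html):
    """Return the (finding, detail) pairs for one HTML email body."""
    p = EmailAuditor()
    p.feed(html)
    return p.findings
```

Run `audit_email(SAMPLE_EMAIL_HTML)` to see both links and the beacon flagged; a link whose text is a plain label such as “Apple Support” produces no mismatch finding.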

If you return to this week’s Phish Nets column you’ll see that all of them fail miserably in both the from address and the link revealed by the mouse-over.  In addition, there are some subtle errors in the contents of the first two phish.  However, the phishing email below is nearly perfect, and we think it would fool a higher percentage of people.  But it does contain one subtle error.  Can you spot it?

The from address is not spoofed to look like a real apple.com address, but it makes use of a clever domain that seems plausible.  The email comes from applemail.support.  That domain was registered on March 10 by someone named “stephen onions” from Bilston, Great Britain.

The subject line is compelling enough… “Your Apple ID was logged into from a new browser.”  You say “no, it wasn’t!”  Was it?  You feel compelled to look.  Is this true or not?  And so you open the email.  Remarkably, the email doesn’t contain a lot of information, but what you see is concerning.  Your account was locked because someone tried to log in from Moscow.  The email is informing you of a possible threat, thereby distracting you from noticing that it IS the threat.  So you move your mouse over the link to see where it points.

Notice that the link in the email begins with https, where the s means “secure” protocol.  This is critically important if you’re going to log into an account.  Now look at the link revealed by the mouse-over.  It, too, begins with https, and this is practically unheard of for criminals to fake because it requires a tremendous amount of information for any website to receive a trusted secure protocol of “https.”  We may be mistaken, but we think there have been fewer than 5 instances in the last ten years in which criminals have successfully acquired and used the https protocol.  So if you see a malicious link that begins with https, it typically means that the criminals have figured out how to misuse someone else’s legitimate secure service.

Look again at the link revealed by the mouse-over… https: //mail.partners/apple-account…  This email came from applemail.support, so why not lead back to a domain containing the word mail followed by apple-account?  Who registered the domain mail.partners?  Can you guess?  None other than “stephen onions” from Bilston, GB on March 3.  Of course, the real login for an Apple account must point back to apple.com.  And if you have any doubts, take a look at what VirusTotal.com reported about that link:

Here’s one more recent phish pretending to be an email from SunTrust Bank.  Look it over and ask yourself… how many of the 4 criteria does it meet well and would you have been fooled?

FOOTNOTE: The link “Click Here to Resolve” points to an https link because the website, which has a legitimate and secure connection, was hacked.

FOR YOUR SAFETY:  You Have New Private Snaps and Subpoena

This eye-catching email pretending to be a snap from Snapchat or Snapbabes is malicious!  The link in it points back to the domain cutestk.us.  The Zulu URL Risk Analyzer informs us that there is an 80% chance that the link is malicious AND that there are many redirects waiting for you on the site to send you to other sites.

Sex sells.


We certainly don’t like to be targeted by criminals but do they have to swear at us too?  “Here you go, you f-ing theif.  Here is your subpoena:”  Of course, this is just social engineering to get you to click that link to a malicious file on a server in Japan.  Six services inform VirusTotal.com how nasty this link is.

No arigato!


ON THE LIGHTER SIDE: An Email From James Comey, Director of the FBI

Considering how busy Director Comey has been in the last week or so trying to investigate Russia’s hacking of the last election, possible ties to folks in the Trump administration, and former President Obama’s alleged wire tap of President Paranoid, we’re really impressed that he had time to email us from a school in Indiana.  We’re thrilled!


From: fbidept@shenandoah.k12.in.us
Time: 2017-03-17 09:43:55
Subject: FEDERAL BUREAU OF INVESTIGATION

Federal Bureau of Investigation (FBI)

Counter-terrorism Division and Cyber Crime Division

  1. Edgar. Hoover Building Washington DC

Dear Beneficiary,

Series of meetings have been held over the past 7 months with the secretary general of the United Nations Organization. This ended 3 days ago. It is obvious that you have not received your fund which is to the tune of Eight Million and Five Hundred Thousand United State Dollars ($8,500,000.00) due to past corrupt Governmental Officials who almost held the fund to themselves for their selfish reasons and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to so many losses from your end and unnecessary delay in the receipt of your fund. The National Central Bureau of Interpol enhanced by the United Nations and Federal Bureau of Investigation have successfully passed a mandate to the current president of United States Of America his Excellency President Donald Trump to boost the exercise of clearing all foreign debts owned to you and other individuals and organizations who have been found not to have receive their Contract Sum, Lottery/Gambling.

Now how would you like to receive your payment? Because we have two method of payment which is by Check or by ATM card?

ATM Card: We will be issuing you a custom pin based ATM card which you will use to withdraw up to $3,000 per day from any ATM machine that has the Master Card Logo on it and the card have to be renewed in 4 years time which is 2021. Also with the ATM card you will be able to transfer your funds to your local bank account. The ATM card comes with a handbook or manual to enlighten you about how to use it. Even if you do not have a bank account.

Check: To be deposited in your bank for it to be cleared within three working days. Your payment would be sent to you via any of your preferred option and would be mailed to you via DHL. Because we have signed a contract with DHL which should expire in next three weeks you will only need to pay $310 instead of $600 saving you $290. So if you pay before the three weeks you save $290. Take note that anyone asking you for some kind of money above the usual fee is definitely a fraudster and you will have to stop communication with every other person if you have been in contact with any. Also remember that all you will ever have to spend is $310.00 Nothing more! Nothing less! And we guarantee the receipt of your fund to be successfully delivered to you within the next 48hrs after the receipt of payment has been confirmed.

Note: Everything has been taken care of by the Federal Government, The United Nation and also the FBI including taxes, custom paper and clearance duty so all you will ever need to pay is $310.

DO NOT SEND MONEY TO ANYONE UNTIL YOU READ THIS: The actual fees for shipping your ATM card is $600 but because DHL have temporarily discontinued the C.O.D which gives you the chance to pay when package is delivered for international shipping We had to sign contract with them for bulk shipping which makes the fees reduce from the actual fee of $600 to $310 nothing more and no hidden fees of any sort!

To effect the release of your fund valued at $8,500,000.00 you are advised to contact our correspondent, the delivery officer Bar Williams Darvis with the information below,

Name:  Bar Williams Darvis
Email: bar.williamsdarvis@gmail.com
TELEPHONE: +1 (415)-494-8827

You are advised to contact him with the information's as stated below:

Your full Name :..............
Your Address   :..............
Home/Cell Phone:..............
Preferred Payment Method (ATM / Cashier Check)

Upon receipt of payment the delivery officer will ensure that your package is sent within 48 working hours. Because we are so sure of everything we are giving you a 100% money back guarantee if you do not receive payment/package within the next 48hours after you have made the payment for shipping.

Yours sincerely,

JAMES COMEY
FEDERAL BUREAU OF INVESTIGATION
UNITED STATES DEPARTMENT OF JUSTICE
WASHINGTON, D.C. 20535

Note: Do disregard any email you get from any impostors or offices claiming to be in possession of your ATM CARD, you are hereby advice only to be in contact with Bar Williams Darvis (bar.williamsdarvis@gmail.com) of the ATM CARD CENTRE who is the rightful person to deal with in regards to your ATM CARD PAYMENT and forward any emails you get from impostors to this office so we could act upon and commence investigation.

Until next week, surf safely!
