If you find our resources valuable, please support us by making a small donation. Thank you!

x

March 7, 2018

THE WEEK IN REVIEW

Thank you to all our newsletter readers for your feedback in our recent survey.  Based on reader comments, we’ve decided to remove “Sample Scam Subject Lines,” “Sample Scam Email Addresses” and “On the Lighter Side” as a regular feature.  If something particularly juicy comes our way in these topics, we’ll be sure and let you know.

As we often do, we want to remind readers that life online is often not what it appears to be and we should never make assumptions.  Case in point…. Mercedes Benz.  Look at this obvious scam email claiming we won the Mercedes Benz International Lottery…

 

 

Of course, this is fraudulent.  Especially after seeing that “NB” note stating you’ll have to pay a fee before collecting your winnings.  But look at the domain the email came fromMercedes-DOT-org. One might reasonably think that this is a legitimate website owned by Mercedes Benz.  However, look at what a Google search turned up for this domain:

 

While Mercedes.com and mbusa.com are websites owned by the real Mercedes Benz company, Mercedes-DOT-org is little more than an unknown blip on the Internet.  We can tell you that it was registered by someone from the Cayman Islands using the email address elephantorchestra “@” gmail.com.  Never assume anything when it comes to the Internet!


Phish NETS: Outlook Mail

“Outlook Mail server detected you have undelivered clustered mails…”  This is lame, but a phish nonetheless.  The email didn’t come from Microsoft Outlook and a mouse-over reveals the fraud. But these scammers sure went to a lot of effort to try to fool you.  We used Screenshot Machine to snap a photo of the website waiting for you at the other end of those links.  It sure looks like the login to your Office 365 account.

Now delete!

YOUR MONEY: Seven Minute Secret to Mindfulness, Complete Security System, and Federal Rebates on Solar Panels

The art and practice of mindfulness has become extremely popular as a path to better health, lower anxiety, and dealing with stress in general.  And that is why this email caught our attention immediately!  “The 7 Minute Secret to Mindfulness” was the subject line of an email from Medication_Resistance “@” pottyclube-DOT-us.  Pottyclube?  We looked closer at that “opt-out” email address at the top:  suportcustomarmail “@” gmail.com??  This is clearly not what it appears to be.  We asked the Zulu URL Risk Analyzer to investigate the link in the email and it reported it as 92% chance of being malicious.  We’ll kick in the remaining 8%.

Deeeeleeeete, and take a long walk to lower your stress from this inbox landmine.

Here’s another good example of criminal misuse of a legitimate business to lob hand grenades at you.  “Help Prevent Burglary with ADT Monitoring” says an email sent from the domain adam1-DOT-info.  At t the very bottom of this email is the claim that this is a promotion from the Ad agency TEDMED Inc.  We’ve seen these false claims hundreds of times and knew the email was malicious.  Securi.net confirmed it for us.  But for good measure, UnmaskParasites.com also confirmed that this domain was recently used in no less than 17 spam email campaigns.

Delete!

It is still possible to get a tax rebate on solar panel installation in the United States (Visit: Energy.gov),  but this next email is a red herring. Notice the crap domain after the “@” symbol in the from address: opnyyrew-DOT-us.  According to a WHOIS, that domain was registered by someone named Ben Doan from 1323 Gregory Lane, Frankfort, Kentucky, in August, 2017.  Ben’s email address is listed with Yandex.com, a Russian Internet company.  Isn’t it odd that someone living in rural Kentucky would use an email service in Russia?  It’s also odd that the only thing around 1323 Gregory Road for thousands of feet is a dilapidated, old barn.  (There is no Gregory Lane in Frankfort, Kentucky) ‘nuf said.

Delete.

Here’s what Google shows for 1323 Gregory Road in Frankfort, KY…

TOP STORY: Zillow-Mail Abuse

Thanks to a sharp-eyed TDS reader, we’re seeing a new trick used by Internet criminals to bring you malicious emails disguised as promotional, marketing ads.  To prevent you from seeing your ultimate Internet destination when you click a link, a criminal gang is using a mail service identified as “zillow-mail.com.”  According to a WHOIS look up, this domain Zillow-mail.com appears to be a legitimate domain used by Zillow Group of Seattle, Washington.  They are the realty firm associated with the well-known site, Zillow.comWe feel certain that Zillow Group is completely unaware of the misuse of their email service and have notified them.  We’ve also asked them for a statement about their effort to prevent such misuses and will update you as soon as we hear from them.

This malicious intent is a leap down Alice’s rabbit hole, following multiple redirects.  Stay with us on this journey.  First, we begin with an attractive offer our reader received with the subject line “Congrats ! Your $50 Starbucks Reward is Waiting -ASAP Limited Number.”  But it didn’t come from starbucks.com.  It came from an oddball domain bilamod-DOT-com, which was registered on February 28 by “Domain Administrator” for Eastern Valley Limited, a company in Hong Kong, HK, some hours after the email was received.  “Take a 30-second Starbucks Shopper Survey and receive access to selected offers valued at $50 and greater…”

Nevermind the companies and addresses listed at the bottom of the email, they are meant to mislead you.  The links in the email however, all pointed to a file found on the email service email.zillow-mail.com.  The Zulu URL Risk Analyzer showed us that the links in this email will redirect you to a domain we’ve recently seen before… littlecreatures-DOT-host.  Just last week, we reported in our “Your Money” section about a similar email through Zillow-Mail that directed you to littlecreatures-DOT-host.

(DO NOT VISIT littlecreatures-DOT-host or you’ll risk getting a malware infection!)  We used screenshot machine to peak at this web site and found ourselves looking at a black screen with a single, big green “CLICK TO CONTINUE” button…

This only made us want to dig deeper into littlecreatures-DOT-host.  We asked the website UnMaskParasites.com to peak behind the scenes and were very surprised by what we found…

Visitors to littlecreatures-DOT-host were to be redirected to a webpage at the very odd domain poisonexile-DOT-com and to RewardsConnector-DOT-com!  Screenshot Machine informed us that a visit to poisonexile-DOT-com shows the same “CLICK TO CONTINUE” button and redirect to RewardsConnector-DOT-com.

Throwing caution to the wind, we took a risky leap and jumped into that rabbit hole from the Starbucks survey link all the way to RewardsConnector-DOT-com.  (DO NOT DO THIS OR YOU RISK INFECTING YOUR COMPUTER WITH MALWARE!) After at least 2 redirects, we arrived at RewardsConnector-DOT-com and watched as a light orange bar moved slowly across our browser window.   A percent sign increased from 0 to 100 and instructions said “Loading your reward…”   We felt a bit like 13-year olds in a horror movie waiting for the creaky closet door to open.  At 100% appeared a small popup saying “Welcome: Access Your Starbucks Survey!”  And we clicked “OK.”

…And that’s when we were redirected for the 4th time to yet another website, membersurveypanel-DOT-com and suddenly our Anti-spyware/virus software kicked in!  It grabbed those two 13-year olds unceremoniously by the shoulders, yanked them back, kicked the closet door closed, and yelled “What the hell were you two thinking!”  A visit to membersurveypanel-DOT-com triggered a severe warning, affectionately called “HTMLGen-A.”  It means “a remote website believed to be either malicious (a site whose sole purpose is to infect users with malware) or compromised (a legitimate site, but one that has been hacked in order to infect or redirect users).”

Thankfully, we dodged a bullet.  We suspect many others are not so lucky.  Next time you see emails with links pointing to Zillow-mail.com, and not about real estate, back away!  If it is about ANYTHING related to RewardsConnector-DOT-com, back away faster!  Want to learn more about the deceptive RewardsConnector website?  Read our feature article about this domain.

FOR YOUR SAFETY: Malicious Emails From Hell

Has your email account ever been hacked?  Do you know someone whose email has been hacked? (You can see if you are on a list of known breaches by visiting https://haveibeenpwned.com/ ) One of the many serious threats resulting from a hacked email account is the “From Hell” syndrome.  Criminals will steal your contact list and then send malicious emails disguised as you to the people in this contact list for years!  Look at this list of emails Doug received in just one day from people with hacked email accounts.  Every link is malicious and was delivered from a different email account than the one initially hacked

Here is just one example.  Though the email looks like it came from a friend at Comcast.net, it came through a server in Japan.  The shortened link points to malware hidden on a design website in Poland.  If you receive emails from people you know containing only a link and a few words at best, delete it!  Then call, do not email, the person to tell them their email account has been hacked and misused at some point.  Time for a new email account?  To learn more, visit From Hell,  a feature article about this type of attack.


Until next week, surf safely!