
May 1, 2019

THE WEEK IN REVIEW

We’ve seen quite a jump in Nigerian 419 scams during the past week.  You know, those are the scams in which someone overseas wants to give you money for one reason or another but there’s a catch.  You’ll have to pay for some customs fees, airport fees, bribe some government official, etc. etc. to get your millions. Most of these scams are accompanied by a “poker tell” that we’ve written about in the past.  It is our understanding that many Africans speak of blessings and use “Dear” a lot. Most of the African scammers use phrases like “be blessed,” “hello dear,” “dear beloved,” “dearest one,” “remain blessed,” and references to Christ and the Lord.  They try hard to appear religious, and therefore seem trustworthy.

Those that aren’t trying to appeal to your belief in God claim to represent international organizations like the International Monetary Fund.  But instead of having an email address from these organizations, like imf.org, they have a Gmail or other public email account. They would be laughable if it weren’t for the fact that people repeatedly fall for their scams.  In May, 2018, Lily Newman published a fascinating article about these “Yahoo Boys” on Wired.com called Nigerian Email Scammers Are More Effective Than Ever.

According to Newman’s article on Wired, some of the Nigerian scammers are so sophisticated that they will study a business for days or weeks, learning about the employees and how the business operates.  Then they will impersonate one of the employees to try to trick another employee into moving money or clicking a malicious link that installs malware, further improving their chances of financial gain.  Perhaps these criminals are the ones behind the first email in this week’s Top Story titled “Painful Social Engineering.”  Take a look at one of these un-Godly scams from someone who sounds like “she” is deeply connected to the Lord (we count more than a dozen references to religion).

Enjoy!

Two years ago, from January 1 to May 1, 2017, The Daily Scam had 61,000 page views.  During the same time period this year we’ve had more than 140,000 page views, greatly exceeding our expectations.  This labor of love started because two guys became fed up and angry with the barrage of scams targeting their friends and family, some of whom fell victim to the leeches who prey on us all.  Since our beginnings in August, 2014, without any budget, plan or direction other than exposing online fraud, we’ve served well over 800,000 pages about hundreds of scams to people around the world.  Every week we get emails from readers who value our effort and/or ask for help to recognize or deal with a scam. To our readers, we are grateful and happy to have made a difference.

Thank you!

Phish NETS: Chase Bank, PNC Bank, and American Express

One of our readers sent us this hysterical phishing email, pretending to be from Chase Bank.  Our reader took great pride in saying “Well, we Uuable to respond as we have no Chase account.”  This phish is filled with so many grammatical, spelling and other errors that it is a joy to read!

“Your Account We be Locked.”

Another TDS reader sent us this phish meant to look like it represents PNC Bank, based in Pittsburgh, Pennsylvania. The email was sent from chas[.]com. It also contains many errors, such as the fact that your account will be “Temperary Suspended.”  The link “Verify Your Account” pointed to the link shortening service ow.ly.  The short link will redirect you to a phishing page on one of the free web hosting services we wrote about last week in our article “Misuse of Free Website Services.”

Though not current, a TDS reader sent us this American Express phish last week.  Fortunately for all of us, many of the criminals who create these phishing emails don’t have a superior command of English. “We have temorarily locked your account due to missing of detailed information .”  The link for “sign in & update now” points to the tour website of a musician named Jason Aldean. McAfee shows that this website has been blacklisted (as of 4-28-19) so it is probably still being used by cybercriminals.  We’ve notified the hosting service.

YOUR MONEY:  Pre-Qualified for Indigo Mastercard, Shark Tank Shocker, and Ultimate Windproof Umbrella

Everything about this next email looks and feels completely legitimate… except the FROM address and the destination URL for most of the links.  All the graphics and content were stolen from the real business at IndigoCard.com. This email was sent from the domain “vente-exclusive[.]com” which was registered years ago in Belgium and hosted on a server in Brussels.  All “Get Pre-Qualified” links point to a very suspicious domain called “page[.]link.”  You can see below that this link actually redirects you to a website at hatios[.]com, which has also been blacklisted by McAfee.  Does any of that sound the least bit like Indigo Mastercard?

Shark Tank is often weaponized by the cybercriminals who target us.  We think it is either because of the popularity of the Shark Tank series, or perhaps the Cybercriminal Gang Leader loves Shark Tank, or both!  Regardless of the reason, this email came from the domain saludns[.]pro and contains links that point back to it.  It took Sucuri.net just seconds to discover malware waiting on this website for those who click to find out if the Keto Diet Really Works.  An interesting detail to point out is the directory structure created by the criminals as they try to infect your computer with this malicious clickbait.  They’ve created a directory called “subtractors-smashers.” We’ve talked about this cybercriminal gang for years. They are the group that we believe automate the creation of domains and directories in their cyber-scams using software that combines two random words from the English dictionary.

Time to erase-forthwith!

Sometimes we’re surprised by the things we learn about while investigating Internet fraud.  Imagine yourself getting into and out of a car with your umbrella on a very rainy day: the interior of the door gets wet, and so do you while folding the umbrella up. Did you know that someone designed an upside-down umbrella that actually makes this in-out easier?  It’s called “Better Brella” and there is a video on YouTube about it and a website called BuyBetterBrella.  And then there is this email that landed in one of our honeypot accounts.  It was sent from the domain lotuselan[.]info.  This domain was registered just 3 weeks earlier with a proxy service in Panama and is being hosted in Mumbai, India.

Google can’t find any website posted at this domain.

The links in this bogus “Better Brella” email all point to the website “localtownforums[.]com” which has been blacklisted by both McAfee and Spamhaus.  This “local town forum” domain was similarly registered through the Panamanian proxy service back in late January and is being hosted with the exact same hosting service in Mumbai, India.  In 2018 we published an article titled Criminals in India Target Americans.  We think there is a good chance that this malicious email, using stolen graphics from Better Brella, is their handiwork.

TOP STORY: Painful Social Engineering

According to the cybersecurity service Imperva, social engineering attacks are described as “a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”  Their article nicely explains several attack techniques used against people.  We have a few specific examples from the last week that we believe are particularly successful at causing you pain. Thankfully, all of them were recognized as fraud by the TDS readers who sent them to us!  We’ll begin with the best one: spear-phishing.

There is a manufacturing business in Massachusetts that does millions of dollars in sales through the Internet.  The employees are heavily targeted by scammers and have become extremely savvy at recognizing fraud and malicious intent.  (Doug had the great pleasure of giving their employees a workshop to help them improve their skills!) One of their top administrators recently informed us that someone tried to spear-phish their sales staff.  Check out this email from Mike, sent to Steve. Both work in the Sales Department at this company. The subject is “verification letter.” Apparently, Mike tells Steve that he is sorry for the delay in getting him this information but Steve can go ahead and pay the receipt (see link) and get this order processed.  However, Steve noticed something critically important about Mike’s email: it wasn’t from their business email address. If you look at the 2-letter country code at the end of Mike’s email, can you figure out what country the email came from?

Mike’s email came from a server in El Salvador (“.sv”).  To be honest, we didn’t know that and had to look it up. Of course that made Steve suspicious and he checked with Mike.  Though Mike’s full name and correct contact information were listed in the email (with his email signature), he hadn’t sent it.  This feels a bit creepy because it means that some cybercriminal spent time researching this company and its employees before putting this email together.  Perhaps this criminal actually reached out to each of these employees separately, and via other email addresses, to inquire about their products for the sole purpose of getting their email signatures, contact information, and a bit of their email language.

Besides the obvious possibility of paying for a fake invoice sitting at the other end of that “whalefinance” link, what else could be bad?  A HELL OF A LOT, according to VirusTotal.com!

Kudos to Steve for recognizing this threat!  However, more sophisticated criminals are capable of spoofing the FROM address.  Would Steve have been suspicious if Mike’s email address were correctly shown?

Another effective method cybercriminals use to engineer our clicking behavior is through the content of an email.  They will often write things to evoke an emotional response, hoping that the recipient impulsively clicks a link because she or he is troubled, concerned, or in some way, very curious about the content.  Take this email which claims to be sent from the United States Post Office. Subject line says “an email containing confidential personal information was sent to you.” If the recipient would only pause for a moment and think…

  1. The USPS doesn’t send Americans emails about online content.
  2. Why would the USPS know that my content is personal and confidential?

Being skeptical or suspicious about this email can motivate the recipient to take a closer look.  It came from a server in France and the link for “More information” points to a server in Norway. (Coincidentally, the “whalefinance” link in our first example points to a website on a Gandi.net server in France as well.) Not that it adds anything at all but that “senior university” website in that Norway link has been blacklisted by McAfee.


Another effective method we’ve seen to engineer someone’s clicking behavior is to lead someone to believe they have paid for something they did not.  Fake iTunes invoices for gaming software are fairly common and great for getting an immediate angry response from parents. “WHAT? What did my son buy?!”  They come with links to “cancel this order” that point to phishing pages, malware or both. Last week a TDS reader sent us this email thanking her for her Amazon purchase.  She was led to believe that she had spent $560 for a red ceramic table lamp. Notice the large BOLD black and red font asking her to “Click Here” to confirm or cancel with “This is not My Order.”  Fortunately, our TDS reader is plenty savvy and recognized that the email didn’t come from Amazon. It prompted her to look more closely at the links.

We believe this email is a trick to phish your credit card information because you are likely to be asked to provide it so they can “credit your account.”  Look below at all the email addresses your reply would automatically be sent to. Can you recognize the 5 country codes spread across these 15 email addresses?  And of course, none of these were for the real amazon.com.

Our final recent example concerns links to known services, such as Docusign, that may contain important information for review.  Docusign is a well-known company in the world of digital documents. Getting an email saying “you received a protected document” could easily engender a click.  But again, the TDS reader who sent this noticed that it didn’t come from Docusign. It came from someone’s Verizon account, prompting him to take a closer look. Mousing over the link for “VIEW DOCUMENT” revealed a server in the Netherlands.
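The checks the readers in these stories made by eye (is the sender’s domain really the company’s, what two-letter country code sits at the end of the address, how many different domains a reply would fan out to, and where each “Click Here” link actually points) can be scripted so they run on every incoming message. The Python below is an added example, not code from The Daily Scam; the message it parses is constructed, with placeholder domains, to stand in for the spear-phish, the fake Amazon invoice and the shortened PNC link described above, and the trusted domain, brand list and small country-code table are assumptions for the demonstration.

```python
"""Triage one raw email the way a cautious recipient would.

Added example (not The Daily Scam's code). The sample message and every
domain in it are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Country-code TLDs mentioned in this issue. A ccTLD tells you which
# registry the domain sits under; it is a hint about the sender, not proof
# of where the mail server physically is.
CCTLD = {"sv": "El Salvador", "fr": "France", "no": "Norway",
         "nl": "Netherlands", "in": "India", "be": "Belgium"}
# Link shorteners hide the real destination (the PNC phish used ow.ly).
SHORTENERS = {"ow.ly", "bit.ly", "tinyurl.com", "goo.gl", "t.co"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def cctld_of(host):
    tld = host.rsplit(".", 1)[-1]
    return tld if len(tld) == 2 and tld.isalpha() else None


def same_org(host, trusted):
    return host == trusted or host.endswith("." + trusted)


def triage(raw, trusted_domain, brands=()):
    """Return human-readable findings for one RFC 5322 message string."""
    msg = message_from_string(raw)
    findings = []
    # 1. Sender domain: the display name and signature can be copied from a
    #    real colleague, but the domain after '@' still has to match.
    for _, addr in getaddresses(msg.get_all("From", [])):
        dom = domain_of(addr)
        if not same_org(dom, trusted_domain):
            note = f"From domain {dom} is not {trusted_domain}"
            cc = cctld_of(dom)
            if cc:
                note += f" (ccTLD .{cc}: {CCTLD.get(cc, 'unknown country')})"
            findings.append(note)
    # 2. Reply-To fan-out: a legitimate order confirmation does not route
    #    replies to a dozen mailboxes in several countries.
    reply_domains = {domain_of(a) for _, a in
                     getaddresses(msg.get_all("Reply-To", []))}
    if len(reply_domains) > 1:
        codes = sorted({c for c in map(cctld_of, reply_domains) if c})
        findings.append(f"Reply-To spans {len(reply_domains)} domains, "
                        f"country codes {codes}")
    # 3. Links: where does each one really go, and does the visible text
    #    name a brand the destination host does not belong to?
    body = msg.get_payload(decode=True).decode(
        msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"link '{text}' uses shortener {host}; "
                            "destination hidden")
        elif host and not same_org(host, trusted_domain):
            findings.append(f"link '{text}' points to {host}, "
                            f"not {trusted_domain}")
        for brand in brands:
            if brand in text.lower() and brand not in host:
                findings.append(f"link text mentions {brand} but host is {host}")
    return findings


# Constructed composite of the scams above: a colleague's name on a foreign
# ccTLD, replies fanning out to three countries, a shortened link, and an
# "Amazon" cancel link that leads somewhere else entirely.
SAMPLE = """\
From: Mike <mike@sales-example.sv>
Reply-To: billing@orders-example.fr, refunds@orders-example.no, help@orders-example.nl
To: steve@example-company.com
Subject: verification letter
Content-Type: text/html; charset=utf-8

<html><body><p>Sorry for the delay. Please pay the receipt below so we can process the order.</p>
<p><a href="http://ow.ly/placeholder">Verify Your Account</a></p>
<p><a href="http://invoice-host.example/receipt">Pay receipt</a></p>
<p><a href="http://order-cancel.example/cancel">This is not My Amazon Order</a></p>
<p>Mike, Sales Department</p></body></html>
"""

# Constructed internal message that should produce no findings.
CLEAN = """\
From: Mike <mike@example-company.com>
To: steve@example-company.com
Subject: verification letter
Content-Type: text/html; charset=utf-8

<html><body><p>Order is in the queue, nothing to pay.</p>
<p><a href="https://portal.example-company.com/orders">Order portal</a></p></body></html>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE, "example-company.com", brands=("amazon",)):
        print("-", line)
```

Run it and the sample produces six findings: the .sv sender, the three-country Reply-To spread, the ow.ly shortener, two links leaving the company’s domain, and the “Amazon” text on a non-Amazon host. The script only reads headers and link targets; it never fetches a URL, so it is safe to run over a mailbox of suspected phish, and the blacklist and hosting lookups the newsletter does with McAfee, Sucuri and WHOIS remain a separate step.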

Deeeleeete!

FOR YOUR SAFETY: Walgreens Shopping Survey

For months we have warned readers about fake surveys offering to pay recipients for their time to participate.  Most of these have pretended to be from Amazon.com. Here is another one, this time claiming to represent Walgreens.  Though it was sent on April 20, 2019, notice that the email content says “2018 Shopping Survey.” Criminals frequently re-use malicious content over and over but are not always good about updating the details.  The FROM and REPLY-TO emails make it easy to spot this as bogus. The link for “Take the Survey” points directly to malware! (See the Sucuri screenshot below.)

Until next week, surf safely!