
May 11, 2016

THE WEEK IN REVIEW

There has been a noticeable increase in the number of hacked websites that produce fake computer infection notices through a redirect or popup. These bogus claims urging you to call technical support can be scary, especially to inexperienced users like children and the elderly. The one below actually came to us from a middle school student. The potential victim is told that Windows 10 Defender detected a malware infection. The user is urged to call a "Microsoft Certified Technician" at 888-331-0178. Calling the number is the most dangerous thing you can do! The scammer will trick you into installing serious malware, such as a rootkit that gives the scammer full control of the computer, or something equally harmful. If you ever see messages like this, shut down and restart your computer. If they continue to pop up, it may mean you have a browser hijacker or similar, less evil malware that needs to be removed.

1-Windows malware scam


For weeks we have been telling readers about emails that take advantage of politics to trick recipients into clicking malicious links. Even after Kasich and Cruz dropped out of the Republican race, look at this email that came out with several different but similar subject lines… “Fox Breaking Fox News – Donald Trump Drops out of Presidential Race.” They’ll say anything to generate a click.

2-Fox News-Trump drops out

Sample Scam Subject Lines:

[APPROVED] Payment Has Been Sent

Be Ready for the Pool | Women’s Styles

Commissions Sent Today at 8:00 EST

CNN Health is proud to announce that Alzheimer’s Disease was finally defeated

e-Check Deposit Received

Good news! Please read

Increased Transaction Fee

National Educator Initiative

Someone Might Be Using Your Account 4745B

Trust me. This will cure your DIABETES!

Your Mother’s Day Gift From Macy’s

We’ve received your nomination for inclusion

Women went crazy for this HOT Shark Tank innovation

Sample Scam Email Addresses:

alcoholdetoxprograms@alcorehab.bid

diabetesnews@diabetiprogram.top

fran@samsmembereward.com

info@bloodpressurehelper.com

info@subwaydealalert.com

lid@walmartmaker.com

lig@clubsamsgift.com

lineofcredit@cradit.download

medicare-providers@mediclopn.date

nbctodayshow@getbackmemori.top

rvdeals@torhome.date

usedcaroptions@carused.date

ywa@clubgiifts.com


Phish NETS: Signature Bank, C1 Financial, Glacier Bancorp, and Dear Email Account User

From famine to feast! Last week we reported that we hadn’t seen any phishing scams the prior week. How life online changes in just a few days. We saw four types of phishing scams this past week and wonder how many more we missed. Three of them targeted small banks (as opposed to big banks like Bank of America). The first two are identical in design, but one targets clients of Signature Bank of New York and the second targets clients of C1 Financial of Florida. Fortunately, a simple mouse-over of the links demonstrates that they don’t lead back to the respective banks. Actually, both links lead to hacked websites, with malware waiting at the fake login pages. Below is one of the Zulu URL Risk Analyzer scores, and here is a link to the other Zulu score.

3-Phish-signature bank

4-Phish-C1 Financial

5-phish zulu score

And then we saw this phish claiming to represent Glacier Bancorp, Inc., but the link leads to a website in Poland (2-letter country code .pl).

6-Phish-online order submitted

Finally, in this week’s phish nets was another email targeting generic webmail users… “Your mailbox has been compromised, Kindly Authenticate your Outlook Account to prevent closure of this email address…”

The email was sent from an address in Fiji (2-letter country code .fj).

Delete!

7-Phish-Dear email user

Your Money: Walmart E-card, Myrtle Beach Vacations, and Sam’s Club Bonus

My goodness! Our Walmart Spring e-card is expiring! At Store: 1151828945, no less. And Saturday is the last day the card can be used. Good thing we were sent the link “Your card is available here” to print out our rewards. Guess who registered the domain braiinn.com just 2 days before this email was sent? Our readers may recognize “Judy Santiago” from Alexandria, LA. We’ve identified several other scam domains “she” has registered in our April 13 and April 20 newsletters.

Looking for a great vacation spot? “Beach resort and rentals that your family will love.” We hear that Myrtle Beach is beautiful, but don’t click the link that came with this scam. The domain beachtle.download was registered by “anuj jain” from Houston, Texas on the day the email was sent. The website beachtle.download appears to be hosted on a server in Barcelona, and the website identifies itself as YouTube. Sound like a legitimate offer to you?

Delete!


Hey, new member! Are you interested in going on a Sam’s Club spree? Well… “Start your Wekk off right at Sam’s Club.” These scammers ought to spend as much time on their spelling and grammar as on the thoughtful choice of domain… samsclublovesyou.com. Awwwww! How sweet. And we’ll bet you can guess the familiar name of the person who registered this sweet domain! Drum roll….. It’s Judy Santiago from Alexandria, LA!

Now Delete!
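The two checks used throughout this issue, mousing over a link to see whether its real destination matches what it claims, and noticing that the destination domain was registered only days before the email arrived, can be run mechanically over an email body. The script below is an added example written for this page, not a tool from TDS; the email body, the received date and the WHOIS creation dates are constructed (a real triage tool would query WHOIS/RDAP), and the suspect TLD list is taken from this week’s sample scam addresses.

```python
from datetime import date, timedelta
from html.parser import HTMLParser
from urllib.parse import urlparse

# TLDs that recur in this issue's sample scam sender addresses
SUSPECT_TLDS = {"bid", "top", "date", "download"}

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(host):
    """Last two labels as a rough stand-in for the registrable domain."""
    return ".".join(host.lower().strip().rstrip("./").split(".")[-2:])

def triage_links(html, brand_domain, received_on, whois_created):
    """Return {href: [reasons]} for links that fail the mouse-over and
    domain-age checks. whois_created maps domain -> creation date."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for text, href in parser.links:
        dom, reasons = registrable(urlparse(href).hostname or ""), []
        if dom != registrable(brand_domain):
            reasons.append("destination %s is not %s" % (dom, brand_domain))
        if " " not in text and "." in text and registrable(text.split("/")[0]) != dom:
            reasons.append("displayed text points elsewhere than the href")
        if dom.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            reasons.append("TLD seen in this week's scam sender addresses")
        created = whois_created.get(dom)
        if created and received_on - created <= timedelta(days=7):
            reasons.append("domain registered %d day(s) before the email"
                           % (received_on - created).days)
        if reasons:
            findings[href] = reasons
    return findings

# Constructed sample modelled on the Walmart e-card message described above
SAMPLE_HTML = ('<p>Your Walmart Spring e-card expires Saturday. '
               '<a href="http://braiinn.com/rewards">Your card is available here</a> '
               'or visit <a href="http://braiinn.com/login">www.walmart.com</a></p>')
RECEIVED = date(2016, 5, 9)                    # constructed receipt date
WHOIS = {"braiinn.com": date(2016, 5, 7)}      # 2 days earlier, as reported above
```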


TOP STORY: Confirm, Complete and Activate. In Other Words… Infect!

In the context of the Internet, “social engineering” is the art of manipulating people into making poor decisions that can have serious consequences, such as infecting their devices with malware or giving up the login information for a bank account. The language used in the three emails below is a frequently effective method of social engineering. The critical question to ask yourself… Had you received these emails, would you have been curious enough to click a link? Do you know someone who would have clicked? We’re guessing the answer is yes. Let’s take a closer look…

Confirm your acceptance. “Your confirmation is almost complete.” This email was sent to us by a TDS reader, and it definitely had our attention until we saw “your social networking reputation among your peers and colleagues of your profession entitles you for pre-qualification!” It was at that moment that we knew this was worthless donkey-pucks. Read on, especially the part about being a “buisiness mover-and-shaker.” This begins to look like a vanity scam, but we can’t be certain exactly what it is because Google can find no information about the domain, aquastove.com. Even our best online evaluation tools show nothing lurking just below the surface. The domain has been around for years, yet no one has a single bit of information about it. The email tells us “you have nothing to lose!” We think you have everything to lose.

Delete!


Please Complete Your Registration. “You are now in an elite group.” “Already Eight (8) professionals and executives want to network with you due to your new status.” To quote Groucho Marx seems appropriate… “I don’t want to join any group that would have me as a member.” If these elite bozos are so prestigious and want me, why can’t they at least address me by name in the email? Vanity is often used against people to manipulate them into exercising poor judgement. The domain wonderwhoswho.com was registered on May 6th by a good friend of ours. Can’t you guess? You know it well. Our good friend from Alexandria, LA…. Judy Santiago! And now we all say… deeeeleeeete!

URGENT Account Activation. “Your account has been approved and is now active.” This scam has been very active for the last few weeks and is coming out in many variations of the same email. Like a bad penny, it just keeps coming back, over and over. They all seem to represent a company called “Global Millionaires Trader LLC.” We’ve reported on these emails before. On January 19, 2016 a gentleman demonstrated on YouTube that the website for Global Millionaires Trader LLC (and the websites of 2 other related companies) were nothing more than vehicles for installing malware onto a visitor’s computer. Check out his 2-minute video. Ouch. You know what to do…

13-Congratulations - you won again

14-Urgent activation-your account approved

Look at all the ways in which this scammer has been changing subject lines just to entice you to open the email and take a closer look. Our best advice: if you don’t recognize the sender and have some suspicions about the email, just delete it.


FOR YOUR SAFETY: Malware-laden Emails, and More

During the last week we also saw a ten- to twelve-fold increase in the number of emails containing viruses. Most had attached zip files, but there were a few other types of files as well. They tend to be short, often with little more than the attached malware to go with the subject line. Check out this list of them and the samples below…

16-Malware laden emails

17-Malware laden email2

18-Upcoming payment 1 month notice

19-Urgent - your card has been used

ON THE LIGHTER SIDE: How Lucky Are We!

Dear TDS readers, we must be in BIG trouble because we received not one, but two notices to appear in court! The first one, from Duane Gibson of TechnoSensations, is for May 12, although we don’t know what court or where. I guess we will have to open the zip file to find out.


The second notice is asking us, in Portuguese, to appear in court in Portugal on May 25! We know this because we asked Google to help us translate. Google said “No subpoena . 57432. The Federal Public Ministry in the performance of their institutional duties , based on Articles 229 and 241 , section VI of the Federal Constitution and Article 61, paragraph VII of the supplementary law n 676 of 28 May 1998 INTIMATE Your Lordship to appear in this Republic of the Regional prosecutor”

Oh dear. We’ve got two zip files we’ll have to read carefully. Do you know any good lawyers? I think we’re going to need one.

Until next week, surf safely.