
May 15, 2019

THE WEEK IN REVIEW

We heard from lots of TDS readers last week who sent us so many malicious clickbait emails that we can’t possibly show them all!  Here is a sampling of the content these many emails pretended to represent:

 Auto Warranty Coverage

 Final Expense Life Insurance

 Liberty Mutual Insurance Savings

 Senior Discounts for 2019

 Simple and Sensible Loans

 Your June Horoscope

Also, some of them contained shortened links that redirected to the malicious website we highlighted last week called “jbbrwaki[.]com.”  Below is the “Senior Discounts” clickbait email with links pointing to another website we’re seeing quite a lot now… “Infoostrich[.]com.”  This domain states it is an email marketing service but Google knows absolutely nothing about it.  Furthermore, the link to Infoostrich will forward you to another website called wirednewsalerts[.]com.  Once again, Google can’t even find this website and reports nothing at all about it.  Furthermore, this “wired news alerts” website is blacklisted by McAfee. Plus, there is the domain the email came from… “yourdigital-connections[.]com.” Good luck finding that one too.  All 3 domains were registered through proxy services last fall.  Wouldn’t a marketing business WANT to be discoverable so they can grow their business? Hmmmm… What is the likelihood that you or your senior parents would have clicked this link?

 

We also heard from a woman who was told she had won $25,000 through a cash giveaway sweepstakes by a drawing she had entered at a “local mall, a restaurant or an event you may have attended.”  The caller, named “Brett,” has been pushing this scam since 2017 and we’ve reported on it in our article “You Won a Car or $25K!”  You can hear “Brett” identify himself by many other names in the many voice messages people have sent us.  The woman was asked to call 866-495-5058. Lots of people have been reporting this phone number online as a scam, such as on 800notes.com.


Read our newest article about a money scam from a “cold caller.”  Sounds like it might be a Ponzi scheme to us… 2019 Cash Flow Call!


Phish NETS: Pre-Qualify for a Credit One Bank Platinum Credit Card

Credit One Bank is a legitimate credit card company based in Nevada, US.  And so it struck us as exceptionally odd that this email, sent to us by a TDS reader, came from an email address @victoriassecret.com and contained a link to a link-shortening service in France. (2-letter country code = “.fr”)  We used Unshorten.it to unshorten that link and discovered that it will redirect you to a website called hexaem[.]com.  A WHOIS lookup of Hexaem shows that it was registered back in 2017 to someone using the email address bibblebobble3 “@” gmail.com.  Does any of this sound even remotely plausible?  Oh, and there is the fact that McAfee has blacklisted the domain hexaem[.]com.

However, here’s the critical point… We followed that link, as if we didn’t notice these things, wondering what we might find at the other end of our pre-qualifying experience.  After all, it takes less than a minute! And we were not the least bit surprised by the amount of personal information you are asked to give up for this phishing credit card scam:

Full name and address

Email and phone number

Social security number

Date of birth

Estimated monthly income

This information can be used by cybercriminals for financial gain and can do lots of damage to your credit and personal accounts.  Which is the topic of this week’s Top Story!

YOUR MONEY:  Lifelock Identity Protection, Costco Survey, and Kohl’s Gift Card

Lifelock is a service that offers identity theft protection. (Though according to this October 2018 article in NerdWallet.com, Lifelock cannot prevent identity theft and you can perform many of the safeguards yourself.)  How ironic it is that Lifelock’s identity should be stolen and used as malicious clickbait. This email didn’t come from Lifelock.  In fact, it came from the same domain used to send the “Senior Discounts” email at the start of our newsletter. Also, a visit to the real Lifelock website shows us that their phone number is 800-416-0599.  The phone number listed on this clickbait is 800-540-7580. When we search for this shady phone number, the first link points to a website called Scammer.info, a place where people share information about scams.  And best of all… The links in this crap all point to Infoostrich[.]com, just like the Senior Discounts email!

Deeeleeeeete!

In case there was any doubt that criminal organizations work hard to target you with scams and malicious intent, we bring you another clickbait from the domain yourdigital-connections[.]com.  This one pretends to be a Costco Shopper Survey, offering to pay you a $50 gift card for your feedback.  No doubt you can already guess where the links in this crap are pointing… infoostrich[.]com!  Coincidentally, a TDS reader sent us another malicious clickbait email disguised as a Costco Survey but the design, coding and source were very different from the first Costco email. It came from a Gmail account.  Might we have competing cyber-gangs using Costco to engineer your clicking behavior? We think so! ‘Nuf said.

Delete them both.

While we’re on the subject of gift cards, how would you like a $500 gift card for Kohl’s!  Except that this offer came from a Target.com email address. And the links point to a link-shortening service at page.link.  Of course we unshortened that link.  It points to jbbrwaki[.]com!!!  It’s beginning to look like this cybercriminal gang is putting all its malicious, smelly eggs into one or two baskets (infoostrich[.]com!)

TOP STORY: One Phish, Two Phish, Red Phish, Blue Phish

Consumers are bludgeoned into submitting gobs and gobs of personal information in everything we do online.  We’ve become so accustomed to giving out personal information that we don’t even fight back anymore. Just recently, Doug at TDS purchased tickets to a small venue concert hall and was required to create an account with the venue.  It wasn’t an option. In addition to his email and full address, he was asked to provide his phone number. In protest, he entered 000-000-0000 into the required field. It’s important to remind TDS readers to fight back against this erosion of our privacy, and the overzealous effort to put ads and promotions in front of our eyeballs.

We’ve exposed hundreds of smelly phish over the years.  In the last few months alone we’ve exposed phishing emails pretending to be Amazon, American Express, Apple, AT&T Services, Bank of America, Citibank, Cox Communications, Facebook, JP Morgan Chase Bank, LinkedIn, Navy Federal Credit Union, PayPal, SunTrust Bank, TD Bank, Wells Fargo Bank and many, many more.  However, as we pointed out in this week’s Phish Nets column, there are other ways criminals go phishing. They also try to capture important personal information which they can monetize in a variety of ways. They can use it to open accounts in your name, use it for identity theft, or use it to try to get into your personal accounts, including Social Security and financial accounts.  They can use it to file false tax returns netting them a refund! Or they can simply use the information to better target you.

Let’s start with something that may seem small and trivial… Imagine you got an email inviting you to sign up for breaking news.  This seemingly innocent news alert came from “newsletter “@” allbreakingnewsnow[.]com” with the message: “Thanks for signing up for Breaking News alerts! Action is required to verify your email address.”

RED FLAG #1: We didn’t sign up for breaking news alerts.

RED FLAG #2: The sender’s domain (allbreakingnewsnow[.]com) and the domain revealed by mousing over the links (allnewsclick[.]com) were both registered less than 2 weeks earlier through a proxy service in Panama.

RED FLAG #3: Can you identify the source of this news alert? Any legitimate news service would identify itself.

Oh well, we like staying up-to-date with news so we asked Screenshot Machine to follow that link and show us what it found.  This website asks you to provide your name, address and email account information. Google sees that there is a website called allnewsclick[.]com but there appears to be nothing there but a generic website test page.  How do you feel about trusting these folks with your personal information?

We’ve already shown you a seriously nasty phish in this week’s phish net column.  But that is not the only one like this. We often see these fake credit card application emails.  Not only do they phish for your personal details but sometimes they also hit you with malware on the fake application site as well.  Here’s another recent one pretending to be the Hilton Honors American Express Ascend Card that a TDS reader sent to us.  But notice that this email came from the email address news “@” fairanconcept[.]com. The links in this crap point to an Outlook server but that link contains a redirect to the sender’s domain fairanconcept[.]com.  But wait!  That isn’t your final destination.  Fairanconcept[.]com will redirect you to another website called limitedpng[.]com.

(See below.)

Does any of this sound the least bit like Hilton or American Express?  We asked Google what it knew about limitedpng[.]com and the answer was nothing, though it found the website.  Visiting that link to apply for a Hilton American Express credit card shows us how much personal information you’re asked to hand over to these cybercriminals.

A lot!

The first page of this bogus credit card application asks for:

Full name and address

Email and phone number

Social security number

Date of birth

Total income, taxable income and income source

Hilton Honors number

  …and this is just the first page of the application!  We had no problem finding the real American Express web page for this card at AmericanExpress.com.  This blue phish makes it crystal clear how very important it is to look at the FROM email address and evaluate links by mousing-over them before clicking!

If you don’t recognize the web site domain, don’t click!
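The two checks described above (compare the FROM domain with the brand, and see where each link really leads, including a destination tucked inside another site's redirect link) can be automated. The following is an added example, not code from TDS; the domains in the sample are constructed placeholders, and the "last two labels" rule for a site's name is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

SHORTENERS = {"is.gd", "page.link"}  # shorteners named in this newsletter

def site(host):
    """Naive registrable domain: last two labels (assumption, no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def hosts_in_url(url):
    """Host of the link, then hosts of any URLs embedded in its query string."""
    parts = urlsplit(url)
    found = [parts.hostname or ""]
    for _, value in parse_qsl(parts.query):  # parse_qsl percent-decodes values
        if re.match(r"https?://", value, re.I):
            found.extend(hosts_in_url(value))
    return found

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def red_flags(from_addr, brand_site, html_body):
    """List reasons the message does not look like it came from brand_site."""
    flags = []
    sender = site(from_addr.rsplit("@", 1)[-1])
    if sender != brand_site:
        flags.append(f"sender domain {sender} is not {brand_site}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href in collector.links:
        for host in filter(None, hosts_in_url(href)):
            if site(host) in SHORTENERS:
                flags.append(f"link uses shortener {site(host)}")
            elif site(host) != brand_site:
                flags.append(f"link leads to {site(host)}, not {brand_site}")
    return flags

# Constructed sample: a "brand.example" offer whose first link hides its real
# destination in the query string of a mail provider's redirect URL.
SAMPLE_HTML = ('<a href="https://mail.provider.example/redir?url='
               'https%3A%2F%2Fsender.example%2Fgo">Apply now</a>'
               '<a href="https://is.gd/abc123">Terms</a>')

if __name__ == "__main__":
    for flag in red_flags("news@sender.example", "brand.example", SAMPLE_HTML):
        print(flag)
```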

FOR YOUR SAFETY: Login Report Carries A Landmine

Anyone who owns/operates a website, especially a WordPress website, should get reports that routinely detail any threats, as well as who is visiting your site (from what general location.)  As you can imagine, we have many layers of security and reporting for our site. (Big surprise…. We’re targeted a lot by cybercriminals who want to shut us down. Lately, Chinese hackers have shown a BIG interest!)

We recently saw a new threat that surprised us by its uniqueness.  It was actually quite clever, though we didn’t fall for it. We get an immediate report every time someone tries to log into our website.  Besides the usual “admin,” “administrator,” and “thedailyscam” accounts that hackers try to use, last week someone tried to log in many times using a full link to a link-shortening service at “is.gd” as the account name.  In our report, that link showed up as a clickable item! We’re sure the hacker who did this meant for us to wonder about this and click that link. NO CHANCE! However, we did unshorten it to discover that it pointed to a website registered in Colombia (2-letter country code “.co”), but a WHOIS tells us that the website is being hosted in Paris, France!  No thank you. We’re not interested in travelling anyway.
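A login report can protect its own readers by treating the attempted account name as hostile text. The following is an added example, not the reporting tool TDS uses: it flags account names that look like links and rewrites them so they cannot be clicked. The log entries, timestamps and IP addresses are constructed sample data.

```python
import html
import re

# A username that carries a URL ("https://is.gd/x") or a bare host plus path ("is.gd/x").
URL_LIKE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*")

def defang(text):
    """Rewrite a URL so mail clients and browsers will not auto-link it."""
    text = re.sub(r"(?i)\bhttp", "hxxp", text)
    return text.replace("://", "[://]").replace(".", "[.]")

def report_line(attempt):
    """Format one failed login for the report, treating the username as hostile."""
    user = attempt["user"]
    flagged = bool(URL_LIKE.search(user))
    # Escape as well, so markup in a username is shown as text in an HTML report.
    shown = html.escape(defang(user) if flagged else user)
    note = " [URL used as username]" if flagged else ""
    return f'{attempt["time"]} {attempt["ip"]} user="{shown}"{note}'

def build_report(attempts):
    """Return (lines, number of attempts whose username looked like a link)."""
    lines = [report_line(a) for a in attempts]
    return lines, sum(line.endswith("[URL used as username]") for line in lines)

# Constructed sample data; IPs are from documentation ranges, the short code is made up.
ATTEMPTS = [
    {"time": "2019-05-08T10:00:01Z", "ip": "203.0.113.7", "user": "admin"},
    {"time": "2019-05-08T10:00:04Z", "ip": "203.0.113.7", "user": "https://is.gd/Abc123"},
    {"time": "2019-05-08T10:00:09Z", "ip": "203.0.113.7", "user": "is.gd/Abc123"},
    {"time": "2019-05-08T10:00:12Z", "ip": "198.51.100.23", "user": "<b>thedailyscam</b>"},
]

if __name__ == "__main__":
    lines, flagged = build_report(ATTEMPTS)
    print("\n".join(lines))
    print(f"{flagged} attempt(s) used a link as the account name")
```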

 


Until next week, surf safely!