
May 18, 2016

THE WEEK IN REVIEW

Did our readers notice a spike in malicious spam hitting their inboxes? We did. Our criminal adversaries were very busy! From Tuesday, May 10 until Thursday, May 12 we saw malicious spam increase by more than 50%. It was a “scampaign” and as certain as the sun will rise tomorrow, we’re sadly certain many people infected their computers with malware as a result. Does your email service have good antispam services? Does your computer have quality, up-to-date anti-malware software installed? We hope the answer to both of these questions is a resounding yes! And to all you Apple computer owners out there thinking “Macs don’t get computer infections,” think again. Though the amount of malware against the Mac OS is significantly less than the amount targeting Windows computer owners, it can still be measured in many thousands of malware files. If you haven’t installed anti-malware software, we can recommend Sophos’ free product found here: https://www.sophos.com/en-us/lp/sophos-home.aspx

Sample Scam Subject Lines:

$10842.81 Payment (Pending)

1 Year MBA – options

African Safari’s – Great Deals – Limited Time

Don’t waste your money on 1 more new battery

Explore, These Garage Door Repair- Options

Explore Cloud Computing Options …

Explore Up-To Top 16 Retirement Planning Listings

Hookup with local singles free!

Renting a Private Jet is less costly than you thought

Scout Woodworking Projects

View 16 Latest Reverse Mortgage Listings

View Lavish Arabian Women’s Dating Profiles Here

You Qualify for Summer Savings on new HVAC Units

Sample Scam Email Addresses:

+HomeInsurance+@rementain.top

-=-CarDonation-=-@stersit.top

=+=MovingCompanies=+=@ryanky.top

Alcohol-Rehab@mo8ju6gas.castkht.top

BlakeShelton-Reveals@kqadio6e.vschord.top

CapitalForYourStartup@mo8fa1mwe.fwaloha.top

GlobalBusinessNetwork@yearcharly.top

importantnews@hollybook.click

malloryquintero@santaclausthemovie.com

PersonalInjuryLawyers@svesey.top

solarpowerforthehome@solarpowr.pro

todayshowlive@memorylong.pro

WirelessSecurityCamera@extreation.top


Phish NETS: Bank of America

Last week we said that we hadn’t seen any big bank phishing emails such as those targeting Bank of America. A few days later we received a fake Bank of America email! Coincidence? Two weeks ago we reported not finding any phishing emails. That announcement was followed by several days of getting many phishing emails sent to our honeypot servers. Another coincidence? Hmmmmm. Could the criminal gangs responsible for most of these scams actually be a subscriber to our newsletter? We’re flattered! Well, we haven’t seen a phishing scam for First National Bank in a very long time. Hello? McFly? Are you listening?

Here’s the Bank of America phishing email we found. It reeks of fraud! The email was sent from www-data@infirmier.fr, not Bank of America. And a mouse-over of the link “click here” reveals that it doesn’t lead to Bank of America. It points to IP address 166.63.122.159. VirusTotal.com reveals that three security sites have identified this IP address as a malicious website.

Deeeeleeete!

[Screenshot: the Bank of America phishing email]

Enjoy these other links about recent phishing scams from around the web:

Facebook Phishing Scam: http://www.hoax-slayer.net/considered-ineligible-use-facebook-phishing-scam/

University of Vermont Email: http://www.uvm.edu/it/?Page=news&storyID=22886&category=etssecurity

University of Chicago Email: https://itservices.uchicago.edu/page/latest-email-scams

PayPal Phishing Scam: http://www.scmagazine.com/new-paypal-phishing-scam-hooking-victims/article/496157/

Dropbox Phishing Scams: http://www.bbb.org/blog/2016/05/phishing-emails-pose-as-dropbox-share-alerts/

Your Money: Alaska Cruise Options, Macy’s Order, and Ink/Toner Sale!

Criminals have often targeted people through offers for coupons, sales and low prices on all kinds of things. The primary purpose of this column has always been to expose these types of scams. We don’t pretend to know the intent of each and every scam, though we can guess that most lead to malware infections. Our goal is to help our readers recognize these malicious emails. Below are three good examples.

“Explore Top 10 Alaska Cruise Options.” Would you like to “compare and save?” This email from AlaskaCruises@izcd-qptd.download won’t help. That oddball domain izcd-qptd.download was registered on the day the email was sent by “Customer Support,” listing an office address in London, England. Of course it was registered using the registrar service Alpnames. Alpnames seems to care little about how it is being misused, as long as it makes money. And remember, anyone can put anything in front of the @ symbol of an email address. But that doesn’t make it so.

This is a new design for the many retail store scams we’ve seen. “Macy’s wants to thank you with a gift. Your Macy’s order is ready for pickup.” All that is required is for you to click the link to that inviting domain “enjoy.macgiftrewrd.com.” Our dear friend Judy Santiago, mentioned in several of our newsletters, registered this domain on May 10, and it is being hosted in Rotterdam, Holland.

Now Delete!


Have you ever heard of the service 1ink.com? It is a legitimate discount service specializing in cheap printer ink and toner cartridges. The email below looks like it was sent from 1ink.com, but look closely at the email address of the sender. It comes from 1_ink@sprinci.top, and the links lead back to sprinci.top. It wasn’t Judy Santiago who registered that domain this time; it was Futurebright Solutions, on May 12. We’ve demonstrated in a past newsletter that Futurebright is a fictitious company. In other words, this is just meadow-muffins dressed in a nice graphic, with a phony-baloney 10% off code. And once again, it was registered through Alpnames.

Delete!


TOP STORY: Exposing Scams and Spam Through Hidden Text

One of the most reliable tells we can teach our readers for identifying an email as suspicious spam or a likely scam is hidden text, which spammers often embed in an email to help it get past anti-spam servers. Let’s revisit the Bank of America phishing email from this week’s Phish Nets column.

We wondered why there was so much empty white space below the “Thank you.” Being naturally suspicious, we usually drag our mouse through large open space like that to see what we might reveal. Have a look at what turned up in that white empty space…

Without looking at anything more in the email, that white text against a white background should be enough to catapult everyone toward the delete key. Here’s another example concerning an email about an Amazon.com order (#438359). This email contained a peculiar black box at the bottom of it. When we dragged our mouse through the black box, look at the political black text that showed up inside it! By the way, you will not risk a computer infection if you drag your cursor through an email’s clear space to see if any text appears. But it is very important to avoid clicking links or attached files.

In case you were wondering whether this Amazon.com order might be legitimate, have a look at the Zulu Risk Analyzer score below for the link revealed by “Manage your order now.”

[Screenshot: the Amazon order email with the hidden text revealed]

[Screenshot: Zulu Risk Analyzer score for the Amazon order link]

And one more example of hidden text meant to sneak malicious intent past the watchful eyes of an antispam server… “How to Book a Family Vacation on a Budget.” The world is now just a click away! And so is an infected computer. Look below the email’s colorful graphic to the section of blue space. Alas, hidden text. Any time you see large empty space in an email or online advertisement, try dragging your cursor through it and see what you can reveal. If you see hidden text, it speaks volumes about the legitimacy of the email.
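A mail filter can do mechanically what the cursor-drag trick does by hand. The example below is added here and is not from the newsletter: it parses a constructed HTML message (modelled on the emails described above, not a real one) and reports every text run whose colour matches its background, and it goes a step further than the white-on-white case by also catching text hidden with CSS display, visibility or a zero font size. The names `find_hidden_text`, `HiddenTextFinder`, `to_hex` and `SAMPLE_EMAIL` are chosen for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not a real message) modelled on the emails described above.
SAMPLE_EMAIL = """<html><body bgcolor="#FFFFFF"><p>Thank you,</p><br>
<p style="color:#FFFFFF;font-size:10px">parliament harvest velocity lantern quorum</p>
<table><tr><td bgcolor="#000000"><font color="black">treaty ballot senate</font></td></tr></table>
<div style="display:none">unsubscribe token 8f2a</div></body></html>"""
NAMED = {"white": "ffffff", "black": "000000"}
VOID = {"br", "img", "hr", "meta", "link", "input"}  # elements that never get an end tag

def to_hex(value):
    # Normalise a CSS/HTML colour to six lowercase hex digits; None if unrecognised.
    v = NAMED.get(value.strip().lower(), value.strip().lower()).lstrip("#")
    v = "".join(c * 2 for c in v) if len(v) == 3 else v  # expand #fff to ffffff
    return v if re.fullmatch(r"[0-9a-f]{6}", v) else None

class HiddenTextFinder(HTMLParser):
    # Tracks inherited text colour, background colour and visibility per open element.
    def __init__(self):
        super().__init__()
        self.stack = [("000000", "ffffff", False)]  # (fg, bg, hidden) for the root
        self.hidden = []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        fg, bg, hidden = self.stack[-1]
        a = dict(attrs)
        bg = to_hex(a.get("bgcolor") or "") or bg  # legacy bgcolor attribute
        fg = to_hex(a.get("color") or "") or fg if tag == "font" else fg  # legacy <font>
        for decl in (a.get("style") or "").split(";"):  # inline CSS declarations
            prop, _, val = decl.partition(":")
            prop, val = prop.strip().lower(), val.strip().lower()
            if prop == "color":
                fg = to_hex(val) or fg
            elif prop in ("background", "background-color"):
                bg = to_hex(val) or bg
            elif (prop, val) in (("display", "none"), ("visibility", "hidden")) or (
                    prop == "font-size" and val.rstrip("ptx") == "0"):
                hidden = True
        self.stack.append((fg, bg, hidden or fg == bg))  # same colours = invisible text
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        if data.strip() and self.stack[-1][2]:
            self.hidden.append(data.strip())

def find_hidden_text(html):
    # Return the text runs a reader of the rendered email would never see.
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.hidden
```

Running `find_hidden_text(SAMPLE_EMAIL)` returns the white-on-white filler, the black-on-black text in the box and the display:none line, while the visible “Thank you,” is left alone.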


FOR YOUR SAFETY: Emailing Photo, New Secure Message, Something Important to Share

You’ve been emailed a photo! What was really strange about this email was the fact that the from address and the to address were both the same. Did you send yourself a photo? Just don’t click that attached zip file to find out.

“Dear , You hae received new secure message please check it” The link revealed by “Check it now” points to a link-shortening service at bit.ly. We used unshorten.it to learn where the bit.ly link will send you. It sends the visitor to a file buried on a website called comgitewoy.com. Google can’t find anything about comgitewoy.com, but we were able to determine that it is being hosted in Germany.

Just delete!

[Screenshot: the “new secure message” email with its bit.ly link]

“Hello How are you doing today? Pleae I have something very important I will like to share with you in a matured manner.”

…Hmmmm. We’re certainly intrigued by the “matured manner,” but not enough to respond to this effort to get a response. But here’s a quiz for our readers… What country did this email come from? We won’t give it away… Visit this Wikipedia page and look for the 2-letter country code pk.

[Screenshot: the “something very important to share” email]

ON THE LIGHTER SIDE: Mugged in the world!

OMG Readers! We received an email from someone we know saying he was mugged! How horrible! Of course we rushed in to help, sending Robert hundreds of dollars so he can come home to us. It is surprising how many people seem to be getting mugged all over the world and then asking for money to pay their hotel bills. When we entered “I’m writing this with tears in my eyes” into a Google search field, we saw thousands of links to people asking for help, just like Robert!


Until next week, surf safely.


Good Morning,

I’m writing this with tears in my eyes, my family and i came down here to Marseille on a short trip,unfortunately we were mugged at the park of the hotel where we stayed all cash,credit card and mobile phone were stolen off us but luckily we still have our passports with us.

I made contact with my bank but it would take me 5 working days to access funds in my account,the bad news is our flight will be leaving in less than 8-hrs from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the bills.

I’ll need your help financially and i promise to make the refund once we get back home,Please let me know if i can count on you and i need you to keep checking your email because it’s the only way i can reach you.

I will be here reading and replying your mail asap.

Robert Laporte