May 22, 2019

THE WEEK IN REVIEW

In our last newsletter we began by saying that we had been seeing lots of malicious or suspicious emails connected to the domains “Infoostrich[.]com” and “yourdigital-connections[.]com.” These continued into last week as well, such as this “Sam’s Club Survey” that will supposedly earn you a $50 gift card for your feedback. Both domains are involved in this malicious clickbait! For YEARS, the criminal gang responsible for these landmines has used the same $50 gift card trick with a dozen different businesses: Kohl’s, Walgreens, Amazon, CVS, Costco, Macy’s, Southwest Air, Groupon, Starbucks and others. Sadly, that persistence must mean the trick is very successful at getting people to click.

Though we are frequently in the “trenches” sleuthing scam details, we sometimes step back for a 30,000-foot view of trends and changes in the way cybercriminal gangs operate. Our last such broad view was on September 26, 2018, when we described how criminals were misusing Microsoft’s Outlook servers to target people with links that began with “safelinks.protection.outlook.com” but then redirected immediately to malicious websites. We have been noticing another growing trend in the tactics used by cybercriminals. While they continue to link directly to suspicious or malicious websites, they are increasingly routing those links through legitimate email-marketing (re-mailer) services, so that the link in the email appears to belong to a mailing list rather than to the criminals. For example, though the linked graphics in the malicious email below were broken, you’ll understand our point.

This email for “PrescriptionFreee pain KiIIer” drugs appears to be sent from Sears.com (which is very weird in and of itself). Check out the many misspellings and swapped letters (a capital “I” standing in for the lowercase “l” in “KiIIer,” an extra “e” in “Freee”) meant to slip past anti-spam filters that look for exact keywords. The links point to the secure (https) domain maillist-manage[.]com, a legitimate email marketing service of Zoho.com. Zoho confirmed that the link was malicious several days after their service was misused, and now shows the message below to anyone who clicks.

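Here is how a filter can undo that kind of letter-swapping and padding before it compares a subject line against its keyword list. This is an added example, not code from The Daily Scam or from Zoho; the confusable-character map and the blocked phrases are assumptions chosen to match the subject line quoted above.

```python
import re

# Characters that criminals swap in to break exact-match keyword filters.
# The map is an assumption drawn from the subject line quoted above (a capital
# "I" standing in for lowercase "l" in "KiIIer") plus a few common substitutions.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",
    "0": "o", "3": "e", "$": "s", "@": "a",
})

# Phrases the filter is looking for (assumption: a list you maintain yourself).
BLOCKED_PHRASES = ["prescription free", "pain killer", "free credit score"]


def normalize(text: str) -> str:
    """Undo letter-swapping, repeated-letter padding and spacing tricks so the
    text can be compared against plain keywords."""
    words = []
    for word in text.split():
        # Only de-confuse words that also contain lowercase letters, so a lone
        # pronoun "I" or a number such as "2019" is left alone.
        if re.search(r"[a-z]", word):
            word = word.translate(CONFUSABLES)
        words.append(word)
    text = " ".join(words).lower()
    # Collapse three or more repeats of a character to two: "freee" -> "free",
    # while a legitimate double letter ("killer") survives.
    text = re.sub(r"(.)\1{2,}", r"\1\1", text)
    # Drop spaces and punctuation so "Prescription Free", "PrescriptionFree"
    # and "Prescription-Free" all compare equal.
    return re.sub(r"[^a-z0-9]", "", text)


def blocked_phrase_hits(text: str) -> list:
    """Return the blocked phrases found in the text after normalization."""
    squashed = normalize(text)
    return [p for p in BLOCKED_PHRASES if p.replace(" ", "") in squashed]


if __name__ == "__main__":
    subject = "PrescriptionFreee pain KiIIer"   # the subject line from the page
    print(normalize(subject))            # prescriptionfreepainkiller
    print(blocked_phrase_hits(subject))  # ['prescription free', 'pain killer']
```

The point of the three normalization steps is that each one cancels a different evasion: the character map defeats homoglyphs, the repeat-collapse defeats padding, and stripping spaces defeats word-splitting and camel-case joining. Matching the normalized form against the normalized keyword list, rather than the raw text, is what makes the filter robust to all three at once.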
This is not the first time Zoho’s marketing tools have been used by criminals to target people. Zoho email marketing campaigns also use the domain “campaign-view.com.” We found another suspicious email abusing the Zoho service by redirecting to a website called “ganatuvisa[.]com.” This is a real website used to help people obtain U.S. Green Cards. However, it has clearly been hacked and is being misused, as the Google search below suggests. And Sucuri.net found malware waiting for us on the Ganatuvisa website! Sadly, we cannot rely on legitimate marketing services to keep us safe! Think with a critical eye about the contents and source of emails, texts, and online ads!

Phish NETS: Apple iTunes Purchase Confirmation, PayPal

What a difference a couple of weeks can make! The number of phishing emails we’ve seen, or that TDS readers have sent us, has dropped off significantly. Below are the only two we’ve seen in more than a week, and both were easily spotted. The first appears to come from “iTuness Payment,” but the domain that sent it is sampaihe78345s[.]com.

It’s pretty lame!

The email contained a “receipt” as an attached PDF file, shown here as a screenshot. Of course, you’re expected to click “cancel this purchase.” Notice that the receipt contains no information whatsoever about the recipient: no name, no credit card, no Apple ID. The link is made to look like it points to apple.com, but the hostname merely begins with the sub-domain labels “app1e.com.payment.sec.” (note the digit “1” in place of the letter “l”). Those labels are just a prefix that the criminals control; the domain that was actually registered, and that the link really goes to, is gasd784sdf[.]com.

Just deeeleeete!  

We can’t even report where the embedded link points in this next lame phish, because it was stripped away by security software before a TDS reader sent it to us. However, it contained code for some odd type of animation at the top of the email.

The phish was filled with capitalization and punctuation errors, and the English is so horribly awkward it’s almost hard to understand! Add to that the fact that the email didn’t come from PayPal.com.

This is an easy delete!

YOUR MONEY:  Your June Horoscope and Free Credit Score

“It’s written, something very important is going to happen to you in 2019!” We can predict what that could be! You’re going to install malware on your computer and get taken for an unfortunate financial ride that’s going to hurt. According to this email that appears to come from bloomingdales.com, “your June horoscope is ready and it’s an odd one.” From Bloomingdale’s? The links in this clickbait point to the free website-building service Wix.com. **sigh** However, in case you’re disappointed that you won’t find out the real news in store for you, don’t worry. This junk will then redirect you to a real horoscope site called “chris-answers[.]com.” Although “real horoscope” may be an oxymoron, according to our last fortune cookie.

Delete.

We bet that most adults have seen offers for a “free credit score” somewhere in their digital travels over the last year. This one looks like it came from FreeCreditScore360.com, but closer inspection reveals two serious problems. The first is that it came from some oddball Hotmail account. The second is the link in the email. It was so long that it didn’t fully appear when we moused over it, so we copied it into a text file. It turns out to point to a file server in Italy!

Can you say “buongiorno malware!”

TOP STORY: Stay Away From The “PRO”

Forget this “ground breaking teeth whitening trial” for a moment and let’s focus on just three letters: “pro.” We have noticed lately an increase in the number of malicious domains that use the generic top-level domain (gTLD) “.pro.” You may not be familiar with the acronym “gTLD,” but you know many gTLDs! “.com,” “.org,” “.mil,” “.edu,” “.net” and “.gov” are the original top-level domains, created when the Internet was first established. Today there are hundreds of gTLDs, and many of the newer ones are heavily used by cybercriminals because domains in these oddball gTLDs are dirt cheap and plentiful. Below is an example of a suspicious email using a DOT-pro. This “smile trial” email came from the domain olivisj[.]pro, and its links point back to the same DOT-pro domain. (Note that the top directory in this link is hysterically called “solely-churchwomen.” We wrote about the criminal gang that likely uses automated software to create these random two-word directory names in our April 3, 2019 newsletter.)

A WHOIS lookup informs us that olivisj[.]pro was registered on May 14, one day before we received this email in one of our honeypot accounts. The domain, and the link in the email, have been blacklisted by McAfee’s security service and identified as malicious by the Zulu URL Risk Analyzer.

Here are just a few more DOT-pro domains, with their registration dates, that cybercriminals recently bought and used to create Internet landmines for netizens to step on…

Emporyu[.]pro (May 16)

Annickty[.]pro (May 15)

Cakesiamd[.]pro (May 12)

A reminder to readers: getting an invitation to visit a brand-new domain is NEVER a good sign! Criminals know they usually have a very small window of time before their malicious domain gets blacklisted and (hopefully) taken down. So the next time you see any-website.PRO, don’t click that link without doing the following…

  1. Ask Google whether that website is legitimate. Enter it as a question, for example “is olivisj.pro legitimate?” (DO NOT just type the bare domain name into the browser’s address bar and hit return, because browsers like Chrome treat it as a web address and send you straight to the site. That’s risky!)
  2. Enter the domain name into a WHOIS lookup and see when it was registered. You want to see a domain that is at least several months old.
  3. Check with at least two security services to see whether the domain is already blacklisted, for example VirusTotal and Sucuri.
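As an added example (not a tool from The Daily Scam), here is the link triage above automated for a list of URLs, with one extra check that exposes the iTunes phish’s “app1e.com.payment.sec.” prefix and the misspelled DOT-stream domain discussed later on this page. The TLD watchlist, the lookalike word list, the small two-label public-suffix table and the WHOIS creation dates are all assumptions embedded inline so the script runs offline; the dates for the .pro and .stream domains are the ones this newsletter reports (year assumed, day assumed for the .stream domain), and example.co.uk is a made-up control domain. A real run would replace the date dictionary with a live WHOIS lookup and the suffix table with the full Public Suffix List.

```python
from datetime import date
from urllib.parse import urlparse

# gTLDs this newsletter flags as heavily abused (assumption: a watchlist you
# maintain yourself; these two come from the page).
WATCHED_TLDS = {"pro", "stream"}

# Two-label public suffixes, so "www.example.co.uk" resolves to example.co.uk.
# Deliberately tiny; a real tool uses the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Labels that look like a TLD but sit in the middle of a hostname, as in
# "app1e.com.payment.sec.<real-domain>".
FAKE_TLD_LABELS = {"com", "net", "org", "gov", "edu"}

# Brand and dictionary words that criminals misspell or imitate (assumption).
LOOKALIKE_WORDS = {"transfer", "apple", "paypal", "amazon", "sears"}
CONFUSABLES = str.maketrans("10", "lo")   # digit 1 -> l, digit 0 -> o

# Constructed WHOIS creation dates so the script runs offline (see lead-in).
WHOIS_CREATED = {
    "olivisj.pro": date(2019, 5, 14),
    "emporyu.pro": date(2019, 5, 16),
    "annickty.pro": date(2019, 5, 15),
    "cakesiamd.pro": date(2019, 5, 12),
    "tranfer.stream": date(2018, 5, 1),
    "example.co.uk": date(2015, 1, 1),
}
MIN_AGE_DAYS = 180   # "at least several months old"


def hostname(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The domain that was actually registered, ignoring any lookalike labels
    stacked in front of it."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_labels(host: str, domain: str) -> list:
    """Labels (excluding the TLD) that imitate a word in LOOKALIKE_WORDS."""
    sld = domain.split(".")[0]
    hits = []
    for label in host.split(".")[:-1]:
        plain = label.translate(CONFUSABLES)
        for word in LOOKALIKE_WORDS:
            d = edit_distance(plain, word)
            # A genuine brand domain (apple.com) is not a lookalike of itself;
            # "app1e" anywhere, or "apple" as a mere subdomain, is.
            if d <= 1 and not (d == 0 and label == word and label == sld):
                hits.append((label, word))
    return hits


def triage(url: str, today: date = date(2019, 5, 22)) -> dict:
    """Apply the checks from the list above and return the reasons not to click.
    'today' defaults to this newsletter's date so the ages are reproducible."""
    host = hostname(url)
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    subdomain_labels = host[: -len(domain)].rstrip(".").split(".") if host != domain else []
    created = WHOIS_CREATED.get(domain)
    age_days = (today - created).days if created else None

    reasons = []
    if tld in WATCHED_TLDS:
        reasons.append(f"watched TLD .{tld}")
    if age_days is None:
        reasons.append("no WHOIS creation date on file")
    elif age_days < MIN_AGE_DAYS:
        reasons.append(f"domain registered only {age_days} day(s) ago")
    if FAKE_TLD_LABELS & set(subdomain_labels):
        reasons.append(f"fake TLD label inside hostname; real domain is {domain}")
    for label, word in lookalike_labels(host, domain):
        reasons.append(f"label '{label}' imitates '{word}'")
    return {"host": host, "domain": domain, "age_days": age_days, "reasons": reasons,
            "verdict": "do not click" if reasons else "no red flags from these checks"}


if __name__ == "__main__":
    for u in ["https://olivisj.pro/solely-churchwomen/x",
              "https://app1e.com.payment.sec.gasd784sdf.com/cancel",
              "tranfer.stream",
              "https://www.example.co.uk/page"]:
        print(triage(u))
```

Two design points matter here. First, every check runs against the registrable domain, never against the full hostname, because everything to the left of that domain is chosen by whoever registered it. Second, the blacklist check from step 3 is deliberately absent: a domain registered yesterday is usually not on any blacklist yet, which is exactly why the age check in step 2 has to come first.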

What may be the next misused gTLD? We just saw a malicious-looking DOT-stream domain called “tranfer[.]stream.” Though it was registered in May 2018, the misspelling of the word “transfer” is an indication of fraud.

FOR YOUR SAFETY: Confirmation of Purchase and Trivia Genius Not So Trivial!

Someone named “Carl Wolfe” would like you to confirm a purchase, but no information is provided. Fortunately, he sent you a “View message” button for your 8 notifications. We hope you notice that the link revealed by mousing over “View message” and “8 notifications” points to a website in Russia (“.ru” is the two-letter country code for Russia). Like a bad horror movie, we can easily predict that this won’t end well for anyone who clicks.

IMPORTANT FOOTNOTE

We are always very careful before we publish an email, text, ad, website or other content as malicious, fraudulent, or suspicious. A few weeks ago, a very reliable TDS reader sent us an email identified as being from Trivia Genius but sent through the domain triviageniusmail[.]com. She said that she had never signed up to receive these emails and wondered whether it was legitimate or risky. Below is a screenshot of most of this very lengthy email from TriviaGeniusMail[.]com. The website that Google associates with this business is TriviaGenius[.]com. It isn’t unusual for marketing email to come from a different but related domain than the main domain.

Marketing services are notorious for harvesting people’s email addresses from the web and spamming them. We couldn’t find anything suspicious or risky about this email, but advised her not to click any of the links, not even the “unsubscribe” link, until we knew more. Triviageniusmail[.]com was registered in the Cayman Islands in September 2018 and is hosted on a server in the Netherlands. Triviagenius[.]com was also registered in the Cayman Islands, but back in September 2009, and it is hosted in the United States. Though this struck us as odd, we had no confirmation of malicious intent, or anything else suspicious.

Then, last week, our TDS reader sent us another email she had received from Trivia Genius mail. This time, when we used VirusTotal to check the link in the email, it reported that ADMINUSLabs flags the link as malicious. But is this email from the real Trivia Genius? We don’t know. We have reached out to both Trivia Genius and ADMINUSLabs with questions but have not yet received any responses. Our advice, at this point, is to stay away from Trivia Genius.

We’ll keep you posted.

Until next week, surf safely!