May 8, 2019

THE WEEK IN REVIEW

We’ve been enjoying the work of Nigerian 419 scammers lately because they continue to pour into our inboxes and they are just so….. Well, scamish!  They are also very funny sometimes, such as this email from “Ling Lung” with the subject line “Confidential.” It was sent to us from a server in Brazil, though she is asking us to contact her via a different email address at Gmail.  No matter. Our cut is going to be $13 million!

But Ling lacks creativity or drama, and doesn’t connect with her reader emotionally. Sometimes it is important to recognize real talent when you see it!  In July, 2016 we adjudicated a writing competition for the best Nigerian 419 scam in our Top Story “The Best Award-Winning Scam Story Evah!”  We may have a new contender for this year’s John Newbery National Hugo Pulitzer Scam Email Award!  It has all the elements we look for in a scam…. Drama, connection to family, emotional connection to the reader’s circumstance that pulls at our heartstrings, and much more! It has “Joy.”  See if you agree. TDS is proud to present Ms. Stella Wilson’s literary work “Urgent Letter From Hospital”….


Phish NETS: Bank of America

We have but one very lame phish in this week’s Phish Nets column, sent to us by a TDS reader.  The email came from a business (tnvllp[.]com) located in the northern Indian province of Uttar Pradesh, though it says “Bank of America.”   It informs us that “unusual activity” has been detected on our account. Thank goodness for security alerts like this! We certainly don’t have any recollection of buying anything at Walmart for $323.67 or a $50 Samsung gift card.  The links in this email point to a hacked Italian website that translates to “Free Replacement Vehicle.” It must be Italy’s way of saying Bank of America.

YOUR MONEY:  Lose Weight, Free $50 Gift Card and Bluetooth Speaker 50% Off

India again. **sigh** This email seems to represent ABC.com’s Shark Tank but it came from another website in India representing the Madhupur community. (Although this is also suspicious, since the domain madhupurmanch[.]com was registered just 32 days before this email was sent.)  It’s a malicious clickbait landmine pointing to malware on the website binbaker[.]com, which was registered just 11 days before this email was sent.

Speaking of malicious clickbait, can you figure out what country this next email came from, and where its links point?  Our longtime readers will know to look for a 2-letter country code that appears somewhere after the “@” symbol and separated from the domain name by a period.  Or look at the link revealed by mousing-over and find the 2-letter country code just in front of the first forward-slash. This email includes several social engineering tricks meant to rush you into a click without evaluating this crap more critically…

“24 hours left to claim”

“You are 1 of 5 customers selected to participate”

“4 participants have already claimed their $50”

“Hurry! Your code AZ2019 expires…”
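
The country-code check described above, written as a short script. This is an added example, not part of the original newsletter; the helper names, the small country table and the sample sender and links are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Small subset of 2-letter country-code endings (assumption: enough for a demo).
CCTLD_NAMES = {"de": "Germany", "fr": "France", "es": "Spain",
               "in": "India", "it": "Italy", "br": "Brazil"}

def refang(text):
    """Undo defanging such as example[.]com or hxxp:// so the parsers accept it."""
    text = text.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)

def cctld(host):
    """Return the 2-letter country code that ends a hostname, or None."""
    if not host:
        return None
    label = host.rstrip(".").lower().rsplit(".", 1)[-1]
    # Exactly two letters = country code; .com, .pro and IP addresses give None.
    return label if re.fullmatch(r"[a-z]{2}", label) else None

def sender_country(from_header):
    """Country code of the domain after the '@' in a From: header."""
    _, addr = parseaddr(refang(from_header))
    return cctld(addr.rpartition("@")[2])

def link_country(url):
    """Country code of the host just in front of the first forward-slash."""
    # urlsplit().hostname drops a 'user@' prefix and a ':port' suffix, so a link
    # such as http://bankofamerica.com@host.es/ is attributed to host.es.
    return cctld(urlsplit(refang(url)).hostname)

def describe(from_header, url):
    """Report both codes and whether sender and link disagree."""
    s, l = sender_country(from_header), link_country(url)
    return {"sender": s, "sender_name": CCTLD_NAMES.get(s),
            "link": l, "link_name": CCTLD_NAMES.get(l),
            "mismatch": s is not None and l is not None and s != l}

if __name__ == "__main__":
    # Constructed sample: sender under .fr, mouse-over link under .es
    print(describe('"Updates Servises" <notice@mail.example[.]fr>',
                   "hxxp://login.example[.]es/track?id=1"))
```

A country-code ending names the registry the domain was registered under, which is a clue to origin rather than proof of where the server sits; generic endings such as .com or .pro carry no country information and return `None` here.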

The Boom7 Pro bluetooth speaker is a real product and the company’s website is easy to find at boom7.pro.  This next email wants you to believe it represents this company but it is another wolf in sheep’s clothing.  Notice that the email came from the domain aceousna[.]pro.  This domain was registered just hours before this email was sent and that is NEVER a good sign!  This malicious email was created by the “2 word” gang. If you look at the link you’ll see that the top directory on their web server is called “dissipating-explain.”  According to Sucuri.net, both McAfee and Spamhaus have blacklisted the site.

TOP STORY: When All Roads Lead To…jbbrwaki?

Back in Roman times it was said that “all roads lead to Rome.”  Apparently, a cybercriminal gang has created a digital variation of this expression. Last week we found lots of digital roads leading to an odd-ball website called jbbrwaki[.]com.  Take this offer for one free year of Amazon Prime. It came through an email from souq[.]com.  “Souq” means “market” or marketplace in Arabic.  The domain was registered waaaay back in 1996 and appears to be owned by Amazon in the United Arab Emirates.  But that’s not where the links point. They point to a link-shortening service in Germany (2-letter country code = “.de” = Deutschland).  When we unshortened that link using Urlex.org we discovered that it points to jbbrwaki[.]com.  Google can’t locate this website, though it finds several references to it around the Internet.

Then there was this email that appeared to come from fiftyflowers[.]com with the subject line “Get a year of Amazon Prime.”  Again… “Get 1 year FREE!” but the link points to a link shortening service at page.link.  Again, Urlex informed us that the shortened link points to jbbrwaki[.]com.

In case you think this is a vendetta levelled against Amazon, we also discovered that “Your Shocking 2019 Horoscope is ready.”  Just click on your sign to get your free horoscope. But hold on! Look more carefully at this malicious clickbait and you’ll see that these lazy cybercriminals neglected to change the 2018 date in the middle of the email graphic.  This road also leads to Rome. The shortened link in this email redirects to jbbrwaki[.]com.

Clearly, jbbrwaki[.]com is special and meant to be the center of last week’s cybercriminal universe.  We asked VirusTotal.com to tell us what the security services knew about this website and the response was immediate and clear. Stay away from this wacky site!

FOR YOUR SAFETY: Google Photos and “Updates Servises”

One of our readers sent us this email that appears as “Google Photos Share” with subject line “Your photo takes first place.”  The email came from a server in Germany and is just another landmine waiting to be stepped on.

And finally we have this…. Whatever it is, but it can’t be good.  A Google search for “Jeremiah Buttrey Service” turns up nothing so we have no idea what this claims to represent.  We only know that the poor grammar was the first clue that our TDS reader picked out as odd. That and the fact that the email came from France (2-letter country code = “.fr”) and has a link pointing to a server in Spain. (2-letter country code = “.es” = España = Spain).

Deeeeleeete, por favor.


Until next week, surf safely!