
November 16, 2016

THE WEEK IN REVIEW

According to the Health Care Market Place, health insurance open enrollment for 2017 began on November 1.  That would explain why we’ve seen a spike in scam emails disguised as Medicare enrollment plans and options.  Take a look at this list of emails and notice the scammy top-level domains used in the From addresses… (.top, .bid and .stream)

For crying out loud….Halloween is barely over and we’re already seeing scams about Christmas!  **eye rolls**  This malicious email with the subject “Receive a Personal Letter from Santa for Your Child” is a staple of the Xmas season.  “Make Christmas magical this season and get 30% off with free shipping!”  Don’t fall for this malarkey.  The links point back to the scam domain fendirt.top.

We have a confession to make.  Dating scam emails have continued for weeks since we last reported on them but we were soooo sick of talking about the same thing over and over.  Overcome with guilt, we decided to offer up just one more.  It looks like an eHarmony invitation.  “Join for free.”  “You could find singles like you.”  Delete and pray we can move on.


Sample Scam Subject Lines:

3-Step Diabetes Destroyer

720? 620? 520? View Your Free-Credit-Scores Today with Free-Trial.

Document from Curry

Eliminate All Types of Clutter in Your Life, Fast and Forever

Herpes Cure Found in Nature

It’s exactly the thing that I wanted!

Local representation

Nancy’s Desperate Fight to Cure Alzheimer’s disease over?

Never lose your keys again!

OMG! 143 Million Americans Didn’t Expect This…

Photography training here

URGENT – Invoice no: KT321U is Overdue!

Your “rapid remedies” gift!

Sample Scam Email Addresses

Amazon.Prime.Service@teu9dos.enjoycardgift.top

association-for-gun-rights-[YOUR EMAIL]@llighthawk.com

Auto_Warranty_Direct@sduea1.glopeck.top

burial.insurance-[YOUR EMAIL]@frenchpolar.men

cheap.energy.generator-[YOUR EMAIL]@nufflock.com

costco.promo.rewards-[YOUR EMAIL]@costcoelections.com

drug-and-alcohol-treatment-[YOUR EMAIL]@huntercat.bid

Federal_Energy_Rebate@uei9mei.solarenergyinfoabout.top

homewarranty@homrepair.download

lendingtree_partners-[YOUR EMAIL]@qyrabeauty.com

mens.health.st-[YOUR EMAIL]@laladeluxe.com

Netflix.Bonus@efve4uu.phobanx.top

reverse.mortgage.info-[YOUR EMAIL]@com-population.com


Phish NETS: USAA Bank and Netflix again!

Both Netflix and USAA bank account holders continue to be targeted by phishers looking to capture your login credentials.  Check out this poorly designed email from us1.us @farmers.com with the subject line “Suspicious Account Notice.”  The English grammar in the email is poor.  The link for www.usaa.com/protection points to the domain yalovaotel.com, a hacked website being hosted in Bursa, Turkey.

Delete.


We’ve reported on this Netflix phish a few weeks ago.  The email comes from netflix.eu4.com NOT netflix.com!  “Your Netflix Membership has been suspended [#684363]”  “During a routine check of your account we have failed to validate your billing method we have on record for your account.”  This is a scam to steal your credit card information.  The link in the email points to the domain webnew01.com, not Netflix.

DEEELEEETE!

Your Money: Ford Clearance Event, Wall Street Journal Sale, and Coffee Coupons

Car manufacturers offer deals all the time, and the fall is one of those times for big incentives as dealers want to clear out their lots to make room for new-year models.  But this email from iMotors2016Fordmodels @uyher8da.beholdi.top is not legitimate!  The scammers want you to think that it came from iMotors.com, but the links point back to the domain beholdi.top. A WHOIS lookup shows that this domain was registered on the day the email was sent, by someone from Assisi, Italy.

We like deals and we like the Wall Street Journal.  So we were interested when we found this deal from WSJ soon after election day for their “Election Sale – $12 for 12 Weeks.”  Except that it didn’t come from the Wall Street Journal or any legitimate marketing firm.  The design and domain both suggest that it came from the same criminal gang who registered the Ford Clearance Sale.  The domain, yveliad.top, was registered on November 10 to someone in Zurich, Switzerland.

Just delete!

We’ve said many times that the generic top-level domain dot-top is overwhelmingly used by Internet criminals.  Everyone should immediately lunge for the delete key the moment you see any website or email address connected to anything.top.  We can almost say the same thing for any advertisement that contains the address 2885 Sanford Ave, Grandville, MI 49418.  We’ve been writing about the misuse of this mail-forwarding address for a year now and see it used in malicious emails every single week!  There are a dozen reasons to reject this email for “coffee coupons” as fraudulent or malicious, but we’ll focus on just one.  2885 Sanford Ave, Grandville, MI 49418.

Now delete!
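Two of the tells this issue keeps pointing at, a sender on one of the scam-heavy TLDs and a link whose visible text names one site while its href goes to another (the USAA phish above), as an added Python example that is not the newsletter’s own code; SUSPECT_TLDS is drawn from this page and SAMPLE_HTML is constructed, with a made-up path.

```python
"""Two of the newsletter's recurring tells (added example, not its own code): a
sender on a scam-heavy TLD, and a link whose text names one site, href another."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# TLDs the newsletter singles out (from the page; not exhaustive).
SUSPECT_TLDS = {"top", "bid", "stream", "men", "download"}
# Constructed HTML modelled on the USAA phish above; the path is made up.
SAMPLE_HTML = ('<a href="http://yalovaotel.com/EXAMPLE-PATH/">'
               'www.usaa.com/protection</a> '
               '<a href="https://www.usaa.com/help">www.usaa.com</a>')

def sender_domain(addr):
    """Lower-cased domain of a From address; tolerates defanged spaces."""
    return addr.replace(" ", "").rsplit("@", 1)[-1].lower()

def suspect_sender(addr):
    """True when the sender's top-level domain is on the suspect list."""
    return sender_domain(addr).rsplit(".", 1)[-1] in SUSPECT_TLDS

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.top cases here."""
    return ".".join(host.lower().split(".")[-2:])

class _Links(HTMLParser):
    # Collects (href, visible text) for every <a> in a message body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """(href host, host named in link text) for each link where the two differ."""
    out, parser = [], _Links()
    parser.feed(html)
    for href, text in parser.links:
        shown = re.search(r"((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        href_host = urlparse(href).hostname or ""
        if shown and registrable(href_host) != registrable(shown.group(1)):
            out.append((href_host, shown.group(1)))
    return out
```

Run against the From addresses listed earlier in this issue, only the .top, .bid, .men and .download senders trip suspect_sender; the .com ones need the other checks (link mismatch, WHOIS age) the newsletter describes.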

TOP STORY: Leaving a Gun on the Coffee Table – FakeMailGenerator.com

Imagine inviting friends and families over for a social gathering.  In addition to putting out the chips and dip, beverages, music in the background and badminton set for the kids, you put a loaded gun on the coffee table.  Does that seem like a good idea?  How about if you turned that get together into a big, open block party with thousands of visitors.  You wheeled out your grill for plans to barbecue, and set up a folding table with a dozen loaded handguns and shotguns for anyone to use.  Good idea?  Apparently, Jacob Allred thinks that it is OK to do the Internet equivalent of leaving a loaded gun on the table.  At least, that’s how we interpret the reason he created and offers the website FakeMailGenerator.com.

This story starts with a string of emails that recently targeted employees of one company.  They appeared to have been sent from an “andrew m” at either fairnewz.com or fairmsg.com.  “Alert – Your Credit Card has been charged.”

[Screenshot: list of the “Your Credit Card has been charged” emails]

You can see that all of the emails contained the identical message, regardless of which domain they came from.  “We have just processed your payment against invoice no.DW10453”  The link for “Download Receipt” was similar in each.

[Screenshot: one of the “Your Credit Card has been charged” emails]

Of course we used our favorite tool, the Zulu URL risk analyzer, to check on these links and were not the least bit surprised to see that both fairnewz.com and fairmsg.com were rated as 100% malicious…


[Screenshots: Zulu URL Risk Analyzer results for fairnewz.com and fairmsg.com]

We also noticed that both websites contained a redirect to the same zip file hosted at fornewz.com.   For yucks and giggles we invited VirusTotal.com to evaluate this zip file.  No surprise.  VirusTotal.com informed us that 10 different AV services had found the file to be very malicious:

[Screenshot: VirusTotal evaluation of the zip file]

Clearly, someone wishes to do people great harm.  We were curious about their selection of related domain names: fairmsg.com, fairnewz.com and fornewz.com.  While Googling each domain, one particular link caught our attention because it appeared to be the exact same malicious email that had targeted the people at the top of this story.  And that link led us directly to a website called FakeMailGenerator.com.

[Screenshot: Google result linking to FakeMailGenerator.com]

FakeMailGenerator.com, according to the website, “is a website that allows you to circumvent email confirmations by giving you a one time email address to use. Next time a site asks for your email address, give them a Fake Mail Generator address and avoid the spam that is sure to follow.”  This sure sounds like a noble cause, but as our readers know, appearances are deceiving on the Internet.  We visited the Google link for andrew-m @fairmsg.com and found that the malicious emails targeting the company had been created using FakeMailGenerator.com.  (The andrew-m email has since expired and is no longer available on FakeMailGenerator.com.)  But we also saw many suspicious emails that had recently been created on this website and began to explore some of them.  One email contained this advertisement for Barbecue Grills and Stands.  A mouse-over of the links in the email pointed to the domain zolyrics. com.

[Screenshot: email with links pointing to zolyrics.com]

Of course we asked Zulu URL Risk Analyzer to check out zolyrics and you can guess what it found…

In fact, we reviewed many emails and learned that criminals were using FakeMailGenerator.com to create LOTS of bullets to target people.  Why would anyone create this service, knowing that it is routinely used by criminals to hurt others?  It is the loaded gun on the Internet-table.  Who would provide a tool like this for criminals to use?  Jacob Allred would.  On FakeMailGenerator.com is a copyright symbol and link to the site’s owner, Corban Works, LLC. And Corban Works is owned by Jacob Allred. We reached out to Mr. Allred to ask why he believes it is important to offer this service (loaded gun) when it appears that the majority (nearly all?) of his users are criminals shooting Internet-bullets at netizens.  So far we’ve had no comment from Mr. Allred.

If you visit Corban Works, LLC. you’ll see that Jacob Allred has created several services that are allegedly used by criminals to hurt people. According to a 2014 article on Forbes.com, Mr. Allred has been questioned by federal investigators about his various websites.  So far as we can tell, Mr. Allred’s defense is that he “is doing nothing illegal.”  Obviously, Mr. Allred feels no moral obligation to his fellow Americans.

When will our government or ICANN wake up to the fact that their lack of any reasonable Internet laws, oversight, or rules to protect citizens of the world causes real harm?  Their inaction allows people like Jacob Allred to put a loaded gun on the table and invite the world to stop over for coffee.

SAFETY FOOTNOTE: If you choose to visit FakeMailGenerator.com, we strongly suggest that you do not click on the advertisements that appear on the site.  During the days we visited, the ads contained graphics of sexualized women with invitations to visit a game site that “is not for kids!”  The links lead to the domain time2play-online.net. This domain was registered on July 1, 2016 by a proxy service in Hong Kong, China.  Google can’t seem to find it.  Seems rather risky to us.

FOR YOUR SAFETY:  Activate Your Card, Health Insurance, Order Delayed, Suspicious Movements, and Claim Your Transfer

The deluge of malicious zip files continues!  Here are three more examples.

[Screenshots: “Activate Your Virtual Card,” “Health Insurance,” and “Suspicious Movements” zip-file emails]

And we saw this exciting email from theclicktrusted .com telling us that we have a direct bank transfer waiting for us.   As you’ll see below, the link is malicious.  Big surprise.

[Screenshots: “Please Claim Your Transfer” email and its Zulu URL Risk Analyzer score]

ON THE LIGHTER SIDE: Email From Donald Trump

On November 9, a Reddit.com user named Jallfairs posted this awesome email he received from Donald Trump!  What a lucky guy.  Wish it had come to us!

Greetings to you dear.

I Donald Trump is writing to inform you that you’re among the 20 lucky winners that will receive the sum of $2,000,000.00 USD, I am very grateful for your support vote, I pledge to be a president for all Americans, and visitors in United State of America please join me let’s come together and achieve all goals for our children. You should kindly reconfirm with me the following information below :

Full Name
Mailing Address
City
Tel
Next of kin

One more thing is this, we have to accomplish a paperwork such as clearance certificate, this mentioned certificate will protect you from both the FBI and IMF. Based on what the attorney said, the clearance certificate will cost you $119 only to accomplish everything together both the obtaining and the signing of the certificate.

You are directed to submit the $119 to Mr Paula Boldery he is in charge of the payment, you can send the money through Money gram transfer, RIA transfer or western union transfer.

Receiver name…..Paula Boldery
Receiver country…U.S.A
Address……1106 east st Madison INDIANA 47250
City…….. Indiana
Question:……Today
Answer:…….. Yes
Amount: $119

I wish to get your urgent response.

Thanks once again for supporting me, I will make you feel much better than the past, also bear it in mind that your $2 million USD will be peacefully mail to you immediately we accomplish the paperwork as I told you prior.

Best regards,
Donald J. Trump Elect president.

Until next week, surf safely.