
November 2, 2016

THE WEEK IN REVIEW

What a week it was! As expected, we continued to see malicious emails disguised as political crap.  All were focused on Trump (big surprise) such as this headline… “BREAKING: Trump Shows Proof It’s RIGGED!”  We have written several times about scams pretending to be professional women’s organizations inviting women to join.  This past week we saw a large jump in these scams such as those with the subject line “A very special invitation for ladies only” and disguised to look like they represent various organizations including the National Association of Professional Women.

And, as predicted, we continued to see lots of malicious emails disguised as Halloween sales and promotions, such as one with the subject line “Save 10% on Halloween Costumes.”  And, as if this deluge wasn’t enough, we saw the number of small malicious emails containing malware triple in number!

Finally, we’ve heard from several readers who’ve informed us of some new scams or variations of old ones.  For example, the underage girl sext scammers are now targeting Craigslist users in this scam.  And read our newest feature article titled Airbnb Scam Hits User for $2500. Time to take a breath…


Sample Scam Subject Lines:

CNN Reports on Medical Marijuana by Sanjay Gupta

Discounted ink and toner for your office

Document from Denton

E-TICKET 789316 (or other sets of numbers)

Fax_3157 (or other sets of numbers)

Home Warranty Insurance Plans. $30 Off

IMG_4379 (or other sets of numbers)

Ladies – Join the NPW!

Payment History

Please review

The Christian Marriage Council

The network for working women –join today

Washington – Obama may be forced out of office

Sample Scam Email Addresses

barkbox@barkkboox.date

Compare-Dog-Food@u7iokme.righilh.top

diabetesinfo@beatbiao.club

homecleaning@homclening.top

learn3danimation@3danimationsoft.top

LifeInsuranceQuotes@4cixoret.ihjwarm.top

nortonsecurityspecialsanti-virus@nortonba.top

Pain-Relief@jakiqo9.movieic.top

Public.Health.Campaign@maoi9ax.mrgcast.top

yourbestmedicalbillingcodingoptions@medicalop.top

usa.med-[YOUREMAIL]@clubrenewable.com

US.Solar.Program@haui5era.sweatyf.top

US.Tax.Credits@az4axeo.observedsolarquotes.top

 

Phish NETS: Microsoft Outlook and Email Help Desk

Some of the professional criminals who target us are good.  Really good.  Sometimes we have to pull back multiple layers to reveal the details of their criminal behavior.  Such was the case in this phishing scam that targeted a business manager of a school in New Hampshire.  Fortunately he recognized the scam and sent it to us to dig into.  It begins with an email and the subject line “Pay Cycle Remittance with thanks.”  The from address is spoofed to look like it comes from Intuit’s service called paycycle.com.  It didn’t.  Dear Customer, Attached is a secure Remittance Advice that we have processed to your bank account…


The attached file named “Secure Remittance Advice.htm” is a very dangerous web file.  Opening that file produces a fake login page to Microsoft’s Outlook Exchange…

[Screenshot: fake Microsoft Outlook login screen]

We wanted to know where the criminals were sending the login credentials phished from victims, so we cracked open the html file only to find a mountain of URL-encoded information.  URL encoding is simply a method for web designers to “code” unusual characters so that all web browsers can read them and translate them back for visitors to read on a web page.  However, by encoding all of it, the criminals had hoped to make it unreadable to those curious enough to dig into it.  Fortunately, they used an online service to encode their phish and even left us the website name they used… webtoolhub.com.  We visited webtoolhub.com and used the free tool to decode their coded information…

[Screenshot: URL decoding of the phishing file]

Once the gobbledygook was decoded into basic html (a web page language), we could read the file and investigate further.  It was now easy to find where the criminals were sending all the phished personal information to, but we were surprised to find something else we didn’t expect.  You’ll see in the screenshot below that all the collected data is being sent to a hacked website belonging to a cabinet supply company in Colorado called Flip-Supply.com.  (We’ve already notified them.)  However, we also found that the criminals’ code was pulling graphics from a school’s email server in Maryland.  (See the blue arrow in the screenshot.) And the code seemed to suggest that the criminals might be using the school’s email server in some malicious way to enable this scam.  We’re simply not sure.  We’ve notified the school’s technology department as well.  These bastards clearly know what they’re doing.
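The two analysis steps above (percent-decode the attachment, then find where the form posts credentials and where it pulls images from) can be done offline without handing the file to a third-party website. This is an added example, not code from The Daily Scam or from the phishing kit; the encoded page and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample: a URL-encoded fake login page in the style of the
# "Secure Remittance Advice.htm" attachment. Hostnames are placeholders
# (.invalid), not the real sites named in the newsletter.
ENCODED_PAGE = (
    "%3Chtml%3E%3Cbody%3E%3Cform%20method%3D%22post%22%20"
    "action%3D%22http%3A%2F%2Fhacked-example.invalid%2Fowa%2Fpost.php%22%3E"
    "%3Cimg%20src%3D%22https%3A%2F%2Fmail.school-example.invalid%2Fowa%2Flogo.png%22%3E"
    "%3Cinput%20name%3D%22user%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22pwd%22%3E"
    "%3C%2Fform%3E%3C%2Fbody%3E%3C%2Fhtml%3E"
)

class PhishKitParser(HTMLParser):
    """Collects form actions (credential destinations) and remote resources."""
    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.remote_resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag in ("img", "script", "link"):
            url = a.get("src") or a.get("href")
            if url:
                self.remote_resources.append(url)

def decode_layers(text, max_layers=5):
    """Percent-decode repeatedly; kits sometimes stack several layers."""
    for _ in range(max_layers):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def analyze_phish_page(encoded):
    """Return the hosts that receive the stolen data and the hosts serving graphics."""
    parser = PhishKitParser()
    parser.feed(decode_layers(encoded))
    return {
        "credential_destinations": sorted({urlparse(u).hostname for u in parser.form_actions}),
        "resource_hosts": sorted({urlparse(u).hostname for u in parser.remote_resources}),
    }
```

Both host lists are what you would report to the compromised site owners, as the newsletter did with the cabinet company and the school.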

[Screenshot: destination of the phished data]

By contrast, here’s a lame phishing scam, also disguised as an Outlook login, that arrived in an email from New Zealand (2-letter country code .nz in the from address.)  Subject: Help Desk.  “As part of our security measure, we regularly update every email account on our database system.  As a web-mail user, Click Here and provide required information…”  A mouse-over of Click Here reveals that the link points to coffeecup.com.  Hopefully these idiots won’t take lessons from the designers of the first phishing scam above.

Delete.

[Screenshot: “Dear Email User, Click Here” phishing email]

Your Money: ADT Home Protection, iPhone Photos, and USA Health Insurance

Most homeowners have probably heard about the home security service called ADT.  Here’s a great offer for free installation and a $100 gift card for their basic system.  The only problem is that it’s all lies.  The email looks like a marketing promotion for ADT but it came from, and links lead to, an odd domain named abilityarticulation.com.  Google did find a domain by that name but there is no website to be found and the robots.txt file posted at this domain specifically tells Google not to crawl their site.  “Stay away!” it says.   Hmmmm….. Sound legit to you?  We used a WHOIS, our favorite investigative tool, to see what it could tell us about abilityarticulation.com, and it tells us that it was registered on March 2 of this year by someone named “Domain Administrator” using a Grandville, Michigan address that scammers often use.  Oh, and guess what is the website title listed by the registrant of that domain?  “Xperia Smartphones from Sony”

Just delete.

iPhone photos you have to see to believe, says an email from Clive Duffy sent on October 23.  And if you order in the next 2 hours and 36 minutes, you’ll have your ProShotHDX mobile accessory by October 25!

Fortunately these scams are easily exposed if one takes the time to look at the from address, check the link revealed by a mouse-over, or simply drag the cursor through large white space to reveal hidden spammer text. (See “Awesome vegetable pizza…”)  WHOIS to the rescue!  The domain pboccur.top was registered to “Sharda Moses” from Zagreb, Croatia on the day the email was sent.

DEEEELEEEETE!

Do we even need to say this anymore?  Bogus from address using a .top generic top-level domain!  ANYTHING.top is evil and malicious.

Trust us!

TOP STORY: Breaking Into the Art of the Scam

This week’s top story focuses attention on a phishing scam that tries to trick you into handing over your credit card information to the criminals who are happy to use it.  This social engineering trick is disguised as an email from Netflix.  Your Netflix Membership has been suspended [#387644]  You are informed that Validation failed.  “During a routine check of your account we have failed to validate the billing method we have on record for your account.” Time and time again, we see malicious emails such as these and roll our eyes and moan.  If only!  If only we could teach the world to focus on two things about an email and understand them fully.  What do you think we’re referring to?  What are the two most important parts of an email that can expose the overwhelming majority of all email fraud?

 

“To continue using the Netflix service you will need to update/verify your billing information.  Please note that failure to complete the validation process will result in permanent suspension of your netflix membership.”  (Notice the lack of a capital N on that last netflix?)

You can improve your Internet safety skills significantly if you get into the habit of doing two things…

  • Closely evaluate the from address
  • Routinely mouse-over links and look to see where they point before clicking them!

The from address in this phishing scam came from auth@netflix.close2.com.  Think this is a legitimate Netflix domain?  Nope.  Here’s the skinny about understanding email addresses…

  1. Never pay much attention to anything in front of the “at” @ symbol because anyone can create an email address saying anything they want in this location. Just look at many of our newsletter scam email addresses above and you’ll see what we mean.  The information there is meaningless when it comes to authenticity.
  2. After the “at” @ symbol, locate the generic top-level domain (gTLD). For example, in this email address auth@netflix.close2.com, the gTLD is a dot-com.  For years, there were only six gTLDs in use (.com / .org / .net / .mil / .gov / .edu). In the early 2000s, ICANN released a few more.  And then a few years ago ICANN opened the faucet wide for the creation of gTLDs.  As of October 30, 2016 there are more than 1300 gTLDs!  Check on the comprehensive list by visiting ICANN’s website. In our experience, the vast majority of odd-ball, new generic top-level domains are being used by criminals.  These gTLDs include .top, .date, .faith, .bid, .download, and .club.  But we digress… Once you see the gTLD like dot-com, look for the letters (and possibly numbers) IMMEDIATELY in front of it, separated only by a period.  These characters are called the DOMAIN.  Domains, along with their gTLD, MUST be registered and paid for by someone. (A WHOIS tool will inform you who paid for this domain.)  So what is the domain in the Netflix email address?  Is it netflix.com?  Nope.  It is close2.com.  Very different!  A search for close2.com using Google suggests that it is an art and frame company hosted in Vastmanland, Sweden.  A WHOIS lookup confirms it.
  3. There may or may not be text in front of a domain name, and separated by a period from the domain name. If there is text (or numbers), it is called a subdomain.  ANYONE can create ANY subdomain.  These criminals could have used Trump, HeyIdiot, BuyMeACar, or whatever they wanted for a subdomain. It doesn’t matter.  But they used netflix hoping that people would think that it means the email came from Netflix.  It doesn’t.
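The three rules above can be turned into a small checker that splits a sender address into the parts that matter (and the parts that don’t). This is an added example, not code from The Daily Scam; the list of suspicious gTLDs is the one named above, and the tiny set of two-label suffixes (such as .org.il, seen in the Facebook lottery email below) is an assumed stand-in for the full Public Suffix List that a real tool should use.

```python
# gTLDs the newsletter says are overwhelmingly used by criminals.
SUSPICIOUS_TLDS = {"top", "date", "faith", "bid", "download", "club"}
# Assumed subset of the Public Suffix List; a real tool would load the whole list.
MULTI_LABEL_SUFFIXES = {"org.il", "co.uk", "com.au"}

def parse_sender(address):
    """Split an email address into local part, subdomain, registrable domain and TLD."""
    if address.count("@") != 1:
        raise ValueError("expected exactly one @ in address")
    local, host = address.split("@")
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError("host part is not a dotted domain name")
    # The public suffix is the last label, or the last two for known multi-label suffixes.
    two_label = ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) > 2
    suffix_len = 2 if two_label else 1
    registrable = ".".join(labels[-(suffix_len + 1):])
    subdomain = ".".join(labels[:-(suffix_len + 1)])
    return {
        "local_part": local,                 # rule 1: anyone can put anything here
        "subdomain": subdomain,              # rule 3: anyone can create any subdomain
        "registrable_domain": registrable,   # rule 2: the part someone had to register
        "tld": labels[-1],
        "suspicious_tld": labels[-1] in SUSPICIOUS_TLDS,
    }

def sent_from_brand(address, brand_domain):
    """True only when the registered domain really is the brand's domain."""
    return parse_sender(address)["registrable_domain"] == brand_domain.lower()
```

For auth@netflix.close2.com the checker reports “netflix” as a throwaway subdomain and close2.com as the domain someone actually registered, which is exactly the distinction the WHOIS lookup above confirms.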

And of course, the second critically important thing to do is mouse-over a link before clicking it.  For those readers who are unfamiliar with mouse-over skills, we have several articles/videos explaining how to mouse-over on laptops/desktops and smartphones and tablets like the iPad.  Check out the links below.  Mousing-over the green “Continue” button in this phony-baloney Netflix email reveals that it points to netupdateeu.com, not netflix.com.  A BIG FAT delete!

Mouse-Over Skills
Mouse-Over Skills Video
Mouse-Over Skills on iDevices

FOR YOUR SAFETY:  Please Review the Invoice, We Apologize, and Your Order

We saw a three-fold increase in malware-laden emails hitting our honeypot servers in the last week.  They poured in!  Here is a sampling of them.  Most included zip files, but some had infected Word documents or documents disguised to look like pdf files that were actually zip files.
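A “pdf” that is really a zip file gives itself away in its first few bytes, whatever its name says. This added example (not code from The Daily Scam) compares an attachment’s extension with the format its leading bytes announce; the two sample attachments are constructed, not real samples from the honeypot.

```python
# Leading bytes that identify common attachment formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                             # also .docx/.xlsx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",      # legacy .doc/.xls
}
# Which real formats are acceptable for each claimed extension.
EXPECTED = {
    "pdf": {"pdf"}, "zip": {"zip"},
    "doc": {"ole"}, "docx": {"zip"}, "xls": {"ole"}, "xlsx": {"zip"},
}

def sniff_format(data):
    """Identify the format from the file's leading bytes."""
    for signature, fmt in MAGIC.items():
        if data.startswith(signature):
            return fmt
    return "unknown"

def attachment_verdict(filename, data):
    """Return (actual_format, mismatch): mismatch is True when the name lies."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_format(data)
    mismatch = ext in EXPECTED and actual not in EXPECTED[ext]
    return actual, mismatch

# Constructed samples: a zip archive renamed to .pdf, and a genuine PDF header.
SAMPLES = {
    "Invoice_2016.pdf": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20,
    "Please_review.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}
```

A mail gateway that quarantines on a mismatch catches the disguised zip before anyone double-clicks it.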

[Screenshot: “We apologize for sending wrong model” malware email]

[Screenshot: “Your order has proceeded” malware email]

ON THE LIGHTER SIDE: We Are A Facebook Winner!

Our name appeared on the FACE BOOK ONLINE LOTTERY PROGRAM and we won a half-million dollars!  In case you’ve been living in a cave the last 12 years, the email goes on to say “Face book is the first and ever largest means of meeting both old and new friend.”  We’re glad to hear that!  Looks like “St Leo Mike” is our new best friend!

—-

From:  Facebook@betzera.org.il
Time:  2016-10-25 18:43:07
Subject: FACEBOOK ONLINE 2016 ROUND UP WINNER.
FROM: THE DESK OF THE PRESIDENT.

INTERNATIONAL PROMOTIONS/PRIZE AWARD.
BATCH NUMBER: 2551236002/244
SERIAL NUMBER: 55643451907
TICKET NUMBER: 5647600545189
CATEGORY: 3RD

Attn: Winners,

The Entire Face book Team are very happy to inform you that your name appear on the FACE BOOK ONLINE LOTTERY PROGRAM 2016 and we are giving out the total sum of $500,000.00 (FIVE HUNDRED THOUSAND UNITED STATE DOLLARS) which is what you have just won.

Your name was selected in a raffle that was made for the FACE BOOK ONLINE LOTTERY PROGRAM 2016 with the lucky number (23456895410) so we need your fast response so that we can proceed with the claim process of your winnings.

Your name was selected by Mr Mark Zuckerberg the CEO of Face book (Founder & Chief Executive Officer ) The promotion was made to make all face book user to benefit from the profit the company made.

Face book is the first and ever largest means of meeting both old and new friend. The promo was done to serve as a means of appreciation to visitors on our site and also to help people to fight off poverty and to maintain a good standard of living.

Kindly contact St Leo Mike the General secretary of the FACE BOOK TEAM and appointed as your claims officer via this email (facebookonlineprogs2@live.com) immediately with the following information about you below:

Full Name:
Residential Address:
Private Mobile Number:
Age:
Occupation:
Marital Status:
City:
State:
Country:
Zip/Postal Code:
License ID

As soon as he gets your email with all the information stated above he will tell you on what next to do as regards the claiming and receiving of your winnings of USD$500,000.00.

Thank you and More Congratulations.

Agent Name: Greg Holmes for CDAA

Get some Zero paid Gear FBI SCAM PROTECTED

Note: For security reasons and due to the mix-up of some numbers and names, we ask that you keep this notification strictly from public notice until your claim has been processed and your money remitted. This is part of our security protocol to avoid double claiming or unscrupulous acts by non-participants of this program. BE WARNED

 

Until next week, surf safely.