If you find our resources valuable, please support us by making a small donation. Thank you!

x

November 22, 2017

THE WEEK IN REVIEW

Internet criminal gangs continue to target Apple computer owners.  One of our TDS readers sent us this email that was sent from “Mac OS” but the full from address reveals the lie.  And, of course, the link doesn’t point to Apple or Adobe.  The “Download now” button for Adobe Flash for Mac points to a hacked Arabic market website in France hosting malware.

We wanted to offer readers both a truthful and fraudulent example of a Google notification.  Can you tell which is real and which is malicious?  It’s pretty easy if you look at both the from address and the link revealed by a mouse-over.  And, to our many new members, if you don’t know what is meant by a “mouse-over” now is the time to learn this extremely valuable skill for staying safe online and recognizing online fraud and deceit.  Visit our links below…

Use mouse-over skills to evaluate links before clicking on them:
Mouse-Over Skills: http://thedailyscam.com/articles/mouse-over-skill/
Mouse-Over Skills Video: http://thedailyscam.com/mouse-over-skills/
Mouse-Over Skills on iDevices: http://www.thedailyscam.com/mouse-over-skills-on-i-devices/


Sample Scam Subject Lines:

CNN Video: Shocking study shows how bad blood pressure medicine are

Get this exclusive offer before we stock out

IRS Announces New Programs for Taxes Owed

Largest investment in Shark Tank History - Try this miracle cream

Piano practice can be fun too!

Re:Re: My Flight itinerary & Booking Accomodation

SamsClub Your Gift No has Arrived!!

Tips on How to Choose Back Pain Relief

UPS Ship Notification, Tracking Number 1Y69889164488369

Why this grandma took everything off on ABC last night?

wow! I've found some great stuff

You have received a fax message

Your account is entitle to a reward worth over $50

Sample Scam Email Addresses

"Amazon Voucher" <amazon_voucher @ giift4amzn-DOT-com>

"Costco USA" <costco-usa @ costcowholesaleus-DOT-com>

"Costco Wholesale" <costco_wholesale @ costkreward-DOT-com>

"Forward-Head-Posture-Fix" <Ace_Kerr @ trejckr-DOT-bid>

"Heart Attack Savior" <heartattackkiller @ hertattk-DOT-com>

"Home Safety " <pipe @ tublightbin-DOT-com>

"Home Safety " <sparks @ welcomewin-DOT-com>

"Regrow Your Hair" <contact @ losehairs-DOT-bid>

SamsClub_CONFIRMATION REQUEST ! <from @ masterdellin-DOT-today>

"Tesla Energy" <teslaenergy @ energygenrator-DOT-com>

Thank_You <from @ bitcoinshop-DOT-today>

"The Interprovincial Lottery Corporation."<webmaster @ kht-DOT-ru>

"Vision-Without-Glasses" <Vision Without Glasses @ hippogr-DOT-bid>

Phish NETS: Docusign and Email Server Notification

We’re finding more and more phishing (and malware-connected) emails disguised as Docusign emails, such as this one that actually seems to be from sign.com, rather than Docusign.com.  You might think that the link points to a hacked website for a concrete company in Appalachia, U.S. but you would be wrong.  That domain for appalachianpavingconcrete-DOT-com is registered to someone from Russia and hosted on a server in Dubna, Russia.

This next Docusign phish is a bit confusing if you look at the from address.  Are you meant to think it has to do with documents from Bank of America?  According to Google, there is no such domain as sendmoneytoyouhsjc-DOT-com.   The link for “View Your Document Here” points to a hacked website for an online classified WordPress website.  Look below and you’ll see a screenshot showing that the link points to a webpage looking like a Docusign login window.

“Due to recent upgrade on our server on, you are required to validate your account on our server urgently”  Seriously? Who talks like this?  Often, one of the best reasons to be suspicious of an email, text, or social media post is poor or awkward English skills.  This is because a very high percentage of the scams that target Americans are produced by criminal gangs in other countries who don’t have the best command of the English language.  This email is trying to appear “official” by coming from a domain called secureserver-DOT-org.

Donkey-poo!

YOUR MONEY: Get a $5 BarkBox, Activate Amazon Rewards, and CVS Promotion

“Give your dog the joy of a million belly scratches with BarkBox.” BarkBox.com is a real website that sells products for your dog and “Cyber MuttDay” is one of their promotions, but what you see below is not from the real BarkBox.com!  Look very carefully at the from address.  This email was sent from barkboxX.com.  This incorrectly spelled domain was registered on September 1, 2017 while the original, real domain for BarkBox was registered in 2009.  More importantly, all the links in this email point to the malicious domain dantalcare-DOT-bid.  It was registered the day after the misspelled BarkBoxX.com domain.  Best to run away from this offer with your tail between your legs.

You think you’ve received a “new voucher with a value over $50 from Amazon.com” sent from the email amazongifts “@” foryoureward-DOT-com.    This misleading domain was registered by our newest arch-nemesis “Cammie McPherson.”  We’ve found many malicious domains registered in her name in the last few weeks.  So don’t believe this pitch when it says “our system still shows that you have a pending reward in your Amazon.com account.”

CVS promotion?  Hardly!  Here’s another phony promotion that can’t make up its mind… Are they offering you $50 or $100?  It doesn’t matter of course.  The only thing waiting for you at the end of that link to lgnextgen-DOT-today is a computer infection!

Deeeleeete!

TOP STORY: Malicious Comment Spam

It seems that this is a topic we return to each year.  Anyone who runs their own website, allowing visitors to post comments, is aware of “comment spam.”  These are comments left by spam bots that try to drive traffic to other websites, sell products/services, or worse.  It can be annoying, forcing website owners to install add-ons to try to recognize and filter out the noise.  However, there is another type of Comment Spam that is both deceitful and dangerous.  Malicious comment spam.

Take this comment from someone identified as “Gabriel Torres” and posted to a blog for fiction writers recently.  She says “I think your website needs some fresh articles” and goes on to describe a useful tool that can help along with a link to a well-known, free web-hosting site called wix.com.  Sound innocent enough, right?  Let’s break it down…

        

“Gabriel” offers the link to the Wix page called Susannah02 at wix.com.  We asked one of our favorite tools, the Zulu URL Risk Analyzer, to check out the Wix page and it informed us quite clearly that there is 0% chance that the Wix page is malicious.  But there is more to this analysis that deserves another look.  Check out what Zulu told us…

No “risk assessment” tool is perfect, not even Zulu.  Though Zulu tells us that the user’s Wix page is harmless, it also identified another external element linked to the page.  It’s a website called browsehappy-DOT-com.  This feels like a dentist saying “it won’t hurt” when you sit down to have 2 cavities filled.  VirusTotal.com says that the “happy” website has been identified as a phishing site by one AV service and their community page shows four people identifying the happy site as unsafe (as of November 19).

BrowseHappy-DOT-com actually has a long history that can be reviewed on Wikipedia but that doesn’t mean it can’t be abused by hackers.  Given the suspicions of others, identification as a phishing site, and oddball way it came to our attention from a comment post, we wouldn’t trust it as far as we can throw it.

        

If you want to read our previous articles about Comment Spam, check out these links on our site:

Comment Spam Targets Teachers (April, 2016)

April 8, 2015 Top Story  (April, 2015)

FOR YOUR SAFETY: View New Fax, New Purchase Order and Emails from Friends

You have a “new fax from 418-437-6447” says an email from ringc-DOT-com.   Ringc is not Ringcentral and the link to see your fax points to malware on a hacked website for Precision Roof Washing in New Jersey.

Delete!

Hey Business Owners, “Hatim Carbon” has sent you a new purchase order “due to our last email conversation toward my new order.”  Do you really think that the attached file is a pdf file?  Look more carefully.  It is a “.jar” file.  That is a very dangerous file to open!  They are like zip files for Javascript, meaning that it can contain coded instructions that you won’t learn about until you open it.  And that will be too late for you!

We hate it when we get emails from the hacked mail accounts of people we know.  **sigh**  It’s the pain that keeps on giving for years!  Like this email to Doug at The Daily Scam from an acquaintance.  “Hi Doug” along with a bit.ly link.  We unshortened that link and followed the breadcrumbs.  Zulu got it right this time…  100% malicious.  Have a look yourself.  And don’t open emails from friends that contain little more than a link.


ON THE LIGHTER SIDE: We’ve Noticed Some Unusual Sign-In Activities on your Apple ID

Many thanks to the Reddit member who posted this recently.  An Apple ID scam targeted his iPhone but as he so succinctly pointed out…  “Fam this is an android.

You done f-d up.”

*Special Thanks to Reddit Member GiffKeplen for posting this scam text

 


Until next week, surf safely!

s2Member®