
November 23, 2016

THE WEEK IN REVIEW

Last Wednesday we complained loudly about being sick and tired of email dating scams and shared one final scam disguised as a free invitation to join eHarmony.  **sigh**  Perhaps our readers include the criminal gang who push these scams down our collective throats because a few hours after our newsletter came out we were sent a surge of about 50 eHarmony scam emails in just a few minutes!  The message was pretty clear… they were flipping us “the bird.”

Another topic that we had better get accustomed to in the world of online scams is everything and anything to do with Donald Trump, at least for another four years.  Such as this recent email with the subject line “Trump Is Praying You’ll Never See THIS!” It contains an invitation to watch a controversial video. **eye roll**  What’s next? Russia invades the EU?  This email came from, and links point back to, the domain mirclefarms.date.  The domain was registered by a Panamanian proxy service to hide the real owner and a WHOIS shows that the site is being hosted in Hamburg, Germany.

Delete.

Sample Scam Subject Lines:

70% of Americans qualify for healthcare discounts. Do you?

Browse Our All New Shed-Guides for Fall

Cut down on home repair costs

Experience luxury in the sky

I can’t help showing this off

Local representation needed

Pest Control Plan

Solve your IRS tax debt problems

The HOTTEST Gift This Holiday Season…

This NAUGHTY trick will blow your mind… (Safe for work)

The world’s most realistic flight simulator?

Transform Your iPad Into A Laptop Replacement

Truly disgusting… This scandalous video will make your blook boil

Sample Scam Email Addresses

Phish NETS: Apple-ID, Apple GSX Account, and Navy Federal Credit Union

One phish, two phish. Red phish, blue phish. Poor Apple users! Baited again. Look at the differences between this well-crafted red phish… “Your Apple ID has been suspended [#3722938]” “Dear Customer, We recently failed to validate your payment information, therefore we need to ask you to complete a short verification process in order to verify your account.” A quick glance at the from address suggests that the email came from Apple.com, but look closely! The email was actually sent from the domain ssl.com. The “apple” in front of ssl.com is just a subdomain, and whoever controls a domain can create subdomains that say anything, such as “click-here-to-be-scammed.ssl.com”. Fortunately, a mouse-over of the “> Click here…” link shows that it points to the website sdid1.com, not apple.com. These criminals are skilled! Look below at the web page that awaits you at sdid1.com.

[Image: the Apple ID phishing site at sdid1.com]

And then we saw this blue phish. We showed it to a group of twelve-year-old kids and even they saw through it in a heartbeat. They pointed out that the from address isn’t connected to Apple at all and came from the European Union (.eu). They noticed the poor grammar and multiple errors in the body of the email, suggesting that the sender had awful English skills. And, of course, they noticed that mousing over the link “Update your information” leads to the website droid-box.com.ua, not Apple.com. (.ua is the country code for Ukraine!) Yay for super-sleuth 12-year-olds!

Now delete.

It’s like pouring salt on an Apple user’s open wound…. We also found this Apple GSX service account phish with an attached html file named form_very.form.html. “We are updating our security because of the numerous fake emails receivd…” Once again, look carefully at the from address. It isn’t Apple.com. It is apple.co (.co is the country code for Colombia). These criminals are so multi-national. We cracked open that coded web file and found everything exactly as it would be for an Apple GSX web page except for one line of code. Look below to see that the data collected upon login was being posted to a website in Poland: c405.pl
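The two checks the twelve-year-olds and we just did by eye (is the brand only a subdomain of some other registered domain? does the link or the attached form post somewhere else entirely?) can be written down. This is an added example, not code from the newsletter; the sample addresses and the HTML fragment are constructed from the cases above, and the small suffix list stands in for the real Public Suffix List.

```python
# Added example, not from the newsletter: reduce every host a phish touches
# (From: address, link targets, form "action" in an HTML attachment) to the
# domain its owner actually registered, and report those that are not the brand's.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tiny stand-in for the Public Suffix List, so "droid-box.com.ua" keeps its
# owner label instead of collapsing to "com.ua". A real tool loads the full list.
TWO_LABEL_SUFFIXES = {"com.ua", "co.uk", "com.au", "co.id"}

def registrable_domain(host: str) -> str:
    """'apple.ssl.com' -> 'ssl.com'; 'droid-box.com.ua' -> 'droid-box.com.ua'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def sender_domain(address: str) -> str:
    """Domain behind the From: address; the local part is attacker-chosen noise."""
    return registrable_domain(address.rsplit("@", 1)[-1])

def url_domains(urls) -> set:
    """Registrable domains of absolute URLs; relative ones have no host to judge."""
    return {registrable_domain(h) for u in urls if (h := urlparse(u).hostname)}

class FormActions(HTMLParser):
    """Collects the action= target of every <form> in an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        action = dict(attrs).get("action")
        if tag == "form" and action:
            self.actions.append(action)

def off_brand(expected: str, sender: str, urls=(), html: str = "") -> set:
    """Every registrable domain seen that is not the brand's; empty set means clean."""
    parser = FormActions()
    parser.feed(html)
    seen = {sender_domain(sender)} | url_domains(urls) | url_domains(parser.actions)
    return seen - {expected.lower()}

if __name__ == "__main__":
    # The red phish: "apple" is only a subdomain of ssl.com and the link goes to sdid1.com.
    print(off_brand("apple.com", "noreply@apple.ssl.com", ["http://sdid1.com/verify"]))
    # The GSX phish: apple.co is not apple.com, and the attached form posts to c405.pl.
    gsx = '<form method="post" action="http://c405.pl/login.php"><input name="id"></form>'
    print(off_brand("apple.com", "support@apple.co", html=gsx))
```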

A BIG fat deeeeeleeeeete!

[Image: Apple GSX service/support phish, part 1]

[Image: Apple GSX service/support phish, part 2]

Finally, as if all these phish in the sea weren’t enough, we found more bait targeting members of the Navy Federal Credit Union again. The mouse-over points to the legitimate, but hacked, website jbayboots.com. Look what our web browser showed us when we tried to go to their “contact us” page to inform them that they had been hacked.

Ouch!

[Image: Navy Federal Credit Union phish]

[Image: Navy Federal Credit Union phish: browser malware warning]

Your Money: 15% Off Ink And Toner and Access Your Home’s Equity

Printer ink is soooooo expensive!  Sometimes we think that printers are sold at a loss because the manufacturers will make loads of money on the ink they sell you.  So we’re always looking for good ink deals.  But this ain’t it.  And if you read carefully you’ll see some things that don’t add up, like the fact that the “free shipping” deal expired 2 weeks after the email was sent and they can’t spell inkjet.  The email came from 123inkjets @inkjettsscoup.org.  A WHOIS lookup of that domain shows that it was registered on the day the email was sent by someone named Nirmesh Tiwari from Pune, India.  And the site is being hosted in Amsterdam, Holland.

We often see scams disguised as “reverse mortgage” deals so it’s time we pulled the covers off one.  This email wants you to believe it came from the legitimate firm called the American Advisors Group. They even include the real address information for AAG at the bottom of the email.  Don’t be fooled by all those “as seen on” endorsements! The from address begins with AAGReverseMortgage but it’s sent from another scam dot-top domain named jouperl.top.  A quick WHOIS lookup of jouperl.top shows that it was registered on the day the email was sent to a Janise Deurj, of Ringoven, Netherlands.  Sound like AAG to you?

TOP STORY: Our Apologies to Grandville, Michigan!

We’re so sorry! We’re sure Grandville, Michigan is a lovely place to live and raise a family. And there are good people in Grandville, no doubt! But we can no longer avoid talking about the elephant in the room (Not Trump!) and we said as much in our last newsletter’s Your Money column. This is officially a “no brainer” and you have only yourself to blame if you fall for any of these scams ever again…

Lunge for the delete key the moment you see any email or online advertisement containing the address 2885 Sanford Ave, Grandville, MI 49418.  There should be no hesitation, no “what if’s” and certainly no “but this one might be legit.”  “2885 Sanford Ave, Grandville, MI 49418” is a mail-forwarding address and we have seen a constant stream of malicious emails for more than a year misusing that address.  So let’s make it official.  Repeat after us… I will never, ever believe anything I see on the Internet that contains the address 2885 Sanford Ave, Grandville, MI 49418 (excepting, of course, our newsletters that report on this trash.)  We honestly don’t believe that the criminals who misuse this address actually forward mail to somewhere else.  We don’t think they give a damn about snail mail at all.  But the address provides their emails with some legitimacy by having an address that a netizen can look up.  We say donkey-poo!  Have a look at this tiny collection of scam emails we collected in the past week that contain the address 2885 Sanford Ave, Grandville, MI 49418.

And then delete.

“When dealers compete, you win” says this email that seems to be from Next Car Finder. But the links point to simple-credit.com. Simple-credit.com was registered on August 20 using a privacy service in Panama. The website title displayed is “Celebrity Gossip and Entertainment News | Just Jared.”

“Will your heating system fail this winter?” says this email from tohandtohome.com. Tohandtohome.com was registered using the same privacy service in Panama on November 13, 2015, but the domain was updated 3 days before this email came out. The title listed for this website at the WHOIS says “tripwire magazine | Handpicked goodies for web developers and designers” and Google can’t find any such website.

“Don’t delay getting your family’s health covered by insurance”  “It’s better to be safe than sorry.”  The email was sent from health.insurance-[YOUR EMAIL] @sixdicedup.press.  A WHOIS lookup tells us that the site was registered on June 29 by a Daniel Kingston from “IKO Publishing” in Dallas and the website title is “Celebuzz | Celebrity News and Photos.”  Google cannot find IKO Publishing in Dallas.  Nor can it find any website at sixdicedup.press.

And for those of you looking for religious inspiration we have this exciting news from holy-health-breakthrough-[YOUR EMAIL] @linobottaro.com. “3 Things Jesus Said About How to Cure Disease.” “Doctor Jailed Over $10 Diabetic Breakthrough.”  “Watch the Shocking Video Now…”  Where have we heard that before?

And one final example of the curse of 2885 Sanford Ave, Grandville, MI 49418.  “Dentists Hate These Harvard Dropouts For Inventing Popular Teeth Whitening Kit!” says the email from visadz.net.  God help us all! Enough said. “2885 Sanford Ave, Grandville, MI 49418” means Delete! However, out of respect for the real folks who call Grandville, MI their home, here’s a link to the official Grandville, Michigan Facebook page describing things to do while you’re there.

FOR YOUR SAFETY:  Odd Text and Payment Confirmation Slip Attached

We love it when our readers send us texts and ask us to check them out!  Like this text that came to a reader from emvgpkrj88 @plpowers.net.  Though we aren’t quite sure what the sender is asking (“Pls hmu” – please hum?), it is clear that he or she wants you to dial 918-600-0580.  We asked the Internet about that telephone number and weren’t surprised when seven other people reported it as unsafe in the past week.  Our experience informs us not to answer calls or respond to texts from numbers we don’t recognize.  If it is important and real, they’ll leave a message.  If they don’t, we block them.

“Good morning Payment confirmation slip attached for your kind information.”  They meant to say “your malware is attached.  Click to infect.”

ON THE LIGHTER SIDE: BMW Lottery Winner!

We didn’t even know BMW offered a lottery! OMG! New BMW and 1.5 million dollars!  We have no idea what the “international balloting programs” are but we’re grateful to them!

From:  admin@plnjateng.co.id
Time:  2016-11-13 18:20:50
Subject: Dear Winner,

Dear Winner,

This is to inform you that you have been selected for a prize of a brand new 2016 Model BMW 7 Series Car and a Check of $1,500,000.00 USD from the international balloting programs held in the UNITED STATE OF AMERICA.

The selection process was carried out through random selection in our computerized email selection system (ESS) from a database of over 250,000 email addresses drawn from all the continents of the worl which you were selected.

The BMW Lottery is approved by the British Gaming Board and also Licensed by the International Association of Gaming Regulators (IAGR). To begin the processing of your prize you are to contact our fiduciary claims department for more information as regards procedures to the claim of your prize.

Name: MR. DANIEL SMITH
Email:  bmwcompanyinin@gmail.com

Contact him by providing him with your secret pin code Number BMW:2551256003/23. You are also advised to provide him with the under listed information as soon as possible:

  1. Name In Full :
  2. Residential Address :
  3. Nationality :
  4. Age :
  5. Occupation :
  6. Direct Phone :
  7. Present Country :
  8. Email address :
  9. pin code Number BMW:

Mrs. Rachael Adams.

THE DIRECTOR PROMOTIONS
BMW LOTTERY DEPARTMENT
UNITED STATES OF AMERICA.

Until next week, surf safely.