Please support our effort by making a small donation. Thank you!

x

November 28, 2018

THE WEEK IN REVIEW

We want to warn readers that TDS is seeing an increase in an unusually tricky type of malicious email during the past few weeks.  We don’t pretend to understand exactly HOW they are malicious but we are 100% certain of one thing… These emails are not from the services they claim to represent and are extremely suspicious for several important reasons!  The emails will ultimately deliver you to the legitimate service they pretend to represent. But first you’ll be sent to another oddball website before being forwarded to the legitimate site represented in the sham email.

Take, for example, this email claiming to represent PCH.com, Publisher’s Clearing House Sweepstakes, for the  upcoming drawing on December 21. The sender’s FROM address is actually okokglass[.]com and all links point back to that same website.  This strange domain is not owned or associated with the legitimate PCH.com.  And yet, clicking the link will send you through okokglass[.]com and then redirect you to the real PCH.com:

 

 

 

None of the tools in our usual toolkit could find anything wrong with the link at okokglass[.]com.  This domain was registered in 2013 by a business named “Art Brock Holdings, LLC.”  Art Brock Holdings, LLC is a business registered in Delaware but without any owners, officers, or board members listed.  This business was responsible for registering at least 123 oddball domains between 2012 – 2015 alone.  (Check out the list of them on DomainBigData.com.)  We visited several of the websites registered to Art Brock Holdings, LLC and each consisted of the same single page “Unsubscribe Request Form” as shown in this screenshot:

 

We wonder why an email for the Publisher’s Clearing House Sweepstakes has to come from okokglass[.]com rather than the legitimate and real domain pch.com?  If you look up the Registrant information for pch.com you’ll see lots of information that clearly identifies the domain as owned by Publisher’s Clearing House.  Not the case with okokglass[.]com.  Everything about this email and the domain you’ll be routed through SCREAMS out that it is not legitimate and therefore HIGHLY suspicious.  By the way, the website “Scammed-by” notes a scam email that came from okokglass[.]com in early October.

On another topic, we also want to remind our readers who use Facebook that scammers are still very active on it, despite what Zuckerberg says about keeping people safe!  Here’s a recent ad for Canada Goose down jackets that appeared on the Facebook business page called Dressvipsale1.   Normally, the Emory parka listed in this ad goes for $995 on the CanadaGoose.com website.  This ad represents a sale price of nearly 80% off!  If you visit the Facebook page for Dressvipsale1 you’ll find that this business owner claims to have been in business since 2013 and provides a link to his website at dressvipsale[.]com.  However, a WHOIS lookup of that domain shows that it was first registered in Hiroshima, Japan on May 14, 2018 and the website is being hosted in Holland. Other people have commented on their Facebook page that they sell fake knock-off products and to “steer clear” of purchasing from them!

 


Phish NETS: Bank of America, Paypal, and Wells Fargo (again!)

This was a really lame effort to create an email to look like it was from Bank of America.  It targeted a Cox communications user who then sent it to us. The link for “UPDATE” pointed to the link shortening service x.co.  Enjoy….

As is often the case, smelly phish contain poor grammar, capitalization and punctuation errors.  This phish disguised as a PayPal security alert is no different. Also, let’s not forget that the FROM address is not paypal.com and a mouse-over of “Click Here” reveals the fraud!  That domain servisearchaimbau[.]net was registered in France on the day this email was sent.

Another Wells Fargo tax document phishing scam.  What a surprise….

YOUR MONEY:  Home Appliance Warranty, Take Surveys and Get Paid!

Eliminate the hassles and expenses of home repair with an American Home Shield Warranty!  Except that the real AHS home warranty service can be found at the secure website AHS.com.  This email came from the domain networkcodes[.]org and the links point to the website IPCameraMarket[.]com.  In case you are wondering what waits for you at the other end of that link, the Zulu URL Risk Analyzer makes it crystal clear in the screenshot below.

 Deeeeleeeete!

 

Inviting people to take a survey and get paid for their opinions is a sure-fire way to attract those who aren’t savvy enough to suspect fraud online.  Take this email that appears to be FROM a “Paid Survey Recruiter” via a newsletter from adidas[.]com.  However, if you look VERY carefully at the link revealed by mousing over the graphic in this email, you’ll see that it doesn’t point to Survey Junkie.  It points to a link-shortening service in Russia! (“.ru” = 2-letter country code for Russia)

 

Just like the Publisher’s Clearing House Sweepstakes email we described at the start of this week’s newsletter, this Survey Junkie email WILL send you to the real Survey Junkie website, but only AFTER passing through a website in Russia.  We can’t think of a single reason why this is OK or reasonable at all! Could there be something legitimate about this email that we’re missing? We decided to look more closely at the sender’s email address and looked up Adidas[.]com.  We discovered that it is a sportswear site in the Czech Republic!  Does ANY of this sound the least bit legitimate to you?

Yeah, now delete.

TOP STORY:  Russian Criminals and Clickbait

In addition to the Russian state-sponsored attacks that targeted Americans in the last few years, Russian cybercriminal gangs have also been hard at work making millions of dollars annually by hurting Americans.  “Spam Nation,” a book by journalist Brian Krebs, documented this effort very well and we recommend his book to our readers.   We continue to see lots of bread crumbs that point back to Russian criminal gangs as the likely source of scams and malicious emails designed to infect our computers, such as those mentioned earlier in this newsletter.  Here’s another clickbait that makes our point… “Complete our Survey & Receive a $500 Prepaid Amazon Gift Card.” This email appears to have come as a “Comcast alert” from someone named Jessica, though the header information is in French! (That likely means that the criminal who actually sent this forgot to change the language preferences of his scam program before sending it out to US citizens.  No doubt, a similar email was sent to French citizens!)

Look carefully at the link revealed by the mouse-over to see two important details:

  • The link points to a domain named anpdm[.]com
  • The link contains a redirect that will forward you to a web page on a news service in Russia called nn[.]ru

 

In fact, the service called “Unmask Parasites” shows us that clicking the link in this email will redirect you to MANY other websites including two identical links at two very different domains, flybomb[.]com and onlyhop[.]com.  (FOOTNOTE: Several years ago we saw that a cybercriminal gang –most likely from Russia– had automated the selection of domain names by combining two random words together such as flybomb and onlyhop.  With that in mind, take another look at the 123 domains purchased by Art Brock Holdings, LLC described above!)

The topmost redirect that will open in your browser after clicking the link for this $500 reward is to a website that sounds legitimate… ConsumerRewardsCenter[.]com in Great Britain.  We wondered if this “consumer rewards” website was a legitimate site that was somehow pulled into this subterfuge.  However, when we Google’d it and looked at reviews, we only found very low reviews such as the post below from someone named Sye.  We encourage you to heed her remarks!

The exact form of malicious intent in all of this cybercriminal manipulation is not entirely clear.  However, the security service Fortinet has identified consumerrewardscenter[.]com as a phishing website!  How does that payment for your opinion sound now?

FOR YOUR SAFETY: Resume For Job And Check Order Status

Someone sent TDS a resume, telling us that she was interested in a position.  How lovely! Of course, it took VirusTotal.com only a few seconds to see that it contained a Trojan Horse malware file.  We couldn’t help but wonder if the criminals who sent this email have an immature 7th grade sense of humor by listing the bolded name you’ll see. What have we been shown?

 

 

As long as we’re hyper-focused on Russia, how about this email sent from Poland telling us we have “4 notifieds.”  The link for “View Info” also points to a malicious website in Russia!

 

 


Until next week, surf safely!