
November 9, 2016

THE WEEK IN REVIEW

Scammers continue to amaze us with their hyperbole and penchant for something new, as well as their unimaginative use of the same old, tired content, over and over. In the category of “been there, done that a thousand times” is this “CNN Special Report” with Warren Buffet’s claim. It may look official, but it’s just another malicious email pointing to a dot-top generic top-level domain (opensty.top). The hidden black text in the black box at the bottom of the email made us smile though: “cold beer with a frosted glass…” The hidden text came from a Yelp review of a restaurant in Corvallis, Oregon called Koriander. We would like to eat there some day!

Did you hear there was a presidential election in the U.S.?  Scammers were taking advantage of election lies right up to election night.  Look at this email with the subject line “Hillary Caught Lying on Live TV.”  The link pointed to the domain newssearch.bid.  According to the Zulu URL Risk Analyzer, the link leads to a malicious website in Bulgaria.

[Image: 2-hillary-caught-lying]

And then we saw something new that was meant to appeal to religious Christians. It’s an email claiming to represent the Christian Marriage Council (though we cannot find any such organization by searching Google). The email was sent from a ridiculous address in the European Union… wifewontstopflirting @maridplan.eu. It’s a bunch of malarkey hawking herbal medicines for a better sex life. Does anyone really believe this crap?

[Image: 3-christian-marriage-council]

Last week we had fun corresponding with a scammer who was trying to rent us an apartment in Winooski, Vermont, that he didn’t actually own. A reader found it listed on Craigslist and brought it to our attention. Check out the Craigslist ad for the apartment. Can you tell why it is a scam? Read our conversation with the scammer and learn why this was a scam!

[Image: 4-winooskivt-apt]

Sample Scam Subject Lines:

80% Stock Market Crash to Strike in 2016
A Limited Number of $50-Amazon Card are Available, Claim Yours Today 17640825
A trusted source for piano lessons
Asking a quick favor
Auto Warranty Notice: We Will Pay Your Next Auto Repair Bill.
Best thing about sleep is a New mattress
Give the gift of oil change to your engine
Important message about your credit
How to Whiten Your Teeth in 15 Minutes
Just the thing you need!
National Alert: Are You Infected With This Nail Parasite?
Re: CV
White House Commits Financial Crime (New Footage)

Sample Scam Email Addresses:

CNN-Interview@ble7aun.vengelo.top
flyairplanegames@flightpor.top
Heart-Health-Warning@ik0fuea.zinoroo.top
iMotors-Ford-Clearance@gumoi8e.zimonds.top
probiotic-america-[YOUREMAIL]@documentedhistory.net
match@memorning.top
Match.com-Partner@mecazu7.lavaihm.top
santaletters@noafternoon.top
SantasWorkshop@ena0ewo.gititio.top
Snoring_Relief@adxewm3i.bornpza.top
The.Timeshare.Professionals@v6uiase.directrenttimeshareduo.top
the.sovereign.investor-[YOUREMAIL]@brencruz.com
Women_of_Excellence@ecujiae7.ribsist.top

Phish NETS: USAA Bank and Navy Federal Credit Union

“Incomimg Pending Payment Approve” (Notice the misspelling of incoming) says an email from the University of Utah.  “Dear Usaa Member, A money transfer has just been sent to your USAA account. For security reasons, We have temporarily put a hold on this payment.”  The recipient is asked to “Approve Yoour Transfer.”  This is a pretty lame phish and we’re not too worried that folks would click on it.  If the typos and awkward grammar aren’t enough to send you to the delete key, how about the information in the upper right corner of the email?  This email is in reference to your account ending in XXX!  Seriously?  A mouse-over reveals that the link points to a strange domain mometavonem.tj being hosted in Dushanbe, Tajikistan.

I think we can all say DEEEELEEEETE.

[Image: 5-phish-usaa-member]

This next phishing scam was much better in quality, with nearly perfect English and a from address that appears legitimate.  It isn’t though.  The real Navy Federal Credit Union uses the domain navyfederal.org, not federal.com.  But no matter how well-crafted this phish, we all know that a mouse-over will set you free!  Mousing-over the one and only link in the email reveals that it points to a website in Brazil (.br).

Just delete.


Your Money: Credit Report, Open Medicare Enrollment, and Save on Caribbean Cruises!

“Notice: TransUnion, Equifax, and Experian Scores May Have Changed.”  “THIS IS AN ALERT”  “REMINDER: PLEASE CONFIRM/DISPUTE NEGATIVE ITEMS APPEARING ON YOUR REPORT”  This sounds serious! But the first thing to notice is that the email came from the weird domain 0allowgirlm.stream.  A WHOIS lookup of this imaginative domain shows that it was registered on October 30 to someone named “Mark Miller” from Miller Frame Shop in Georgia.  Adding to the mystery of this domain is that it is being hosted in Lanzingen, Germany and has the website title “DotComSecrets.Com – Internet Marketing Strategy, Growth Hacking”   Sound like a legitimate credit reporting company to you?

Sometimes Internet criminals completely plagiarize their malicious designs from American businesses.  Look below at the email stating  “Open Enrollment 2017: You may be eligible to change your Medicare Plain!” It was sent from Medigap-Quote @dfae6ru.hamarri.top.   “Find Medicare Plans …that meet your needs.”  The bottom of the email says that you can unsubscribe by contacting the real MediGapQuote in Hollywood, Florida.  NEVER click unsubscribe on these emails!  However, if you visit the real MediGapQuote.org you’ll see that the criminals lifted all their information and graphics from the real website.  Fortunately, a simple WHOIS look-up reveals that hamarri.top was registered on November 3 to Mina Polaski from Heidelberg, Germany and Google finds no website for hamarri.top.

We would love a Caribbean cruise, at least according to this email from CaribbeanCruiseGuide @carebbincrus.top. The domain carebbincrus.top (yet another dot-top) was registered on November 5 to someone named “navya gupta” from the company named AVP Digital Media. We’ve written several times about this company. You can read about them in our February 24 newsletter. It appears that a company called AVP Digital Media is located in India, though no address is actually cited on their website. Neither is a contact number. We found two work reviews listed on Glassdoor.com for AVP Digital Media that made us smile. If you read carefully, you’ll see that these favorable reviews say absolutely nothing.

Delete!

TOP STORY: Engineering the Best Email Mouse Traps

Last week we informed readers about a significant increase in the number of small emails carrying malicious files intended to infect computers.  The deluge continues. Below are many of the subject lines used in these email mouse traps.  We wondered why they seem to be so effective at getting people’s attention and engineering a response.

Bill
Bill overdue
Budget forecast
Credit Card Details
DOC_9611
Document from Denton
E-TICKET 4187
FAX_7176
Flight Tickets
IMG_4379
INVOICE 242098 ATTACHED – Thank you for your business
Message from IRS
Order 72501 (Acknowledgement)
Parcel no. 6743759894
Payment history
Please review
Please verify
SCAN_7444
Thank you very much
Transaction declined
Transactions
Wrong model
Your order has been proceeded
Your shipment

Think of these subject lines as triggers using psychological manipulation to improve the design of a mouse trap.  According to Wikipedia, “psychological manipulation is a type of social influence that aims to change the behavior or perception of others through abusive, deceptive, or underhanded tactics. By advancing the interests of the manipulator, often at another’s expense, such methods could be considered exploitative, abusive, devious, and deceptive.” They certainly have this last part correct!

Using email to psychologically manipulate a potential victim requires two important steps.  Step one is to craft a subject line that will entice the recipient into opening the email.  Back in ancient Internet times of 1999, a lawyer named Jonathan Rusch, while working for the U.S. Department of Justice, wrote a fascinating and detailed (though very dry) research article titled  The Social Engineering of Internet Fraud. In it, Mr. Rusch said that “social psychology experiments have shown that for some people who tend not to scrutinize persuasive messages closely, their post-message attitudes were less dependent on scrutinizing the message when they perceived the source to be more honest. Thus, some fraud victims may tend to rely primarily on their belief or impression that the person with whom they dealt was honest, and to give little thought to the message’s substance.”  Simply stated, Mr. Rusch said that some of us believe in the honesty of our fellow human beings.  Receiving an email saying, for example, “thank you very much” “your shipment” “please review” or “credit card details” would likely elicit a basic human response to engage.  And so the email is opened.

Step two in this psychological manipulation is to generate one of three behaviors from the email recipient:

  1. to click a link in the email
  2. to click an attachment to the email
  3. to reply to the email so as to begin a conversation

It almost doesn’t matter who the emails came from, nor whether or not the recipient feels any connection to the sender.  Have a look at the from addresses used to send out some of these very malicious emails…

[Image: 10-malicious-emails-1]

[Image: 11-malicious-emails-2]

There is nothing striking about the sender addresses, though many are sent from various countries outside the U.S. You can identify them by looking for the 2-letter country codes after the domain name; codes such as mx = Mexico, br = Brazil, and nz = New Zealand. And since they don’t come from criminal @going-to-scam-you.top, many people open them. Here are the types of things they find…

[Image: 12-please-verify]

[Image: 13-thank-you-very-much]

[Image: 14-flight-tickets]
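The two habits this newsletter keeps recommending, the mouse-over comparison of a link’s real target with the brand it claims (the Navy Federal phish above) and reading the sender’s top-level domain for a throwaway gTLD or a foreign country code, written up as an added Python example. This is our own illustration, not code from the newsletter; the sample message, the domain lists and the brand name are constructed.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Short illustrative lists (assumed, not exhaustive): suffixes the newsletter keeps flagging.
RISKY_GTLDS = {"top", "bid", "stream"}
COUNTRY_CODES = {"mx": "Mexico", "br": "Brazil", "nz": "New Zealand", "tj": "Tajikistan"}
# Simplistic anchor matcher: captures the href and the visible text a reader sees.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    # Crude registrable-domain guess: last two labels (no public-suffix list here).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def describe_host(host, role, brand):
    # Findings for one host: brand mismatch, throwaway gTLD, or a foreign country code.
    tld = host.rsplit(".", 1)[-1].lower()
    out = []
    if registered_domain(host) != brand:
        out.append(f"{role} domain {host} is not {brand}")
    if tld in RISKY_GTLDS:
        out.append(f"{role} uses throwaway gTLD .{tld}")
    if tld in COUNTRY_CODES:
        out.append(f"{role} is under country code .{tld} ({COUNTRY_CODES[tld]})")
    return out

def triage(raw_email, brand):
    # The newsletter's checks: sender domain vs the brand, then each link's real target
    # (the "mouse-over"), reported next to the text the link shows.
    msg = message_from_string(raw_email, policy=default)
    findings = describe_host(msg["From"].addresses[0].domain, "sender", brand)
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()
        findings += describe_host(urlparse(href).hostname or "", f"link '{text}'", brand)
    return findings

# Constructed sample modelled on the Navy Federal phish described above (not a real message).
SAMPLE_EMAIL = """\
From: "Navy Federal Credit Union" <security@federal.com>
To: member@example.org
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://account-verify.example.br/login">Sign in at navyfederal.org</a></body></html>
"""

def run_sample():
    return triage(SAMPLE_EMAIL, "navyfederal.org")
```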

Mr. Rusch goes on to describe in his article that there are at least six factors that are likely to persuade or influence a person’s behavior. Of these six, the first is “Authority.” He writes: “People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present.” We wonder if, in a way, each of these short, highly malicious emails represents a person of authority already seemingly engaged in a conversation with the potential victim. Remember, the potential victim, having opened the email, is already predisposed to believe in the honesty of the sender.

Each of the above emails is worded beautifully, and quite simply, to be an authoritative part of a conversation. Kind of like playing a game of catch… If I toss you a ball, you instinctively reach out to catch it, and anticipate throwing it back…

“Please verify the parts highlighted in the attached document”  You click to verify…

“Please check out all the operations and contact us if you have any problems or concerns.”  You click to check…

“We have received your payment for the flight tickets.  The tickets information is attached” What tickets? You click to check…

These simple phrases of common, everyday types of responses are what create a better mouse trap for Internet criminals.  And we are the mice.  We have to do a better job learning not to take the bait.

FOR YOUR SAFETY:  “Help me choose”

We want to remind our readers that spotting malicious intent is not always straightforward. Take this email from nigel.roxby @orange.net with the subject line “Re: help me choose”, as if you’ve already been in a conversation with Nigel or Upneesh or whomever this is from…

“I couldn’t make my decision which of these things to choose, pleaes help me….”  We asked the Zulu URL Risk Analyzer to check on the link to lindawderusha.com and it informs us that the link is very safe:

However, look carefully for redirection!  A script at lindawderusha.com will automatically redirect a visitor to another website called worldforbrain.  How does Zulu evaluate the worldforbrain website?  100% malicious!

[Image: 17-help-me-choose-redirect-zulu-score]

ON THE LIGHTER SIDE: Trump? Really!?

Unlike Donald Trump, we never got millions of dollars from mom and dad and, frankly, it’s been a real bummer!  So imagine our surprise to get this email from Albert Yang.  Clearly he knows something we don’t about our inheritance!

[Image: 18-regarding-family-inheritance]

Until next week, surf safely.