
October 12, 2016

THE WEEK IN REVIEW

We’ve reported in the past few weeks about scams targeting those looking for love, starting with our September 14 newsletter. Here are two more malicious emails targeting this group. One, disguised as coming from Match.com, says “Your friend has just joined Match.com” and “You have a new message waiting from someone at Match.com.”  The second scam email comes from the domain mail.seniordating.top and targets seniors with the subject line “Find Information on Single Seniors.”  Don’t believe these fools.


Both of these scams use the newly created weird global top level domains (gTLD) of “.top” and “.gdn.” Everyone will recognize the original six gTLDs around which Internet names were created starting in the late ’90s. They were .com, .org, .net, .edu, .gov, and .mil.  Some years later a few more gTLDs were added such as .info, .biz, and .tv.  However, in 2013 ICANN began to release all sorts of new gTLDs by the hundreds like .WOW, .date, .asia, .review, .top, and .help.  As of October 7, there are 1,186 newly released gTLDs.  Our experience has taught us that nearly all of these recently added strange global top level domains are being used exclusively by criminals to host malicious files.  So, if you see a website or an email that ends in dot-something-odd, our advice is to steer clear.

Check out our latest feature article “Plenty of Fish (POF) Has Plenty of Sharks”

Sample Scam Subject Lines:

Are anxiety drugs doing more harm than good?

Get your free credit ratings today with free trial

Go Shopping at [Amazon] with a $50 Gift Card!

It might be too late… (open now)

Remove 99.9% of bacteria in your water

Search lenders in your area

Stop paying for expensive auto repairs

This could lower your insurance premiums

This is what you need to track down your keys

Updated Amazon points balance

Your friend has just joined Match.com

Your glasses are KILLING YOU!

Your personalized numerological report

Sample Scam Email Addresses

Accredited-Debt-Relief@gin6eat.teelun.top

Alaska-Cruise-Deals@ahn8eei.fruitei.top

albina@bestcreamsforyoungerskin.com

BloodSugarStudy@nduis7a.renesor.us

efax@easyfaxx.stream

fidelitylife@homwarnty.eu

hdministrator@teletalk.net.br

Important_News@avqem5il.steepex.top

megamillionsalert@lotocrush.eu

nationalalert@nailfunges.eu

TimeshareConsultants@prie8at.sosamen.us

USA.Med.Supply@bos1eia.mustsavemedicare.top

Women_of_Excellence@4niefose.lstring.top

Phish NETS: Paypal and Apple (again!)

This smelly phish came from support@transkop.rs, not Paypal.com.  Can you figure out the 2-letter country code in the from address?  Truth be told, we couldn’t and had to look it up…  .rs = Republic of Serbia.  The subject line asks you to “Please Confirm Your Account Information.”  A mouse-over of the link reveals that it points to a hacked website called mediposible.com.

One of our readers sent us this next phish, “Thank you for your order.”  “Dear Client, You recently added…. …as a new rescue email address for your AppleID.”  However, a mouse-over of the link “Verify now” shows that it points to a web page found on GetResponse.com.  But the webpage was created by someone identified as service@ tunisclub.com.  This is a pretty poor phish pretending to be from Apple.

Just delete.

[Image: phishing email, “Thank you for your order”]

Your Money: Yoga offer, Your Dog’s Health, and Amazon Gift Card

Now here is good advice… “Maintain your life’s balance with yoga.”  And “5 yoga poses that will slim you down.”   Look closer at this email and you’ll see lots of red flags that should raise suspicions…

  1. The email was sent from one of those newer oddball global top level domains: dot-click (.click). Look for it in the from email address and in the link revealed at the bottom of the email.
  2. The email contained a large white space at the bottom. Dragging our cursor through it revealed hidden random white text meant to fool anti-spam servers.
  3. The unsubscribe message at the bottom of the email (which you should never click!) is phrased in such an odd way… “If you might rather NOT receive this particular Message going forward click here”

Of course, a search using a WHOIS tool confirms our suspicions.  Yogburnfat.click was registered on October 2 by someone called “sachin” from Coimbatore, India. And by the way, 18 Taylor St. in San Francisco is a theater.  There’s no such place as “18 J Taylor Street.”
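The three red flags above, the mouse-over check from the Phish NETS section and the odd-gTLD advice from the top of this newsletter can all be automated. The following Python checker is an added example written for this page, not code from the newsletter; the e-mail samples, sender addresses, subdomains and send dates are constructed (the WHOIS creation dates for yogburnfat.click and amznc.top are the ones reported above), and the list of suspicious TLDs is an assumption you would maintain yourself.

```python
"""Red-flag checker for a suspicious marketing e-mail (added example, not from the newsletter).

Checks: sender and link TLDs against a watch-list, link text that names a different
domain than the href (what a mouse-over reveals), hidden text padding (white or
zero-size text), and how recently each domain was registered relative to the send date.
"""
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the TLDs the newsletter calls out; a real deployment keeps its own list.
SUSPICIOUS_TLDS = {"top", "gdn", "click", "stream"}
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}
DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HIDDEN_STYLES = ("color:#fff", "color:white", "font-size:0", "font-size:1px", "display:none")


def domain_of(address_or_url):
    """Host of an e-mail address or URL, lowercased; tolerates the 'user@ host' defang spacing."""
    s = address_or_url.strip().lower()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].replace(" ", "")
    return urlparse(s if "://" in s else "http://" + s).hostname or ""


def tld_of(host):
    return host.rsplit(".", 1)[-1] if "." in host else ""


def registered_on(host, whois_created):
    """Creation date of host or of any parent domain present in the WHOIS table."""
    for name, created in whois_created.items():
        if host == name or host.endswith("." + name):
            return created
    return None


class _MailParser(HTMLParser):
    """Collects (href, visible text) for every anchor plus any text inside hidden styling."""

    def __init__(self):
        super().__init__()
        self.links, self.hidden_text = [], []
        self._href, self._text, self._hidden_stack = None, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        if tag not in VOID_TAGS:                       # void tags never get an end tag
            self._hidden_stack.append(any(k in style for k in HIDDEN_STYLES))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        if any(self._hidden_stack) and data.strip():   # text nested inside a hidden element
            self.hidden_text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        if self._hidden_stack:
            self._hidden_stack.pop()


def analyze_email(sender, html_body, sent_on, whois_created, max_age_days=30):
    """Return the red flags tripped by one e-mail; an empty list means nothing tripped."""
    flags, sender_host = [], domain_of(sender)
    if tld_of(sender_host) in SUSPICIOUS_TLDS:
        flags.append("sender-tld:." + tld_of(sender_host))
    parser = _MailParser()
    parser.feed(html_body)
    hosts = {sender_host}
    for href, text in parser.links:
        host = domain_of(href)
        hosts.add(host)
        if tld_of(host) in SUSPICIOUS_TLDS:
            flags.append("link-tld:." + tld_of(host))
        shown = DOMAIN_IN_TEXT.search(text.lower())    # domain the reader sees vs. where it goes
        if shown and shown.group(0) != host and not host.endswith("." + shown.group(0)):
            flags.append("link-mismatch:%s->%s" % (shown.group(0), host))
    if parser.hidden_text:
        flags.append("hidden-text:%d" % sum(len(t) for t in parser.hidden_text))
    for host in sorted(hosts):                          # domains registered days before sending
        created = registered_on(host, whois_created)
        if created is not None and (sent_on - created).days <= max_age_days:
            flags.append("new-domain:%s:%dd" % (host, (sent_on - created).days))
    return list(dict.fromkeys(flags))                   # drop duplicates, keep order


# Constructed samples mirroring the yoga and gift-card e-mails; local parts and subdomains are made up.
YOGA_SENDER = "Yoga_Tips@ah3eiz.yogburnfat.click"
YOGA_EMAIL = """<html><body>
<p>Maintain your life's balance with yoga.</p>
<p><a href="http://yogburnfat.click/poses">5 yoga poses that will slim you down</a></p>
<div style="color:#ffffff; font-size:1px">lorem quartz jumble velvet tango</div>
<p><a href="http://yogburnfat.click/unsub">If you might rather NOT receive this particular Message going forward click here</a></p>
</body></html>"""
GIFT_SENDER = "Amazon-Rewards@p7aei.amznc.top"
GIFT_EMAIL = '<p>Go shopping with a $50 gift card: <a href="http://amznc.top/qualify">amazon.com/gift-card</a></p>'
# Creation dates as the newsletter reports them; the send dates used below are assumed.
WHOIS = {"yogburnfat.click": date(2016, 10, 2), "amznc.top": date(2016, 10, 7)}

if __name__ == "__main__":
    print("yoga", analyze_email(YOGA_SENDER, YOGA_EMAIL, date(2016, 10, 6), WHOIS))
    print("gift", analyze_email(GIFT_SENDER, GIFT_EMAIL, date(2016, 10, 7), WHOIS))
```

In production the WHOIS table would be filled from a live lookup (or a passive-DNS first-seen date, which is harder for a registrant to game), and the hidden-text heuristic should also consider tiny fonts and background-matching colours beyond the handful of patterns listed here; the flags are meant to drive a score or quarantine rule, not to be a verdict on their own.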

“If you love your dog you must see this!” “You can do more to improve your dog’s health”  What a great idea…. “Doggy Dental Spray” says an email from TruDog_Breath_Spray@ moid1ad.javalex.us.   The domain javalex.us was registered on October 7 by someone named Almus Darrin from Crillon, France.  All the same red flags apply here as they did above.   There is, in fact, a real business called TruDog selling dog products but this isn’t it.  The real site is TruDog.com.  And the company is certainly not located in Costa Rica.

Just delete!

How can we go a week without being offered a coupon or rewards balance points?  This week’s offer is a $50 Amazon Gift-Card (or equivalent Visa gift Card).  All you have to do is answer a few questions to see if you qualify for this promotion.  Bull manure!  That domain amznc.top was registered the same day the email was sent, October 7, by someone named “shweta” from Bhopal, India.

Delete!

TOP STORY: Another Reason Why Yahoo Sucks

Yahoo has been in the news in recent weeks after they announced that hackers had stolen millions of account holders’ personal information.  We wrote an article two years ago titled “Why Yahoo is the Worst Email Service on The Planet” specifically because Yahoo seems to do so little, and so poorly, to protect its users. (Picture us shaking our head shamefully if you still have a Yahoo email account.)  Adding insult to injury is Yahoo’s search engine, which appears to put ad revenue over your safety.  For many years we have often heard of users getting clickjacked (What is clickjacking?) while using it, or redirected to scam sites, or browser-jacked, or hit with malware installers.  Here is a very recent example of why Yahoo still sucks.

Hurricane Matthew has been clawing its way across Haiti and up the Eastern coast of the U.S. in the last few days.  To track the storm we hopped onto Yahoo’s search engine and typed in the acronym “NOAA,” for the well-known U.S. Government website of the National Oceanic and Atmospheric Administration.  Yahoo dutifully informed us about NOAA in a convenient little side box on the right, but look carefully at the first two links Yahoo offered us for NOAA…

Notice anything unusual?  The first link Yahoo offers, which is actually an ad, tells us that NOAA is a website at weatherservice.co, while the next link below is for the real NOAA at noaa.gov.   With every fiber in our being telling us not to click, we clicked that first link, taking us to weatherservice.co.

Hmmmm…. This isn’t so bad, right?  Looks legit enough so we clicked “Get Weather Forecast” since it had already identified our location.  Immediately we are presented with a weather map of the entire United States followed by a popup saying they found our weather! (How nice of them.) And “Please install the new free WeatherBlink for Firefox to view local weather conditions and radar maps.”  Gee, we’ve never had to install anything before to look at weather maps.  Why now?

Anytime you are asked to install software in order to visit or use a website you should be suspicious and look with a more critical eye.  And if you are not sure whether this is risky, don’t install!  We visited Google and asked “what is weatherblink?”  The response didn’t surprise us…

[Image: Google search results for “what is weatherblink”]

Even Google had no qualms stating that WeatherBlink is categorized as a browser hijacker or virus.   If we type “weatherblink” into a Google search field, the fourth choice to pop up automatically is spyware.  Hitting return brings up more than two thousand links, with the first few Google pages of links confirming the fact that WeatherBlink is malware and advising us how to get rid of it.  Who knew?  Certainly not Yahoo.  It doesn’t take a rocket scientist to see that even though the website weatherservice.co describes itself as NOAA, it is not NOAA.  But Yahoo took their advertising dollars and didn’t appear to care about their users or check on the credibility of weatherservice.co.

[Image: search results showing WeatherBlink flagged as spyware]

By contrast we searched Google for NOAA, looked five pages deep, and never found a link to weatherservice.co.  To be fair, Google has similarly suffered indignities by criminals who have manipulated their search engine to direct people to scam sites, clickjacks and malware.  (This is called Search Engine Poisoning.) However, it was years ago that these events happened in any significant way.  Google makes the security of its users a much higher priority than Yahoo ever did and with a lot more success.  And so, we never use Yahoo for anything…. Except conducting research for our readers. Our advice? Stay away from anything Yahoo, you’ll be safer in the long run.

FOR YOUR SAFETY:  Wrong Paycheck, “This message can only be viewed…” and Visit the Client on Time!

“Hey Felix. They send us the wrong paychecks…“  Are you curious enough to open that file? Don’t.

Now for something completely different but equally dangerous. The email from “paul,” using an address in the United Kingdom, says “This message can only be viewed in a browser. To view this message please click here.”  That is the same as saying click to go to this website. The link points to a file on the domain maximumcourage.com. (This is a legitimate, but hacked, website about the human gut.)

[Image: email, “This message can only be viewed in a browser”]

Of course we asked the Zulu URL Risk Analyzer to check out the website and file we were advised to visit.  Much to our surprise, Zulu told us it was completely harmless. (0 of 100 points possible.)  But then we noticed that we would automatically be redirected to many sites, including Savethechildren.org (as a distraction) and an odd site named bighotvip.com.

So we asked Zulu to check out the redirect link for bighotvip.com.  It took just seconds before Zulu screamed at us… 100% malicious!  That email may not have contained a zip file full of malware but the result is the same.  Infected computer. Ouch.
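The lesson of that Zulu result is that a link has to be judged by where it ends up, not by the first hop. The Python below walks an HTTP redirect chain one hop at a time, records every host, and checks each one against a reputation list; it is an added example written for this page, not code from the newsletter or from Zulu. The redirect responses, hostnames (RFC 2606 example domains) and blocklist are constructed stand-ins for the chain described above, and `live_fetch` is the only part that touches the network.

```python
"""Follow an HTTP redirect chain hop by hop (added example, not from the newsletter).

A URL that scans clean can still hand the browser to a hostile host a few
redirects later, so every hop is recorded and checked, not just the first.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """HEAD one URL without auto-redirect; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:               # 3xx arrives here once redirects are disabled
        return err.code, err.headers.get("Location")


def redirect_chain(start_url, fetch=live_fetch, max_hops=10):
    """Return (URLs visited in order, why the walk stopped: 'final', 'loop' or 'max-hops')."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        url = urljoin(url, location)       # Location may be relative to the current URL
        chain.append(url)
        if chain.count(url) > 1:
            return chain, "loop"
    return chain, "max-hops"


def hosts_in_chain(chain):
    """Unique hostnames in visiting order: the list to run through a reputation check."""
    seen = []
    for url in chain:
        host = urlparse(url).hostname or ""
        if host not in seen:
            seen.append(host)
    return seen


def verdict(chain, reason, blocklist):
    """'malicious' if any hop is blocklisted, 'suspicious' for loops or runaway chains, else 'clean'."""
    bad = [h for h in hosts_in_chain(chain) if h in blocklist]
    if bad:
        return "malicious", bad
    if reason != "final":
        return "suspicious", []
    return "clean", []


# Constructed offline stand-in for live_fetch: a hacked site bounces through a
# charity page to a hostile landing host, like the chain described in the text.
FAKE_RESPONSES = {
    "http://hacked-blog.example.com/view.php?id=7": (302, "https://charity.example.org/"),
    "https://charity.example.org/": (302, "/go?to=http://landing.example.net/"),
    "https://charity.example.org/go?to=http://landing.example.net/": (302, "http://landing.example.net/"),
    "http://landing.example.net/": (200, None),
}
BLOCKLIST = {"landing.example.net"}        # assumption: a reputation feed already lists the final host


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    chain, reason = redirect_chain("http://hacked-blog.example.com/view.php?id=7", fetch=fake_fetch)
    for hop in chain:
        print("->", hop)
    print(verdict(chain, reason, BLOCKLIST))
```

This only sees HTTP-level redirects. Meta-refresh tags and JavaScript redirects, which page-rendering analyzers such as Zulu can catch, are invisible to a HEAD request, and some hosts answer HEAD differently from GET, so a full check renders the final page in a sandboxed browser and repeats the walk from there.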

ON THE LIGHTER SIDE: Some New Computer Viruses

If you haven’t heard about these types of computer viruses, it’s time.  Don’t blame the messengers…

Congressional virus: The computer locks up, screen splits erratically with a message appearing on each half blaming the other side for the problem.

Congressional virus #2: Runs every program on the hard drive simultaneously, but doesn’t allow the user to accomplish anything.

Donald Trump virus: No matter what file you open, crap pours out.

Until next week, surf safely.