Please support our effort by making a small donation. Thank you!

x

October 26, 2016

THE WEEK IN REVIEW

We warned readers recently to expect holiday scams to begin targeting them and with Halloween coming up in a few days we weren’t disappointed.  During the past week we saw many scams like this one from treatsforhalloween @halowengifft.online with the subject line “Fun Halloween Gifts for All Ages.”

Just delete!

1-fun-halloween-gifts

We have also written in the past about scammers who try to raise the credibility of the donkey-poo they send us by making it look like it represents credible news organizations or other well-known institutions.  Check out these two emails made to look like a news story and report from CNN.  Both are malicious. “CNN: The End of Memory Loss” and “CNN Enonomic Report” (We noticed small black and red boxes at the bottom of the emails.  When we dragged our cursor through them we discovered hidden text meant to fool antispam servers. **what a surprise**)

 

 

 

Finally….. **sigh**  Another online dating scam email (please make them stop) pretending to be from Match.com.  “Someone from Match.com is looking for you.”


Sample Scam Subject Lines:

Claim Your Amazon Reward Points Today 23234596

Collect your Costco Cash Card (inside)

Compliments

Controversial Video Exposes “Dead Water”

Ensure your home never runs out of energy

Forbes: Stop Paying for Expensive Auto Repairs

Online Quiz: See How Much You Can Receive With A Reverse Mortgage

O’Reilly Asks Trump The Secret to his $4B Fortune.

Tinnitus Cure: Get Tinnitus Relief Today

Uber driver positions need to be filled ASAP

We’re in TROUBLE

You have a new Match.com request

Your Costco membership points

Sample Scam Email Addresses

caribbeancruiseadventures@cruisesearch.top

CNN@su7ione.vcowned.top

couponsfordogfood@dogfod.top

credit.report.center-[YOUR EMAIL]@forcecwhen.bid

Fox-Business@usn8ae.mirecap.top

healthylife@geteasweight.bid

Hearing_Problem_Solution@aki7eef.backearlossalthough.top

Important.News@uszaof2.dumpwzb.top

NaturalDogFood@zesia1o.beadtie.top

seniorhealthresearcherlaissezfaire@dearwatereality.eu

Tinnitus.Cure.Uncovered@0lpeads.zargere.top

Used-Car-Ads@fe9aune.quronne.top

Warren_Buffett_On_CNN@edu5oio.tracudo.top

 

Phish NETS: Deceit Is The Practice Of Concealing The Truth

We actually found no phishing attacks this past week.  Hallelujah! But we did see an interesting email that speaks volumes about the ease with which people can deceive others on the Internet.  It begins with a simple “Hope you are well.”  The email claims to be from lisa@bestgoogleranking.org and seems to be a personal note about the recipient’s website ranking.  “Lisa” claims to have spent time studying his or her website and even makes a heartfelt personal plea in her P.S. message.


Lisa states that she is with a “reputable SEO and Web Development Company.”  OK, you have our attention! We’re impressed with that claim, and the fact that you have the domain BestGoogleRanking.org.  So let’s dig deeper…

  1. We looked behind the email into the header information to discover that this email was sent from an Internet address identified by it’s IP (Internet Protocol) as 103.196.221.9. We wondered where in the world this address was located and conducted a “reverse IP lookup” for it.  We also asked the Zulu URL Risk Analyzer to take a look the IP address.  Both tools told us that they could not find any such address on the Internet!  That seemed strange for a “reputable SEO and Web Development Company.”

  1. Next we conducted a WHOIS lookup of the domain to see who registered it and when. The WHOIS at Domaintools.com tells us that bestgoogleranking.org was registered on January 5, 2016 by Rohit Kumar of Delhi, India.  Also, the WHOIS tool informed us that it cannot find any website at that domain.
  2. Finally, we asked Google itself about this company since it is, afterall, a “reputable SEO and Web Development Company.” Do you know what it found? Nothing. That is to say, Google found no business or website or reviews of bestgoogleranking.org.  Google did find 2 nearly identical emails posted on email-fake.com including this one that looked nearly identical to the email above.

If this were truly from a reputable SEO and Web Development Company, wouldn’t you think they would have a website you can find to explore their services, or call them, or look at a list of their clients?  Is there anything about Lisa’s email that leads you to believe it is truthful?  We can’t find anything.

Your Money: New Fashion Polo, Printable Grocery Coupons, and Costco Reward Points

New Fashion Polo for you!  Polo Ralph Lauren… Hot savings up to 71% off!  Sounds great if the email from heidi@honorsmedical.com were true.  Mousing-over the link in the email reveals that it points to a website identified as qqlet.cn.  In last week’s Top Story we wrote about the importance of recognizing 2-letter country codes in website domains or email addresses.  .cn is the 2-letter country code for China.  Step away from the polo shirt and live another day!

7-new-fashion-polo-for-you

“Printable Grocery Coupons. View Our Wide Range of Grocery Coupons” says an email from Grocery.Coupons @oaliue4.globekc.top  “Choose from the latest discount coupons…”  This email is malicious through and through.  We have seen the misuse of the global top level domain “.top” thousands of times!  We believe we can say with 99.9% certainty….  If you ever see an email address that ends in .top or containing a link to a website that is something.top, JUMP FOR THE DELETE KEY!

“Notice: Costco reward points expiring.“ Yes, this email sent from the domain historycarefuly.gdn is so clearly a scam but we simply had to include it because we loved how personally it was written.  You must  read it.  You practically get a life story about why this woman “Lindsay” loves Costco so much!  It’s a great work of fiction.  The links in the email point back to historycarefuly.gdn, not Costco.com.  A search of this domain in Google pull up a bunch of strange links, including the website itself, in German, and a scam email that, oddly enough, is about someone searching for you on Match.com.

Just delete!

TOP STORY: Good Spammer or Bad Spammer is Still Spammer.

Here are two recent spam campaigns targeting an email server.  Look carefully at the subject lines and from email addresses.  The first list of emails about “benefits” shows 31 emails coming from at least 10 similar domains and representing at least twelve email addresses.  All of these emails are essentially the same.  The second list of 30 emails are identical and came from at least 24 different email addresses and domains.  One of these two lists of emails is completely malicious while the other set of emails, so far as we can tell, comes from a real, legitimate marketing company using very questionable and spammy tactics.  Can you tell which is which?

 11-ts-email-list-looking-for-employees

Think you’ve got it figured out?  Here’s a sample email from each group.  From the “benefits” list of emails is this email stating “School Employees: A comprehensive list of education discounts available to you can be found here. As a school employee, you can get discounts on hundreds of products and services…”

From the second set of emails is this sample email stating “We are looking for employees working remotely.”

 

Think you now know?  Email list 2 with subject lines like Re: CV, Salary, Local representation and Welcoming speech are all 100% malicious!  We’ve seen hundreds of these for many weeks now and the content of each email we’ve opened is nearly identical every time.  What varies is the name following “My name is…” and the line that follows after.  The salary varies a little, and the link destination varies.  As far as we can tell, the links for “Our Site” almost always point to legitimate, but hacked web server accounts.  For example, GerberAccounting.com seems to have once been used legitimately but has since been hacked and now hosts malicious files.  (Even Google identifies the site as hacked.  According to this 2013 article in Forbes Magazine about 30,000 websites are hacked every day!)

But what about the “benefits” emails to school employees?  We asked Google to search for these many similar domains and here is what Google informs us about myediscount.net and myediscounts…

14-ts-myediscounts-google-listing

“A description for this result is not available because of this site’s robots.txt”  Do you know what that means?  (Details can be found here on Google’s website.) It means that the owner of these domains has specifically asked Google not to visit the domains to gather information and post it for visitors to see before they arrive at the website.  Does this inspire trust and confidence in these websites?

We asked the Zulu URL Risk Analyzer to check on two of the links in some of these “benefits” emails and Zulu informs us that these don’t appear to be malicious…

15-ts-myediscount-zulu-score  16-ts-myediscounts-smtp-redirct-zulu-score

Though spammy, we couldn’t find any evidence to suggest that these emails were malicious.  We took a leap of faith, clicked the link to one of these domains and found ourselves facing a somewhat strange request to provide our personal information in order to receive educator discounts.

17-ts-myediscount-net-website

Looking carefully at the text on this website, we find yet another domain name that seems to be part of this potpourri of domains: myeducationdiscount.com.  This time a lookup in Google shows us a lot of information as one would expect of a legitimate domain.  Besides links and information we can explore, we find that MyEducationDiscount.com offers the subtext “My Education Discount is a comprehensive directory of all education discounts and teacher discounts available to teachers, faculty and staff.”  Looking further down the Google links we see that they also have a Facebook and LinkedIn page, though the physical address for this company appears to be a post office box in Ohio.  We were beginning to feel a bit better about this service and wanted to find reasons why we should trust it, so we turned to WHOIS to look up the domain MyEducationDiscount.com.  Unfortunately, WHOIS informs us that the domain was registered using a proxy service in 2006, thereby hiding the identity of the person behind the company.  What colors the reputation of this education discount domain even more is that it appears to be registered using a company called Crosscert Inc. (but “doing business as” DBA: Cosmotown, Inc.)  Searching for information about Crosscert and Cosmotown reveals some odd connection to Korea. (2-letter country code = .kr)

In other words, while MyEducationDiscount.com appears to be a legitimate marketing firm offering discounted products to school employees, everything about this company seems obfuscated.  Their email and web practices appear to be no different than the criminal spammers we routinely investigate.  Do you think there is any difference between a “good” spammer and “bad” spammer afterall?  Based on their tactics and the information we’ve learned about them, do you feel inspired to trust them with your personal information and anything they might do with it?  Our advice to them is simple… If you’re going ask people to trust you, change your business model to be more trustworthy.

FOR YOUR SAFETY:  Michael Kors text

We recently received the text below for up to 80% savings on “Michael.Kors” products from the phone number 219-237-8721.  The text contained a link to a link-shortening service called bit.do.  We have  repeatedly warned readers about the risks from clicking shortened links from unknown sources. (Read our article about these risks!)

So rather than click the bit.do link, we visited our friendly unshortening service called Unshorten.it and asked it to tell us where the link pointed to on the Internet.  Unshorten.it tells us that the link points to a web site that looks like it sells discounted Michael Kors products.  BUT the website domain is also pretty short… mk2016-us-DOT-com.

 

Why didn’t the text simply point us directly to the dot-com domain? And why couldn’t Unshorten.it find and load a screenshot of the website as it normally does? Hmmmmmm….. We smelled a rat. Time to use the Zulu URL Risk Analyzer once more to investigate that mk2016-us website…. BUSTED! VERY malicious! Ouch.

 

20-michael-kors-text-zulu-score

 

ON THE LIGHTER SIDE: Captain Kate Carr Lee was right.

We were very surprised to hear from her!  And we are skeptical to “reply her based on what is happening on the internet world.”  But she says she’s a member of the US ARMY Medical Team so we think we can trust her afterall, especially since she says she won’t ask us for money!  We’ve entered the information she requested below.

From:  zhpt13p@cplonetie.me
Time:  2016-10-22 07:10:06
Subject: Re:Message From US ARMY Medical Team

Greetings,

I know you will be surprised to read my email.  Apart from being surprise you may be skeptical to reply me because based on what is happening on the internet world, one has to be very careful  because a lot of scammers are out there to scam innocent citizens and this has made it very difficult for people to believe anything that comes through the internet. My name is Capt. Kate Carr Lee. I am a member of the US ARMY Medical Team deployed to Iraq because of the current ISIS problems. I discovered 2 trunk boxes containing American dollar.  Am looking for a trust worthy individual who will assist me to receive the funds in his country before l will come over and join the person.  To prove my sincerity, you are not sending me any money because most of these scams are all about sending money.

For reference click the link below:

en.wikipedia.org/wiki/2014_military_intervention_against_ISIS

www.cnn.com/2014/08/08/world/iraq-options

www.cnn.com/2014/08/20/world/meast/iraq-crisis/

Information below is neccesary,

  1. Full Name… P.T. Barnum
  2. Address…. Ringling Brothers Circus
  3. Occupation… Flimflammer
  4. Age………. 206
  5. Your Telephone Number. 111-222-3333

As soon as i received these information i will send more details.

Best Regards
Capt. Kate Carr Lee

Until next week, surf safely.