September 12, 2018

THE WEEK IN REVIEW

There has been a noticeable increase in malicious domains being registered under the “.us” top-level domain, the country code for the United States. We want to caution our readers that seeing a domain ending in “.us” does NOT add any legitimacy to the domain, nor does it mean that the person who registered it is a United States citizen! Two recent examples: an email from Timeshareexpert “@” option-time[.]us about selling your timeshare. Option-time[.]us was registered on September 8, the same day we received the scam email. The second came from a domain called kides-live[.]us, also registered on September 8, the same day the malicious email was sent. Also notice the many “.us” domain names registered by a suspicious character named in this week’s Top Story.

We also want to caution readers again about the surveys that appear in their email inboxes.  We drew attention to malicious emails disguised as surveys in last week’s newsletter.  We immediately received samples from our readers about similar surveys they had received.  One person received this email with the subject line “your order survey” that suggests Amazon as the source.  But you can see the email actually came FROM the domain feelpersonal[.]com.  Like so many before it, the link appears to go to Outlook.com but it contains a redirect to a strange domain called exercisecat[.]host.  We tried to follow that link through outlook to its destination.  To their credit, Microsoft’s Outlook server blocked us, saying that the link wasn’t safe.

They got that right!


A second TDS reader sent us this colorful email with a subject line stating “Congratulations ! You have been selected .” It was sent through an email address in the European Union (“.eu” is the regional code for the European Union). Once again, this clickbait claims to be about Amazon. The design and coding of all of these recent surveys lead us to believe they were created by the same criminal gang. We used a URL decoder to see more clearly that the link in this wolf in sheep’s clothing will send us to a domain called esClick[.]me. According to the Zulu URL Risk Analyzer, the link leads to an Amazon-owned website on a server in Ireland. The esClick[.]me domain was registered by someone in Dnipropetrovsk, Ukraine. (See images below.) DON’T BELIEVE that the Amazon-owned server legitimizes this email! The bottom of the email shows two addresses available for people to unsubscribe. NEVER click an unsubscribe link in a suspicious email! The first address, in Rye, New York, is for a marketing firm called Orange Star, Inc. We’ve emailed them to ask if they had anything to do with the creation or sending of this email but have had no response as of publication time. The second address is actually a mailbox at a UPS store in Wheaton, Illinois.

A BIG fat delete!
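The three checks we keep coming back to in this section (who really sent the mail, where the link really lands once you decode it, and how new the domain is) can be scripted. Below is an added example written for this page, not code from The Daily Scam: it peels URL-encoded redirect parameters off a link without visiting it, compares a brand named in the subject against the sending domain, and flags a domain registered within days of the email. The registration dates are a constructed table standing in for a WHOIS lookup; only the two September 8 dates are taken from the newsletter, and the two sample emails are constructed to resemble the ones above.

```python
"""Triage for the clickbait emails described above.

Added example, not code from The Daily Scam. Given a From header, a
subject line and the link inside the message, it (1) unwraps any
URL-encoded redirect parameter to see where the link really lands,
without touching the network, (2) checks whether a brand named in the
subject matches the sending domain, and (3) flags domains registered
within days of the email. REGISTRATION_DATES is a constructed stand-in
for a WHOIS query; only the two September 8 dates come from the page.
"""
from datetime import date
from urllib.parse import parse_qs, unquote, urlparse

# Constructed stand-in for a WHOIS creation-date query.
REGISTRATION_DATES = {
    "option-time.us": date(2018, 9, 8),
    "kides-live.us": date(2018, 9, 8),
}

# Query-string keys commonly used to carry a redirect target.
REDIRECT_PARAMS = ("url", "u", "redirect", "target", "r", "dest", "link")


def refang(text: str) -> str:
    """Turn defanged notation such as example[.]com back into a usable string."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; good enough for .com/.us/.me style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def final_destination(url: str, max_hops: int = 5) -> str:
    """Peel URL-encoded redirect parameters off a link until none remain.

    Nothing is fetched: this only decodes what is already inside the URL,
    so it shows where the link would send a victim without visiting it.
    """
    current = url
    for _ in range(max_hops):
        query = parse_qs(urlparse(current).query)
        nested = None
        for key in REDIRECT_PARAMS:
            for value in query.get(key, []):
                candidate = unquote(value)  # also handles double-encoded targets
                if candidate.startswith(("http://", "https://")):
                    nested = candidate
                    break
            if nested:
                break
        if nested is None:
            return current
        current = nested
    return current


def sender_domain(from_header: str) -> str:
    """Registrable domain of the address in a From header."""
    addr = refang(from_header)
    if "<" in addr:
        addr = addr.split("<", 1)[1].split(">", 1)[0]
    return registrable_domain(addr.rsplit("@", 1)[-1])


def triage(from_header, subject, link, received, brands=("amazon", "chase", "usaa"), max_age_days=30):
    """Return the sender, the real landing domain and a list of warning flags."""
    flags = []
    sender = sender_domain(from_header)
    link = refang(link)
    first_hop = registrable_domain(urlparse(link).hostname or "")
    landing = registrable_domain(urlparse(final_destination(link)).hostname or "")
    for brand in brands:
        if brand in subject.lower() and brand not in sender:
            flags.append(f"subject names {brand} but mail came from {sender}")
    if landing != first_hop:
        flags.append(f"link wraps a redirect to {landing}")
    for dom in sorted({sender, landing}):
        created = REGISTRATION_DATES.get(dom)
        if created is not None and (received - created).days <= max_age_days:
            age = (received - created).days
            flags.append(f"{dom} registered {age} day(s) before the email")
    return {"sender": sender, "landing": landing, "flags": flags}


def run_samples():
    """Two constructed emails modelled on the ones in this week's review."""
    samples = [
        # Timeshare pitch from a domain registered the day the mail arrived.
        ("Timeshareexpert <info@option-time[.]us>", "Sell your timeshare today",
         "https://option-time[.]us/offer", date(2018, 9, 8)),
        # "Amazon" survey whose Outlook-looking link wraps a redirect.
        ("Order Survey <survey@feelpersonal[.]com>", "Amazon: your order survey",
         "https://outlook.com/redir?url=https%3A%2F%2Fexercisecat.host%2Fsurvey",
         date(2018, 9, 10)),
    ]
    return [triage(*s) for s in samples]


if __name__ == "__main__":
    for result in run_samples():
        print(result["sender"], "->", result["landing"], result["flags"])
```

The redirect unwrapping is deliberately offline: it reads the destination out of the link text, which is the same thing the URL decoder in the story does, so no suspicious server is ever contacted. The registrable-domain helper is a simplification and will mis-split multi-part suffixes such as co.uk; a public suffix list fixes that in production.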

Phish NETS: Chase Online Banking Alert, Email Account Will Be Suspended, and USAA Bank Alert (again!)

Subject… “Message From Chase Bank Online” “We’re writing to let you know that there are recent update in our security features…” blah, blah, blah.  We spot at least four grammatical and punctuation errors in this Chase Bank phish. And of course it didn’t come from ChaseBank.com. It came from the domain fcsource[.]org.  The link for “Sign On” points to the shortening service called Ow.ly.

The shortened link at Ow.ly will redirect you to the free web hosting service called 000webhost.com, like many other phishing emails we’ve uncovered in the last few weeks. But as you’ll see below, that phishing page certainly seems like a real Chase Bank website!

Deeeleeeeete!

Here’s a subject line meant to get your attention… “E-MAIL ACCOUNT!!! [Email address redacted] WILL BE SUSPENDED”  And they chose such a lovely font for their message! “Due to system error code, your accounts will be deleted from our server”  System error code? What does that even mean? This email is meant to generate a knee-jerk emotional response to click and land on that pretty login page you can see below.  According to Virustotal.com, at least two services have identified malware on the website you’ll be sent to.  It doesn’t matter whether it’s malware or phishing or both…

Just delete!

USAA Bank customers were targeted again this past week. The email came from Germany (“.de” is the two-letter country code for Deutschland, i.e. Germany) and the link for “Complete your security update” points to a hacked website in Australia (“.au” is the two-letter country code for Australia).

Delete.

YOUR MONEY:  Use Your Available Credit Now and Free Trial Keto Has Dispatched

Imagine being informed that a credit is waiting for you and you are asked if you want to use it now.  That’s exciting! Found money! So says this email from “Brooke Parker” at a website called Powersold[.]com.  Before you think to click, let’s explore this a bit deeper.  The link in this email will forward you to a website called HighEndClient[.]com for starters.

On the day we explored this offer we were not informed of any credit but were instead greeted by a pitch for a training session to gain “high net-worth clients” monthly.  And that’s where we stopped. High End Client appears to be a marketing firm. While we cannot speak to their legitimacy, marketing services or value, we can say that their spam-like tactics are misleading and have pissed off other people.  One man posted this complaint on RipOffReport.com about this company.  Do their marketing tactics inspire you to sign up for a webinar?

We didn’t think so.

We’re skeptical anytime we see a “free trial” for anything.  The perfect example of this was a free trial offer for anti-aging face cream reported to us by a consumer last spring. It wasn’t free at all!  Delivery cost $11 and that charge was followed 2 weeks later by $180 in recurring monthly charges! (Read our article Anti-Aging Face & Skin Creams)  So imagine our delight upon getting this email with the subject line “Your FREE TRIAL KETO BOTTLE Order No #453-500562-76555688 Has Dispatched!”  We’re led to believe that the Shark Tank judges wanted to invest in this diet product. Just Click to get your free trial!

But hold on a moment! The domain you are about to visit, amazingdriver[.]net, is not what it appears to be. It was registered about three weeks before this email was sent. And you would expect them to promote themselves, but Google can’t even find that website! Perhaps some of our readers have noticed that amazingdriver is another in a LONG list of malicious domains made up of two random words. We suspect that a criminal gang has created a bot for registering domains, because we’ve been seeing hundreds of them during the last year. Do you see that unsubscribe address at the bottom of the email, in Kent, WA? According to Zillow, it’s a small single-family home.

Does any of this sound credible?

TOP STORY:  Sensational Religious News

Over the years we have often seen Internet criminals target Americans by sending malicious emails containing outlandish or salacious news stories that mimic real news at the time.  And so it did not feel coincidental when we saw this email recently with the subject line “Church Leaders PRAYED you’d never see this…” Considering how prominently recent news stories have focused on clergy sex abuse in Pennsylvania, followed by the recent announcements from Attorneys General in both New York and New Jersey, it isn’t surprising that someone would use a headline like this.  Recipients are invited to click a link to a short independent documentary that has the “Catholic Church on the ropes.”  It claims to expose the biggest scandal…

But what exactly is this? Let’s start with the domain the email came from, and that the link points back to: dietday345[.]us. This oddball domain was registered by someone named “Yogesh Singh” from Bhopal, India on August 26, just a few days before we received this email. In our August 29 newsletter, we noted that a Yogesh Singh from Bhopal registered a domain that was used in a malicious email pretending to be from the Dollar Shave Club. And according to DomainBigData.com, Mr. Singh has recently registered more than 100 oddball domain names through a registrar service called NameCheap. Nearly all of these new domains use the “.us” top-level domain. (On one day in August, the 28th, Mr. Singh registered twelve DOT-us domains!)

But wait, there’s more!  Apparently there is a redirect at the dietday345[.]us website that will forward visitors to a website called aliveafterthefall[.]com.

Aliveafterthefall[.]com was itself registered several years ago by someone identified as Brandon Kelly from an organization called “Tenacious Enterprises,” supposedly located in Colorado Springs, Colorado.  Coincidentally, the registrar service for Aliveafterthefall[.]com is also NameCheap.  This website claims to have shocking news (Doomsday prophecy?) about Donald Trump’s announcement to move the American Embassy from Tel Aviv to Jerusalem, Israel.  There is even a YouTube video titled “Alive After the Fall” that appears to be related to this website’s content as well.

We watched enough of this doomsday prophecy to see that it all seems like promotional material for a book called “Alive After the Fall” by Alexander Cain. The book no longer seems to be available on Amazon, a remarkable circumstance by itself, but there are a few reviews on Amazon giving the book a score of 1 out of 5 stars. Some people claim that links for the book actually installed adware on their devices, and two people have called it a scam. We’re not sure where this is all headed, but we do know that there is a rabbit hole beckoning you to jump into this Wonderland. Regardless of the direction this Bible-quoting website takes and your personal belief in it, we want to remind readers how disturbing it is to find a direct connection between this website and Yogesh Singh, a name we have previously associated with sending malicious clickbait emails. As always, a healthy dose of skepticism is important in our digital lives.
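What made this story possible was pivoting on the registrant: one name, one city, one registrar, and suddenly a single oddball domain turns into a hundred. The script below is an added example for this page, not The Daily Scam’s code or DomainBigData’s: given registration records with the fields a reverse-WHOIS service returns, it groups domains by registrant and flags anyone with many domains, a burst of registrations on a single day, or a heavy concentration in one TLD. Every record in it is constructed; only the registrant name, city, registrar and the dietday345[.]us creation date come from the story, and the twelve “constructed-burst-NN.us” names merely stand in for the August 28 burst.

```python
"""Registrant pivot of the kind used in the Top Story above.

Added example, not The Daily Scam's code. Records carry the fields a
reverse-WHOIS service returns (domain, registrant, city, registrar,
creation date). Registrants are flagged for volume, for a same-day
registration burst, and for TLD concentration. All records are
constructed; only the registrant name, city, registrar and the
dietday345.us creation date are taken from the story.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Registration:
    domain: str
    registrant: str
    city: str
    registrar: str
    created: date


def tld(domain: str) -> str:
    """Last label of the domain, lower-cased."""
    return domain.rsplit(".", 1)[-1].lower()


def pivot_on_registrant(records, min_domains=10, burst_per_day=5, tld_share=0.8):
    """Group records by (registrant, city) and return per-registrant stats and flags."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec.registrant, rec.city)].append(rec)

    report = {}
    for key, recs in groups.items():
        per_day = Counter(rec.created for rec in recs)
        tlds = Counter(tld(rec.domain) for rec in recs)
        busiest_day, busiest_count = per_day.most_common(1)[0]
        top_tld, top_count = tlds.most_common(1)[0]
        flags = []
        if len(recs) >= min_domains:
            flags.append(f"{len(recs)} domains registered")
            # TLD concentration only means something once there are enough domains.
            if top_count / len(recs) >= tld_share:
                flags.append(f"{top_count} of {len(recs)} domains end in .{top_tld}")
        if busiest_count >= burst_per_day:
            flags.append(f"{busiest_count} domains registered on {busiest_day.isoformat()}")
        report[key] = {
            "domains": len(recs),
            "busiest_day": busiest_day.isoformat(),
            "busiest_day_count": busiest_count,
            "top_tld": top_tld,
            "registrars": sorted({rec.registrar for rec in recs}),
            "flags": flags,
        }
    return report


def sample_records():
    """Constructed records modelled on the registrant described in the story."""
    recs = [Registration("dietday345.us", "Yogesh Singh", "Bhopal", "NameCheap", date(2018, 8, 26))]
    for i in range(12):  # constructed stand-ins for the twelve same-day registrations
        recs.append(Registration(f"constructed-burst-{i:02d}.us", "Yogesh Singh",
                                 "Bhopal", "NameCheap", date(2018, 8, 28)))
    # An ordinary registrant for contrast; should produce no flags.
    recs.append(Registration("example-bakery.com", "Jane Doe", "Springfield",
                             "ExampleRegistrar", date(2015, 3, 2)))
    return recs


if __name__ == "__main__":
    for (name, city), stats in pivot_on_registrant(sample_records()).items():
        print(f"{name} ({city}): {stats['domains']} domains; flags: {stats['flags']}")
```

Grouping on name plus city rather than name alone keeps two unrelated people who share a common name apart; in practice you would add the registrant email or phone from the WHOIS record when privacy redaction leaves it visible.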

FOR YOUR SAFETY:  Just Sharing This With Friends, Domain Service Notice

One of our readers named Michael sent us this email.  It appears to have come from someone he knows named Eric, but from a different email address.  It turns out that Eric didn’t send it. But the sender sure wants Michael to click that link and we’re sure you can guess why!

For those of you who own and administer domain names, below is a very clever piece of malicious clickbait that has been making the rounds lately.  It claims to be a final notice of your domain listing, informing you that you must act now to renew your domain before it expires at midnight.

Don’t fall for this junk!

Until next week, surf safely!