September 14, 2016

THE WEEK IN REVIEW

Old scams never die. We would love to be a fly on the wall when the criminal kingpin gathers his minions around him for his daily meeting to discuss the day’s fraudulent content designed to engineer that hurtful click on your computer. “Hey Boss.” (Probably said in Russian or some other Eastern European language by our best guess. Or perhaps it’s Mandarin. Or Hindi!) “Hey Boss, remember when we sent those emails that looked like professional women’s organizations? Let’s do it again!” “But Boss, we really nailed all those religious people with the Biblical Miracle crap, right? How about more of those?” “Yeah and we really tricked people with our credit score emails too, remember?” And the boss says…. “Send ‘em all, but you better give me something new! What the hell do I pay you for? To sit around and eat borscht?” (Read our article “It Hurts to Be Right” to understand why we believe the criminal gangs most responsible for these threats are most likely from Russia or Eastern Europe.)

And so, dear readers, we continue to see a lot of the same old tired wolves in sheep’s clothing like these malicious emails. You know what to do….


Sample Scam Subject Lines:

3X Faster Charging Than Any Other Charger!

Another Biblical Miracle Confirmed? (pg. 1117 King James Bible)

Cash when you need it – Get a line of credit

Costco points are ready to claim!

Discover the job of cooking professionally

Discover the options for Diabetes Treatment

Get Matched with the Best Insurance Rates! Life Insurance Quotes

How to buy 4 windows and get the 5th free today!

Message ID 424

No matter what, rehab can help you beat your illness

Updated points balance

Vacancy #627

WARNING: This could cause trouble (Comment: They certainly spoke the truth!)

Sample Scam Email Addresses

albertoswoodworking@woodprodct.date

alliedcoveragemedicare@covermedic.top

bestcableserviceoptions@cablgetz.date

dropbox@bopo.co.uk

homewarranty@homeeerep.date

important.news-[YOUR EMAIL]@thedark-arts.com

nbctodayshow@getbacck.eu

obamacareinformation@infoguiid.date

restoreoldbatteries@batteryreconditn.date

romanticvacations@vactinncoupp.top

studentjobs@jobalrt.date

voipphone@voippcallng.pro

willsandtrusts@trustyorthy.date


Phish NETS: Apple Support and Mailbox Quota

This Apple account phishing email qualifies as a joke that begins with “he was so stupid that…” because we can’t imagine anyone falling for it. The email came from event@adidasspecialysports.fr (in France) with the subject line “(1) new important document…”   We loved the way it was written! If only all the phishing scams we saw were this lame… “Important Notice : We wish to inform you. To complete the problem, you must confirm your email address and information.” At least they were accurate… “To complete the problem…”

A mouse-over of the link “Confirm and continue” reveals that it points to the domain puderhost.com. As best as we can tell, it is the domain of a web design firm that has been hacked and is being misused.

Delete!


And then there was this phishing email from map190@mtashland.net with the subject line “Upgrade Your Mailbox Quota!!!” (We learned from our middle school English teachers that it is incorrect punctuation to use multiple exclamation marks. But sometimes we get so excited about a scam we unravel that we can’t help ourselves either!!!) “Avoid [your email name] suspension” “Kindly Click here to verify and get more secured” We all need to be a little more “secured” don’t we? (Read the “Note” at the bottom of the phish. The scammer could use an English grammar coach in addition to help with punctuation. Perhaps we can find our middle school English teacher!)

By the way, the link “Click here” points to the legitimate, but hacked, Spanish website called “spanishgourmetrestaurants.es” (.es = España = Spain).

Now delete.


Your Money: Let’s Click Some Malicious Links!

The criminal gang boss has certainly stirred the creative juices of his criminal team! We found lots of new content intended to manipulate people into clicking the malicious links. Here are just three new topics targeting specific groups of potential victims. How effective do you think these would be? “Engagement ring options” “Meet Jewish Singles on Jdate” “Part time jobs for College students”

Some folks may be excited to see that “engagement ring options are now available.” But this email from the domain nvjohs.bid is a lie. And don’t believe that a click will send you to the fictitious website findengagementringinfo.com because it doesn’t exist either. (The domain findengagementringinfo.com was registered in June, 2016 but Google can’t find any website for that domain.) The link in this scam points back to nvjohs.bid, a domain that was registered the day the email was sent by someone using a proxy service in Panama. Thanks to the rules set up by ICANN, we’ll never be able to find out who really registered this scam domain.


The next email wants you to think it comes from the dating site for Jewish singles, Jdate.com but there’s not an ounce of truth to that. Notice the hidden white text against the white background at the bottom of the email. That alone reveals the lie. The email came from, and links point back to, the domain wecurrently.top. This domain represents a potpourri of international bull crap. It was registered on September 9 by someone named “pramod” from Allahabad, India and is being hosted on a server in Sofia, Bulgaria. And the email clearly targets Jewish singles in the U.S. while claiming to represent the site’s owner, Spark Networks in Los Angeles. There is a bit of humor hidden in this scam but it isn’t meant for us. Using the Registrar service Alpnames, the scammer registered it with the name “Pramod.” Pramod means happiness and joy in Sanskrit. Certainly not ours.


This email sent from studentjobs@jobalrt.date (as in “job alert?”) is completely malicious. Never mind that jobalrt.date was registered on September 10 by someone claiming to represent the firm AVP Digital Media of Anaheim, CA and listed their website title as “YouTube.” (Note: We have seen the name “AVP Digital Media” used many times in malicious emails and wonder about the authenticity of this media company. Though there is a company by this name and an accompanying website, its legitimacy is questionable.) What really grabbed our attention in this malicious email is its conception. What a clever idea it was to think about college students who may be interested in part-time employment to earn pocket money or begin to pay off student loans. And we thought the tag lines are well crafted… “Sitting idle won’t help you in your future” “Look for a summer job and make your resume outshine others” We believe that the majority of malicious emails and texts are produced by criminals outside the United States. However, occasionally we see scam emails like this one that make us wonder if an American who is obviously more familiar with American cultural nuances works for these criminals. Hmmmm…. Food for thought.


NOTE: Last week we wrote about a push to trick people into thinking they received coupons or rewards points. The bogus rewards points emails continued in earnest such as this one telling the recipient she has “Walgreens Balance Rewards Points” in her account.


TOP STORY: How Do I Scam Thee? Let Me Count The Ways…

Elizabeth Barrett Browning, who wrote Sonnet 43 “How do I love thee?” is probably turning in her grave as we misuse her opening lines to describe a recent scam email we found. But we simply couldn’t help ourselves. It contains so many lies! Where do we begin? Have a close look at this email with the subject line “#1 Financial Advisor : BREXIT is going to bankrupt US this YEAR” and see how many lies you can find.

How many lies did you find? Let us count the ways…

  1. The email contains the header “CNN Breaking News” as if CNN broke this news story. LIE #1. Using Google’s site command as well as quotes to locate literal text, we searched CNN.com for any verification that Suze Orman said the things quoted in this email or that CNN.com posted the text “BREXIT Destroying American Economy.” We found nothing at CNN.
  2. The email came from suzeormanoncnn@suzormangolb.date and suggests that it was sent by some website or email address officially connected to the CNN host, author, and financial advisor named Suze Orman. LIE #2. The domain suzormangolb.date was registered on September 10 by someone identified as Harshita Yardav from Pune, India. The domain was registered with the title YouTube and a screenshot shows a YouTube phony-baloney site.
  3. Suze Orman is quoted as saying “Guys, I hate to say it, but we’re in for rough waters ahead. This global crisis is going to hit everyone hard.” LIE #3. We used quotes again in Google to find the literal text of her quote on the Internet and found it in 5 locations around the globe on Sunday, September 11. The first link points to a scam website named ormanswarning.top that was registered on September 3 through a proxy service in Panama and has the website title “YouTube” again. The other links include a link to the same email above at emails-fake.com, 2 odd blog sites and a strange website in Poland. The domain ormanswarning.top is being hosted in Canada and the ZULU URL Risk Analyzer tells us that it contains a redirect to a bogus domain called cnn.com-finance.site and to a webpage identified as Suze-Orman-Shocks-Audience-Brexit-Warning. If we follow this rabbit a little further into Wonderland we see that the domain com-finance.site was registered on August 31 using the same proxy service in Panama. (Note: “cnn” of cnn.com-finance.site is actually a subdomain. Anyone with a website can create a subdomain to say anything. Subdomains are often created with believable names to support lies and cons online) The website title for com-finance.site is listed as “CNN – Breaking News, Latest News and Videos” but before our readers think that this is just another CNN site and therefore legitimate, consider this… The real CNN.com domain is registered to the very real Turner Broadcasting System in Atlanta, Georgia with a verifiable address and phone number.
  4. Email recipients are asked “If you’d prefer not to receive future emails Unsubscribe Here” and provided with the address 63 East 11400 South #224, Sandy, Utah 84070. LIE #4. This address appears to be for a mailbox at the UPS store in Sandy, Utah. The only information we can easily find associated with mailbox #224 is a set of odd emails about Donald Trump sent in 2015 from disposable email addresses using the disposable email address service in Germany called Discard.Email. These Trump emails look a lot like the malicious emails we’ve seen disguised as ridiculous claims about Donald Trump.
  5. Email recipients are also asked “If you might NOT wish to receive this particular Message going forward click here” (link is the same as the main content link) and given the address 11407 SW Amu St. Suite #AD666, Tualatin, OR 97062. LIE #5. When we search for this exact address in Google, the first link to turn up is for a message posted on the website Head-Fi.org warning people to watch out for scam emails. When we search for the address in Oregon without the Suite number, Google shows us a photo of an empty lot.
  6. The bottom of the email contains lots of white text hidden against a white background so as to appear invisible. We Googled a 3-word unique phrase from this hidden text “Creek suggests edged” and discovered that this hidden text has been used in a handful of scam, spam and oddball emails during the last couple of years. LIE #6. Though the text may not be lying, this scammer’s hidden text immediately reveals the entire email as a lie.

Does any of this inspire confidence in the authenticity of this email and the information it contains? Of course not. So, how do I scam thee? I scam thee to the depth and breadth and height my soul can reach. And so, dear reader, if you’re feeling confident in your ability to investigate and peel away the many layers of lies you find on the Internet, try your hand at either of these two emails and let us know how many lies you can find.

“Terminix Pest Control”

“Dentists Hate These Harvard Dropouts For Inventing Popular Teeth Whitening Kit!”
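Two of the tells from the top story, the brand name used as a subdomain (point 3) and the white-on-white hidden text (point 6), can be checked mechanically. The sketch below is an added example, not a tool used by this newsletter: the names `EmailAudit`, `audit` and `BRANDS` are hypothetical, the sample message is constructed, and it assumes a white background and a naive "last two labels" rule for finding the registered domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = {"cnn": "cnn.com"}  # brand label -> its real domain (assumption)
WHITE = re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b", re.I)

def registrable(host):
    # Naive: last two labels. Use the Public Suffix List for names like .co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class EmailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._open = []  # (tag, styled_white) for each open element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._open.append((tag, bool(WHITE.search(a.get("style") or ""))))
        if tag == "a" and a.get("href"):
            host = urlsplit(a["href"]).hostname or ""
            reg = registrable(host)
            for label, real in BRANDS.items():
                # Brand appears as a label, but someone else owns the domain.
                if label in host.split(".") and reg != real:
                    self.findings.append(("lookalike-host", host, reg))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore stray end tags.
        if any(t == tag for t, _ in self._open):
            while self._open.pop()[0] != tag:
                pass

    def handle_data(self, data):
        if data.strip() and any(white for _, white in self._open):
            self.findings.append(("hidden-text", data.strip()))

def audit(html):
    parser = EmailAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample (not a real capture); host and phrase are quoted above.
SAMPLE = """<html><body><h1>CNN Breaking News</h1>
<a href="http://cnn.com-finance.site/">Read the full story</a><br>
<a href="http://www.cnn.com/">CNN</a>
<p style="font-size:1px; color:#FFFFFF">Creek suggests edged</p>
</body></html>"""

print(audit(SAMPLE))
```

The genuine www.cnn.com link passes because its registered domain is cnn.com, while cnn.com-finance.site is reported with com-finance.site as the name that was actually registered.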


FOR YOUR SAFETY: Shipping Information, Credit Card, and Debt Payment Invoice Attached

If it were up to us, we would make it a requirement of every company and organization to automatically scan every incoming zip file for malware and viruses before it is delivered to an inbox. These attached zip files all contained malware.

“Our shipping service is sending the order form due to the request from your company.”


“We are sending you the credit card receipt from yesterday.”


“Dear [Email name], we have attached the debt payment invoice.”


ON THE LIGHTER SIDE: Buffett Foundation Award

Who hasn’t heard of Warren Buffett and the Buffett Foundation, right?! You’re not going to believe it but OUR EMAIL ADDRESS was chosen to receive a donation of $1.5 MILLION DOLLARS! Can you believe our luck?! We’ve contacted Mr. Buffett’s representative, Kelly Hayes, at athompson@tpsmail.org and eagerly wait to get our donation. Obviously, Mr. Buffett must be a visitor to TheDailyScam.com!


Until next week, surf safely.