If you find our resources valuable, please support us by making a small donation. Thank you!

x

September 20, 2017

THE WEEK IN REVIEW

What’s the difference between this hipster trap in the photo and the content we write about every week?

Answer…. Nothing.  Both are nasty traps using common, everyday consumer goods and services as lures.

But then there is also the bait we see weekly and shake our heads in disbelief.  Who would fall for this?  But someone must, otherwise criminals wouldn’t be sending this crap week in, week out.  Like this first email a TDS reader sent to us.  It feels like we’re watching a B-grade horror movie when the young woman descends the basement stairs holding a flashlight to look for the breaker panel hoping to turn the lights back on.  Everyone watching has their hands over their eyes, fingers spread just enough to see what will happen to her and they’re all screaming “don’t go in the basement!”  We’re screaming too… Don’t click the link to “Learn how.”

 

That link to “learn how” was shortened using bit.ly to hide where it really leads.  We unshortened it using Unshorten.it to discover that it leads to a website called retiredmillionaire-DOT-co.  (.co = 2-letter country code for Columbia).  Of course, the website has been identified as malicious.  Stay out of the basement!

 

      

The Criminals creating phony Amazon Support phone numbers are now littering the Internet with phony Apple Computer support phone numbers.  Read our latest feature article!


Sample Scam Subject Lines:

Amazon claim #823502-Fifty dollar reward.

ATTENTION REQUIRED: newly discovered formula to boost your brain activity

Cancelled: Notification of payment by ATM Visa Card @ Wednesday, 13 September 2017

Claim Your $50 CVS Shopper Reward, (Details Inside) ...

Congrats on winning a Walgreens gift card

Costco-Gift Card, $50 Value, Participation Required ..

FW:Attention:Beneficiary(Last Reminder)

Get a fifty dollar preloaded card to Amazon until 9-15.

Hey! It’s shocking

If you're ready to change your life for the better: try this

Import #33406# (order) Netherland

Incoming voice mail, 10:38PM

The Most Realistic Flight Simulator Save 50% off the regular price.

Sample Scam Email Addresses

"Gift card" <Giftcard @ herancer-DOT-stream>

"Grab your Gift" <GrabyourGift @ roorganize-DOT-stream>

Match Offer <MatchOffer @ poliuh-DOT-trade>

"Meaningful Beauty" <MeaningfulBeauty @ tuneduct-DOT-stream>

National Solar Network Offer <NationalSolarNetworkOffer @ ertdwwsd-DOT-review>

"New Cars Online" <NewCarsOnline @ accentrast-DOT-stream>

"Real Life Game" <Real Life Game @ worldpcgame-DOT-bid>

"Reward Coupon" <RewardCoupon @ tienor-DOT-stream>

"Rewards For Surveys" <RewardsForSurveys @ rescendar-DOT-stream>

SeniorPeopleMeet <SeniorPeopleMeet @ ertdse-DOT-trade>

Solar Special Promotion <SolarSpecialPromotion @ mnjiolk-DOT-trade>

The Choice Home Warranty <TheChoiceHomeWarranty @ cxsadwe-DOT-trade>

Vonage Business Partner <VonageBusinessPartner @ tgfrde-DOT-trade>

Phish NETS:  Email Security Alert

Alas, one loney phish in this week’s sea of subterfuge. “FINAL-WARNING: Account Termination Request Notice!” says an email that comes from an address in the Philippines (.ph = 2-letter country code for the Philippines).  The link for “Follow here to verify and protect your email account now” points to a website in Brazil called Electronews.  Just for fun, we visited the site to learn more about this phish.  Look below!  We give these criminals an “A” for their creative use of a timer to try to raise the anxiety level of their victims to make a rushed decision.

Now delete!

YOUR MONEY:   Access Child’s Location Via Phone, Keep Your Mouth Healthy, and Search for BBQ Grill Stands

The lures used by criminals often prey on specific groups of people and their concerns or anxieties, such as parents concerned about the safety of their children.  We wonder if the bastards have actually consulted with psychologists or are naturally clever in choosing their target audiences.  Take this email for example…  “Access your child’s location via phone” says an email that is completely spoofed to appear as though it comes from the service called KidGuard.com.  But a mouse-over of the links in this email don’t point to KidGuard.com, they point to KidGuarrd-DOT-download (Notice the misspelling of “KidGuarrd.”)  This look-alike domain was registered using a proxy service in Panama just hours before this email was sent.  It’s malicious click-bait.  (By the way, before some of you parents consider buying the real app from the real KidGuard.com, you might want to read the many complaints against the company here at ScamGuard.com.

Keep your mouth healthy says this email that appears to come from Listerine.com.  “Get a year supply of Listerine with a complimentary gift card.”  Well, wash my mouth, that’s such bull-crap!  Mouse-over any of the links and look carefully to see that they point to the newly registered domain listrinne-DOT-bid.  Like the scam above, it was registered by a private proxy service in Panama just hours before this email was sent.

Deeeeleeeete!

 

Looking for end-of-summer sales?  How about a new BBQ grill stand?  More malicious click-bait from Monolith Holdings, LLC!  We reported on this phony business last week.  It has no known website and Google can’t find anything about the company besides bogus emails.  Pretty odd for company that claims to promote consumer products.

TOP STORY:  Pain By The Numbers

Humans are much better at remembering names than a random string of numbers.  For example, we ask people to visit TheDailyScam.com rather than our web server address of 77.104.145.208, where our website is hosted.  Every machine connecting to the Internet, including your smartphones and tablets has an address called an “IP” address (for Internet Protocol).  An IP address consists of a string of 4 sets of numbers separated by periods. (IP6, versus the current IP4, will be here in the not-too-distant future.) Fortunately, the engineers of the Internet went to great lengths to make it possible for people to identify devices and websites by name rather than IP address.  And every website across our diverse planet prefers to be identified by name!  So when a website is not identified by name, but instead by its IP address, pain is sure to follow.

On average, we review 1500 to 2000 emails, texts, websites and other web documents each week before creating our weekly newsletter.  That’s nearly 300,000 Internet related sources since opening our doors more than 3 years ago.  In that time, we estimate we’ve seen less than 100 Internet locations identified by IP address, instead of a name.  Like this offer for a job from the very large retail company, Kroger.  “Become a secret shopper” says the email from apply@jobs.kroger.com .   If you read both the benefits listed and “how it works” you’ll find it remarkably enticing!  Most people would want to earn $200 - $400 per assignment.  But don’t click “Sign up” just yet!  Take a look in the lower left corner of the email to see what is revealed by mousing-over the link…

The link points to the IP address of 185.29.11.209, not a named website.  Why would Kroger do this when we easily see online that they use the domain Kroger.com?  The answer, of course, is because this IP address is not Kroger, so the question suddenly becomes who is this and where is this?  We used the site IPLocation.net to look up this IP address and we’re informed that the owner has been located in Riga, Latvia.

We looked up ownership of this IP address using a WHOIS and find that it is part of a group of related IP addresses owned by the business Latvia Riga Virtual Servers and this address is actually being hosted on a server in the Netherlands.  Does any of this make sense or sound like Kroger.com?  By contrast, if we look up ownership of Kroger.com we find that it is owned by the Kroger Company of Cincinnati, Ohio since 1993.  Clearly the IP 185.29.11.209 is not Kroger, even though the email’s from address seems to be Kroger.com.  (It was spoofed.)

So what’s the game here?  What waits for you at this IP in the Netherlands, owned by a company in Latvia?  That’s an easy question to answer…

How do you feel now about providing all this personal information to these unknowns?   Honestly, we’re very tempted to fill out that form with fictitious information and a Google phone number just to play the game, but we have so little time and so much to do, like mow the lawn and feed our pets.  Bottom line… Less than 1% of the hundreds of thousands of web addresses we have seen are listed by their IP address.  EVERY SINGLE ONE OF THEM WAS FOUND TO BE MALICIOUS.  Quite simply…. IP numbers in web addresses lead to pain.  If you see ‘em, don’t click ‘em!

FOR YOUR SAFETY:  Deadly Invoices, Adobe Flash Download, and DHL Shipment

One of our honeypot servers was hammered with thousands of virus-laden emails beginning on September 12.  The emails appeared to come from a CPA firm and all referenced an invoice number.  Someone clearly likes the name “Matthew.” This is what they looked like, followed by a screenshot of just a handful…

 

We were also hit by hundreds of other emails carrying malware.  Subject lines included “Bankwest - You have a new eStatement,” “FreeFax From:1701914910,” and “Missed delivery notification for tracking 1Z6E6Y118.”  Then there were a few of these emails referencing an order and another invoice from “Customer Service.”  Notice the complete lack of information identifying the recipient, product ordered or even the company name or industry!  The link “download” is, of course, malicious.

 

Adobe Flash is notoriously insecure and under constant threat of hacking.  As such, users are constantly asked to update their version number and criminals take advantage of that too.  Like this email from info “@” cccam5-DOT-com.  “The new version of Adobe Flash Player is ready to download.”  The malware waiting for you at the other end of that link is hidden on a hacked Arabic web server and located in France.

Delete.

 

In last week’s newsletter our Top Story was about a unque malicious email disguised as DHL Tracking Service.   Here’s a different type of malicious email disguised again as a DHL notification.  The link leads to a shortening service in Columbia.


ON THE LIGHTER SIDE:  Congratulations From Facebook!

Last time we checked, Facebook used the domain Facebook.com rather than fb.org (which actually represents the American Farm Bureau Federation).  No matter, we’re thrilled once again to be the recipient of the 2017 Facebook Lottery drawing!

 

From: "DAVID MERCHANT"<info@fb.org>
Subject: CONGRATULATIONS FROM THE FACEBBOOK TEAM.
Date: 2017-09-15 02:04P

 

Facebook Corporate Office & Headquarters
1 Hacker Way, Menlo Park, California 94025
International Promotions/Prize Award.
Tele-Phone #: (650) 924-2381
Category: 1ST

Congratulations From Facebook!!!

Facebook Is One Of The Largest Social Networking Site Which Valued More Than $100 Billion Dollars And Also Expecting Its One Billion Users To Come Mainly From Mobile Devices Than Desktop Users By This Year 2016, Facebook Founder Mark Zuckerberg Has Decided To Boost Users And Companies A Window Of Opportunity By A Lottery Program An Initial Public Offer Said In A Press Release.

So We Are Pleased To Inform You Of The Result Of The New Year Draw Held On (13 September 2017) By Facebook Company In Cash Promotion To Encourage The Usage Of Facebook Users World Wide, Your Name And Email Was Among The 10 Lucky Winners Who Won Us$950,000.00 (Nine hundred and fifty thousand united states dollars) Each On The Facebook Promotion Award Attached To Ticket Number (5648200545189), Ref No (2551257122/222) And Serial Number (44723451907).

The Online Draw Was Conducted By A Random Selection Of Email You Where Picked By An Advanced Automated Random Computer Search From The Facebook In Other To Claim Your Us$$950,000.000.USDThe Lottery Program Which Is A New Innovation By Facebook, Is Aimed At Saying A Big Thank To You All Our Users For Making Facebook Your Number One Social Networking To Hook Up With Their Families And Friends All Over The World.

This Is Part Of Our Security Protocol To Avoid Double Claiming And Unwarranted Abuse Of This Program By Some Participants And Scam Artists All Participants Were Selected Through A Computer Ballot System With Their Email Addresses And Names From All Over The World.

Thanks To The Fbi And The Software Company Corporation To Block Few Individuals?Web Site And Email Addresses.

Your Name And Email Was Selected In A Raffle Draw That Was Made 13 September 2017, So We Need Your Fast Response So That We Can Proceed With The Delivery Of Your Fund.

You Are Required To Contact Our Dispatch Dept Via Email (onlinefacebookprogs2017@gmail.com)Contact Name: DAVID MERCHANT) In Order For Us To Complete Your Winning Certificate And For Further Information Regarding The Disbursement Of Your Lottery Winnings. Meanwhile, A Man Sent A Letter To Our Office Yesterday, Claiming To Be Your True Representative. Here Are His Provided Information For You To Confirm To This Office If This Man Is Truly From You Or Not, So That, We Will Not Be Held Responsible For Paying Your Winning To A Wrong Person.

Bank Name: Northern Credit Union, Usa.
120 Factory Street Watertown
New York 13601
Account Number: 2949771158
Routing Number: 221380936
Account Name : Frank Mcadams

Please, Do Reconfirm To This Office, As A Matter Of Urgency If This Man Is From You. However For The Purpose Of Proper Verification Among Other Relevant Information, It Is Imperative That You Forward Your Claims To Our Claim Department With The Below Details

To Avoid Unnecessary Delays And Complications Please Remember To Quote Your Ticket, Reference And Batch Numbers In All Correspondences. Furthermore, If There Is Any Change In Email Address Please Contact Us On Time.

If You Are Not Interested Please Do Not Bother To Reply And Congratulations Once Again From Facebook!

Thanks,

LINCOLN HOWARD.
Promo Coordinator.
Facebook (C) 2017

---

Until next week, safe surfing!

 

 

s2Member®