

September 26, 2018

THE WEEK IN REVIEW

Just a few days ago we got an email from a TDS reader who had received a phone call from “tech support” claiming to represent Apple Computer and calling about the man’s iCloud account. The man was told that his iCloud account was being hacked. The “Apple Tech” told him not to open any junk mail and said he might need to provide his Apple iCloud account information to the tech to help secure the account so no one could reach his financial information. Fortunately, the man receiving the call didn’t believe a word of it! He declined all offers of help and stayed on the line just to see where this would go. Apparently the scammer pretending to be Apple Tech Support got very frustrated and at one point put the phone down to speak to someone else. Our reader said he heard him tell that person that “nothing is working, I don’t know what to tell him.” After multiple attempts to get the man to open a website in his laptop’s browser, the scammer gave up and just hung up! A small but important victory for the good guys!

We’ve been reporting for many weeks now about malicious emails that misuse Outlook servers by using links that appear to point to safelinks.protection.outlook.com, when in fact they redirect to malicious sites elsewhere. Here’s another perfect example. This email pretends to be from the real service called CreditScore360 but it is just a wolf in sheep’s clothing. The link redirects to a dynamic DNS service that will send you to who-knows-where on the Internet! (By the way, we can’t endorse the real CreditScore360. We found numerous complaints online about its excessive charge of nearly $30/month for services provided for free elsewhere.)


We recently passed the four-year mark since opening this blog. It’s been quite a journey and we’re thrilled to know that we have helped hundreds of thousands of people. From our small beginning of 16,000 page views in our first year, we expect to hit about 375,000 page views this year. During the last three months, these are the articles our readers have been most interested in. They are all scams targeting men who use dating apps or meet women online:

Plenty of Fish Has Plenty of Sharks

Sextortion Scam Via Facebook

Underage Girl Sext Scam


The next collection of popular articles mostly covers customer service or tech support scams. But one other feature article has had a recent surge of interest; it concerns anti-aging face and skin creams.

Anti-aging Face & Skin Creams

Apple Tech Support Scams

Not Apple Customer Support

Not Amazon Customer Support


Phish NETS: Unusual Activity Detected

We showed readers this generic email phish in our last newsletter, but it has continued to target people. This one appears to come from “Administrator,” but if you look at the domain that follows the “@” symbol, you’ll see that it was sent from France (“.fr” is the 2-letter country code for France). The link associated with “Verify Now” points to the shortening service tinyurl.com, like the previous similar phish.
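The two link tricks above (a Safe Links wrapper whose real destination sits in its url= parameter, and a sender domain under a country-code TLD with a shortened link) can be checked before anyone clicks. This is an added triage helper, not code from The Daily Scam; the addresses and URLs in it are constructed placeholders, and the shortener list is an assumption limited to services known to exist.

```python
# Added triage helper (not from The Daily Scam): unwraps an Outlook Safe Links
# URL to reveal its real destination and notes the sender's country-code TLD.
# Sample addresses and URLs below are constructed, not taken from real emails.
from urllib.parse import urlparse, parse_qs

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
SHORTENERS = {"tinyurl.com", "bit.ly"}  # tinyurl.com is the one seen in the phish above

def unwrap_safelinks(url):
    """Return the destination hidden in a Safe Links wrapper's url= parameter,
    or the URL unchanged if it is not a Safe Links link."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return url

def sender_cctld(address):
    """Return the two-letter country-code TLD of the sender's domain, or None."""
    domain = address.rsplit("@", 1)[-1].strip("<>").lower()
    tld = domain.rsplit(".", 1)[-1]
    return tld if len(tld) == 2 and tld.isalpha() else None

def triage_link(sender, url):
    """Summarise what a reader should know before clicking: the real host and
    a list of flags ('safelinks_wrapper', 'shortener', 'sender_cctld:xx')."""
    flags = []
    destination = unwrap_safelinks(url)
    if destination != url:
        flags.append("safelinks_wrapper")
    dest_host = (urlparse(destination).hostname or "").lower()
    if dest_host in SHORTENERS:
        flags.append("shortener")
    cc = sender_cctld(sender)
    if cc:
        flags.append("sender_cctld:" + cc)
    return {"destination": destination, "host": dest_host, "flags": flags}

if __name__ == "__main__":
    wrapped = ("https://nam01.safelinks.protection.outlook.com/?url="
               "https%3A%2F%2Fscore.dyndns-example.test%2Foffer&data=02%7C01&reserved=0")
    print(triage_link("offers@creditscore-example.test", wrapped))
    print(triage_link("administrator@example.fr", "https://tinyurl.com/abcd"))
```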

YOUR MONEY:  Coach – You’ll Thank Us For This!

Criminals routinely steal the graphics and photographs posted by legitimate businesses to create their scampaigns, such as the photos and products used in this email for Coach products with the subject line “You’ll thank us for this.” The Coach products may be legitimate but the email is not! It was sent from the oddball domain ugrdg[.]com, which was registered through Alibaba Cloud Computing in China on June 8. If you look carefully at this email, you’ll notice a very lame effort to get it past protective spam filters that might notice the word “Coach”: they’ve written “Coa-ch.” But the most important reason to lunge for the delete button is that all links lead to the domain aysky[.]top, which has been identified as 100% malicious by the Zulu URL Risk Analyzer.

TOP STORY:  Giving Away Your Personal Information?

As consumers, we are so used to being asked for our personal, private information online and in brick-and-mortar stores. Doug recently rented a car and, in addition to providing his driver’s license, address and credit card, he was asked to provide his social security number. How often do you make a purchase in a retail shop and get asked for your email address and telephone number? Most of us reflexively hand over the information without question. (But we don’t always have to!) Criminals take advantage of this expectation by creating fake online services, hoping that we will happily do the same thing for them. They then use the information to steal our identity, open credit cards and other accounts in our names, or simply sell our information. Such is our concern about this email that seems to come from “Indigo Mastercard” with the subject line “Get the Platinum Mastercard from Indigo.” HOWEVER, we at TDS don’t always understand the inner workings of the scams we uncover! And, quite frankly, we don’t understand this one. But we see too many red flags to let it pass without attention.

Look at the actual email address in this email from “Indigo Mastercard” and you’ll see that it clearly didn’t come from any address owned by Mastercard or Indigo! It came from the very strange domain sleepmodestrip[.]org. (Red flag #1) Though this domain was registered one year ago to “Sparkeye Media Group,” Google can’t find anything at all about the domain sleepmodestrip[.]org or about “Sparkeye Media Group,” not even a website for them. Taken at face value, this is not a domain you would expect to be associated with a credit card company. (Red flag #2) This is especially odd because there is clearly a website for Indigo Mastercard available at IndigoCard.com. But never mind, we’re excited to pre-qualify for our Platinum Card “for those with less than perfect credit,” and so we click…

But our virtual journey doesn’t end at Sleep Mode Strip! After arriving at the oddball subdomain cezariong.sleepmodestrip[.]org, a redirect script forwards us to another domain called bmafnet[.]com. The ownership of this domain is private and also doesn’t match the ownership of the Sleep Mode Strip OR Indigo Mastercard domains. (Red flag #3) Most importantly, BitDefender has labelled this website as hosting phishing scams! (BIG red flag #4)

And then something happened that completely confused us… bmafnet[.]com redirected us directly to IndigoMastercard[.]com, which we had believed to be a legitimate website! Look carefully at ALL the information visitors are asked to provide Indigo Mastercard: name, full address, date of birth, social security number, email address, primary and secondary phone.

And so, we are actually confused by what we’re seeing. Is this a legitimate email offer to apply for a Mastercard or not? To be completely honest, we’re not sure! However, in this age of extremely sophisticated online deception, we believe it is so important to be skeptical. We found too many red flags, especially BitDefender’s assessment of one of the domains involved, for us to feel comfortable applying for this Mastercard on the site we’ve arrived at. We can’t recommend it. Caveat emptor!
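The three-hop journey above (subdomain, then an unrelated privately owned domain, then the card site) is easy to miss because browsers and most HTTP libraries follow redirects silently. This added helper, not code from The Daily Scam, records each hop separately so an analyst can see every domain that handled the click; the chain in main() is a constructed stand-in for the real domains.

```python
# Added analysis helper (not from The Daily Scam): walks a redirect chain one
# hop at a time, without letting urllib follow redirects silently, so every
# intermediate domain is visible. The sample chain in main() is constructed.
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

class _StopRedirects(HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_location(url, timeout=10):
    """Request one URL and return its Location header, or None if it is not a redirect."""
    opener = build_opener(_StopRedirects)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout):
            return None                       # 2xx: final page reached
    except HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None

def follow_chain(start, locate=http_location, max_hops=10):
    """Return every URL visited from start until a non-redirect, a loop, or max_hops."""
    chain, seen = [start], {start}
    while len(chain) <= max_hops:
        target = locate(chain[-1])
        if not target:
            break
        target = urljoin(chain[-1], target)   # resolve relative Location headers
        if target in seen:                    # redirect loop
            break
        chain.append(target)
        seen.add(target)
    return chain

def distinct_hosts(chain):
    """Hosts in order of appearance; more than one means the click changed hands."""
    hosts = []
    for url in chain:
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

if __name__ == "__main__":
    # Constructed chain standing in for the subdomain -> private domain -> card site hops.
    fake = {"http://cezariong.example-a.test/": "http://example-b.test/go",
            "http://example-b.test/go": "https://www.example-c.test/apply"}
    hops = follow_chain("http://cezariong.example-a.test/", locate=fake.get)
    print(" -> ".join(hops))
    print(distinct_hosts(hops))
```

Passing `locate=fake.get` replays a recorded chain offline; the default `http_location` performs live HEAD requests, one per hop.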

FOR YOUR SAFETY: Revised Purchase Order

We have warned readers many times over the years to be very careful about downloading different kinds of email attachments, such as zip files, because they may contain malware. Here’s another one to add to the list. It is an “R02” file, which is a type of data file for certain Windows applications (not Apple computers). This email came from a “Kyle Brown” in South Africa (“.za” is the 2-letter country code for South Africa) but is signed by someone from “Vishal Pharma” in Gujarat, India.

Looks smelly. Just delete.


Until next week, surf safely!