
September 27, 2017

THE WEEK IN REVIEW

How gullible are people?  If someone contacts you, at random, via an email and offers you a chance to make hundreds of dollars in a single day’s work will you believe him?  We hope not.  But someone must or we wouldn’t see this junk over and over again.  Check out our invitation to get “2,500 dollar watching this video.”

The link in the email is to a shortening service (ow.ly).  We used urlex.org to unshorten it and discovered that it will send us to a website registered in Columbia called “thebitcoincode.”  Below is a screenshot of the home page where it says we’re guaranteed to earn $13,000 in exactly 24 hours!  And if you believe this then we have land we’d like to sell you in Atlantis!

On the other hand, a really good piece of behavioral engineering is this email with the subject line “Is this you in the video?”  Would you have opened it?    The rest of the email is bull-crap and a mouse-over of the link reveals that you’ll wind up at a website in Russia.  We’re not feeling the love for Russia these days so we’ll pass.

      


Sample Scam Subject Lines:

09/2017-21 // RE: INV2839 '1X 20' PAYMENT //RE: MT103

Bonus from Amazon set to expire on Aug. 24th.

DHL shipment-Document:746538695

[FREE SHIRT] Got Me Kicked Out of a "Gun Free Zone"

Fw: more useful info

FW: Your Invoice I117248067 from Advanced Maintenance

Get A $50 CVS Gift Card, Participation Required.

Missed voicemessage, 10:52PM

RE:PO KR200917

SCAN_3415 (or IMG_4158, or JPG_5913, or PIC_8423)

Your Discover Reward Is Inside.

Your Invoice # 259026

Your preloaded Discover gift card is included.

Sample Scam Email Addresses

AIGDirect <AIGDirect @ beroiped-DOT-trade>

Amazon Prime Rewards <amazon.prime.rewards @ pcssforum-DOT-com>

Black People Meet <BlackPeopleMeet @ fdfdesw-DOT-trade>

Ex-Cruise Ship Officer <Ex-CruiseShipOfficer @ pinnjar-DOT-trade>

Home Warranty Special <HomeWarrantySpecial @ spacewar-DOT-trade>

Internationalbrides <Internationalbrides @ swedfd-DOT-trade>

Match <Match @ inderfde-DOT-trade>

MedigapQuote <MedigapQuote @ utresj-DOT-review>

"New Customer Bonus" <NewCustomerBonus @ guthrill-DOT-stream>

Senior People Meet <SeniorPeopleMeet @ oprteh-DOT-trade>

VABenefit Survey <VABenefitSurvey @ vabanidf-DOT-trade>

Vivint.SmartHome <Vivint.SmartHome @ nhcvde-DOT-trade>

Waist Band Holster <WaistBandHolster @ vcxdser-DOT-trade>

Phish NETS:  Chase Bank, DropBox, and Your Apple ID

“Dear Valued Chase Customer, This is a security alert to help you protect your account as we consider it necessary for the purpose of maintaining basic safety tips to help customers secure their account.”  If you read carefully all of this email, you’ll get a sense that English is not the writer’s first language.  There are subtle grammar errors and awkwardness to some of the sentences.  Mousing-over the link “chase.com/authtifictn/cm” shows that the link does not point to chase.com but points to a website called my78692-DOT-com. This domain was registered on September 4 by the alias “Sam Adams” from Kharkivs'ka oblast, Ukraine (near Russia).

Delete, comrade!

This next little gem stood out because of an email address that begins with DR()P-B()X.  Gee, ya think this could be legit?  “You Have Received Seven pdf files attached by dropbox.”  Can you figure out what country the link points to?  We had to look it up….  “.ml” is the 2-letter country code for Mali!

And last, but not least, is this phish for your Apple ID.   “Your Apple ID has been locked.”  If you look carefully you’ll see that the email didn’t come from Apple.com, it came from secure @ appleid.ssl.com.  That’s a big difference!   Also, the link for “Click here to validate your account information” points to a site that seems official, myappleid-secure-DOT-com, but it is not apple.com.  That website was registered on September 21 to a “James Wilson” from London and the website is being hosted in Panama.  Sound like Apple to you?

YOUR MONEY:   Michael Kors, Ray Ban and Oakley Sales!

If you care for fashion at all, you know about the brands Michael Kors, Ray Ban and Oakley.  These are expensive products and also heavily targeted by cheap knock-offs from China and elsewhere.  So when you see these next three ads you might think “oh, just knock off products.  Maybe I’ll get one anyway.”  Don’t!  These are much more than knock-offs!  These offers are click bait to sites that are more likely to cause a computer infection.

The first email, seemingly for Michael Kors products, has links that point to a website identified as 038235-DOT-com.  However, if you look carefully at the link, you’ll see that you will be redirected to a web site called mkoroic-DOT-com.  Both the Zulu URL Risk Analyzer and Sophos anti-virus have identified this site as malicious.

How about this 90% sale on Ray Ban sunglasses, says an email from youmustbuy-DOT-top.  Links in this click bait point back to a domain called zdwff-DOT-loan. Who sells $200 sunglasses for $15.99 anyway?  The Zulu URL Risk Analyzer finds this malicious as well.

 

Finally in this fashion group is this email from johnnie @ yvette.eaiia-DOT-com with the subject “1000s of items ON SALE!”  Links in the email point back to the oddball domain llil.trade.  Both domains (sender and link) are registered to different people in China.  The sites we use to evaluate these websites did not score these as malicious BUT we don’t trust them at all.

TOP STORY:  Fooled on Facebook!

Anyone paying attention to the news and following stories about Russian hackers influencing the last U.S. election may have heard about their manipulation of Facebook.  Facebook recently announced that it had identified more than 3000 political ads that were fake and came from sources in Russia.  Anyone using this social media platform should understand that Facebook is often misused to display fake or malicious advertising, Internet hoaxes, and bogus posts.  There have been thousands of fake accounts for both people and companies, as well as ads for crap companies who are trying to appear legitimate.  Over the years we’ve seen all of these examples on Facebook.  Here are some recent ones…

One of our readers sent us this Facebook ad in early September to ask if it were legitimate.  It depends on how you define legitimate, we said.  Is this a real watch that tells time that you can buy and receive?  Yes, as best as we can tell from Internet posts.  However, caveat emptor! Let the buyer beware.  There are lots of online complaints about this company’s advertised products…  “We’re offering watches for free to create word of mouth buzz for Mocelli…”  Just Pay Shipping.  But what if the shipping costs more than the value of the cheap watch?  That’s what some people claim on Reddit.com. And Reddit users are not the only ones complaining.  Onlinethreatalerts.com posted a similar article.

There are also Facebook ads and posts that are completely fabricated click-bait.  Sadly, they are often so far from the truth that people click because they cannot believe such a thing is true and they have to see it for themselves. Some of these posts and ads have been malicious so clicking on them is never a good idea.  It would be better to visit legitimate news sites and look for news to back up the claim being made on Facebook, though you’ll rarely find it.  Take this ad about Sylvester Stallone…

“Goodbye to Stallone!”   “A Legend is Leaving Us After…”  The ad appears to be a post from espn.com but it was phony-baloney and those who clicked were directed to a website called Hollywoodsocialtrends, pushing products for “gym supplements.”  This scam was written about in an article from HollywoodinToto titled Facebook Must Lose Its Phony Sponsored Posts. Some FB users have also complained to FB about these ads in the Facebook community forum.  This article on Hoax-Slayer.net tells the sad tale that many of the celebrity death fake news posts seen on Facebook have led to malware infections on people’s computers.

Other posts, though harmless, are misleading and annoying.  There have been hundreds of hoaxes perpetrated by those who get pleasure by seeing how many thousands of people will spread the lies they fabricate.  Just a few days ago one of our friends called us to ask if a post she received from a relative was legitimate.  “Please tell all the contacts in your messenger list not to accept anything from Fabrizio Brambilla.  He has a photo with a dog…”  The text goes on to describe how your account will be hacked if you accept anything from him…

Of course we Googled “Fabrizio Brambilla” and immediately found many articles listed on hoax sites exposing this as an urban legend, such as this article on Snopes.com titled Social Media Hacker Warning

Ironically, during our research for this article on September 24, we also found this fake ad about Melania Trump posted on Snopes.com, the beloved anti-hoax site itself!  So this problem is not just a problem for Facebook!

Google shows precious little information about theorganicandyou-DOT-com, the website you’ll be directed to if you click the Snopes ad about Melania Trump.  And a WHOIS lookup for the domain theorganicandyou-DOT-com reveals that this website was registered through a private proxy service in Panama on July 3, 2017.  Google finds no such quote from Melania Trump either.  Does any of this seem legitimate to you?

As always, our bottom line is this…  Not only is deception far too easy on the Internet, but time and time again there is proof that the Internet and social media are being manipulated for someone else’s agenda or gain.  Keep a healthy dose of skepticism about what you read online or via your smartphone!  Instead of believing everything, get in the habit of verifying it or believing only what you read on highly trusted websites!  Here are a few related links to this story…

https://www.nytimes.com/2017/09/06/technology/facebook-russian-political-ads.html

https://www.forbes.com/sites/mattdrange/2017/03/02/a-basic-design-feature-makes-it-easy-to-create-fake-advertisements-on-facebook/

https://www.theverge.com/2017/8/28/16215780/facebook-false-viral-hoaxes-trump-malicious-suspicious

FOR YOUR SAFETY:  Remittance from HSBC Bank, Due Payment, and Lots of Viruses

This remittance form presumably comes from a business in Illinois but was sent through a hacked Comcast email account.  The attached HSBC Bank form in zip format contains malware.

Ouch!

“Greetings to you Sir.  Please be informed that we wont be held responsible for any loss of funds.”  Whatever.  The attached file is a hand grenade of malware.

Finally, we wanted to show you how our honeypot email server was, once again, hammered by emails carrying viruses.

 


ON THE LIGHTER SIDE:   God Bless America

Anyone in the U.S. Army, stationed in Afghanistan and reaching out to us has automatically got our attention!  God bless America indeed!  We wondered, though, why Captain Castro sent his email from an email address in Brazil named “janice.”   (“.br” = 2-letter country code for Brazil)

 

From: "Capt.Ivan Castro" <janice@nazanettelecom.com.br>
Recipients <janice@nazanettelecom.com.br>
Subject: Greetings,,,
Date: 2017-09-22 06:55AM

Greetings

I am sorry to encroach into your privacy in this manner. I found your contact particulars in an address journal and I find it pleasurable to offer you my partnership in business. I only pray at this time that your address is still valid. I want to solicit your attention to receive money and gold on my behalf.

I am Capt.Ivan Castro, an officer in the US Army,and also a West Point Graduate presently serving in the Military with the 82nd Air Borne Division Peace keeping force currently deployed in Afghanistan.

We were moved to Afghanistan from Iraq as the last batch just left, and i really need your help in assisting me with the safe keeping of money and gold and to conceal this kind of money became a problem for me, so with the help of a German contact working here, and his office enjoys some immunity, I was able to get the package out to a safe cation entirely out of trouble spot.

You will be rewarded handsomely if you could help me secure the funds until I conclude my service here. If you can be trusted, i will explain further when i get a response from you.

God Bless America.
Capt.Ivan Castro
Kabul Afghanistan
US ARMY

---

Until next week, safe surfing!

 

 
