
September 28, 2016

THE WEEK IN REVIEW

Love is in the air and it isn’t even close to Valentine’s Day!  In our September 14 newsletter we reported on scams disguised as a search for engagement rings and as the Jewish dating service Jdate.  In last week’s newsletter we reported another malicious email disguised as a pitch from CatholicSoulMates.com.  Apparently the love keeps coming!  A few days ago we spotted this fake “sexy” welcome message and account info for LatinDate, complete with a username and password.  It carried the usual spam giveaway of hidden text: red text against a nearly identical red background, padding the message with filler meant to slip past spam filters.  The filler was lifted from several Yelp reviews, starting with one for a Mexican restaurant called Three Hermano’s in Rockwood, MI (look for Philip B’s review of Aug. 5).

What we find most funny about this sweet but mischievous effort to infect computers is how the scammers graphically portray each scam.  For Jdate the scammers selected a photo of an attractive woman pointing to a poster for the 1994 movie “Serial Mom,” as if to say “Hey guys, I’m mom material and ready for marriage!”  The photo used for the Catholic Soul Mate scam was a beautiful woman on her wedding day in her wedding gown with the groom blurred in the background, as if to say “happily ever after.”  Check out the pictures the scammers selected for their bogus LatinDate.com email.  Apparently they think hot Latin women in skimpy bathing suits are the most effective way to motivate Latin men to click.


Remember our previous commentary about “shocking” words used to manipulate you into clicking malicious links?  How about this email?  It’s a “huge scandal”  “…the industry is in an UPROAR!”  “Click here before the video is taken down!”  Yeah, and we’ve got land to sell you in Atlantis.


Read our newest feature article: Scam Targets Online Tutors!

Sample Scam Subject Lines:

A big change is taking place in 2016

CNN: The root cause of memory loss is found

FoxNews: Trump Shocks Bill O’Reilly

Have Acid Reflux?

National Alert: Are you infected with this nail parasite?

Save 40% + on hundreds of swimsuits!

The Only Ipad Accessory You Will Ever Need

There’s still time for your Cancun Vacation

This season get IRS assistance

Transaction Details

View Car Insurance Quotes Results

We could not deliver your parcel, #00000635547

Your paper towel is poisoning our environment…

Sample Scam Email Addresses

African.Safari’s@deuisv9t.triedku.top

cnnnews@incresememory.eu

Fidelity_Life@auiae2o.bangwsi.top

glucocil@glucocl.download

Important.News@7ujezea.pagerop.top

nationalsurveypanelinquiry@serchfb.top

newmattressoptions@restsleep.date

nutri-system-affiliate@io8evai.brokerc.top

quibidspennyauctions@getshoping.date

Roofing-Deals@feyus8a.dpclock.top

Solar.Program.Credits@wuio1la.improvesolarquotespost.top

Stop-Eating-This@5vaioki.controlbloodsugarvalue.top

zacharay@foodforfredom.pro


Phish NETS: Netflix, USBank, Apple ID and PayPal

It’s unusual for us to see something we’ve never seen before but it happened!  We have never, ever seen a phishing scam targeting Netflix accounts.  Look closely at this email from no-reply@netflix.ssl.com with the subject line “Your Netflix Membership has been suspended [#987534].”  Can you spot the red flags?

First of all, an email from netflix.ssl.com is not the same as an email from netflix.com: the registrable domain here is ssl.com, and “netflix” is just a subdomain label stuck in front of it.  (A From address proves nothing anyway; it can be forged with no special tooling, so never trust it on its own.)  Mousing over the green “Continue” button reveals that the link points to the domain renewsub1.com, not netflix.com.  Renewsub1.com was registered on September 22 by someone identified as Scott Foster from Shoalwater, Western Australia, and the site is being hosted in Panama.  Doesn’t sound like Netflix, but look at the website waiting for you in Panama…

Just delete.

How about this phishing scam disguised as a Security Alert email to USBank members?  This scam is extremely well crafted, but the text contains at least four subtle errors of grammar, capitalization or punctuation.  Another mistake: the scammers left another business’s name in the email when they recrafted it as USBank.  Can you find it?  And of course, the link “Verify Your Account SIGN-ON” points to an Australian domain, davidjolley.com.au (.au = Australia), which has nothing to do with USBank.

A big fat delete!

(Image: the USBank “Important Info” phishing email)

Apple users were targeted again this past week with the phishing scam below.  What an interesting coincidence that it was also sent from a domain with “ssl” in the name.  (SSL, now TLS, is the protocol that encrypts traffic between a web server and a browser like Chrome or IE; the letters appearing in a hostname say nothing about who owns it or whether anything is encrypted.)  This email came from secure@apple.ssl.co.uk (a UK domain suffix, which by itself does not tell you where the message really originated) and used a subject line much like the Netflix scam above: “Your Apple ID has been suspended [#383728].”  The link “> Click here to validate your account information” points to the very strange domain c-im2.com.

(Image: the “Your Apple ID has been suspended” phishing email)

If you were to click the link to c-im2.com, look at the website that awaits.  It may look like Apple.com, but it’s just a clever phishing site.  c-im2.com was registered on September 23 through a WHOIS privacy service, and it is also being hosted in Panama, like the Netflix phishing site above.  What do you think the odds are that both of these phishing scams were created by the same criminal group?  Yeah, we thought so too.

(Image: the fake Apple login page hosted at c-im2.com)
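The two red flags above (a brand name planted as a subdomain of someone else’s domain, and a button whose real destination is an unrelated domain) can be checked mechanically. The script below is an added example written for this page, not tooling from The Daily Scam: it parses the HTML of a message, works out the registrable domain of every link and of the From address, and reports anything that does not belong to the brand. The sample HTML, the link path and the tiny public-suffix table are constructed stand-ins; only the domains themselves (netflix.ssl.com, renewsub1.com, apple.ssl.co.uk) come from the newsletter.

```python
"""Check whether the links (and the From address) in an HTML email really
belong to the brand the message claims to be from.

Added example for this page, not tooling from The Daily Scam.  The sample
message, its link path and the public-suffix table are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a deliberately tiny stand-in for the Public Suffix List.  Real
# code should load the full list (publicsuffix.org), because whether
# "apple.ssl.co.uk" belongs to "ssl.co.uk" or to "co.uk" hinges on it.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "net.au", "co.nz"}


def registrable_domain(host):
    """Return the part of a hostname that a registrant actually owns.

    netflix.ssl.com         -> ssl.com      ("netflix" is just a subdomain label)
    secure.apple.ssl.co.uk  -> ssl.co.uk
    www.netflix.com         -> netflix.com
    """
    labels = host.lower().rstrip(".").split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_message(html, sender, brand_domain):
    """Return one finding per link or sender address that does not belong to
    brand_domain.  Each finding also records whether the brand name survives
    only as a subdomain label, the trick both lures above rely on."""
    findings = []

    def check(kind, value, host):
        owner = registrable_domain(host)
        if owner == brand_domain:
            return
        brand_label = brand_domain.split(".")[0]
        lookalike = brand_label in host.lower().split(".")[:-1]
        findings.append({"kind": kind, "value": value, "owner": owner,
                         "brand_as_subdomain": lookalike})

    check("sender", sender, sender.rsplit("@", 1)[-1])
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        check("link", f"{text!r} -> {href}", host)
    return findings


# Constructed sample modelled on the Netflix lure: the From domain and
# renewsub1.com are from the newsletter, the path and wording are made up.
NETFLIX_SAMPLE = """<html><body>
<p>Your Netflix Membership has been suspended [#987534].</p>
<p>Please update your payment details to keep watching.</p>
<a href="http://renewsub1.com/account/continue" style="color:green">Continue</a>
<p>Questions? Visit the <a href="https://www.netflix.com/help">Help Center</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_message(NETFLIX_SAMPLE, "no-reply@netflix.ssl.com", "netflix.com"):
        print(finding)
```

Run against the sample it reports two findings: the sender (owner ssl.com, brand planted as a subdomain) and the “Continue” button (owner renewsub1.com); the genuine Help Center link passes. The same function fed secure@apple.ssl.co.uk with brand apple.com flags the sender for the same subdomain trick.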

It was a busy week for phishing scams!  We also found this phish disguised as a PayPal notice that “Your Paypal account Has been limited,” as well as this phony email targeting staff and student email accounts.

DEEEEELEEETE!

(Images: the “PayPal account has been limited” phish and the “update your email” phish)

Your Money: $500 Kohl’s Gift Card, National Survey Panel Poll, Compare Home Alarm Rates

“Get your $500 Kohls Gift card today” says an email from familysavings@kohles.top.  This scam is easily exposed with a WHOIS lookup, like so many scams.  WHOIS reveals that kohles.top was registered on September 22 to someone identified as Rajit Tamraker from Guwahati, India, and the site is being hosted in Switzerland.  The text of this malicious email tries to convince you that it comes from an “independent advertizer.”  Meadow muffins!

Delete!

TDS has begun seeing a number of scam emails offering to pay the recipient for participating in an online survey.  Just click the link to begin…  There is indeed a company called National Survey Panel, though a Google search shows that many people call even the real company a scam, fraudulent and untrustworthy.  But the email below didn’t come from nationalsurveypoll.com.  It entices the recipient with an offer of $150 for a survey about his or her Facebook/social media experience, but the link leads to a domain called serchfb.top (as in “search Facebook”?).  Surprise!  The site was registered by Rajit Tamraker from Guwahati, India, and is hosted in Switzerland, the same registrant and hosting as the Kohl’s scam above.  (And the site describes itself as YouTube, complete with a fake YouTube-like front page.)

Delete!

(Image: the “National Survey Panel” poll email offering a $150 gift card)
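Both of the scams above fell apart the moment someone looked at WHOIS: a domain registered six days before the email arrived is about as strong a tell as you get. The script below is an added example for this page, not a Daily Scam tool. It parses the key/value text a WHOIS server returns, pulls out the creation date and registrant details, and flags any domain younger than a threshold. The record it runs on is constructed to look like a .top registry response; the registrant name, city and registration date are the ones the newsletter reports for kohles.top, and everything else in it (registrar, name servers) is made up. whois_lookup() is the live network path and is not exercised offline.

```python
"""Pull the creation date and registrant details out of a WHOIS record and
flag domains that are only days old.

Added example for this page, not a Daily Scam tool.  WHOIS_SAMPLE is
constructed; only the registrant name, city and creation date match what the
newsletter reports for kohles.top.
"""
import re
import socket
from datetime import datetime, timezone

# "Field Name: value" lines; registry banners such as ">>> Last update ..." are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ./]*?):\s*(\S.*?)\s*$", re.MULTILINE)

# Date layouts seen across registries; ISO with a trailing Z is the common one.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

# The date of this newsletter, used as "now" so the example is reproducible.
NEWSLETTER_DATE = datetime(2016, 9, 28, tzinfo=timezone.utc)

WHOIS_SAMPLE = """\
Domain Name: KOHLES.TOP
Registrar: Example Registrar Ltd (constructed)
Updated Date: 2016-09-22T10:14:02Z
Creation Date: 2016-09-22T10:13:55Z
Registry Expiry Date: 2017-09-22T10:13:55Z
Registrant Name: Rajit Tamraker
Registrant City: Guwahati
Registrant Country: IN
Name Server: NS1.EXAMPLE-HOST.TEST
Name Server: NS2.EXAMPLE-HOST.TEST
>>> Last update of WHOIS database: 2016-09-28T00:00:00Z <<<
"""


def whois_lookup(domain, server, port=43, timeout=10):
    """Raw WHOIS over TCP/43 (RFC 3912): send the name, read until EOF.
    Assumption: the caller knows the right server for the TLD."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Map lower-cased field names to lists of values (Name Server repeats)."""
    record = {}
    for key, value in FIELD_RE.findall(text):
        record.setdefault(key.strip().lower(), []).append(value)
    return record


def parse_date(value):
    """Try each known layout; return an aware UTC datetime or None."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def assess(text, now=None, young_days=30):
    """Summarise a WHOIS record: domain age in days and whether it is suspiciously new."""
    now = now or datetime.now(timezone.utc)
    record = parse_whois(text)
    created = None
    for field in ("creation date", "created", "registered on"):
        if field in record:
            created = parse_date(record[field][0])
            break
    age_days = (now - created).days if created else None
    return {
        "domain": record.get("domain name", ["?"])[0].lower(),
        "created": created.date().isoformat() if created else None,
        "age_days": age_days,
        "young": age_days is not None and age_days <= young_days,
        "registrant": record.get("registrant name", [None])[0],
        "city": record.get("registrant city", [None])[0],
        "country": record.get("registrant country", [None])[0],
    }


if __name__ == "__main__":
    print(assess(WHOIS_SAMPLE, now=NEWSLETTER_DATE))
```

For the constructed record this reports kohles.top as five days old and flags it as young. The threshold is a judgement call: legitimate brands do not register their promotional domains the same week they mail you, but plenty of harmless hobby sites are brand new, so treat age as one signal to combine with the link and sender checks, not a verdict by itself.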

Finally in this week’s Your Money column comes an email from homealarm@securtyqute.eu inviting you to compare home alarm rates.  (Securty qute?  As in “security quote”?  How clever.  .eu = European Union.)  “Save up to 30% when you compare Home Security Quotes.”

Save yourself the pain, delete now.

(Image: the “Compare Home Alarm Rates” email)

TOP STORY: We Are All Brian Krebs

Last week the website of one of the Internet’s best investigative journalists on cybercrime was hit by an attack of a magnitude that surprised even the cybersecurity firms that fight such attacks daily.  Imagine a succession of atomic bombs going off every second against a target.  That’s what happened to Brian Krebs’s website, KrebsOnSecurity.com.  The attack was so severe and prolonged that it not only knocked his website offline; Akamai Technologies, the company that had been protecting the site and trying to fend off the attack, withdrew its protection for fear of exposing its other clients, because so much of its capacity was tied up fighting this one attack.

As Brian lost his ability to publish his research, all of us lost a remarkable voice of reason and a strong beacon of support against the world of Internet criminals.  Our readers know that we frequently wag fingers at ICANN for its lackluster effort (more accurately, no effort) to develop and enforce any rules or protocols that protect netizens from harm.  We have also repeatedly pointed out that our police, the FBI and our government lack the resources, laws and political will to battle cybercrime in any way that meaningfully helps the average citizen.  This makes people like Brian Krebs all the more valuable for their ability to investigate, and their willingness to expose, serious cybercriminals who hurt U.S. citizens daily, even though doing so puts them at risk.  This isn’t hyperbole, people.  Were North Korea to suddenly nuke Seoul, South Korea, the United States would not stand idly by.  Nor would NATO and much of the world.  They would act.  That is the digital equivalent of what happened to KrebsOnSecurity.com, and no cavalry is coming to his rescue.

(Image: the cover of Spam Nation)

Brian is the real deal as an investigative reporter.  (Check out his bio on Wikipedia.)  His most recent book, Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door, first published in 2014, is an eye-opening read on the international underworld of cybercrime.  We strongly recommend it.  (Find it on Amazon.)

According to various sources (see the links below) there is evidence to suggest that this attack was revenge for a recent exposé Brian published about an online outfit that conducts DDoS attacks for hire, the digital equivalent of a hired gun.  (More about DDoS attacks below.)  It is telling that KrebsOnSecurity.com was pummelled by one of the largest DDoS attacks ever documented just days after Brian exposed a DDoS-for-hire operation.  If you, the cybercriminal, wanted to take revenge and make the point “don’t f*** with me,” wouldn’t you use the same weapon and turn up the volume?  The most shocking takeaway from this attack on Brian’s website is how powerful cybercriminals have become and, like all cybercriminals, how little they seem to fear being caught or stopped.  As long as Brian’s megaphone is turned off, we all lose.  There are so many important cybercrimes that Brian helped expose, including…

Credit Card Skimmers

All About Fraud: How crooks get the CVV code

Tax Fraud and ID Theft

Netizens need a Superman, a cavalry riding to our collective rescue, a circling of the wagons in this Wild West of the Internet, but last week one of our best got knocked out.  A DDoS (distributed denial of service) attack works because many thousands of computers and Internet-connected devices (or more) are commandeered to send a steady stream of junk traffic at a web server.  In this case so many devices sent so much data at KrebsOnSecurity.com that the server was knocked out.  Estimates put the attack at about 620 gigabits per second (Gbps), nearly twice the size of the largest attack Akamai had previously seen and among the largest ever documented anywhere on the Internet.

(Image: diagram of a DDoS attack)

By comparison, a typical 3-minute song in MP3 format is about 3 megabytes (MB).  At 620 gigabits per second (about 77.5 gigabytes per second, since a byte is 8 bits), KrebsOnSecurity.com received roughly 14,000 gigabytes over those same three minutes, about 14 million MB, or some 4.6 million songs.  No web server can absorb that kind of stream and function normally.  Adding insult to injury, the traffic was sent from ordinary people’s hacked computers and Internet-connected devices.  The attackers wanted to send a very clear message and it appears they succeeded.  That is sad for the rest of us.  And so we say…

We Are All Brian Krebs today.

Many thanks to BleepingComputer.com and David Bissen for use of the graphic describing a DDoS attack.

Related Articles:

Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net by Dan Goodin at Ars Technica.

Akamai kicked journalist Brian Krebs’ site off its servers after he was hit by a ‘record’ cyberattack by Paul Szoldra at Business Insider.

Cybercrooks-1, Akamai-0: Akamai breaks ties with security expert

More articles from Brian Krebs from SecureWorldExpo.com

FOR YOUR SAFETY: MacOSCleaner malware, Bank Transaction Details, Delivery Notification, and Express Parcel Service

While visiting a recipe website, one of our friends clicked an ad and suddenly got the popup below.  She did not actually have a virus; this is scareware, a trick engineered to get her to download and install malware that would infect her computer.  Nasty!  These macoscleaner popups have been seen on the Internet since spring 2015.  If this happens to you, don’t click OK.  Force quit the browser, then relaunch it and clear its cache.  Finally, run a malware scan with reputable anti-malware software, such as this free product from Sophos.


This email from a .ch address (.ch is Switzerland’s country code, not Chile’s, which is .cl; and in any case a domain suffix says nothing about where a message was really sent from) claims to deliver a requested scan of bank transactions.  Of course the recipient would know that it wasn’t meant for him or her.  But would curiosity kill that cat?  Would they open the file anyway?  The attached zip file contains malware.


TDS has seen a scampaign of very malicious emails disguised as parcel/package delivery notices during the last two weeks.  All carry an attached zip file containing malware.  Here are two samples…

(Image: the “We have sent your parcel” delivery-notice email)
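The bank-scan and parcel-notice lures above share one delivery mechanism: a zip attachment wrapping a script or executable that runs when the curious recipient double-clicks it. The script below is an added example for this page, not a Daily Scam tool. It triages the attachments of a saved email without opening anything: it reports scripts and executables, looks inside zip archives (sniffed by their bytes, not by the declared content type) for the same, and calls out double extensions such as “Invoice.pdf.exe”. The message it runs on is built in memory to mimic the parcel lures; the sender, the file names and the archive contents are constructed (the tracking number is the one in the “We could not deliver your parcel” subject line listed above), and the zip holds a harmless one-line comment rather than a real downloader.

```python
"""Triage email attachments without opening them: flag executables and
scripts, look inside zip archives, and call out double extensions.

Added example for this page, not a Daily Scam tool.  The sample message is
constructed in build_sample_message().
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows or a script host will execute on double-click.
# Assumption: this list is illustrative, not exhaustive.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".jar"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
ZIP_MAGIC = b"PK\x03\x04"


def classify_name(filename):
    """Return a reason string if the file name alone is alarming, else None."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext in EXECUTABLE_EXT:
        inner = os.path.splitext(stem)[1].lower()
        if inner in DOCUMENT_EXT:
            return f"executable masquerading as a document ({inner}{ext})"
        return f"executable or script ({ext})"
    return None


def inspect_attachments(raw_message):
    """Return one finding dict per alarming attachment or archive member."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reason = classify_name(name)
        if reason:
            findings.append({"attachment": name, "member": None, "reason": reason})
        # Sniff the bytes rather than trusting Content-Type: lures mislabel zips.
        if payload.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for info in archive.infolist():
                        member_reason = classify_name(info.filename)
                        if member_reason:
                            findings.append({"attachment": name,
                                             "member": info.filename,
                                             "reason": "archive contains " + member_reason})
            except zipfile.BadZipFile:
                findings.append({"attachment": name, "member": None,
                                 "reason": "zip signature but unreadable archive"})
    return findings


def build_sample_message():
    """Constructed parcel-notice lure: a zip wrapping a .js 'details' file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Parcel_Details_00000635547.js",
                         "// a real lure would carry a JScript downloader here\n")
    msg = EmailMessage()
    msg["From"] = "Express Parcel Service <noreply@example.test>"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "We could not deliver your parcel, #00000635547"
    msg.set_content("Please find the details of your shipment attached.")
    # Declared as a generic blob on purpose; the magic-byte check still finds the zip.
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="Parcel_Details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample_message()):
        print(finding)
```

On the constructed message this produces a single finding: Parcel_Details.zip contains Parcel_Details_00000635547.js, an executable script. To run it on a real suspect message, save the email as .eml from your mail client and pass the file’s bytes to inspect_attachments(); nothing in the archive is ever extracted to disk or executed.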

ON THE LIGHTER SIDE: An Epic Story… Yours in Christ

You are in for a real treat!  Below is a remarkable and compelling drama.  It will surely be a top competitor for the 2017 “John Newbery National Hugo Pulitzer Scam Email Award.”  We wrote about the 2016 prize winner in our Top Story on July 20.  The 2016 winner was “Ms. Marilis Mannik” from Estonia.  (By the way, notice that “June Elizabeth” uses two different email addresses: a Gmail address in the From line and a Yahoo address in her signature.)

From:  juneelizabeth4422@gmail.com
Time:  2016-09-21 03:54:21
Subject: How are you?I am Mrs. June Elizabeth from Netherlands

I am Mrs. June Elizabeth from Netherlands

I was married to Dr.Ben June who worked with Chevron Texaco in Libya for twenty years before he died in the year 2011, May be you must have heard about him in the oil firm. We were married for thirty-seven years without a child. He died during the riot that lead to the Nato war in Libya.

He was held hostage and slain to death by protesting youths of the region. Before his death we were both born again Christians. Since his death I decided not to re-marry. When my late husband was alive he deposited the sum of (Seven Million U.S.Dollars) with a diplomat security company in Turkey in a Trunk box Presently, this box is still with the company and the management just wrote me as the beneficiary to come forward to receive my box or rather issue a letter of authorization to somebody to receive it on my behalf if I cannot come over.

Presently, I m with my laptop in a hospital where I have been undergoing treatment for cancer of the lungs. I have since lost my ability to talk and my doctors have told me that I have only a few months to live.

It is my last wish to see that this money is invested and the proceed at the end of every year distributed among charity organization.

I want a person that is God fearing that will use this money to fund churches, orphanages and widows propagating the word of God and to ensure that the house of God is maintained. The Bible made us to understand that blessed is the hand that giveth. I took this decision because I know that there are a lot of poor people suffering from different kind of disease and nobody to come to their aid.

With God all things are possible. As soon as I receive your reply I shall give you the contact of the security company. I will also issue you a letter of authority that will prove you as the new beneficiary of this fund. You are to help me invest these funds into real estate and stocks. You will be entitled to 10% of every profit you make in a year.

Please assure me that you will act accordingly as I stated herein.

Note. You can contact the security company’s Correspondence office in Europe for verification on the consignment as the funds was deposited in a trunk box as a consignment, and the consignment’s code is? 1156? Name of depositor Ben June, present beneficiary Elizabeth June. And please do not let the company know the content of the box for the safety of my funds because my late husband deposited it as a family treasure.

Hoping to hearing from you soon.
Waiting for your reply
Yours in Christ,

MOTHER JUNE ELIZABETH OF NETHERLAND
juneelizabeth48@yahoo.com

Until next week, surf safely.