September 7, 2016

THE WEEK IN REVIEW

Every once in a while we see an email and scratch our heads wondering what the scammer’s game is. Below is one such email. But is it a phishing scam? A malicious email meant to infect? An advance-fee scam? Or some other malicious intent? We’re not sure. What do you think? One thing we can all agree on… This is a scam sent from “mailer.box.com” with the subject “Chase trust Security Company sent you a file on Box.” The same scam email was listed on 419Scam.info.


Sample Scam Subject Lines:

Cut Your Energy Bills by up to 60%; Limited Time Offer

Do you have these symptoms? (fully animated video)

Explore New Cholesterol Management Options

Get New Hawaii Vacataions Solutions

Get your Extra Bonus Bucks before they expire

Mortgage documents

National Alert – Are you infected with this nail parasite?

See clearly this September w/ new contact lenses

Shed The Pounds With These Recipes

Shipping information

This is the Future of Teeth Whitening – 75% off

Travel expense sheet

WARNING your Amazon bonus points are about to expire

Sample Scam Email Addresses

adultbipolardisorder@disebipole.date

AirlinePasses@beira.stream

AmazonsSurveyRewards@cloddy.stream

comparenewcars@newcaar.pro

discountairfaretickets@aairlinetickt.bid

distancelearningcourses@accrediteddeg.bid

getapersonaltrainer@weihtttloss.top

HealthyLiving@esqa.stream

homecooling-deals@estimfree.bid

Multiple-Sclerosis@pment.men

sharktank@fitinday.eu

Surveynotice@cloddy.stream

WinnerSearch@doser.stream


Phish NETS: Paypal Again!

In our last newsletter we reported on a Paypal phishing scam. We continued to see the same phishing scam last week, though the details of each scam below are slightly different. However, the pitch is the same… “your account has been limited.” If you read each carefully you’ll find some awkward grammar and incorrect use of capital letters, once again indicating that English is not likely the scammers’ original language. But what makes this scam even more interesting are the websites revealed by each mouse-over. The first phish contains a link to a website called thepainpros.com while the second phish points to a website called projectstone.com. What they both share in common is that they are legitimate sites that have been hacked and are hosting phishing scams (and possibly other threats too). We’ve informed both site owners and hosting services. Phishing scams like these depend on hacked websites to host the phish.

Our long-time readers know that mouse-over skills are critically important to staying safe online. If you are not familiar with mouse-over skills or not sure about your skill level, check out these articles on our website:

Mouse-over skills

iDevice mouse-over skills

Mouse-over skills explained (video)

An important note about mouse-over risk… One of our readers informed us that the programming language called JavaScript recently created a serious security risk for Windows computer users (not Apple computers). A programmer can use JavaScript to change the link revealed by a mouse-over! This makes it possible to completely trick someone into thinking they are about to visit one website when, in fact, they are directed to another. Obviously this is a serious security risk. We understand that these security risks are patched but sometimes occur again. It is one of many reasons why we at TDS recommend Apple computers, purely from the standpoint of less risk from online threats and hacking. But to be VERY clear, Apple computers CAN get malware infections and need anti-malware software installed! Good free software to install can be found at Sophos.

[Image: Phish Paypal 2]

Your Money: More Bogus Coupons and Rewards Points

The Top Story in our August 10 newsletter was about malicious emails disguised as coupons. Lots of coupons! We’re seeing an increase once again in malicious emails disguised as coupons and rewards points such as this group of bogus restaurant coupons over a two day period…

Check out this email from WinnerSearch@coucher.stream with the subject line “CONGRATULATIONS, Claim Your Bath & Body Words Gift-Card, Act Now, Details Apply.” But before you enter your zip code to see if you qualify, look at what a WHOIS tool reveals about the domain coucher.stream. The domain was registered on September 2, the day the email was sent, by “Customer Support” and Google can’t find a single thing about coucher.stream.
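The “registered the same day the email was sent” observation above is a check that can be automated. The following Python is an added illustration written for this newsletter, not code from The Daily Scam or from any WHOIS tool: it pulls the creation date out of a WHOIS-style text record, compares it with the email’s Date header, and flags any domain younger than a threshold. The WHOIS text, the Date header and the 30-day threshold are all constructed assumptions for the example.

```python
"""Flag links whose domain was registered only days before the email arrived.

Added example for the newsletter, not its code. The WHOIS record and the
Date header below are constructed; the 30-day threshold is an assumption.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed WHOIS-style output in the common "Creation Date:" layout.
SAMPLE_WHOIS = """\
Domain Name: COUCHER.STREAM
Registrar: Example Registrar, LLC
Creation Date: 2016-09-02T14:07:11Z
Updated Date: 2016-09-02T14:07:11Z
Registrant Name: Customer Support
"""

# Constructed Date header of the email that carried the link.
SAMPLE_DATE_HEADER = "Fri, 02 Sep 2016 19:32:04 -0400"

# Registrars label the creation date differently; accept the usual variants.
CREATED_KEYS = ("creation date", "created", "registered on", "registration date")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")


def whois_created(text):
    """Return the domain creation time (UTC-aware) found in a WHOIS record, or None."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip().lower() not in CREATED_KEYS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                created = datetime.strptime(value, fmt)
            except ValueError:
                continue
            # Dates without an explicit zone are treated as UTC.
            return created if created.tzinfo else created.replace(tzinfo=timezone.utc)
    return None


def domain_age_days(whois_text, date_header):
    """Days between domain registration and the email's Date header (None if unknown)."""
    created = whois_created(whois_text)
    if created is None:
        return None
    sent = parsedate_to_datetime(date_header)
    return (sent - created).total_seconds() / 86400


def is_suspiciously_new(whois_text, date_header, max_days=30):
    """True when the domain was registered less than max_days before the email was sent."""
    age = domain_age_days(whois_text, date_header)
    return age is not None and age < max_days


if __name__ == "__main__":
    age = domain_age_days(SAMPLE_WHOIS, SAMPLE_DATE_HEADER)
    print(f"domain age at send time: {age:.2f} days")
    print("suspiciously new:", is_suspiciously_new(SAMPLE_WHOIS, SAMPLE_DATE_HEADER))
```

A domain a few hours old at the moment it starts sending “you qualify” emails is about as strong a signal as a WHOIS lookup can give; a long-established domain is not proof of safety, which is why the check is a filter rather than a verdict.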

Here is an identical email pushed out by the same criminal gang that created the Bath & Body Works scam. The scammers simply swapped out one name for another. Walmart. Both had white text against the white background at the bottom of the email to try to fool antispam servers (it doesn’t work).

[Image: Walmart Gift Card]


How about this coupon for gift baskets? Does it look legitimate to you? “Are you looking for gift basket products online?? – Gift Basket Coupons search results for you” The small print at the bottom says “sent by Tech Migrit in Indore, India” and a WHOIS lookup shows that the domain was registered by someone from Indore, India. We asked the Zulu URL Analyzer to review the link for those wonderful gift basket coupons and its evaluation was crystal clear: 100% malicious.

Check out these two emails about your CVS Rewards Points. It’s important to see that the emails don’t come from CVS.com and the links don’t point back to CVS.com. Yet the recipient is informed that her “CVS Balance Rewards Points are now updated in your account” and they are set to expire days before the email was sent. These are just social engineering tricks to manipulate the recipient into clicking a malicious link.

Deeee leeeeete!

[Image: CVS points about to expire]

[Image: Click here for CVS balance reward points]

TOP STORY: Looking for Employees… A New Perspective

Though we’re certain most of our readers would never respond to a random pitch for a job that will earn you hundreds or even thousands of dollars every week, we want you to look at these scams with fresh eyes to see what we see. Every week we see donkey muffins like this list of emails, telling the recipients that there is a job waiting for them…

They are as phony as $3 bills. Take a closer look at these three which are nearly identical and were emailed to different people on August 27. How many differences can you spot between these nearly identical emails?

[Image: Looking for employees 1]

[Image: Looking for employees 2]

[Image: Looking for employees 3]

ANSWER: The three emails from the “personnel manager of a large International company” were sent from three different email addresses, use three different names (Estela, Darcy, and Terrance) and a mouse-over of “Our Site” points to three different websites. Here are some facts about these websites based on lookups using a WHOIS tool and a simple Google search…

  1. melindaellsworth.com: Google’s description of this site will likely be offensive to some readers and begins with “Plump Latina Bitch.” A WHOIS lookup shows very little information about the registrant besides the name. (Why is this even allowed by ICANN and the Registrar?)
  2. kupikuper.su: This domain was registered in 2010 by someone in Russia and is being hosted in Moscow, Russia. A search for this domain in Google informs us that “this site may be hacked” and Google Translate tells us that the site title means “Union of Success – Samara.” By the way, the 2-letter country code “.su” indicates the Soviet Union.
  3. vip-split.com: This domain was registered in Moscow, Russia by a proxy service in 2015 and is being hosted in St. Petersburg, Russia. The website title in Russian translates to “site suspended.” Though Google can’t seem to find a website for this domain, a Google search for vip-split.com returns a suspected phishing link posted on PhishTank.com.

It is an understatement to say this information reflects poorly on the integrity of the emails sent about job opportunities. But once again this speaks loudly to our point that it is so remarkably easy to hide who you are and your intent on the Internet. Through our lens, ICANN (the Internet’s governing organization over domain names) has created an Internet environment that favors the criminals and offers no meaningful protection to users.

What about a completely different type of job offer, such as this one from alert@jobs68.com? Jobs68.com appears to be a legitimate website for searching employment opportunities, and this email seems to be from jobs68.com with links pointing back to jobs68.com. But is that the whole truth? Look carefully at this email…

[Image: Your vacancy available jobs]

Did you notice the link revealed by mousing over “please login here” in red? Although every other link we checked points to jobs68.com, the “login here” link points to obs68.com. At first we thought this was an embarrassing typo, but then we found another email also with a link pointing to obs68.com. While jobs68.com was registered in the United States, obs68.com was registered in April of 2016 by a company called Cogini Hong Kong Limited and it seems to be hosted in Roubaix, France. We asked the Zulu URL Risk Analyzer to review obs68.com, and it told us there was a “0%” chance of risk. However, Zulu also said that obs68.com contained a redirect automatically sending visitors to survey-winner.net. A search on Google for survey-winner.net shows a website called EpicMovies.org. Does any of this inspire confidence about job offers? Yeah, we didn’t think so either….
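Two of the checks in this issue can be done by a script rather than by eye: the mouse-over comparison that caught “please login here” pointing at obs68.com instead of jobs68.com, and the white-text-on-white-background trick in the Bath & Body Works and Walmart gift-card emails. The Python below is an added example written for this newsletter, not code from The Daily Scam or from any mail client; it parses an HTML email, compares each link’s real destination with the sender’s domain and with any domain shown in the link text, and reports text whose colour matches its background. The message, the `.example` domains and the colour handling are constructed for the example, and “site” means the last two labels of a hostname, a deliberate simplification.

```python
"""Automate the mouse-over check and spot colour-hidden text in an HTML email.

Added example, not the newsletter's code. SAMPLE_EMAIL and its .example
domains are constructed; site_of() treats the last two hostname labels as
the registrable domain, which is a simplification.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to come from a jobs site, but one login link and
# one link whose visible text names the jobs site both point elsewhere, and a
# footer is hidden by painting it white on white.
SAMPLE_EMAIL = """\
From: Job Alerts <alert@jobs68.example>
To: reader@example.net
Subject: Your vacancy: available jobs
Content-Type: text/html; charset=utf-8

<html><body>
<p>See the <a href="http://jobs68.example/vacancies">latest vacancies</a>.</p>
<p>To apply, <a href="http://obs68.example/login"><span style="color:red">please login here</span></a>.</p>
<p>Visit <a href="http://obs68.example/">jobs68.example</a> for more.</p>
<p style="color:#fff;background-color:#ffffff">gift card coupon rewards points win now</p>
</body></html>
"""

VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}   # never get a closing tag
DOMAIN_RE = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


def _norm_colour(value):
    """Normalise 'white' and #fff-style shorthand so equal colours compare equal."""
    v = value.strip().lower()
    if v == "white":
        return "#ffffff"
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        return "#" + "".join(c * 2 for c in v[1:])
    return v


def _same_colour(style):
    """True when an inline style paints text the same colour as its background."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = _norm_colour(val)
    fg = props.get("color")
    bg = props.get("background-color", props.get("background"))
    return fg is not None and fg == bg


class EmailHTML(HTMLParser):
    """Collects (href, visible text) for every link and any colour-hidden text."""

    def __init__(self):
        super().__init__()
        self.links, self.hidden = [], []
        self._href, self._text = None, []
        self._stack, self._hidden_depth, self._hidden_text = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        if tag in VOID_TAGS:
            return
        hidden = _same_colour(a.get("style", ""))
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None
        if tag not in VOID_TAGS and self._stack and self._stack.pop():
            self._hidden_depth -= 1
            self.hidden.append(" ".join(self._hidden_text).strip())
            self._hidden_text = []

    def handle_data(self, data):
        piece = data.strip()
        if not piece:
            return
        if self._href is not None:
            self._text.append(piece)
        if self._hidden_depth:
            self._hidden_text.append(piece)


def site_of(host):
    """Approximate registrable domain: the last two labels (jobs68.example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_email(raw):
    """Return (kind, visible text, href) findings for a raw RFC 822 HTML email."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_site = site_of(msg["From"].addresses[0].domain)
    parser = EmailHTML()
    parser.feed(msg.get_content())
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if site_of(host) != sender_site:          # link leaves the sender's site
            findings.append(("sender-mismatch", text, href))
        shown = DOMAIN_RE.search(text.lower())
        if shown and site_of(shown.group(1)) != site_of(host):   # text lies about target
            findings.append(("text-mismatch", text, href))
    for text in parser.hidden:
        if text:
            findings.append(("hidden-text", text, ""))
    return findings


if __name__ == "__main__":
    for kind, text, href in inspect_email(SAMPLE_EMAIL):
        print(f"{kind:16} {text!r} -> {href}")
```

The sender-domain comparison is the same judgement a reader makes by hovering: a message that says it is from jobs68 but whose only action link leaves that domain deserves the trash. The hidden-text check catches the white-on-white filler the coupon scams use; it is a hint, not proof, since legitimate newsletters occasionally hide preheader text the same way.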

[Image: Your vacancy available jobs, Zulu 1]

[Image: Your vacancy available jobs, Zulu 2]

Here are a few more of these deceptive pitches for your reading pleasure…

[Image: Looking for employees 4]

[Image: New vacancies in our company]

FOR YOUR SAFETY: Answer Survey For A Chance to Win $350

This week’s For Your Safety column focuses on one very slick email that is a clever wolf in sheep’s clothing. The subject line says “answer for a chance to win” and the contents of this email do a good job of leading you to believe it is an opportunity to earn $350 from NationalSurveyPanel.com. But this email wasn’t sent from NationalSurveyPanel.com, nor does it contain links pointing back there. (Note: this is not a commentary on whether or not the real National Survey Panel is legitimate.) Have a look. We expect many recipients would click the link hoping that a few minutes of their time would earn them a chance to receive $350.


We copied the link location found in the email for “Click Here Now” and asked the Zulu URL Risk Analyzer to evaluate it for malicious intent. You’ll never guess what it said… “0%” probability of malicious intent. Completely and entirely benign….

[Image: Answer for a chance to win, Zulu 1]

But we noticed that Zulu found a redirect waiting for us on the website. The redirect automatically sends all visitors to another website called sweeterfaster.com. So we asked Zulu to evaluate if there are any risks associated with sweeterfaster.com. And what did it find? 95% Malicious with malware sitting in wait for you! In a recent conversation with one of our readers over the age of 80, he informed us that he deletes all emails that come from addresses he doesn’t recognize. Not bad advice.
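The lesson of the 0% / 95% pair above is that the first URL is not the one that matters; what matters is where the chain of redirects ends. The Python below is an added example written for this newsletter, not code from The Daily Scam or from the Zulu analyzer: it walks a redirect chain one hop at a time, honouring both HTTP `Location` headers and `<meta http-equiv="refresh">` tags, refuses loops and runaway chains, and lists the hostnames crossed so the final destination can be judged separately from the first. Real requests are replaced by `fake_fetch` over a constructed in-memory set of responses, and the `.example` hostnames are placeholders.

```python
"""Walk a redirect chain hop by hop and report where it really ends.

Added example, not the newsletter's or Zulu's code. fake_fetch() and FAKE_WEB
stand in for real non-following HTTP requests; hostnames are constructed.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed in-memory "web": URL -> (status, headers, body).
FAKE_WEB = {
    "http://clickhere.example/offer": (302, {"Location": "/go?x=1"}, ""),
    "http://clickhere.example/go?x=1": (
        200, {}, '<meta http-equiv="refresh" content="0; url=http://sweeterfaster.example/win">'),
    "http://sweeterfaster.example/win": (200, {}, "<html>survey</html>"),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Stand-in for a single HTTP request that does NOT follow redirects."""
    return FAKE_WEB.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Resolve the next URL from a Location header or a meta refresh, else None."""
    if status in REDIRECT_STATUSES:
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location:
            return urljoin(url, location)        # relative Location is allowed
    match = META_REFRESH.search(body)
    if match:
        return urljoin(url, match.group(1))
    return None


def follow_chain(url, fetch, max_hops=10):
    """Return the list of URLs visited, from the first link to the final page."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        status, headers, body = fetch(chain[-1])
        nxt = next_hop(chain[-1], status, headers, body)
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def hosts_crossed(chain):
    """Distinct hostnames in visiting order, so cross-site hops stand out."""
    hosts = []
    for u in chain:
        host = urlparse(u).hostname
        if host and (not hosts or hosts[-1] != host):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    chain = follow_chain("http://clickhere.example/offer", fake_fetch)
    print(" -> ".join(chain))
    print("hosts crossed:", hosts_crossed(chain))
```

The point of keeping `fetch` injectable is that the same walk can be run against a real non-following client in a sandbox, while the decision logic (stop, loop, too many hops, which hosts were crossed) stays testable offline. Whatever reputation service you consult, feed it every host in the list, not only the first.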

[Image: Answer for a chance to win, Zulu 2]

ON THE LIGHTER SIDE: Mystery Shopper!

Our readers know we’re always looking to pick up some extra money so we were excited to get this email from David Tyler stating “you are needed if interested.” At $250 per shopping assignment, we’re interested!

[Image: Mystery Shopping Company]

Until next week, surf safely.