April 18, 2018

THE WEEK IN REVIEW

We want to inform our readers of a very clever new scam sent to us by a friend.  He learned of it from the security site called KnowBe4.com. The scam targets Gmail users and starts with a text to your phone like this one posted at Knowbe4:

The scammer tried to trick Todd (the recipient of this text) into sending the verification code to the scammer, which can then be used to take over his Gmail account by resetting the account password. Read the full description of the scam here on KnowBe4.com and then share with your friends/family.

We frequently see malicious emails disguised as something related to the new and growing marijuana industry.  However, this one in particular caught our eye because of the funny misspelling of the word “chronic.”  And while you’re looking at it, notice that it was sent from a Yahoo account and the link points to a webserver in the Central African Republic. (2-letter country code is “cf” though we don’t know why.)

After you have a good laugh at the misspelling, we wouldn’t want readers to decide to click “Continue Reading” so they might laugh some more at other misspellings.  This email is a dangerous landmine, designed to infect your computer.  We dug into it to learn that the destination site has a redirect waiting to send you to a malware website…

[hr_invisible]

[hr_invisible]


[hr_invisible]

Phish NETS: Confirmation of Your Apple Purchase

A TDS reader sent us this phishing email claiming that she had just purchased a subscription to YouTube Red for $14.99/month.  It’s all fiction, of course.  If you look carefully at the from address you’ll see it was sent from the domain myhelpacc-DOT-com, not apple.com.

Does this bogus domain look familiar to our readers?  It should.  On March 14 we posted another, similar phishing scam with links back to the same domain.  What makes this unusual is that phishing domains have a very short life-span.  It is typically hours to a few days before they are reported and shut down.  If they are really lucky, they’ll survive for a couple of weeks.  This one has been operating for at least a month now and likely since it was registered in mid-February.  We’ve reported it to Google (Who hosts the site) and they are investigating.

 

[hr_invisible]

[hr_invisible]

YOUR MONEY: Amora Coffee, Ralph Lauren, and UGG Flash Sale

Criminal gangs targeting Americans frequently steal the graphics and content of legitimate businesses in their effort to manipulate our clicking behavior.  We’ve made this point many times.  Here are two effective examples of this.  The first is an email with the subject line Discover the Difference! Amora Coffee Direct to Your Door!   It was sent from TryAmoraCoffee “@” grtlif-DOT-info.  The domain grtlif-DOT-info was registered back in May, 2017 but don’t let that seemingly long life-span suggest legitimacy.  This is malicious and not related to the real Amora Coffee company.  However, if this peaks your interest to visit the real Amora Coffee company online and try their coffee, you had better first read the hundreds of negative reviews about the real Amora Coffee company posted on PissedConsumer.com!

Other than the broken graphic, this email about a “Spring Break Clearance Sale” for Ralph Lauren products could pass as legitimate.  Until, that is, you look closely at either the from address or the link revealed by a mouse-over.  The email was sent from the oddball domain goodernight-DOT-top and the links point to another oddball domain vr7-DOT-bidGoodernight-DOT-top was registered by “Liang Kai Jun” from China on April 8 and the site is hosted in China.  Mr. Jun also registered the vr7-DOT-bid site last May, 2017.   We wonder why Mr. Jun felt the need to register the Goodernight domain a few days ago to send this email for a website he registered and hosted last year.  None of these shenanigans add any credibility to the legitimacy of this sale, from our perspective.  Are these knock-offs?  Or is this a malicious trick?  Either way, we don’t recommend spinning that roulette wheel to find out.

As long as we’re talking about China, anyone interested in an UGG sale?  This “no subject” email may say it came from UGG but what follows that brand name in the email address is the name “melba” from a domain in China.  Can you spot the 2-letter country code after the @ symbol?  (“.cn” is China, not Canada!). The sender’s website is hosted in Hong Kong and was registered back in 2015.  The links for all these sale items point back to the same link for the crap domain dqcom-DOT-top. According to the WHOIS look up, this domain was registered by Wang Zheng Jun last November, and represents the company called Nexperian Holding Limited.  When we run a Google search for Nexperian Holding Limited, all we seem to find are complaints and scam warnings against this company.  How’s your confidence now that you’ll get those UGG boots for 90% off?

[hr_invisible]

[hr_invisible]

TOP STORY: We Want You to Lose Faith

No, really!  We want you to lose “faith.”  Every time you see an email that comes from any domain ending in DOT-faith, or with links to any domain ending in DOT-faith, lunge for the delete key!  On November 20, 2014, ICANN (the International Consortium of Assigned Names and Numbers) signed an agreement with a registrar named Famous Four Media to offer [.]faith as a top level domain, just like familiar top level domains .com or .org.  Every time someone registers a DOT-faith domain, payment is made to Famous Four Media (though ICANN makes some money too, of course.)

We imagine there are some legitimate uses of this TLD (top level domain) around the Internet, but we have only seen this TLD misused over and over.  Lately, it’s been an avalanche of misuse for malicious purposes.  Take this recent Mastercard promotional email that appears to be from Indigo Platinum card.  According to our research, the domain should be indigocard.com.  However, this email came from IndigoPlatinum “@” hdgs[.]faith.  And all the links point back to hdgs[.]faith.  Everything about this email appears to legitimately represent Indigo Mastercard but it is just click-bait.  As you’ll see below, the Zulu URL Risk Analyzer scored this domain as 100% malicious.

[hr_invisible]

Interested to refinance your home mortgage loan with rates that are near record lows?  Well don’t click on this email with links back to mbno[.]faith.  Despite the reference to Lending Tree LLC in this email, it is also not real and serves as click-bait to a malicious website.  The domain mbno[.]faith was registered by someone named Carol Kaufmann from Philadelphia, PA.  Like many registrants of malicious emails, “Carol” listed her email with Yandex.com, the popular email service in Russia.   She’s also listed her address on Deer Cove Road in Philadelphia, PA but Google can’t find any road by that name in Pennsylvania.

When you look closely at these DOT-faith emails, you notice that they appear nearly identical in layout and design.  We also see similarities in the way they are coded.  Note the similarities in these two that point to qtysa[.]faith and sxcaf[.]faith.

[hr_invisible]

Below are another dozen domains, recently registered and used to send malicious emails.  We believe they were created by the same criminal gang as those above.  We also believe this gang is most likely from Russia or Eastern Europe.  It’s easy to spot the naming pattern of 4 – 5 random letters for the domain name that appears in front of the DOT-faith top level domain.

 

HomeW.a.r.ra.n.tySpecial “@” bfgcs[.]faith ThePaleoSecret “@” vbcas[.]faith UrgentFungusDestroyer “@” rwetu[.]faith Sensual_Touch_Massager “@” vdets[.]faith Match.com “@” fsdhg[.]faith AffordableElderCare “@” bxvs[.]faith TrumpHealthCareReplacement “@” bdsad[.]faith TrumpHealthCare “@” nbtux[.]faith AmericanHealthI.n.s.u.r.a.n.c.e “@” trsas[.]faith MyBestHealthPlanReminders “@” bfgsv[.]faith Homewar_ran_typlan “@” fgdcx[.]faith HightechCbdGummies “@” oujhf[.]faith

The CEO and co-founder of Famous Four Media is Mr. Geir Rasmussen.  We wondered if Mr. Rasmussen and Famous Four Media had any idea how much their global top level domain DOT-faith was being used for malicious purposes to target Americans, and what they were doing about this misuse.  We reached out to this company on April 14 and asked to interview someone in management to learn how the company tries to manage abuse of top level domains such as DOT-faith.  In less than 30 minutes we got the following response… “Thank you for contacting us. One of our representatives will be in touch with you shortly.  Regards, Famous Four Media.”  However, as of Tuesday evening, April 17, we haven’t heard from them.

According to his Linkedin profile, Mr. Rasmussen seems like a very experienced man when it comes to domain names and Internet business associated with them.  So it surprises us to see how much the DOT-faith domain is abused, putting millions of people at risk.  We wonder if he and Famous Four Media simply don’t care about this abuse because they make money from the thousands of purchases of these domain for malicious use.  Once again, there is a greater incentive for companies like Famous Four Media to turn a blind eye while all the rest of us suffer from their profiteering.  You can read an article and brief interview with Mr. Rasmussen posted on RealWire.com in February, 2016.  The article is titled Famous Four Media Hits 2 Million Domains Under Management. For the record, Famous Four Media is also the owner of other top level domains that we’ve found to be badly abused by criminals.  They are DOT-bid, DOT-win, and DOT-download.

[hr_invisible]

[hr]

FOR YOUR SAFETY: That’s all it took to get you?

A reader named Michael sent us this email. Though it came from a name he recognized, it was not the person’s real email address.  Notice that the scammer who created it hoped to entice a click by putting Michael’s full name in the actual linked document.  The link, as expected, is malicious.

[hr_invisible]

Last week a reader reported receiving many emails from “.eu” addresses to thank her for her payment.  Apparently, they continued for days.  We remind readers how important it is to look for details in emails that identify the recipient, sender and your account information.  As you’ll see below, it isn’t even clear what account this email claims to represent.  Nor does it identify the recipient by full name, or what the payment is for.

Deeeleeeete!

Our anti-virus software easily spotted the attached file and identified it as malicious.  We offer this up as a reminder that “zip” files (compressed files) are extremely dangerous and are a staple used by criminals trying to infect our computers.  The email refers to a PDF file but the attached file is a zip file…. Containing malware.

[hr_invisible]


Until next week, surf safely!