April 18, 2018

[hr_invisible]

Phish NETS: Confirmation of Your Apple Purchase

A TDS reader sent us this phishing email claiming that she had just purchased a subscription to YouTube Red for $14.99/month.  It’s all fiction, of course.  If you look carefully at the from address you’ll see it was sent from the domain myhelpacc-DOT-com, not apple.com.

Does this bogus domain look familiar to our readers?  It should.  On March 14 we posted another, similar phishing scam with links back to the same domain.  What makes this unusual is that phishing domains have a very short life-span.  It is typically hours to a few days before they are reported and shut down.  If they are really lucky, they’ll survive for a couple of weeks.  This one has been operating for at least a month now and likely since it was registered in mid-February.  We’ve reported it to Google (Who hosts the site) and they are investigating.

[hr_invisible]

[hr_invisible]

YOUR MONEY: Amora Coffee, Ralph Lauren, and UGG Flash Sale

Criminal gangs targeting Americans frequently steal the graphics and content of legitimate businesses in their effort to manipulate our clicking behavior.  We’ve made this point many times.  Here are two effective examples of this.  The first is an email with the subject line Discover the Difference! Amora Coffee Direct to Your Door!   It was sent from TryAmoraCoffee “@” grtlif-DOT-info.  The domain grtlif-DOT-info was registered back in May, 2017 but don’t let that seemingly long life-span suggest legitimacy.  This is malicious and not related to the real Amora Coffee company.  However, if this peaks your interest to visit the real Amora Coffee company online and try their coffee, you had better first read the hundreds of negative reviews about the real Amora Coffee company posted on PissedConsumer.com!

Other than the broken graphic, this email about a “Spring Break Clearance Sale” for Ralph Lauren products could pass as legitimate.  Until, that is, you look closely at either the from address or the link revealed by a mouse-over.  The email was sent from the oddball domain goodernight-DOT-top and the links point to another oddball domain vr7-DOT-bid.  Goodernight-DOT-top was registered by “Liang Kai Jun” from China on April 8 and the site is hosted in China.  Mr. Jun also registered the vr7-DOT-bid site last May, 2017.   We wonder why Mr. Jun felt the need to register the Goodernight domain a few days ago to send this email for a website he registered and hosted last year.  None of these shenanigans add any credibility to the legitimacy of this sale, from our perspective.  Are these knock-offs?  Or is this a malicious trick?  Either way, we don’t recommend spinning that roulette wheel to find out.

As long as we’re talking about China, anyone interested in an UGG sale?  This “no subject” email may say it came from UGG but what follows that brand name in the email address is the name “melba” from a domain in China.  Can you spot the 2-letter country code after the @ symbol?  (“.cn” is China, not Canada!). The sender’s website is hosted in Hong Kong and was registered back in 2015.  The links for all these sale items point back to the same link for the crap domain dqcom-DOT-top. According to the WHOIS look up, this domain was registered by Wang Zheng Jun last November, and represents the company called Nexperian Holding Limited.  When we run a Google search for Nexperian Holding Limited, all we seem to find are complaints and scam warnings against this company.  How’s your confidence now that you’ll get those UGG boots for 90% off?

[hr_invisible]

[hr_invisible]

TOP STORY: We Want You to Lose Faith

No, really!  We want you to lose “faith.”  Every time you see an email that comes from any domain ending in DOT-faith, or with links to any domain ending in DOT-faith, lunge for the delete key!  On November 20, 2014, ICANN (the International Consortium of Assigned Names and Numbers) signed an agreement with a registrar named Famous Four Media to offer [.]faith as a top level domain, just like familiar top level domains .com or .org.  Every time someone registers a DOT-faith domain, payment is made to Famous Four Media (though ICANN makes some money too, of course.)

We imagine there are some legitimate uses of this TLD (top level domain) around the Internet, but we have only seen this TLD misused over and over.  Lately, it’s been an avalanche of misuse for malicious purposes.  Take this recent Mastercard promotional email that appears to be from Indigo Platinum card.  According to our research, the domain should be indigocard.com.  However, this email came from IndigoPlatinum “@” hdgs[.]faith.  And all the links point back to hdgs[.]faith.  Everything about this email appears to legitimately represent Indigo Mastercard but it is just click-bait.  As you’ll see below, the Zulu URL Risk Analyzer scored this domain as 100% malicious.

[hr_invisible]

Interested to refinance your home mortgage loan with rates that are near record lows?  Well don’t click on this email with links back to mbno[.]faith.  Despite the reference to Lending Tree LLC in this email, it is also not real and serves as click-bait to a malicious website.  The domain mbno[.]faith was registered by someone named Carol Kaufmann from Philadelphia, PA.  Like many registrants of malicious emails, “Carol” listed her email with Yandex.com, the popular email service in Russia.   She’s also listed her address on Deer Cove Road in Philadelphia, PA but Google can’t find any road by that name in Pennsylvania.

When you look closely at these DOT-faith emails, you notice that they appear nearly identical in layout and design.  We also see similarities in the way they are coded.  Note the similarities in these two that point to qtysa[.]faith and sxcaf[.]faith.

[hr_invisible]

Below are another dozen domains, recently registered and used to send malicious emails.  We believe they were created by the same criminal gang as those above.  We also believe this gang is most likely from Russia or Eastern Europe.  It’s easy to spot the naming pattern of 4 – 5 random letters for the domain name that appears in front of the DOT-faith top level domain.

HomeW.a.r.ra.n.tySpecial “@” bfgcs[.]faith ThePaleoSecret “@” vbcas[.]faith UrgentFungusDestroyer “@” rwetu[.]faith Sensual_Touch_Massager “@” vdets[.]faith Match.com “@” fsdhg[.]faith AffordableElderCare “@” bxvs[.]faith TrumpHealthCareReplacement “@” bdsad[.]faith TrumpHealthCare “@” nbtux[.]faith AmericanHealthI.n.s.u.r.a.n.c.e “@” trsas[.]faith MyBestHealthPlanReminders “@” bfgsv[.]faith Homewar_ran_typlan “@” fgdcx[.]faith HightechCbdGummies “@” oujhf[.]faith

The CEO and co-founder of Famous Four Media is Mr. Geir Rasmussen.  We wondered if Mr. Rasmussen and Famous Four Media had any idea how much their global top level domain DOT-faith was being used for malicious purposes to target Americans, and what they were doing about this misuse.  We reached out to this company on April 14 and asked to interview someone in management to learn how the company tries to manage abuse of top level domains such as DOT-faith.  In less than 30 minutes we got the following response… “Thank you for contacting us. One of our representatives will be in touch with you shortly.  Regards, Famous Four Media.”  However, as of Tuesday evening, April 17, we haven’t heard from them.

According to his Linkedin profile, Mr. Rasmussen seems like a very experienced man when it comes to domain names and Internet business associated with them.  So it surprises us to see how much the DOT-faith domain is abused, putting millions of people at risk.  We wonder if he and Famous Four Media simply don’t care about this abuse because they make money from the thousands of purchases of these domain for malicious use.  Once again, there is a greater incentive for companies like Famous Four Media to turn a blind eye while all the rest of us suffer from their profiteering.  You can read an article and brief interview with Mr. Rasmussen posted on RealWire.com in February, 2016.  The article is titled Famous Four Media Hits 2 Million Domains Under Management. For the record, Famous Four Media is also the owner of other top level domains that we’ve found to be badly abused by criminals.  They are DOT-bid, DOT-win, and DOT-download.

[hr_invisible]