April 24, 2019


We hope you had a happy Passover and Easter (if you celebrate either) and got money back on your taxes, if you are a US citizen!  Into our TDS honeypot accounts we continued to get the same malicious threats disguised as Easter egg promotions (Amazon – crack the egg) and tax related promotions (Protect your IRA).  Below are two examples. The Amazon promotion points to an Amazon web services account but trust us, it is as malicious as it comes! The only hint that something is wrong is a look at the subject line or the fact that a “reply-to” email address is to an address in Germany (“.de” = 2-letter country code for Deutschland).

On the other hand, that “Protect Your IRA and 401(k)” email is easy to spot as suspicious if you look carefully at the domain it was sent from and has links pointing back to…. “Abz7gtsq[.]cf”   The “.cf” says everything you need to know!  It is the 2-letter country code for the Central African Republic!  Also, a look up of this domain in a WHOIS shows that it was once registered to some Dutch organization in the Netherlands but now there is little information about it.






Phish NETS: An Ocean of Phish!

(This week’s Phish Nets column is meant to accompany this week’s Top Story. So you may want to start there!)

Below are a tiny representative sample of the phishing pages that have been created on four free website building  services: Weebly, Webnode, Wix, and 000WebHost in the last few years.  This sample clearly shows how criminals have tried to fool people into believing that these web pages represent AT&T, Yahoo, Fibre Broadband (a UK company), Canada Service (a Canadian government website), JP Morgan Chase Bank, Mobile Connection (a French company), Habbo gaming/social network, Facebook, Instagram, Instagain (An Instagram promoter & marketing service), Microsoft (misspelled as microsoff) and Outlook365 (misspelled as outl00k365), PayPal, Swiss Airline (misspelled as siwss) and Wells Fargo Bank….to name just a few!

In addition, phishers create lots of official sounding fake web pages on these free services, such as “Administrator update,” “Extra Gift for All,” “Information and Communication Technology (ICT) service desk” (a UK colloquialism), webmail and Staff Payroll Service.

Every one of these former and current phishing links below is a fake, misusing a free service to try to collect account holder’s personal login credentials.  During our research on April 20 we found an active phishing page that was posted on Weebly.com. The fake page pretended to represent an EU company called Instagain.  Instagain is a marketing and promotional service for Instagram users.  For example, you can purchase 15,000 Instagram followers for 150 Euros, demonstrating yet another example how easy it is to deceive people online.  To Weebly’s credit, they removed this fake Instagain site within 2 hours after sending them an email to notify them of its presence. But we grabbed screenshots of the site to show you before it was removed!

Look below:

administrador-update[.]weebly[.]com att-yahoomail7[.]webnode[.]com att-yahoomail28[.]webnode[.]com att-yahoomail29[.]webnode[.]com att-yahoomail51[.]webnode[.]com att-yahoomail275[.]webnode[.]com atthelp[.]webnode[.]com bt-fibre[.]webnode[.]com canadawebserviesz[.]webnode[.]com chasejpmorganalertsp[.]000webhostapp[.]com connexionmobille[.]weebly[.]com creditshabbogratui9[.]wix[.]com extragiftforall[.]000webhostapp[.]com facebookconfirmationcoy[.]weebly[.]com facebook-security-login-confirmation[.]weebly[.]com facebook-security60[.]webnode[.]com facebook0067[.]webnode[.]com facebook82105[.]webnode[.]com facultystaff0013[.]wix[.]com freehabbocoinstoday101[.]weebly[.]com ictservicedesk3[.]wix[.]com instagainpanel[.]weebly[.]com instagramfollowerprogram[.]weebly[.]com login-webmail-orange[.]weebly[.]com microsoff[.]000webhostapp[.]com outl00k365[.]webnode[.]com paypal-verifying-account6[.]weebly[.]com pro-upgrade[.]000webhostapp[.]com security-officers-sigin-info-center-fb[.]000webhostapp[.]com setting-account2019[.]webnode[.]com setting-account35[.]webnode[.]com settingmyfb[.]weebly[.]com siwsscomweb[.]weebly[.]com staffpayrollservice[.]weebly[.]com security-facebook02[.]webnode[.]com suppor-payer4[.]000webhostapp[.]com uni-update[.]weebly[.]com upgradenaukri[.]wix[.]com webmail2sunrisechmessagebox[.]weebly[.]com wellssupportsysreact[.]000webhostapp[.]com

Check out Google’s first page of results after searching for the marketing company Instagain on April 20, 2019:



We visited the “Instagain Booster” site on Weebly (after first making sure there was no malware waiting for us) and found that they were offering up to 50,000 free followers and 25,000 free likes.  There was only one catch… You had to provide them with your account name and login credentials!







YOUR MONEY:  We Buy Homes, Home Warranty, and Amazon Shopper

Though you are led to believe it is possible to obtain a cash offer for selling your home, you need look no further than the FROM address.  The email was sent from the domain pactavid[.]com, which was registered a month before this email was sent and is being hosted on a server in Russia.  However, this malicious email is exemplary of another serious problem taken advantage of by cybercriminals…  Dynamic DNS.  Quite simply, this form of technology makes it much harder to locate and shut down malicious websites because their malicious links point to Internet addresses that are routinely changed.  Cisco wrote a very good article about this abusive threat by cybercriminals titled On the Trail of Malicious Dynamic DNS Domains in 2013.  The links in this email look like they point to Microsoft’s Outlook service but it redirects to the dynamic dns service called myftp[.]org. Also, while there is a “We Buy Homes 4 Cash” business, it doesn’t mean that their website is safe to visit.  Check out what Sucuri.net informed us about the redirect pointing to this business.




Below are two more malicious emails that also made use of a dynamic DNS service called myvnc[.]com.  (Both myftp[.]org and myvnc[.]com are listed in the Cisco article as being in the top 20 dynamic dns services back in 2013.  (Position #12 and #13) However, they were also found to be amongst the most abused dynamic dns services during the time of the 2013 study. (myftp[.]org was in 6th place with nearly 38% of its dynamic domains found to be malicious!)  The first email below appears to be about a home warranty protection plan and the second is another Amazon survey, but this time with a timer counting down from 5 minutes. Both came from the domain cohortsign[.]com.  Google can’t find cohortsign[.]com and a WHOIS tells us that it was registered by a woman claiming to represent a business called “Line Networking” from Las Vegas, Nevada. Google also cannot find anything about Line Networking.






TOP STORY: Misuse of Free Website Services

During the last few months we have documented instances of cybercriminals using free web hosting services to post their phishing web pages with fake login pages to Amazon, credit card companies and bank accounts.  This recently prompted us to ask a simple question… How often are these free hosting services misused by criminals to target the public? We focused our brief research on four free hosting services: 000Webhostapp.com, Wix.com, Webnode.com, and Weebly.com.  The answer was surprising! Here is one small example showing how criminals built two phishing pages on Webnode that were disguised to look like AT&T and/or Yahoo login pages.

Our approach to researching this problem was simple by using Google’s “site” command to direct the search of a particular website for specific content.  As you may have noticed above, PhishTank.com came up in our search for a specific phishing website.  PhishTank is an outstanding and well respected service that documents known or suspected phishing pages across the Internet.  We asked Google to search PhishTank.com’s extensive listings for the appearance of any web pages found on those four free services.  Google returned thousands of results! Below are two screenshot examples taken from the top set of results. Notice that Google states there were 1,500 and 859 results found on these two services, though we can’t say with certainty that all were confirmed phishing pages by PhishTank.  In red, we’ve underlined some of the phishing pages to pay most attention to.



By looking at those underlined links in red, you’ll notice phishing pages that were clearly meant to deceive the public by pretending to be Instagram, PayPal, Dropbox, Santander Bank, webmail and other personal accounts.  In this week’s Phish Nets column we’ve listed a tiny sampling of targeted recognizable businesses and types of login pages we found on PhishTank that have been used by just these four free services. The list includes an example of a phish that was likely very successful at capturing the login credentials of people’s Instagram accounts because of the “lure” that was used as bait! The lesson here is obvious.  However, before you go exploring these phish on your own, please remember that the phishers are sometimes able to plant landmines on these free services. We were reminded of this ourselves when we clicked a link and got this response from our protective software….



FOR YOUR SAFETY: US Postal Service Notice, OKBride Not OK, and Qatar Airways

A TDS reader has sent us several of these very malicious emails disguised to look like notifications from the U.S. Postal service.  Notice that this one was sent from a server in Chile. The links point to a hacked business in India called “Earth Resource Technology” where malware awaits!



This next email is nasty clickbait.  It contained nothing more than two links, one of which looked to be for OKBride.com, a business devoted to bridal shows in Oklahoma.  However, we noticed that built into the link was a redirect to the shortening service bit.do. Unshortening that link shows that you’ll be redirected to a website hosted in Jakarta, Indonesia called alimshare[.]com.

You can figure out the rest.  No happy wedding…





And finally, we leave you with this email from Qatar Airways (NOT!) about your flight information.  It’s such an international email with connections to the UK, Qatar, and Russia!

Just don’t click!


Until next week, surf safely!