April 4, 2018

THE WEEK IN REVIEW

Criminal gangs who target us across the Internet are often formulaic and predictable.  For example, we’ve recently been pointing out to readers how these gangs try to slip past the watchful algorithms of anti-spam servers that look for certain words in the subject lines of their malicious emails.  Have a look at the subject lines of some recent malicious emails sent by the same gang.  See how they use underscores (_) and periods (.) to break up certain words?  It is exactly these techniques that should tell all of us that the email is spam at best, and more likely malicious.

Lunge for the delete key!

Get 50% Off Now And F_re_e Shipping!

Pain Relief S.e.c.r.e.t Discovered By Chilean Doctor

Quick’ Easy And F.r.e.e No Obligation Home I.n.s.u.r.a.n..c.e Quotes Available Now!

Short On C.a.s.h? We O.f.f.e.r Unsecured L.o.a.n.s.

Why Get A Home W_arr_anty Plan?
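Added example (ours, not code from the newsletter or from any anti-spam product): a small Python check that collapses the wedged underscores and periods and flags the subject lines above whenever the restored word is one a keyword filter would block. The keyword list is an assumption chosen to match these samples, and the last subject line is a constructed clean control.

```python
import re

# Subject lines quoted in the newsletter, plus one constructed clean line as a control.
SUBJECTS = [
    "Get 50% Off Now And F_re_e Shipping!",
    "Pain Relief S.e.c.r.e.t Discovered By Chilean Doctor",
    "Quick’ Easy And F.r.e.e No Obligation Home I.n.s.u.r.a.n..c.e Quotes Available Now!",
    "Short On C.a.s.h? We O.f.f.e.r Unsecured L.o.a.n.s.",
    "Why Get A Home W_arr_anty Plan?",
    "Your quarterly invoice is attached",  # constructed control line
]

# Words a simple keyword filter would block (assumption: a small illustrative list).
KEYWORDS = {"free", "secret", "insurance", "cash", "offer", "loans", "warranty"}

# A run of letters with one or more '_' or '.' wedged between letters, e.g. F_re_e or
# I.n.s.u.r.a.n..c.e. A sentence-ending period is not between two letters, so it
# never matches.
OBFUSCATED = re.compile(r"\b[A-Za-z]+(?:[._]+[A-Za-z]+)+\b")

def collapse(token):
    """Strip the wedged separators so 'F_re_e' becomes 'free'."""
    return re.sub(r"[._]+", "", token).lower()

def flag_obfuscated_keywords(subject, keywords=KEYWORDS):
    """Return (as_seen, restored) pairs for every broken-up keyword in the subject.
    Legitimate dotted names such as bit.do collapse to 'bitdo' and are not flagged."""
    hits = []
    for match in OBFUSCATED.finditer(subject):
        restored = collapse(match.group(0))
        if restored in keywords:
            hits.append((match.group(0), restored))
    return hits

def triage(subjects=SUBJECTS):
    """Map each subject line to its hits; an empty list means nothing suspicious found."""
    return {s: flag_obfuscated_keywords(s) for s in subjects}

if __name__ == "__main__":
    for subject, hits in triage().items():
        verdict = "SUSPICIOUS" if hits else "clean"
        print(f"{verdict:10} {subject}  {hits}")
```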

These criminals tend to be so formulaic that they often create a template for a malicious email and then swap out the content and subject line to produce many different emails.  The result is that their malicious emails all look nearly the same.  Check out these two recent examples, including the hidden white text in the large empty space below that is meant to fool anti-spam servers.  You’ll see another couple of examples of these emails below.


Phish NETS: Webmail Reactivation Required

Is this phish convincing at all?  It targets website owners who log into a generic email account supporting their websites.  “Subject: Warning: Reactivation required for….”  Mousing over “Re-Activate Account Here” points to a travel site in China.  Check out the login screen below waiting for you on that site.  Even Google knows that this travel site has been hacked!


YOUR MONEY: Amazon Gift Card and McDonalds Gift Card

Poor Amazon.  From our perspective, Amazon is the most misused business by criminals who target us with malicious content.  A reader sent us this congratulations email…. “Your_$500_Amazon_Gift_Card_Has_Arrived..”  What makes this scam more interesting to us is that the coders embedded a redirect directly into the clickable link.  Look carefully at the link revealed in the lower left after mousing over the words “CONGRATULATIONS, CLICK HERE.”  It looks as though you’ll be sent to the domain lung[.]org but you’ll see at the end of that link that you’ll be redirected to a link at the shortening service, bit.do.

Urlex.org informs us that the bit.do link will redirect you to a subdomain of the website called topmoboffers-DOT-com.  Apparently ForcePoint’s Threatseeker Service calls this site suspicious.

Ya think?

If you looked carefully at the two side-by-side malicious emails we posted at the top of this week’s newsletter, then you’ll recognize this McDonald’s promotion immediately as one of the same.  “Would you fill out a survey for a McDonald’s Reward” gift card for $100?  Says an email from “Restaurant Promotions Usa.”  This is such BS!  The email came from the crap domain rusakkda-DOT-date.

This email is 100% malicious!


TOP STORY: Security/Malware Alerts!

On March 28, 2018, the FBI put out this warning about Tech Support Scams.  The FBI received more than 11,000 complaints in 2017 about tech support scams, resulting in millions of dollars in losses to consumers.  We’ve posted articles about these scams and they are available here…

Apple Tech Support Scams: http://www.thedailyscam.com/apple-tech-support-scams/

Microsoft Tech Support Scams: http://www.thedailyscam.com/microsoft-tech-support-scams/

NOT Apple Customer Support! http://www.thedailyscam.com/not-apple-customer-support/

In addition, last week a TDS reader sent us a security alert scam and we got hit by a nasty one ourselves, prompting this week’s Top Story about bogus “security” and “malware” alerts.  Let’s begin with this redirect that hit us when we visited a website that had been hacked.  Check out how hard this web page tries to convince you that it is the real Apple computer company, informing you that “your system is infected with 3 viruses!”  They even go so far as to say that your “personal and banking information is at risk.”  The URL contains the words apple, macbook care, MacOS 10.13, High Sierra, and even mackeeper (a third-party program not made by Apple).  The web page design contains the navigational links you’ll find at the real Apple.com, and there is even an icon for the AppleCare Protection Plan.  Would this redirect intimidate you?  What about that message saying “We have detected a Trojan virus on your Mac. Press OK to begin the repair process.”  We hope our readers understand that the last thing you should do is press OK!  What you should do is immediately QUIT your browser.  If you can’t, then use the force-quit command (press all three keys: command-option-esc) to quit the browser.  If, by chance, this doesn’t work, then hold your power button for 15 seconds to shut your computer down and restart.  When asked if you want to reopen the applications that were running, do not click OK.

We are not entirely certain what malicious game the creators of this redirect were playing.  We can confirm that there is another redirect involved but we lost the trail at this point.  However, these criminals were clever to create a domain and sub-domain that looked like it was apple.com.  A careful look at the link shows that the domain they registered was com-macbook-care[.]systems and then added a subdomain called apple.
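Added example (ours, not the newsletter’s) covering both the lung[.]org link with a bit.do redirect tucked inside it and the “apple” subdomain hung off com-macbook-care[.]systems: the sample URLs are constructed to mirror those two cases, not the real links from the emails, and the two-label owner-domain rule is a simplifying assumption that consults no public-suffix list.

```python
from urllib.parse import urlsplit, parse_qs

# Shortening services named in the newsletter (bit.do, u.nu); an illustrative set.
SHORTENERS = {"bit.do", "u.nu"}

def registrable_domain(hostname):
    """Owner domain as 'last two labels'. Assumption: no public-suffix list, so a
    host under co.uk would be misjudged; adequate for the hosts discussed here."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_only_in_subdomain(hostname, brand):
    """True when the brand word sits in the hostname but not in the registered part,
    as with 'apple' prepended to com-macbook-care.systems."""
    host = hostname.lower()
    return brand in host and brand not in registrable_domain(host)

def embedded_redirects(url):
    """Absolute URLs carried inside query parameters, the trick behind the lung.org
    link that actually bounces to bit.do. parse_qs undoes the percent-encoding."""
    query = urlsplit(url).query
    return [v for values in parse_qs(query).values() for v in values
            if v.startswith(("http://", "https://"))]

def assess(url, brands=("apple", "amazon")):
    """Human-readable findings for one link; an empty list means nothing stood out."""
    host = urlsplit(url).hostname or ""
    findings = []
    for brand in brands:
        if brand_only_in_subdomain(host, brand):
            findings.append(f"'{brand}' is only a subdomain of {registrable_domain(host)}")
    for target in embedded_redirects(url):
        target_host = urlsplit(target).hostname or ""
        kind = "shortener " if registrable_domain(target_host) in SHORTENERS else ""
        findings.append(f"embedded redirect to {kind}{target_host}")
    return findings

# Constructed links modelled on the two cases above; not the real URLs from the emails.
SAMPLES = [
    "https://apple.com-macbook-care.systems/macos-10.13-high-sierra/",
    "https://lung.org/go?u=https%3A%2F%2Fbit.do%2Fexample",
    "https://www.apple.com/support/",  # genuine brand domain, should pass
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", assess(link) or ["no findings"])
```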

We also received this security alert email from one of our readers… “Sign-in attempt was blocked for your profile.”  The link points to a hacked educational website in Columbia.

We decided to follow the link for “CHECK ACTIVITY” and were surprised to hear this audio file, in addition to the redirected page that claimed to be from Microsoft, informing us that our Windows computer was blocked because it was infected by a virus.

Security Alert for Your Account

Check out that very scary message in the pop-up informing us about the information being stolen!

The response to this bogus alert is the same as above.  Immediately quit your browser!  In addition, we believe it is prudent to run an anti-virus/anti-malware scan of your computer with your AV software.  We suspect that most of our readers wouldn’t be fooled by these redirects, pop-ups and sound files.  However, our experience tells us that children and the elderly are most at risk of falling for these scams.  Does this describe anyone in your family or circle of friends?  Share this email with them.  Have a conversation and help them to understand that panic messages like these are always scams!


FOR YOUR SAFETY: Private Invitation

A TDS reader sent us this private invitation he received to watch a video and learn how to make $500 per day.  Supposedly, he was offered $2500 just to watch the video!  No one should be surprised to learn that this is just land-mine clickbait.  We noticed that the link sent to him was to a shortening service called u.nu.


The redirect is to the lame name domain MyCashNetwork-DOT-net.   It may look exciting but it is social engineering to trick you into clicking a malicious link.  The Zulu URL Risk Analyzer informs us that the site is malicious and contains malware.

Deeeleeeete!



Until next week, surf safely!