THE WEEK IN REVIEW
We hate to be repetitive but we would be remiss if we didn’t keep pointing out the many variations of malicious emails meant to appear as vouchers, surveys and rewards from Amazon, Walmart, and other well-known businesses. At the risk of boring our readers, here are two more…
“You’re invited: To redeem your $50 reward. Take the survey now.” And “walmart.com delivery notice AR844618”
We have an important note for our Newsletter readers. After more than three years, TDS has lost its primary honeypot server that was used to collect most of the spam and scam emails we analyze. We are now using alternative resources for our content in addition to the scams that readers routinely send us. We don’t expect this loss to impact our weekly reporting of the scams and malicious wolves-in-sheep’s clothing that we expose. However, you may notice a difference in the design of the graphics from these alternative sources. It is also important for us to say that we love to hear from our readers! Please send us screenshots of suspicious content or simply forward those emails, texts or social media posts to spoofs@thedailyscam.com.
And don’t worry, we’ve still got your back!
Sample Scam Subject Lines:
A Stocking Stuffer That Could Save Your Life!
Bad news
Chat with 20000 Russian and Ukrainian Beauties
Congratulations. An Amazon award has arrived!
Email Lottery Program
FR.E.E. Termite Inspection from Terminex
Legal Weed is Creating the Opportunity of a Lifetime
Meet a girl of your dreams
Numerology Reading…
REF NUMBER: SD/2017/QR919/17
Remove Rust, Stains, & Hard Water Deposits!
Review local matches for f.r.e.e.
Term Life Coverage – Under $16 a month!
Sample Scam Email Addresses:
amazon-com-deals-[YOUR EMAIL] @ voucherngift.com
walgreens-deals-[YOUR EMAIL] @ pharmacyspree.com
Beware emails with random characters before the @ symbol:
fcomrqlt @ edhec.com
gyrvvg @ net-change.com
Beware emails that come from a DOT-US (.us) address:
1inkspecial @ 1lingh.us
flawlesscomplexion @ sluing.us
free-hvac-estimates.com @ leprds.us
harpquiz.com @ haptyqiz.us
lendingtreepartners @ treksz.us
nationalsolarnetwork @ najriomn.us
solarspecialpromotion @ natraaaj.us
Phish NETS: Netflix and ADP Invoice
This first phish was so horribly coded that it was barely legible. The criminals who sent this are clearly amateurs but it is a phish nonetheless, and we will also address this in our Top Story – Dearest One! “Important: Update your payment method” says an email from watchoriginal @ moviescheck.com. We pieced the broken structure together so you can kinda see what it looked like but have also pasted the plain text below.
Hi Dear, We werent able to complete your last payment for your Netflix membership. Well try charging you again over the next couple of days, but if we arent able to complete a payment soon, youll lose access to Netflix. Update payment method now Need help? Contact support or visit our Help Center. Please do not reply to this email. View or make changes to your Netflix Red membership at any time. You’ll need a supported device and an Internet connection to stream videos or to save videos to watch offline. ©2017 Netflix, LLC 901 Cherry Ave, San Bruno, CA 94066 You have received this mandatory email service announcement to update you about important changes to your Netflix product or account. View your email options in your Netflix account. Paid Service Terms of Service
TDS has been a Netflix member for at least six years and we’ve never had them address us in an email with “Hi Dear.” How sweet! The link connected to “Update payment method now” leads to a website in France (.fr = 2-letter country code for France). Laugh, then delete.
This next email was a form of spear phishing. It was targeted specifically to the business office of a non-profit organization. ADP is a payroll service used by many businesses and organizations. A mouse-over of the link doesn’t point to adp.com but points to a document at foundationofyet-DOT-info. This is either an attempt to phish ADP login information or install malware on the victim’s computer, or both. Either way, you lose. Delete.
YOUR MONEY: Learn How to Speak to Your Cat, Vitamin Infused Coffee & Tea, and Term Life Protection
At TDS, Doug and Dave have several adorable cats who own the humans that live with them. They tolerate us, and command us as needed. Kind of like Daenerys Targaryen and Cersei Lannister in Game of Thrones command all those around them. Hmmm…. Now that we think about this, those would have been great names for two of our cats! But we digress…. We received this wonderful email from CatLanguageBible @ catlsguage-DOT-us with the subject line “It’s Time To Learn How To Speak Directly To your Cat.” The problem is that we may not really want to know what they are telling us when they meow at us in cat-speak! But this email, as enticing as it may seem, is nothing more than nasty click-bait. The domain catlsguage-DOT-us was registered by a “Ben Doan” of Frankfurt, Kentucky just hours before the email was sent. The WHOIS registry tells us that Ben’s email address is listed with Yandex.com. We find that interesting since Yandex.com is an email and internet service in Russia and Eastern Europe. Meow, meow, delete.
VitaCup.com is a legitimate website and product that may interest readers. It is an interesting idea to infuse your coffee or tea with the vitamins and minerals you might take to supplement healthy eating. But this next email is a sham and its creators stole the graphics and content from the real VitaCup.com website. Notice the email address! It comes from VitaminTea @ opnyyrew.us, NOT vitacup.com! Below the email content was the random text that is meant to fool anti-spam servers but never works. And to confirm this little charade, the domain opnyyrew-DOT-us was registered the day the email was sent by our new friend Ben Doan with the Russian email address from Yandex! Now delete!
Once again, we see another wolf in sheep’s clothing trying hard to pretend it is something it is not. All one has to do is look closely at the email of the sender. Anyone can create an email that says anything in front of the @ symbol! This email says it came from AIGDirectInsurance but the domain name following the @ symbol says reiswnt-DOT-us, not aig.com! This DOT-US domain was registered by Durgesh Tiwari from Bhopal, India on the day the email was sent. You know what to do.
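The sender-address warning signs described in this newsletter (a brand name in front of the @ symbol with an unrelated domain behind it, random characters before the @, and DOT-US sender domains) can be checked automatically. The Python below is an added example, not TDS code; the brand-to-domain map, the vowel-ratio threshold and the `sender_flags` helper are assumptions, and the address marked constructed is made up for illustration.

```python
import re
from email.utils import parseaddr

# Assumed brand -> legitimate domain map (illustrative, not exhaustive).
BRAND_DOMAINS = {"amazon": "amazon.com", "walgreens": "walgreens.com",
                 "netflix": "netflix.com", "aig": "aig.com",
                 "lendingtree": "lendingtree.com"}

def registered_domain(domain):
    # Naive: keep the last two labels. Real code should use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def sender_flags(from_header):
    """Return the reasons a From address matches the newsletter's warning signs."""
    _, addr = parseaddr(from_header.replace(" @ ", "@"))
    local, _, domain = addr.rpartition("@")
    local, domain = local.lower(), registered_domain(domain)
    flags = []
    for brand, legit in BRAND_DOMAINS.items():
        # Substring match is crude and can over-match short brand names.
        if brand in local and domain != legit:
            flags.append(f"brand '{brand}' before the @ but domain is {domain}")
    if re.search(r"\.(com|net|org)$", local):
        flags.append("local part imitates a domain name")
    letters = re.sub(r"[^a-z]", "", local)
    # Assumed threshold: under 20% vowels in 5+ letters reads as random typing.
    if len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2:
        flags.append("random-looking characters before the @")
    if domain.endswith(".us"):
        flags.append("DOT-US sender domain")
    return flags

SAMPLES = [
    "AIGDirectInsurance @ reiswnt.us",         # from this newsletter
    "fcomrqlt @ edhec.com",                    # from this newsletter
    "free-hvac-estimates.com @ leprds.us",     # from this newsletter
    "netflix-billing@mail.netflix.com",        # constructed, brand matches domain
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", sender_flags(sample) or "no flags")
```

An address such as watchoriginal @ moviescheck.com trips none of these checks, so they complement rather than replace the link mouse-over and domain-registration checks described above.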
TOP STORY: Dearest One
We LOVE travelling the world, meeting new people and immersing ourselves into cultures, languages and traditions that we didn’t grow up with. The diversity and richness of the people on earth is truly a gift to celebrate. And it is because of our decades of world travel, and the many friends we have made around the world, that we are able to write this week’s Top Story – Dearest One!
Language is revealing if you travel and pay attention to the nuances it contains. When you hear someone say “you guys” it may suggest that they lived or grew up in the northeast of the United States. When you hear someone say “y’all” it generally reflects a southern heritage in our country. Similarly, when you hear (or read) “Dear One” or “Dearest One” it quite often reflects that the writer is from one of the countries on the continent of Africa. Doug at The Daily Scam has had the great pleasure to spend several weeks in Africa and has many friends and acquaintances from several African countries. He has learned that it is very common for Africans who speak English to address someone in writing (less so in speech) as “Dear One” or “Dearest One.” But in this game of online deception, that opening greeting is like a “tell” in poker. According to Wikipedia, a “tell” is a change in a player’s behavior that gives clues about their hand. In our case, the “tell” informs us that the sender is lying through his or her teeth and this is a scam!
Take this week’s Netflix phish in the first column. It began with “Hi Dear, We werent able to complete your last payment for your Netflix membership. Well try charging you again over the next couple of days, but if we arent able to complete a payment soon, youll lose access to Netflix.” We believe this was likely sent by African phishers. The same can be said for that hysterical Nigerian 419 scam at the bottom of last week’s newsletter that was claimed to be sent by Melania Trump. It began with the subject line “GOOD DAY MY DEAREST.” Here’s another Nigerian 419 scam (advance-fee scam) that begins similarly with “Dear Beloved”
From: pradeepp@sysmind-llc.com
Time: 2017-08-07 21:23:18
Subject: RE: Dear Beloved, my name is Christy Walton and I am a. U.S. citizen, I am a widow and a business woman. I have recently been diagnosed with esophageal cancer and a rare heart disease which has defied all medical treatment. Expert diagnosis has shown that I have few months to live. In June 2005, I inherited the sum of US$18.2 Billion from my late husband Mr. John T. Walton following his death in a plane crash. Presently, I am worth the US $41.7 Billion which rates me as the First richest woman in the world. I got your contact details in my search for a reputable person that will accept my proposal. The intention of this email is to seek for a charitable-minded individual, who can identify a viable and guarantee reasonable distribution of my wealth to the needy. I cannot rely on family and closest relatives anymore, as they did not show responsible behavior when I entrusted part of my wealth to them to distribute to charitable organizations but instead they used the money for their personal needs. To prevent any more mishaps, my attorney will act as a check, monitoring every aspect of the Charity. My will is with my Lawyer which my family is fully aware of, but there is 5% of my Bank Worth which is ($2,085,000000.00 USD) which nobody is aware of except my attorney. Do get back to me for further details and please endeavor to keep this confidential. I await your response. God bless you. Mrs. Christy Walton
For some contrast to our point, here is another scam that doesn’t use “dear” anyone in their opening. We think it is more likely that this scam was not delivered by someone from Africa or African descent.
From: officeccl@yahoo.fr
Time: 2017-08-03 19:32:43
Subject: Message from Manuela Diaha
Greetings. I am writing this mail to you with tears and sorrow from my heart but I know there is absolutely going to be a great doubt and distrust in your heart in respect of this email, coupled with the fact that, so many miscreants and impostors (scammers) have taken possession of the Internet to facilitate their nefarious deeds, thereby making it extremely difficult for genuine and legitimate business class persons to get attention and recognition. My Name is Mrs. Manuela Diaha a widow suffering from long time illness (Cancer), I am married to Mr. Diaha Lesile a Canadian citizen, who was a Consultant to the mining industry company operating in Cote D’Ivoire West Africa. My husband traveled to japan and was among the death victims of the 2011 Earthquake disaster that happened in Tokyo Japan killing over 9,000 people. He was in Tokyo on a business trip and that was how he met his death, may his soul rest in peace. I have some funds I inherited from my late loving husband, the sum of ($9,900.000,00 dollars ) which he deposited in security company and I need a very honest and God fearing person that can use these funds for Charity work, helping the Less Privileges, and 30% will be for your compensation for doing this charity work.I took this decision because I don’t have any child that will inherit this fund. I don’t want a situation where this money will be used in an ungodly way.That is why I am taking this decision. I am not afraid of death hence I know where I am going. Please if you would be able to use this fund for helping the Less Privileges that will be good, kindly contact me back for more details. I look forward to your prompt reply for more details. Thanks
Mrs. Manuela Diaha.
We will be the first to recognize that we are generalizing. No doubt, there are many African scammers who don’t begin their scam with “Dear” or “Dearest” and perhaps scammers from other countries who do. But, through our lens this tell is revealing and reflects their geography often enough that we think it is worth mentioning. As always, we invite your comments and disagreement! Email us at info@thedailyscam.com.
FOR YOUR SAFETY: Adobe Flash Player Out of Date, Good Morning, and Legal Complaint Against You
This next dangerous email came to us from one of our readers. Adobe Flash Player is a nearly universally used piece of software to display certain types of audio/video and game play content. It is also one of the most flawed pieces of software on the planet! It has suffered so many hacks by malware writers and routinely has performance issues. That explains why Apple Computer banned its use on iPhones and iPads some years ago. Visit Adobe.com to see if you have the latest version of Flash Player! Never trust a pop-up or email that tells you your “flash player” is out of date, such as this one. Notice that the email following “Adobe System” is actually info @ 4sat.eu. The link in this email leads to a nasty computer infection, not Adobe Flash Player.
This will not be a Good Morning for whoever clicks the link in this email from Italy.
In our article “Cyber Crime Investigation Against You” we’ve documented scam phone messages and texts claiming to represent some cyber crime unit presumably conducting an investigation against you. (You’ll have to pay money to get out from under their threat.) Recently, a reader sent us this email from a standard Gmail account called “ccid txsp” (whatever that is.) “HI, This is officer Mark Dawson from Sheriff’s Department of Texas State.” You can read the rest below. It’s total BS.
ON THE LIGHTER SIDE: What You Need To Know About Nigerian Scammers
In light of our references to Nigerian 419 Scammers, we thought folks would enjoy these articles from around the Internet on Nigerian 419 scams:
https://www.truthfinder.com/infomania/safety/nigerian-scammers/
http://www.techrepublic.com/blog/it-security/the-truth-behind-those-nigerian-419-scammers/
—
Until next week, safe surfing!