August 22, 2018

THE WEEK IN REVIEW

We all know what a “.com” or “.org” is.  These parts of our domain name system (DNS) are called “generic top level domains” (gTLDs) and have been around since the creation of the Internet.  ICANN (the Internet Corporation for Assigned Names and Numbers) is the non-profit organization responsible for overseeing, monitoring, and setting the standards for Internet names, as well as making sure that the thousands of Registrars who sell Internet names comply with those standards.  We have often found evidence to suggest that ICANN operates to enrich itself (for profit) and does absolutely nothing to safeguard the billions of users who depend on the Internet every day. For example, ICANN makes it easy for shady Registrars to profit from online criminal activity because ICANN itself makes money when criminal gangs purchase fraudulent or malicious domains by the tens of thousands.  We mention this for the umpteenth time because we’re seeing an uptick in malicious emails with links to domains ending in the gTLD “.date.”  We STRONGLY urge our readers to stay away from websites ending in the top level domain “.date” and to delete emails that come from an email address ending in “.date.” (Also, see “For Your Safety” below to learn about another “.date” malicious site.)

We won’t publish screenshots of these recent emails we’ve found because they are very sexual in content and we try to keep our newsletters reasonably “PG”-ish.  However, here are a few of the domain names and email addresses we’re seeing so you can better understand what we mean by the gTLD “.date.” (We put brackets [ ] around the dot to reduce the chance that email filters read these as malicious domains and block our newsletter from getting to you!)

Emails from both “Harold Wilson” <cobham@hishea[.]date> and “Leah” <dinghy@hishea[.]date>, with links to the domain hishea[.]date

Emails from “Grace” <sassy@bovrili[.]date> and “Ernest Coleman” <eikon@bovrili[.]date>, with links to the domain bovrili[.]date

Both of these domains (hishea and bovrili) were registered on the same day that the malicious emails were received by our readers.  It is common criminal practice to register a domain and then use it immediately to send out malicious emails or perpetrate fraud.  They do this before online protection services like VirusTotal.com can identify the source domain as malicious and report it to the databases that are used to warn the public.

If you want to learn more about how the Internet could be made safer, and how ICANN disregards the safety of netizens around the world, read our article called How to Make the Internet Safer for Everyone. Also, if you want to follow Alice down a rabbit hole and see a clear cut story of abuse and malicious intent made possible by ICANN, check out our article called Taft Technologies and the Truth About Internet Lies.

Phish NETS: Wix Account Suspension Notice, Navy Federal Zelle Pay, and Bank of America Alert

One of our readers sent us this phishing email for a Wix account.  Wix is a free and popular service enabling users to build websites.  The criminals who sent this phish obviously want to steal the login credentials to your Wix website.  Anyone looking closely at the “from” address can see that it came from the domain ClassicShapeWear[.]com, not wix.com.  Also, mousing over “REACTIVATE MY ACCOUNT” reveals a link that points to a website hosted in the country of Montenegro (the 2-letter country code “.me” = Montenegro).

Another one of our readers sent us these banking phish but unfortunately the original emails got a bit mangled and graphics were stripped out.  It’s instructive to show them anyway. Once again, it is easy to see that the domain following the “@” symbol of each “from” address doesn’t represent the source they claim to represent.  The first for Navy Federal appears to have been sent from Rice University. The second email, for Bank of America, appears to come from the domain “yourcompany.com.” The links in these phish were also stripped away so we don’t know where they might have sent you but it’s clear that you won’t be sent to Navy Federal or Bank of America!

— On Thu, 8/16/18, NavyFederal <xcorp@rice.edu> wrote:

> From: NavyFederal <xcorp@rice.edu>
> Subject: New Payment from Zelle
> To: “Recipients” <xcorp@rice.edu>
> Date: Thursday, August 16, 2018, 12:57 PM
>
> Navy Federal Zelle Pay
>
> Dear Member.
>
> A new payment was sent to your account using ZellePay Transfer.
>
> To accept the payment, You are immediately required to
> validate your account.
>
>   Validate Your Account
>
> Payment will be posted into your account within 27-72 hours after validation
>
> Thank you,
>
> NavyFederal Online Team

— On Wed, 8/15/18, Bank of America <urgent@yourcompany.com> wrote:

> From: Bank of America <urgent@yourcompany.com>
> Subject: Bank Of America Alert: Sign-in to Online Banking Locked
> To: [REDACTED]
> Date: Wednesday, August 15, 2018, 10:21 AM
>
> Bank of America Notice
>
> Dear valued customer,
> For your safety some information on your account appears to
> be missing or incorrect.
>
>     Please update your information promptly so that you can
> continue to enjoy all the benefits of your Account.
>
>     If you don’t update your information within 2 days,
> we’ll limit and suspend your account.
>
>     sorry for any inconvenience caused by our security
> measurements
>
>     Update Account
>
> Like to get more Alerts Sign in to
> your Online Banking account at Bank of America and select
> Alerts from the Accounts tab.
>
> Security Checkpoint
> To confirm the authenticity of messages from us, always look
> for this Security Checkpoint.
>
> This is a service email from Bank of America. Please note
> that you may receive service emails in accordance with your
> Bank of America service agreements, whether or not you elect
> to receive promotional email.
>
> Read our Privacy Notice.
> Please don’t reply directly to this automatically generated
> email message.
>
> Bank of America Email, 8th Floor-NC1-002-08-25, 101 South Tryon St., Charlotte, NC 28255-0001
> Bank of America, N.A. Member FDIC. Equal Housing Lender
> © 2018 Bank of America Corporation. All rights reserved.

YOUR MONEY:  Why Is This Legitimate? And Congratulations Amazon User

We spend so much time and effort peeling back layers of online fraud that we sometimes forget how important it is to show readers a legitimate email and the reasons why it is legitimate!  So, here is a legitimate email from Chase.com. A quick Google search of Chase Bank easily demonstrates that chase.com is the real website for JP Morgan Chase Bank.  However, sophisticated criminals can spoof the “from” address to look like anything they want, so we need to observe other important aspects of this email to confirm its authenticity.

Don’t believe that a trustworthy feature of an email is to see your name in it, though it helps. “Spear phishers” will target people by name!  This trick is easy to do. It is far more trustworthy to see the last 4 – 6 digits (not the last one or two digits!) of your account so you can verify that it is correct.

And perhaps most importantly, does the link you are asked to click lead to the correct and secure website you expect to visit?  We see in this legitimate email below that a mouse-over of the link for “enroll now” points to chase.com and that the link begins with httpS (s = secure!).  It is important to note that chase.com is NOT THE SAME as these bogus domains:

Chase.com.security-banking[.]net

Chase-bank-alerts[.]com

Chase-notification-com[.]co
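The checks this newsletter keeps applying by hand (does the domain after the “@” in the “from” address match the brand, does the link’s real domain match the brand rather than merely starting with its name, is the top level domain one we warn about such as “.date” or “.pw”, does the link begin with https) can be scripted. The Python below is an added example written for this issue, not code from The Daily Scam. The three sample messages are constructed to resemble the phish above and use ordinary dots rather than the bracketed [.] we print in the newsletter; RISKY_TLDS is an assumed watch list; and registrable_domain() is a deliberate simplification that takes the last two labels of a hostname instead of consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed watch list of top level domains the newsletter warns about.
RISKY_TLDS = {"date", "pw"}

# Constructed sample messages (not the originals reported by readers).
SAMPLE_BOA = """From: Bank of America <urgent@yourcompany.com>
Subject: Bank Of America Alert: Sign-in to Online Banking Locked
Content-Type: text/html

<p>Dear valued customer,</p>
<a href="http://chase.com.security-banking.net/update">Update Account</a>
"""

SAMPLE_CHASE = """From: Chase <no-reply@chase.com>
Subject: Enroll in account alerts
Content-Type: text/html

<a href="https://www.chase.com/enroll">enroll now</a>
"""

SAMPLE_DATE = """From: "Harold Wilson" <cobham@hishea.date>
Subject: hello
Content-Type: text/html

<a href="http://hishea.date/visit">click here</a>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels of a hostname.
    chase.com.security-banking.net -> security-banking.net
    Production code should use the Public Suffix List (e.g. the
    publicsuffix2 package) so that names like example.co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def tld(domain: str) -> str:
    return domain.rpartition(".")[2]


def sender_domain(raw_message: str) -> str:
    """Domain after the @ of the From: header (display name ignored)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def link_urls(raw_message: str) -> list:
    """All href targets in a single-part HTML body."""
    msg = message_from_string(raw_message)
    return HREF_RE.findall(msg.get_payload())


def assess(raw_message: str, claimed_domain=None) -> list:
    """Return a list of findings. claimed_domain is the brand's real
    registrable domain (e.g. 'chase.com'); pass None when the message
    claims no particular brand and only the TLD/https checks apply."""
    findings = []
    claimed = claimed_domain.lower() if claimed_domain else None

    sdom = sender_domain(raw_message)
    if claimed and registrable_domain(sdom) != claimed:
        findings.append(f"sender domain {sdom} is not {claimed}")
    if tld(sdom) in RISKY_TLDS:
        findings.append(f"sender TLD .{tld(sdom)} is on the watch list")

    for url in link_urls(raw_message):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reg = registrable_domain(host)
        # A hostname that merely *starts* with the brand name still
        # belongs to whoever registered its last two labels.
        if claimed and reg != claimed:
            findings.append(f"link host {host} really belongs to {reg}, not {claimed}")
        if parsed.scheme != "https":
            findings.append(f"link {url} is not https")
        if tld(reg) in RISKY_TLDS:
            findings.append(f"link TLD .{tld(reg)} is on the watch list")
    return findings


if __name__ == "__main__":
    for label, raw, brand in (("Bank of America phish", SAMPLE_BOA, "bankofamerica.com"),
                              ("legitimate Chase email", SAMPLE_CHASE, "chase.com"),
                              (".date email", SAMPLE_DATE, None)):
        print(label, "->", assess(raw, brand) or "no findings")
```

assess() reports three problems for the constructed Bank of America message (wrong sender domain, a link whose real domain is security-banking.net even though it starts with “chase.com”, and a plain http link), nothing for the constructed Chase message, and three for the “.date” sender. Treat the https check as one signal among several: criminals can obtain certificates for their own lookalike domains, so the registrable-domain comparison is the check that actually separates chase.com from chase.com.security-banking[.]net.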

“Congratulations Amazon.com user!”  This phone popup came from one of our readers.  “You’ve been selected for a chance to get the $1000 Amazon Gift Card, Apple iPhone X 256G or Samsung Galaxy S8!”  The popup appears to be sent from the domain called kiplingerbestrewardcredit-cards[.]pw and the link points back to it.  (The long domain name did not fit across the small phone screen and forced a dash to be inserted. It is not part of the domain name.)  This domain was registered on August 8, a few days before this appeared on the phone.  The 2-letter country code at the end of the domain indicates the country Palau (.pw), an archipelago in the Pacific Ocean.  The domain wants you to think it is related to Kiplinger, the business/finance company, but it is not.  We’re not certain whether this is a phishing scam for information or whether malware waits for you after clicking “OK.”  But we’re certain that it is NOT in your best interest to click OK! It doesn’t even give you the ability to opt out.  In this circumstance, quit your app.

TOP STORY:  Deceptive Marketing – Round 2

In the summer of 2016 we wrote about a very deceptive marketing practice which has now become extremely common.  On behalf of their clients, marketing firms register legitimate-sounding domain names and then send emails to real website administrators from these domains or referring to these bogus domains.  These fake emails try to trick the administrators into posting a link back to their clients’ websites. By tricking dozens (hundreds?) of other websites into posting these links, the marketers hope to increase traffic and ranking of their clients’ websites.  We find this practice to be sleazy and annoying, in addition to being deceitful. (Our feature article, titled Deceptive Marketing, has been updated multiple times since 2016 and also had the help of a University Professor to understand this practice.)

A few days ago, two of our TDS readers contacted us about these deceptive emails.  Let’s start with this “heartfelt” email from a father named “Wesley Collier” about his son “Spencer.”  Wesley Collier claims to work at the “Harman Library” and spends some quality time with his son to create a family tree to learn about their family history…

Awwwww….Doesn’t this email seem sweet?  Mr. Collier reached out to a very real organization devoted to using technology to explore family history and asked if they might post the link “Spencer” suggested onto the organization’s website. But hold on there, Goldilocks.  Let’s dig deeper into Mr. Sweet Spending-time-with-your-son Wesley Collier’s request…

Did you look closely at the link that “Spencer” suggests should be posted onto the organization’s website?  That “tracking your ancestry” web page of this link is found on a website called Teletrac Navman[.]com. Google says that “Teletrac Navman is a service company headquartered in Southern California with offices in the United Kingdom. It provides cloud-based GPS fleet tracking software and is a subsidiary of Fortive Corporation.”  Basically, it is a trucking company!

And what about Mr. Father-of-the-year, Wesley Collier, and the website he claims to represent called “HarmanLibrary.com?” We believe that “Mr. Wesley Collier” is fictitious, as is the library domain he claims to represent.  A search for “Harman Library” shows a legitimate science library in Israel, but with the domain harman.com.  However, “Mr. Collier” sent his email from “HarmanLibrary.com,” a domain that is not associated in any way with the Israel Harman Library. If you conduct a Google search for HarmanLibrary.com you’ll see that Google knows nothing about this site, though it lists the site.  This lack of information about HarmanLibrary.com is on purpose because the people who created it used special coding called a “noindex” meta tag on their website.  (We found this in their website coding: <meta name="robots" content="noindex,follow" />  This code gives instructions to search engines and it means DO NOT collect information about my website for people to search.)  Why wouldn’t a legitimate library want people to be able to search and find information about it?

Also, if you visit HarmanLibrary.com (which we did after first running a malware inspection), you’ll find that this library website tells you nothing at all!  There is very little information on it. It is so generically written that you can’t even tell what city or state the library is located in. (As of 8/18/18.) In our opinion, the HarmanLibrary.com website is a total red herring and probably used to legitimize many of these marketing requests. (The real Harman library domain, harman.com, was registered to Harman International Industries back in 1995.  The HarmanLibrary.com domain was registered through a private proxy service and is hosted in England.)

Does any of this sound like Mr. Collier’s request on behalf of his son Spencer is legitimate?  Another TDS reader sent us the next two emails… The first is from “Carrie Crecca” <carrie “@” pixtoro[.]com>.  What a coincidence! It’s another parent working on a fun genealogy project with her daughter Sarah. She is asking a real genealogy website to post two links she’s discovered…

One of the links that Carrie and her daughter Sarah wanted to suggest points to a file on the website called “True People Search,” while the other requested link points to a website for a sightseeing company in New York City.  Neither of these websites has anything to do with genealogy. And, by the way, last April we posted a similar bogus email from “Carrie” “@” pixtoro[.]com in an update of our article on Deceptive Marketing. Four months ago “Carrie” was also doing a genealogy project with her daughter “Sarah.”  It must be a REALLY LONG project! (Carrie’s domain, pixtoro[.]com, also looks like a bogus generic photographer’s website with many links to places around the web to add legitimacy.  It contains no contact information to reach the site owners, and it was registered through a private proxy service and is hosted in Spain.  Wouldn’t photographers want people to see their work and hire them??)

The second email received by this real genealogy website came from another fake librarian named “Henlee Phillips” <phillips “@” sutterlibrary[.]com>.  Henlee is also doing a family history project with her son Elliot. Such a remarkable coincidence! Henlee is asking the genealogy website to post a link to a web page located on the website of a New York City cleaning service!  Does this sound like a credible source of genealogy information? Henlee appears to have a Google Plus account with 1 follower and absolutely no information posted other than her name.  What about Henlee’s library website? There is a REAL Sutter Library with branches located in Sutter County, California.  But Henlee’s website is not any of these real sites. Her site, sutterlibrary[.]com, contains very little information other than links to other websites.  It has a mission statement claiming to represent a community in “Eastern Pennsylvania” but no town is listed, nor any phone number.  We can’t find any “Sutter Library” anywhere in Pennsylvania. There are five employee names with email addresses listed on the Sutter Library website.  We emailed each of them to ask a few questions and all emails were returned as undeliverable because no such email address was found for the domain. Given the recent information sent to us by TDS readers, we suspect these “employees” are located in a New York City marketing firm.

FOR YOUR SAFETY: Update Flash Player

Last week over the course of 3 days, we visited the website of a well-known online payment service for the education industry and discovered that their website redirects to malware sites.  (We would rather not embarrass them by naming them.) This is the website we were redirected to last Friday…

The domain “freeofcharge-content[.]date” wanted us to believe we needed an update to our Flash software and to click OK to get it. (We don’t have Flash on our computer for security reasons like this!) Clicking OK would have installed malware on our computer.  We informed the service of this problem. But two days later we visited the online payment service website again and Google Chrome showed us this web page…

We’re glad to see that at least Chrome is paying attention!

Until next week, surf safely!