THE WEEK IN REVIEW
During the past week we saw a significant increase in malicious emails disguised as a wide variety of consumer products and services. We are certain that they all came from the same criminal gang because they shared so many common characteristics. The most obvious one was the fact that the fully qualified domain names, or FQDNs (the FQDN is the part that follows the “@” symbol), consisted of random letters followed by “.us”. Look at the sample scam email addresses below. Now, in the last few days, we’re seeing similar malicious emails that come from the top-level domain called “.club”. So, if you receive an email that comes from a .us or .club address with random letters in front of it, lunge for the delete key!
Here are a few of these emails in list form. The first text you’ll see says “This Advertisement is for United States Only.” They meant to say “this scam is for United States only.”
About a year ago we saw many intimidating-style malicious emails that informed the recipient he or she was being investigated. It was fairly effective click-bait to trick someone into clicking a link and infect his/her computer. These click-bait emails are back. Check out this one with the subject line “Someone may have ran a background check on you…” (English is not their best quality.)
Sample Scam Subject Lines:
Avoid Slips In The Bathroom – Get A Walk In Bathtub
FREE To LOOK: See Photos Of Mature Singles In Your City
Get The Best Belt Money Can Buy!
Give Away The Fr.e.e “ipac” T-shirt
Government Programs May Reduce Monthly Mortgage Payments For Military
How To Naturally Cure Your Dog’s Terrible Breath
Over 2 million sold and…
Protect Your Family With Affordable Insurance
Protect Your Home And Family With A Vivint.SmartHome Monitored System + F.r.e.e Installation
REVERSE Inflammation And Damage To Your Liver
Step By Step LEGO Instructions
Your one stop shop for printer ink and toner
Your next woodworking project
Sample Scam Email Addresses:
1ink coupon inside <1inkcouponinside @ wecksiko.us>
CarryFirearmsEveryDay @ wesaq.us
FidelityLife @ cvsaweq.us
Firstgunt-Shirt @ uhdesw.us
KeySmart-KeyOrganizer @ klereu.us
Match.comPartner @ saqaews.club
STRIKEPEN @ kdajer.club
TedsPlan @ sarkass.us
TheKeyOrganizer @ yutrem.us
VABenefitSurvey @ deswae.us
VIVINTPremierProvider @ qioder.us
WalkInBathEstimates @ uredsw.club
Walk-InTub @ skdrutub.us
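As an added illustration (not a tool from The Daily Scam), here is a small Python check that applies the sender pattern described above to the listed addresses: the .us or .club top-level domain, a random-looking domain label, and a local part that borrows a brand name the sender domain does not carry. The brand list, the crude randomness test and the benign comparison address are assumptions made for this example.

```python
import re

# Added example: apply the newsletter's sender pattern (random letters under
# .us/.club, plus a brand name in the local part) to the addresses listed above.
SUSPECT_TLDS = {"us", "club"}
# Brands that the sample local parts borrow; an assumed list for this example.
BRAND_WORDS = ("match", "vivint", "fidelity", "keysmart")

# Addresses exactly as printed in the newsletter (spaces around "@" included).
SAMPLE_SENDERS = [
    "1ink coupon inside <1inkcouponinside @ wecksiko.us>",
    "FidelityLife @ cvsaweq.us",
    "Match.comPartner @ saqaews.club",
    "VIVINTPremierProvider @ qioder.us",
    "Walk-InTub @ skdrutub.us",
]

def parse_address(raw):
    """Return (local_part, domain) from 'x @ y', 'x@y' or 'Name <x @ y>' forms."""
    m = re.search(r"<?([^<\s]+)\s*@\s*([^>\s]+)>?", raw)
    if not m:
        raise ValueError(f"no email address in {raw!r}")
    return m.group(1).lower(), m.group(2).lower().rstrip(".")

def looks_random(label):
    """Crude pronounceability test: q without u, a run of four consonants,
    or very few vowels. It misses some gibberish; treat it as a supporting signal."""
    vowel_ratio = sum(c in "aeiou" for c in label) / max(len(label), 1)
    return (re.search(r"q(?!u)", label) is not None
            or re.search(r"[bcdfghjklmnpqrstvwxz]{4}", label) is not None
            or vowel_ratio < 0.25)

def sender_reasons(raw):
    """List the reasons an address matches the scam pattern; empty means none."""
    local, domain = parse_address(raw)
    parts = domain.split(".")
    tld, label = parts[-1], parts[-2] if len(parts) > 1 else ""
    reasons = []
    if tld in SUSPECT_TLDS:
        reasons.append(f"tld .{tld}")
    if looks_random(label):
        reasons.append(f"random-looking label '{label}'")
    for brand in BRAND_WORDS:
        if brand in local and brand not in domain:
            reasons.append(f"claims '{brand}' but domain is {domain}")
    return reasons

def triage(senders=SAMPLE_SENDERS):
    return {raw: sender_reasons(raw) for raw in senders}
```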
Phish NETS: iCloud, Apple Security, and Amazon
Lots of phish caught in this week’s phish nets. Look carefully at this email sent to us by a TDS reader. The “from” says iCloud, but the actual web address is 1 @ wildan-tamvan-DOT-me. A mouse-over of the link for “Login Now” points to a file hidden on a server in Vietnam (2-letter country code = .vn). Delete!
This next phish was very sophisticated because it correctly spoofed the address for Apple.com. However, nothing can hide the fact that mousing over the link text for appleid.apple.com shows a website in Russia! (2-letter country code = .ru)
By the way, “mouse-over” skills are some of the most important skills you can have to reduce your online risk from threats like these. If you need a refresher or wish to review your mouse-over skills, check out our articles on this skill:
http://thedailyscam.com/articles/mouse-over-skill/
http://www.thedailyscam.com/mouse-over-skills-on-i-devices/
http://thedailyscam.com/mouse-over-skills/ (video)
Speaking of Russia, here’s another Apple phish sent to us by a reader that also points to a file on a hacked website in Russia.
Most interesting of all was this phishing email sent to us by another TDS reader. It pretends to be from Amazon.com with the subject line “Your Order Has Been Arrived…!” Clever, huh? Look at the from address and figure out what country the email was sent from. Fortunately, there was a problem with the display of the graphics in the email, making it even more suspicious to the recipient. Mousing over the link for “Amazon : Your Order no #812-4623 Has ARRIVED” shows that it points to an email marketing service called elasticemail.com. But LOOK CAREFULLY at the link that is revealed. You’ll find that you will be forwarded to a link-shortening service in France that begins with the secure protocol https. This shortening service is lc-DOT-cx and it is designed to send you somewhere else. We saw a long rabbit hole in this Wonderland of subterfuge and followed it.
Using the tool Unshorten.it we discovered that the next place you’ll be directed is the malicious website happyaccelerator-DOT-com.
We found conflicting information about happyaccelerator-DOT-com. WHOIS.sc said it is being hosted in Quebec, Canada, but the Zulu URL Risk Analyzer says it is being hosted in Bulgaria. Either way, we know this isn’t Amazon! A BIG, FAT DELETE!
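The mouse-over habit described above can be automated for a saved email. This added example (not the newsletter’s own code) pulls each link out of a constructed HTML fragment and reports when the visible text shows one domain while the link actually goes elsewhere, and when the destination host sits under a country-code TLD named in this issue. The hosts in the sample HTML are made-up placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example: an automated "mouse-over" for a saved email. Country codes
# are the ones this issue calls out; the sample hosts are made-up placeholders.
CCTLD_COUNTRIES = {"vn": "Vietnam", "ru": "Russia", "in": "India"}

# Constructed email body imitating the Apple phish described above.
SAMPLE_HTML = """
<p>Your Apple ID has been locked. Please verify your account.</p>
<a href="http://update.example-placeholder.ru/appleid/">appleid.apple.com</a>
<a href="http://cloud.example-placeholder.vn/files/login.php">Login Now</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []   # links: (text, href)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mouse_over_check(text, href):
    """Warnings for one link: shown domain differs from the real host, or the host's TLD is flagged."""
    host = (urlparse(href).hostname or "").lower()
    warnings = []
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())   # a domain in the visible text
    if shown and host != shown.group(0) and not host.endswith("." + shown.group(0)):
        warnings.append(f"text shows {shown.group(0)} but link goes to {host}")
    tld = host.rsplit(".", 1)[-1]
    if tld in CCTLD_COUNTRIES:
        warnings.append(f"link host is in {CCTLD_COUNTRIES[tld]} (.{tld})")
    return warnings

def check_email_html(html=SAMPLE_HTML):
    parser = LinkCollector()
    parser.feed(html)
    return {text: mouse_over_check(text, href) for text, href in parser.links}
```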
YOUR MONEY: Best Buy Reward, Home Value Network
We realize that we’re geeks, but even non-geeks must find a certain amount of fascination with some of the stuff we write about, right? Like $50. What the heck is so special about $50??? During the three years that our blog has been up we’ve identified thousands of scams. Our guess is that about 95% of the scam emails pretending to be vouchers, gift cards, or online coupons to major retail businesses are always for $50. Not $40, or $75 or some other value. $50. Like this “Thank you from shopper reward” email with subject line “Receipt Notification: $50 reward inside.” The links in this email will send you to a malicious web page on the oddball website 2tellglamorous-DOT-accountant. It was registered on the day the email was sent, through a privacy proxy service in Panama. Delete!
“The Value of Your House May Have Increased… See What It Is Worth” says an email from HomeValueNetwork “@” cmewith-DOT-club. Without equivocation, 99.9% of all links and emails pointing to websites that end in DOT-club are scams and/or malicious! Oh, and just for the record, that ad agency listed in this email doesn’t exist. Google cannot find anything about it, nor the address listed for it. It doesn’t exist either.
This next email is certainly something we’ve never, ever seen before! A match service that claims to connect you to a therapist “who understand what you’re going through.” “Personalized Therapy. All Week.” Oh look! The email came from vinsons-DOT-CLUB! It was registered on the day the email was sent by someone named “Louis Testa” from Texas, hosted in Germany, and Mr. Testa is using an email service from Russia (Yandex.com) for his registered email address. You know what to do.
TOP STORY: Landmines Targeting Seniors
The Internet is still a wild, wild west without law and order. Criminals brazenly attack citizens of all countries because they can. There are few if any protections for the citizens of the world. There are no Internet police, and the Internet is set up to be confusing as to who, what and where. As long-time TDS readers know, we place most of the blame with ICANN, the only governing body that oversees Internet rules, registrars and the naming system. One of the most vulnerable populations of people using the Internet is the elderly. Below are two perfect examples of targeted attacks that 99.9% of seniors would not likely recognize for what they are. Landmines.
Take this email that pretends to be about summer vacation options for seniors. “Meet a mate on themed senior vacation trip.” The word “senior” is mentioned six times in this email while “vacation” is mentioned seven times. It is crystal clear who this is targeting. A mouse-over of any of the links reveals that seniors who click will be sent to a file on the webserver vcation-DOT-bid. Google finds no such website or any information about this website. A WHOIS lookup shows that it was registered on August 20 using a private proxy service in Panama. The Zulu URL Risk Analyzer finds nothing wrong with the site (it’s not a perfect tool!) but it DOES find that when you arrive at the site you’ll be redirected to another site called senior-vacation-options-DOT-com. Google cannot seem to find any information on this second site either. And then there is that small, helpful email address listed at the very bottom of the email for “Support.” It points to an address located in India (2-letter country code = .in). Even with our experience, our look into this email raises more questions than it answers. How would most seniors deal with this? They won’t. Many might simply choose to click the link, possibly leading to a computer infection, financial scam or phishing effort to steal credit card or other information.
How about this next bullet targeting seniors? “F.R.E.E to LOOK: See Photos Of Mature Singles In Your City” says an email from Match “@” diipoo-DOT-club. Looks inviting for single seniors, doesn’t it? Care to guess who registered the domain used in this scam? Louis Testa, just like above! And this site is also being hosted in Dusseldorf, Germany. This pitch has nothing to do with Match.com. It’s just another wolf in sheep’s clothing. So who is going to help our seniors navigate these landmines? That is the point. We all should. If you have a senior parent using the Internet whom you believe isn’t very tech savvy, talk with him or her. Explain how easy it is to deceive others online, even when it appears to be so professionally presented. Urge your senior to ask for your input before clicking on things like this. Better yet, ask your senior if you can sign him or her up to receive our newsletter!
FOR YOUR SAFETY: ‘Sup, Check Your Secure File, and We Cannot Deliver Parcel On August 9
We wrote about the continued dangerous circumstance we called “hand grenades from friends.” Just last week, Doug of TDS received this hand grenade from a user he recognized but with a different email address. He didn’t pull the pin.
Another one of our readers sent us this very dangerous email containing the subject line “Urgent Order” that she received from a “John Lee” of freightinternationalservices-DOT-com. “Hello,Your Order needs review. Kindly check the secure file for more details.” When we looked up this website in Google, we saw several red flags that made us suspicious. (See below) Most importantly, freightinternationalservices-DOT-com provided no information about itself to Google. It was as if it were brand new or didn’t want Google to know anything for consumers/businesses to discover about it. Why wouldn’t this business have any information available online about itself? This email smells bad.
Reach for the delete key.
Finally, we still see lots of email tricks saying that your package or parcel could not be delivered. It is a brilliant piece of social engineering! But don’t click that attached zip file.
Or you’ll be very sorry!
ON THE LIGHTER SIDE: Western Union Screw Account!
Who knew that there was a Western Union “screw account?” We sure didn’t. Apparently, we haven’t been co-operating in the past and they are still holding our $2.5 million dollars. All they ask is that we pay the $150 transfer fee. Seems reasonable, right?
From: “westernunion.com”<test@stv.ua>
Subject: Instant Payment of $5,500, MTCN Available For Pick-Up
Date: 2017-08-19 03:28PM
Western Union Money Transfer@Website: www.westernunion.com
Motto: In God We Trust!!!
+234-8151934105
WESTERN UNION INSTALLMENT PAYMENT ONLY.
This email is coming to you in regards to your unpaid funds due to your lack of co-operation in the past.
This organization has decided to make it known to you that the funds in your ATM has been cleared into an screw account and that you will be receiving your funds through the fastest means of money transfer in the world.
Since you have not been able to claim your funds for a very long time, we have to call back your ATM CARD and make arrangement alternatively to transfer your funds instalmentally through Western Union Money Transfer here today which has been programmed to be transferred at rate of $5,500 daily since Western Union
laws here does not allow transferring funds above $5,500 at once from this country to another, but we will be sending under installment of $5,500 daily till the amount of $2.5 Million usd is completely Paid to you as the beneficiary of the ATM CARD in question.
In other words, We have today transferred your first instalment payment ( $5,500) available for your pickup at any western union office nearest to you, but still placed on hold due to the unpaid endorsement & daily activation file fee amount of $150.00 that you are supposed to pay before your daily transfer will be made available to you.
You will pickup the below installment at any western union office nearest to you with below information as soon as you submit the $150 endorsement & daily activation file fee.
You can track your first instalment payment with the Western Union tracking number 1-800-325-6000 or through the western union global website
(https:wumt.westernunion.com/asp/orderstatus.asp?country=global) so as for you to know that the money is available for pick up but will not be released to
you without the file activation fee of $150 paid by you.
Your Payment Details:
MTCN::::::::::::::: 335-754-6626
SENDERS NAME::::::: Donald Vann
SENDERS COUNTRY:::: Lagos/ Nigeria
TEXT QUESTION:::::: Who Is Great
TEXT ANSWER:::::::: God
AMOUNT::::::::::::: $5,500.00.
The endorsement & daily activation file fee of $150 should be sent to our office here in care to our accounting officer through Western Union Money Transfer nearest to you with payment information below:
Receivers Name: MATHEW AREMU
Address: #4989 gibson tower. Abuja, Nigeria
Amount: $150
Text Question: COLOR
Answer: YELLOW.
As soon as you send the fee, send us the transfer Mtcn/Reference to enable proceed with immediate transfer activation of your first installment payment
Notice: This preference is being given to you to our good name and also to make sure we get your funds completely paid to you with no complication of things or delay.
Note: the Activation Fees could not be deducted from the funds in the ATM CARD as we have no access to the funds due to the Fact that it was placed in an escrew account Please submit your Activation charges with the name of our accounting officer as given to you above and get back to this office with details of your payment to proceed.
To avoid complication of things, you are advise to treat this payment as urgent as possible so we can proceed with the activation of your first installment of $5,500usd so you can get it picked up today in any nearest Western Union Money Transfer outlet near you on time to avoid any internet scam hacking of the Mtcn that is given to you above.
Treat As Urgent and get back to this office with receipt of your payment for fast procedures here.
Respectfully Yours.
Ms. Sarah Clayton.
Payment Department
—
Until next week, safe surfing!