August 26, 2015

THE WEEK IN REVIEW

It seems that CoTap reared its ugly head again this week, sending out spam disguised to look like your company or organization had started to set up an account and you were invited to join in. We reported on this spam tactic last April in our Top Story. Check it out. There has also been a significant jump in malicious emails that use stolen email addresses from people’s hacked accounts. We reported on this very risky type of email in a feature article called “From Hell.” On to this week’s sampling of scam subject lines and email addresses…

Scam Email Subject Lines

ABCNews Report: Students Use Smart Pill to Increase IQ Scores by 77% in 4 weeks

Affortable yacht charters

ATTN: Your Privte Info has been Revealed Record #18555082

Auto accident lawyers- Personal injury attorneys

Cheapter-Cellphone-Plans

Get Better Results When sending Emails…

National Gun Owner Assoc. Recommended Survival Tool, 75% off expires 08/19/2015

Online teaching resources—compare teaching Certification programs

Re: Miracle herpes solution ends herpes in only 2 weeks

Re: Stop rain, snow, and ice from causing mold and damage

Save on luxurious vacation… to Ireland

SHOCKING: Jared is A Predator

View coupons; for Oil Changes

WIRED, Cool New iPad Tool, Limited Supply August 21, 2015

Scam Email Addresses

Amanda-Clarke@publishingvibes.edu

brand@decsions.com

EducationOnline@tructs.eu

Hartygl331@inbox.ru

Harvard-Heart-Cure@aparttour.eu

info@tupreshes.com

info@helpskelep.com (LOTS of emails from “info@” odd domain names)

jobsj@ips.co.uk

Natl.Lib.of.Medicine@Majesticswords.work

questions@bluearan.co.uk

Regina_Wells@plannedsearchforjob.eu

Service@paypall.com (Notice the Paypal misspelling!)

Sport_shirts@123.com

TransformYourShape@famouswebs.work

yourgolfpro@oxil.eu

Phish NETS: Outlook, Apple and Paypal… Again!

We would be thrilled for the opportunity to interview criminal gang scammers! Seriously! One of the dozens of questions we would like to ask is why Apple is such a valued phishing target over so many other targets. Once again, we’ve seen a lot of Apple and Paypal phishing scams like the ones below, as well as a phishing scam targeting Outlook email users. Fortunately, a simple mouse-over of the “click here” links easily reveals the fraud, and the awkward grammar (“Login your PayPal”) should also make recipients suspicious. However, email recipients will have to look carefully: if you only glance at the Paypal scam link revealed by a mouse-over, you might think it is legitimate. Look closely at it. How quickly can you spot the scammer’s clever spelling trick? Domain misspellings are common scam tricks, such as the email address noted above, Service@paypall.com.

Now delete.

In case readers were thinking they might visit Pakypal.com to see what the phishing site looks like, don’t! Scammers will often hide malware on phishing sites to try to infect computers, or the pages might contain embedded “redirects” that send a visitor to a malware site. The Zulu URL Risk Analyzer, a valuable online tool though not a perfect one as you see above, reports that this site contains “too many redirects” to follow them all. At least Sophos anti-virus warns visitors about this site. Just delete!

3-Paypal account has been limited-VirusTotal

Other phishing emails from the past week also include grammar mistakes and awkward English, once again demonstrating that these scams are likely produced by non-native speakers. Also, Apple would never write a subject line saying “Your Apple Termination of Service.”

4-Update your Paypal account

5-Apple iCloud service termination

YOUR MONEY: Vacation Packages, Luxurious Vacations!

Frankly, we should have written about this earlier in the summer. We’ve seen many malicious emails disguised as vacation packages and offers, or “affordable” ways to travel by yacht, private plane or first-class seating. These types of scams have been big over the summer and here are just a few of hundreds. As far as we can surmise, the biggest risk to clicking these links is either infecting your computer with malware or being tricked into handing over your credit card information. If any of our readers have fallen prey to one of these scams, we’re sorry to hear it but would like to hear from you about your experience with them.

Though not consistently, we often see that these scams have links back to unusual top-level domains like dot-review, dot-work, and others. Check out this recent list of scam vacation emails from one honey-pot email server and the samples below.

Delete, delete, delete!

Neither the Zulu URL Risk Analyzer nor VirusTotal.com identifies the Hawaii vacation email link or its website tuthorco.com as malicious. But in case you had any doubts about whether this Hawaii vacation offer is a scam, let’s point out the issues…

  1. The domain tuthorco.com was registered with Enom.com just two days before this email was received, and the registration came from Guangdong, China.
  2. The domain was registered by a business named “Bobbie Productions” in Alexandria, Louisiana, but a Google search for this business turns up nothing at all.
  3. A WHOIS lookup shows that the website is being hosted in London, England.
  4. There are at least 5 links in the email and all of them point to the exact same address, including the weird links that say “Be strong and get it done” and “You have the control,” which also reference odd addresses in Texas and Washington state.
  5. There are paragraphs of out-of-context text at the bottom of the email. This is a trick spammers often use to try to fool anti-spam servers into scoring the email as “legitimate.”

Just delete, delete, delete!
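As an added example (not the newsletter's own tooling), here is a small Python check that applies three of the tells from this section and the Phish NETS section to an HTML email body: every link pointing at one host, a watch-list top-level domain such as dot-work, and a brand domain misspelled by a character or two (paypall, Pakypal). The brand list, the TLD watch list and the sample bodies are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Brands this issue shows being impersonated through misspelled domains (paypall, Pakypal).
BRAND_DOMAINS = {"paypal.com", "apple.com", "outlook.com"}
# TLDs the newsletter says keep turning up in scam links; using them as a watch list is an assumption.
WATCH_TLDS = {"work", "review", "eu", "site"}

class _LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def edit_distance(a, b):  # Levenshtein: insertions, deletions, substitutions
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    # Brand domain that `host` is within two edits of (but not equal to), else None.
    host = host.lower().removeprefix("www.")
    for brand in sorted(BRAND_DOMAINS):
        if host != brand and edit_distance(host, brand) <= 2:
            return brand
    return None

def assess(html):
    # Return the list of tells found in one HTML email body.
    parser = _LinkParser()
    parser.feed(html)
    hosts = [(urlparse(h).hostname or "").lower() for h in parser.hrefs]
    findings = []
    if len(hosts) >= 3 and len(set(hosts)) == 1:   # tell #4 in the Hawaii list
        findings.append("all_links_same_host:" + hosts[0])
    for host in sorted(set(hosts)):
        if host.rsplit(".", 1)[-1] in WATCH_TLDS:   # dot-work, dot-review, dot-eu
            findings.append("watch_tld:" + host)
        brand = lookalike_of(host)
        if brand:                                   # paypall.com, pakypal.com
            findings.append(f"lookalike:{host}~{brand}")
    return findings

# Constructed sample bodies for the example; not the emails pictured in the newsletter.
HAWAII = '<a href="http://tuthorco.com/go">Explore Hawaii</a>' * 5   # five links, one destination
PAYPAL = '<p>Login your PayPal <a href="http://www.pakypal.com/signin">click here</a></p>'
RECORDS = '<a href="http://checknow.example.work/view">go here</a>'
```

A mouse-over does the same job by hand; the point of the script is that each of these tells is mechanical enough to flag before anyone clicks.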

8-Affordable Costa Rica Vacations

9-Explore Hawaii

TOP STORY: Your Arrest Record, Employment History, Criminal Info, Public Record, Private Record and Court Report!

For months we have been seeing people targeted by emails that rely heavily on social engineering tricks to produce clicks to malicious websites. Most of these emails are meant to incite concern on the part of the recipient, if not fear. Most of these malicious emails follow the same template as you’ll see below. The text in most of the emails is nearly identical. Here are the opening lines from three recent examples:

Your court and/or public records have been searched (2) times within the last 36 hours.  See access #18259918 for more information. By searching your name, anyone can view your private information, court records, current address, and more. Immediate action is required to secure your records (#18259918): If you did NOT request your background report, please go here:

Your criminal and/or personal records have been requested (3) times within the last 48 hours. See access #6991559 for more information.   By searching your name, anyone can view your personal information, court records, current address, and more.   Immediate action is required to protect your information (#6991559): If you did NOT request your online information, please go here:

Urgent: Your criminal and/or background records have been viewed (3) times within the last 48 hours. See access #14936018 for more information.   By searching your name, anyone can view your employment history, criminal records, current address, and more.   Immediate action required to secure your information (#14936018): If you were not the one who requested your background report|public records, please go here- viewthem. aimscriminalcheck. work (LINK broken on purpose) or To dispute the request for your background info go here:

10-Your arrest report has been viewed

11-Your employment info has been requested

To prove our point about the malicious intent of these emails, check out this one below from the domain checknow.thoughprofilescheck.eu. NOTE: Our readers should remember that a dot-eu (.eu) indicates that the domain was registered somewhere in the European Union! You can read more about the dot-eu top-level domain on Wikipedia.

12-Your court info has been searched

The Zulu URL Risk Analyzer scored the web address as “benign” or harmless but we noticed that the website contained a redirect to another web address that we’ve seen many times before and the redirected website, enzjptkr.com, is very malicious! Also Bitdefender and Trustwave both acknowledge that enzjptkr.com is risky!

DELETE!

13-Your court info redirect

14-Your court info redirect is malicious

15-Your court info VirusTotal score

FOR YOUR SAFETY: Courier Unable to Deliver Parcel to You, Please See Attached Purchase Order

Both of the emails below use simple social engineering tricks to manipulate the recipient into opening a zip file containing malicious software. Both emails came from outside the United States, as indicated by the country codes in the “From:” addresses: dot-pl indicates Poland and dot-ae indicates the United Arab Emirates. Learn more about the risks from zip files and other file types by reading our article Filenames will set you free!

16-Problems with item delivery

17-Purchase order attached

ON THE LIGHTER SIDE: Free Invitation to Join Ashley-Madison!

We are both very happily married and would never seriously consider this offer. Given how much the Ashley-Madison website is in the news, we’re not surprised though that they are inviting people to join. But what’s that website silentaffairmite.site?

Until next week. Surf safely!

18-Ashley-Madison invitation