THE WEEK IN REVIEW
After losing our primary honeypot server recently, we wondered if we could continue to find enough scams and malicious emails to expose for our readers. We shouldn’t have worried! We’re thrilled to say that The Daily Scam is back in business with two honeypot email servers that are collecting thousands of scam emails weekly! Well, maybe “thrilled” is the wrong word but you get the idea.
BEWARE any emails containing the subject line “Order Payment” and especially “New Voicemail Message.” (see below.) Both carry viruses and we’ve seen hundreds of them blasting our email servers over the course of days.
Also, it is EXTREMELY IMPORTANT that our readers look at our newest feature article about Amazon Customer Service scam numbers! We recently heard from a woman who suffered an emotionally disturbing scam resulting in the loss of her digital privacy and a few hundred dollars. It all started when she Googled “Amazon customer support phone” Don’t call the numbers you’ll find! No joke! Read our article and please share it with friends and family, and across social media! We all use Amazon and we discovered that it is easier to find a scammer’s number pretending to be Amazon customer service than the real Amazon customer service number!
Visit: http://www.thedailyscam.com/not-amazon-customer-support/
[hr_invisible]
Sample Scam Subject Lines: %Second Notice% An important update notice Are You Still Single??? Find Your Next Date Right Here Attention Customer, Dispatch Order-code#: JG1N8875BS Jump-start your weight loss on Nutrisystem Lean 13 LAST & FINAL WARNING NOTICE!!! Re:2017 Universal Travel Adapter(2) The Best Life Insurance Rates in Your State! This Can Do What? URGENT ATTENTION! You Can Save 36% On Your Business Phone Bill Welcome to our new website!
Sample Scam Email Addresses BE WARY of email from 163-DOT-com (Chinese service) and Yandex-DOT-com (Russian service) 1ink.com <1ink.com @ linjhs-DOT-club> “Admin”<elainiiiemoyse @ tiscali.co.uk> [NOTICE this begins with “Admin”] “Blood Health” <BloodHealth @ colormetime-DOT-stream> “Enjoy Real Flying” <ProFlightSimulator @ playerchoice-DOT-bid> Firearms Gun Holster <FirearmsGunHolster @ michles-DOT-club> FORWARD HEAD POSTURE FIX <FORWARDHEADPOSTUREFIX @ qwesa-DOT-club> “Gift card” <Giftcard @ tonsviller-DOT-stream> “Men And Women Defeated By Pain” <contact @ hiddensurvival-DOT-bid> “Perfect Portion Diet” <perfect.portion @ tagtotal-DOT-com> “Summer AirConditioning” <acspecials @ acsavings-DOT-com> Terminix <Terminix @ lafarged-DOT-website>
The Timeshare Professionals <TheTimeshareProfessionals @ wesdsa-DOT-bid> Vonage Business Partner <VonageBusinessPartner @ fhdfgds-DOT-website>
[hr]
[hr_invisible] When it rains, it pours! Let’s start with SunTrust Bank. Look carefully at this email that appears to come from secure@suntrust.com. The from address was expertly spoofed. “Account Temporarily Suspended” “As part of our security measures, we regularly screen activity in suntrust Online Banking System….” The grammatical and spelling errors in this email are subtle. Can you spot them? A mouse-over of the link “suntrust.com” reveals a link to a shortened URL at bit.ly… [hr_invisible] We used Unshorten.it to see that the victim will be redirected to a pet food website in Israel. Not wanting to risk a possible malware infection, we used Screenshot Machine to peek at the page. We weren’t surprised. Look below! [hr_invisible] During the three years we’ve been in operation, we’ve never seen a phishing scam trying to capture credentials for Microsoft Office 365. But we caught this phish just a few days ago! At first we thought it was simply a malicious email until we followed the breadcrumbs. “Due Invoice Wire sent” seems to come from Microsoft but, in fact, it doesn’t. The from address was spoofed. A mouse-over reveals that the links in this email point to a server in India called “akhienterprise-DOT-in”. Look below at the web page that waits for your arrival. It conveniently included the user’s email address for login purposes too. Deeeeleeeete! [hr_invisible] And then there were these three lame emails phishing for your login credentials to PayPal, Bank of America and Apple. The PayPal email had an attached html file that is very dangerous to open! The other two contained links to far-off websites. The Bank of America email was sent from an address in Romania. (.ro = 2-letter country code) and contains a link to a server in Columbia. (.co = 2-letter country code) The email pretending to be from Apple was clever because the scammers made their link look like a secure link (https) with a token (code) for identifying your account. Delete, delete, delete! [hr_invisible] [hr_invisible]
Phish NETS: SunTrust Bank, Microsoft Office 365, PayPal, Bank of America, and Apple ID
There seems to be one criminal gang that is most responsible for the majority of malicious emails disguised as consumer products. We make this claim because so many of them show the same design, layout, underlying html code and domain naming tricks. Take these three… The first came from AutoWarrantyNetwork “@” itrfjfn-DOT-website. Notice that it appears to be a random set of letters following the “@” symbol and before the top level domain “website.” That domain, itrfjfn-DOT-website, was registered by someone named Stephanie Savage from Louisiana on the day email was sent. And the website is being hosted in Bucharest, Hungary. Notice the hidden text at the bottom of the email? Most of our readers know that criminals include it hoping that it will trick anti-spam servers into thinking the email is legitimate. (Thankfully, that rarely ever works.) “A used car may let you skip the state sales tax.” “Get an affordable used car without hassles.” Even though this next email seems to have been sent from caroption.com, a domain registered way back in 2003, don’t believe it! Links in the email point to a webserver identified as direv-DOT-download. This domain was registered using a private proxy service in Panama on the day the email was sent. Delete! There are sooooo many reasons to throw out this next email about “summer specials for A/C replacements” starting with the fact that the domain, acsavings-DOT-com, is listed for sale and Google finds no such website. Or the hidden text at the bottom of the email, or the tech support contact link pointing to India, or that Google maps cannot find the address on Pallet Street that is listed at the bottom of the email, or the fact that the links point to a domain (costguid-DOT-bid) that was registered minutes before the email was sent. Blah, blah, blah… Just delete and move on… [hr_invisible]
[hr_invisible]
YOUR MONEY: Auto Warranty Network, Used Car Inventory and Summer Specials on AC Replacements
In our market-driven economy it isn’t uncommon for businesses to conduct a market analysis and pay people to take a survey or evaluate products. This is exactly what these malicious emails are trying to take advantage of. Take the survey now and earn $50. “You have been selected to take part in an Anonymous Survey about CVS!” says the first email from RewardCheck @ celloway-DOT-stream. Who wouldn’t jump at the chance to take a 30 second questionnaire and earn $50? But at the other end of this link is malware, and statistically speaking, it is most likely ransomware that will lock up your computer and cost you hundreds of dollars to unlock it. The Zulu URL Risk Analyzer took only seconds to determine that the link in this email is 100% malicious. Do you feel like you’ve seen this next one before? “You have been selected to take part in our anonymous survey about Amazon” says an email from GrabYourGift @ navalane-DOT-stream. “Take this 30 second questionnaire and we’ll offer you an exclusive reward worth over $50.” Bull patties! This landmine came from the same creators of the CVS lure above. As did the final email below that was sent from “TargetWinner @ MotorCrane-DOT-stream” and wants you to believe it came from the store Target. [hr_invisible] It’s obvious, once again, that deceipt online is rampant and easy. Which is why we continually emphasize how very important it is to keep a healthy dose of skepticism and check on the authenticity of content before clicking! [hr_invisible]
[hr_invisible]
TOP STORY: Take The Survey Now!
[hr]
FOR YOUR SAFETY: Link to Invoice, Our New Website, and New Voice Message
Our honeypot servers were targeted by two emails, sent hundreds of times and containing viruses. The sender’s email and subject lines were:
From: “Tarr Judit” <tarr.judit @ isguniball.eu> [.eu = European Union]
Subject: RE: RE: Order Payment
From: “Voicemail Service” <vmservice @ [YOUR DOMAIN}.com>
Subject: New voice message 18386190497 in mailbox 183861904971 from “18386190497” <1265883746>
The email below was sent to us by a TDS reader. She recognized the fraud and didn’t fall for this malware trap! The “invoice” is supposedly available in the service OneDrive, but that link points to malware sitting on a server in Brazil. (.br = 2-letter country code)
[hr_invisible]
We collected many emails with the subject line “Our new website.” Each contained an invitation to view some new site that wasn’t identified. The emails were nearly identical and very generic, and clever. They pointed to various websites around the world, and each was malicious. Check out what TrustWave informed us through VirusTotal.com about the link in this email…
[hr_invisible]
[hr_invisible]
ON THE LIGHTER SIDE: Forgive My Intrusion
As Olivia Carlsson points out below, she sent us an unconventional email to seek our friendship. How lovely it is that she wants to be our friend! We’re touched. And we’re impressed with Olivia’s English when Swedish is likely her native tongue. She must be really skilled in languages and a world traveller because her email address “correo @ ferhing-DOT-com” is from a website in Spanish and located in Ecuador. She’s our type of gal!
From: “Olivia Carlsson”<correo@ferhing.com>
Subject: Hi
Date: 2017-08-26 07:37AM
Forgive my intrusion as I know that this is an unconventional way of reaching out to you.
My name is Olivia Carlsson and I am from Sweden. My reason for writing you is to seek your friendship! Just being adventurous and decided to use this letter as a resource tool to get your attention. As a matter of fact, I have been wanting to try this a while now to chat. But I was clueless on how to go about it.
Maybe you find it strange that I am using something as cold as this means to reach you. But this is the best I can do for now.In short: the purpose of this letter is just to ask you if you want to be my friend. And if you agree, just say yes and we can take it on from there.
I look forward to hear hearing from
Olivia.
—
Until next week, safe surfing!