THE WEEK IN REVIEW
We’ve been hearing reports from a local neighborhood watch group that people are getting calls on their cell phones from a man with a very authoritative voice who is soliciting donations for a police association. One woman reported it to her local Police Department and they told her it was a scam. Their advice to her was NOT to give any personal information, especially financial information, over the phone, even if it seems like it could be legitimate.
We agree!
Rather than a solicitation for money, last week we received a donation. Someone donated money to our website effort but it was the source of the donation and the amount that got our attention. Our longtime readers know that we often malign Internet criminal gangs in Russia and Eastern Europe as one of the top three sources of Internet crime targeting Americans. And so we found it very odd to receive a donation from someone named Dmitri, through a Russian email address, for one dollar. $1.00? That amount seems more like a message than a real donation. We just can’t figure out what the message is.
We see thousands (literally) of scams from Nigerian 419 scammers pretending to be someone giving away money. Most of their emails contain a “poker tell” by using variations of the word “bless” e.g. Blessings to you, God Bless You, or May you be blessed. Here’s a perfect example making this point. The reason we mention it is because the Nigerian scammer who created this scam was stupid enough to use a Nigerian email address, even though he claims to be a U.S. Army Staff Sergeant. Look for the 2-letter country code that appears at the end of his email address. It is “.NG” which indicates Nigeria. You can find a complete list of 2-letter country codes and the countries they represent here at NationsOnline.org. You can also read a long list of scams like these in our article Advance Fee Scams.
[hr_invisible]
[hr_invisible] Once again, the grammatical errors, errors of capitalization, and awkward English reveal that the creators of this American Express phish do not have very good English skills. We especially loved the subject line “We found suspicious in your account.” However, the creators were clever enough to build a redirect into the link. The link for “Login” looks like it points to a web page on Microsoft’s Outlook.com but if you look carefully you’ll see a second “https” in that link. The criminal obfuscated the redirect by using a URL encoded format, making it hard to spot. We used a decoding site to reveal the redirect. (See below.) That American Express phishing link will send you to a website called lopped[.]link. Lopped[.]link will also redirect you to another website called oreenakloh[.]com where the phishing page is located: This email CLEARLY didn’t come from PayPal! If you look at the end of the “from” address you’ll see that it was sent from domain called amparamparpisang[.]tech. This domain was registered the day before this email was sent. “We declined your last transaction for your safety” The link, revealed by mousing over “Confirm Now,” points to a shortening service associated with MySpace.com! (That’s a blast from the past.) We unshortened the mysp.ac link (using URLEX.org) and followed it to a phishing page on a hacked website called nyeribeuteungah[.]live. [hr_invisible]
Phish NETS: American Express and PayPal
We’ve received so many phishing emails from our readers in the last week that we need to use the “Your Money” column in addition to our Phish Nets column! Let’s start with these fake emails for Bank of America. “ACCOUNT SUSPENSION” The link “update now” also points to a link shortening service through x.co. We used Unshorten.it to reveal that this link points to a hacked website for a dermatologist’s website in Peru. Look at the VERY personal questions the phishing page asks you to provide the scammer! Here’s another phish claiming to represent Bank of America, but with a broken graphic. This phish also linked to a link-shortening service, but this one is through ow.ly. The scam phishing page looks extremely official! This final phish correctly spoofs the “from” email address to appear as notify.wellsfargo.com but don’t believe it! Once again, the English in the email should make you suspicious. And the fact that a mouse-over of “Update” points to a shortened link through x.co. Unshorten.it shows that the link points to a page on the hacked website called FEHUGROUP[.]com, a marketing service in Bogota, Colombia. [hr_invisible]
[hr_invisible]
YOUR MONEY: More Phishing… Bank of America and Wells Fargo
There is a growing alternate Internet universe created by marketing companies who pretend to be real people as they try to promote websites and gain the attention of readers. Though they are not criminal scammers, they are purposely deceiving, lying, and increasingly annoying! It’s time we “outed” these marketers and their auto-bots. Anyone who runs or controls a website likely receives emails like the ones below. Let’s begin with this email sent on behalf of a “treatment of addiction” center in the UK, with the subject line “Can you help me?” The email shown is actually the second email, sent after their first email received no reply or action. A follow up second email is typical by these marketing bots. “Oliver” (the supposed sender of this email) informs the recipient that his website aims to educate people about Internet porn addiction. He says he’s created an infographic titled “The Stats on Internet Pornography” and is asking the recipient to post a link to it on a web page owned by the recipient and containing related information. However, if you look carefully at “Oliver’s” request, you’ll see that the recipient of his request is an elementary-middle school! So Oliver wants this elementary school to post a link on their school website to his information about Internet porn addiction?? As you might expect, “Oliver” never responded to an email from the school’s representative, most likely, because “he” is an unmonitored bot. Here’s a set of emails that came to us at The Daily Scam, allegedly from someone named “Grace” who represents a website about mesothelioma. “Grace” really respects and admires our work and wants us to post a link to her website because she thinks we provide some information about fire safety… We immediately sent the following reply back to Grace… “Grace, or whatever your name is. Do you even look to see the websites that you send your spam requests to? We EXPOSE scams and fraud. We don’t have fire safety info on our site and we certainly won’t post your link. I suggest you do your homework next time when you send out a spam mailing and refine your list.” We never got a response to this email but about 5 days later we got a follow up request to post that link. This was our second response… “Grace, You are clearly a mass mailing bot or an idiot. You didn’t even look at my last email, which proves my point. Perhaps our group will do a story on spam email solicitations such as yours.” “Grace” didn’t reply. The number of these bot marketing requests disguised as people has exploded over the last year. Where we used to get one about every other month, we now get them every week. Here’s another one that we believe is from a marketing bot. The sender appears to be legitimate and the owner of the website he claims to represent. He offers a link about an article on WordPress security — a topic that might interest us and our readers. However, it doesn’t take much digging to learn that his website is “a place where you’ll learn how to build, rank, and monetize profitable content-driven affiliate websites.” In other words, this website has nothing to do with security at all. (We are purposely not naming this website or owner because we choose NOT to promote his site!) We also replied to this email to ask why we should honor his request since our website mission and purpose was so very different from his website. We said that his request seemed only to be a superficial effort to promote his services. We have not yet received a reply. These requests are annoying BECAUSE they purposely try to fool people into believing that there is a real human being contacting them when, in fact, these are automated marketing requests. And poor requests too. We lunge for the delete key.
[hr_invisible]
TOP STORY: Marketing Bots As People
[hr]
FOR YOUR SAFETY: Emotional Pain and Financial Loss
There is so much deceit perpetrated online that it makes us sad to think about how many people are fooled every day. The emotional pain and financial loss felt by millions who are defrauded is horrible. Here are just a few of the thousands of emails we see every year that try to pull on the heartstrings of the recipients who are targeted. Subject lines include “Concerned Children” (sent from Germany), “We Are Touching Lives” (sent from Italy), and “You have been selected for a private donation” sent from a fake charity website called charityanddonations[.]com. (Charityanddonations[.]com was registered a few months ago in April, 2018. It has been mentioned as a scam site on ScamWarners.com and other websites too.)
[hr_invisible]
Until next week, surf safely!