THE WEEK IN REVIEW
Vacations are over! Kids are back at school. And the bloodsucking men and women who make a living as human leeches with their scams and malicious emails are back at their desks! (For the record, we don’t think the Nigerian 419 scammers had a vacation this summer.) Last week malicious emails began hitting our honeypot email accounts again and many readers reported similar experiences to us. Also, phishing emails have started up again, as you’ll read below. It is September. **sigh** Oh well. The quiet weeks of August were nice but it’s time for everyone to ramp up their awareness, careful reading of online content, and evaluative skills!
We are so excited to share with our readers that we were the 5 Billionth person to conduct a search since the last 5 Billionth winner was selected! As a result, we were invited to choose a prize by clicking one of three buttons! We’ll also receive a winner’s certificate and be entered into their “Hall of Fame!” OMG! But we couldn’t make up our minds! Should we take door #1, #2 or #3? What would Monty Hall of Let’s Make a Deal fame recommend? Wow! What are the odds that the last winner also lived in our home town?!
Let’s dig a bit deeper into this “prize” BS…. Doug was looking up a restaurant’s website in Lynn, Massachusetts. When he clicked on the link, he was immediately redirected away from the restaurant’s domain to this “prize” domain bigabum15[.]live. (“Reward9252” that preceeds the domain is a subdomain.) The bigabum15[.]live domain (as in “bigger bum?”) was registered through a proxy service on August 31, the day before Doug visited the restaurant’s website. We did not proceed any further by selecting a “prize.” Doing so might easily have installed malware on our computer. We urge readers never to click on crap like this!
In the first half of August we reported on a malicious email that used stolen graphics and information about a Hoover “One PWR” vacuum that “washed while it vacuumed.” Days earlier, the criminals had purchased a domain called floorstep[.]pro to host their malicious files. They are back again with the same clickbait but using a misspelled Hoover name for the domain: hooverr[.]pro. It was registered on August 31, the same day this malicious email was sent, and the domain is being hosted on a server in Amsterdam. This email makes a strong case why it is so very important to look carefully at domain names. If something seems out of place or not right, don’t click!
Phish NETS: Paypal again, and again!
Readers sent us their phishing scams and all of them targeted Paypal users! Under the category of “just because it looks official, doesn’t mean it is,” we have this email sent from the domain service-paypal-support[.]co[.]us. The “paypal” that precedes this domain name is called a “subdomain” and is separated by a period from the actual domain name. (Any domain owner can easily create a subdomain name that appears in front of a domain name to say anything they want!) It takes no effort at all to enter “paypal” into a Google search field and see that the real domain for Paypal is paypal.com. This hyphenated multi-term domain name is not legitimate! (Nor does it seem to exist according to a WHOIS registry.) In addition, you’ll see that this phish was sent to “undisclosed-recipients.” “You account has been temporarily blocked” following a suspicious purchase for $299.99
But what makes this phishing scam most interesting is that it DOES NOT contain a link to a fake Paypal site, asking you to log in thereby revealing your login credentials. Instead, you are offered a “Paypal Helpline” and asked to call the phone number immediately. This IS NOT the real Paypal phone number! The phone number in this scam, 850-888-7284, has been reported several times as fraudulent on the website FindWhoCallsYou.com.
A TDS reader also sent us this email which CLEARLY came from an email server in Japan called ekenko[.]co[.]jp. (“.jp” = Japan) It claims to be from “@PayPalNews Coustumer Account-Activity” (Yes, the criminals misspelled it. They can’t be good at everything!) “Make your account secure” because your account “has just been accessed from a new browser or device.” You are asked to secure your account by using the BIG BLUE BUTTON to login into it and confirm your information. That BIG BLUE BUTTON doesn’t point to Paypal.com. It points to a domain cleverly named access-services-user[.]com. (The word “confirm” that precedes the domain access-services-user[.]com is just another subdomain.) This domain name was registered anonymously through a proxy service in Panama a couple of days before this email was sent.
IMPORTANT FOOTNOTE: Many years ago, “secure link protocols” were first developed for use on the Internet. These secure links begin with HTTPS (S = secure) and criminals were not able to register domains with httpS protocols because a domain owner had to jump through LOTS of hoops to prove who they were and what they represented on the Internet. We used to teach people that if you see a link beginning with “https” you knew it was legit! Those days are long gone! Now it takes nothing more than a click and paying a fee to use the secure protocol https. If you look back in the link at the bottom of this Paypal phishing email you can see that it begins with https. So much for the once-lofty value of being “secure.”
YOUR MONEY: Get 5 Dr. Seuss Books for $5.95 and Fox News About Shark Tank
Several times this year alone, we have pointed out that a cybercriminal gang is likely using automated software to create their directories and links using two random hyphenated words. We started noticing this back in 2017! In fact, it was our Top Story on July 24, 2019. Now take a look at this just-in-time-for-the-school-year offer to purchase five Dr. Seuss books for $5.95. The email comes from, and has links pointing to the bastardized spelling of Dr. Seuss’s name: drsasuues[.]pro. (This is NOT a coincidence that we see another malicious DOT-pro global top level domain. Criminal gangs likely get discounts when they buy them in bulk. Everyone needs to save a little money when they can, even cybercriminals.) The domain drsasuues[.]pro was registered on August 29, the same day this email was received and this fact is NEVER a good sign of legitimacy! Also, we are also immediately suspicious when we see that opening sentence “This offer is for United States only” because it often appears in malicious emails sent by the same cybercriminal gang.
But let’s return to the two hyphenated word poker “tell” of this malicious clickbait. Look at the bottom of this email at the link that appears when we moused over it. Find the two hyphenated words that follow the first forward-slash “/”. Churchwoman-represses. The Zulu URL Risk Analyzer had no problem nailing the intentions of this click-bait. If you see random hyphenated words like this, lunge for the delete key!
We have an idea that explains why we often see malicious emails pretending to be about the TV series called “Shark Tank,” like the email below. Maybe, just maybe, it’s because some cybercriminal gang boss really loves to watch Shark Tank! This multi-millionaire oligarch probably fantasizes about being a Shark on Shark Tank! (He would never fantasize about being a hopeful pion pitching an idea, mind you. He wants to be a big deal wheeler and dealer!) And so to play out his fantasy and self-inflate his ego, he tells his minions to “go make me rich by using that show I always watch…Shark Tank!” But we digress….
This click-bait subject says “Fox News: What is the Shark Tank Product Everyone is Talking About?” Of course this “Fox News EXCLUSIVE” is total BS. This email didn’t come from Fox News like the sender wants us to believe. Look at the domain that follows the “@” symbol! However, the funniest part of this clickbait is the domain that the links point to…. Assroom[.]info. This inappropriately chosen domain name was registered on August 20, ten days before we got this email and is being hosted in Canada. Adding insult to…errr…insult, is that this room-filled-with-derrieres domain was also used in some other scam requiring someone to register for something. We don’t know what the registration scam was about but we found this other image below taken when that website first appeared on the Internet. Make room for something else in your inbox and drop-kick this badass goodbye!
TOP STORY: Have You Had “The Talk” Yet?
A new season of scams appears to be scaling up and targeting people around the world after an unusually quiet few weeks in August. The very fact that you are reading this newsletter means that you are concerned enough about online threats to want to raise your awareness and learn how to recognize online fraud. Many of our readers have become very savvy at reducing their online risks, especially those who regularly send us suspicious or known scams and malicious emails. However, it begs the question… How well would your spouse, children, parents or friends do if they were targeted? (Most likely, many of them are already being targeted.)
The reason that Dave and Doug started this blog over five years ago was because their family members had been targeted and nearly tricked into sending lots of money to a scammer who had posted bogus apartment listings on Craigslist and another scammer who wanted to hire someone to look after her 8-year old boy in a wheelchair. Sadly, several of our elderly family members have been successfully targeted as well.
Even those of us who are savvy enough to recognize threats can be vulnerable, depending on the circumstance. Just recently, one of our spouses, while looking at email on her phone, was overheard to say “I didn’t sign up for eHarmony! Why am I getting this? Where’s unsubscribe?” At which point we yelled out “Don’t hit unsubscribe!” Smartphones may be convenient but they make it extremely difficult to see the actual email source domain. Instead, they are designed to show whatever words or names are shown in front of the sender’s real domain. We opened up that email on a computer and could tell immediately that it was malicious clickbait by looking at the sender’s domain.
Every week our families receive dozens of scam phone calls pretending to be about all kinds of craziness like IRS and tax debt, Ponzi cash schemes, credit card offers, insurance offers, Amazon and Apple customer service calls and more. It is a veritable deluge of spam and scams that pour into our email, text screens, phones and even our social media accounts. And so it begs the question… Though you are savvy and interested enough to be reading this newsletter (and presumably other content on our website), are your spouses? Your children? Your parents? Your friends? Have you had a conversation with any of them about possible threats that they receive?
If you haven’t yet, it’s time to have “the talk” with them! Ask them about their online experiences! Have they ever received something that felt odd or unusual by it’s content? Do they know how to find and review a domain name and why it is important to do so? If someone called them and told them that he was calling from Amazon Customer Support about suspicious activity on their account, would your relatives accept that call at face value? Would your friend or family member click a link to an email that says her credit card account was locked due to suspicious activity and she needed to click a link to verify her information?
We could go on and on, but you get the point. Your friends and family members are likely much more vulnerable to online fraud and threats than you are. It’s time to have “the talk” with them about their online experiences, especially now that cybercriminals are scaling back up for another “season” of targeting us all. Show them our website articles, teach them to look at domain names and how to mouse-over links. Sign them up to get our newsletter. Show them our previous newsletter topics! Teach them how to mouse-over links and look at destinations BEFORE they click! Help them understand that viewing content on smartphones or iPads makes it harder to identify fraudulent content than on a laptop or desktop computer.
It’s time to have “the talk” with friends and family to better protect them. If they haven’t been targeted yet, the odds are that they will be.
FOR YOUR SAFETY: Check the Attached File and Bitcoin Soft!
This next email supposedly came from someone at North Star Support Group, an organization devoted to helping families who have children with disabilities. However, if you read the content carefully you’ll notice that the English isn’t quite right. It’s awkward, as if it isn’t the sender’s first language. “Payment for 1842.34 USD you made at 08/19/2019 is accepted and received by specified recipient.” Of course, the sender is hoping you’ll click on the attached document labelled “Full_payment_info.” But that attached document is a “docm” document. DOCM documents are Word documents that have “macros enabled” meaning that they will execute specific code upon opening. Because of this automatic code execution, they are commonly used by criminals to send malware! This is a computer infection in the making!
This next email is so obviously a fraud but it is worth pointing out how criminals misuse link shortening services like Bit.ly because it hides the real destination of a link. Someone who clicks that link will immediately be redirected from Bit.ly to somewhere else on the Internet. The Zulu URL Risk Analyzer informed us that the link bit.ly link will redirect you to a domain called getli[.]online. Getli[.]online was registered on August 21, ten days before we received this email and the site has been blacklisted by at least two security services. It is highly likely that malware is sitting at that destination waiting for your arrival! Let this bad boy go! Bitcoins are too risky anyway.
Until next week, surf safely!