December 11, 2019
The Week in Review
Sometimes we get bizarre offers at The Daily Scam, like being invited to reship stolen merchandise! David (our graphic design Guru) received the two job opportunities below, and we wanted to share them with our readers. The first job offer is SO BIZARRE that we can’t even figure out what the first paragraph means. Perhaps David should pursue it because it pays $3200/month and he thinks he can meet the criteria to “corporally exist at your house from 9 AM ending with five PM.” However, we’re not sure if he meets the criteria of being “a fresh mamma, a scholar of distant way of studying, pensioner, invalid human, or the persona which doesn’t like to leaving place of residence for labor.” (Seems like SOMEONE needs a better AI translator!)
After a good laugh over that lovely job offer, we couldn’t help but notice the very odd spacing (along with a hundred other oddball things in this email). The spacing prompted us to drag through the text to highlight it. Look what we found! Tiny grey text (different font size) that was the exact same color as the grey background. Someone has clearly gone to great effort to obfuscate the words in this email so that it will pass through any spam filter trying to block crap like this. On the one hand, that trick worked. On the other hand, we can’t imagine any human being responding to this email from Japan to say he or she is interested in this scam job offer.
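The hidden-text trick described above can be checked for mechanically. The following is an added example, not something from the original newsletter: a small Python scanner that walks an email's HTML and reports text whose color equals the inherited background color or whose font size is too small to read. It assumes inline `style` attributes only and compares colors exactly as written; the sample HTML and the 6px threshold are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: visible words separated by tiny filler text in the background color.
SAMPLE_HTML = (
    '<div style="background-color:#cccccc">'
    '<span style="color:#000000;font-size:14px">Package</span>'
    '<span style="color:#CCCCCC;font-size:2px">qzx harvest lantern</span>'
    '<span style="color:#000000;font-size:14px">Manager wanted</span>'
    '</div>'
)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no end tag

def style_of(attrs):
    """Parse an inline style attribute into a lowercase property dict."""
    style = dict(attrs).get("style") or ""
    pairs = (p.split(":", 1) for p in style.split(";") if ":" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

class HiddenTextFinder(HTMLParser):
    """Track inherited colors and font size; record text a reader cannot see."""
    def __init__(self, min_px=6.0):
        super().__init__()
        self.min_px = min_px
        self.stack = [("#ffffff", "#000000", 16.0)]  # assumed default bg, fg, px
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        bg, fg, px = self.stack[-1]
        st = style_of(attrs)
        m = re.fullmatch(r"(\d+(?:\.\d+)?)px", st.get("font-size", ""))
        self.stack.append((st.get("background-color", bg), st.get("color", fg),
                           float(m.group(1)) if m else px))
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        bg, fg, px = self.stack[-1]
        reasons = [r for r, hit in (("same-color", fg == bg),
                                    ("tiny-font", px < self.min_px)) if hit]
        if data.strip() and reasons:
            self.findings.append((data.strip(), reasons))

def find_hidden_text(html):
    """Return [(text, reasons)] for text styled to be invisible or unreadably small."""
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.findings
```
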
David also received this second offer from a Mr. Jim Gonzalez about an “exhilarating occupation” to be a Package Manager. However, the job requirements are very high and David is not sure he can meet them. If needed, he is certainly “capable of staying at house between 9am to 5 pm.” But he would have to “function with parcels!” Normally that would be OK but Mr. Gonzalez goes on to say that “a lot of parcels comprise of baloney and clothes.” We’re not sure that David can handle a lot of baloney. His bullsh*t meter is pretty sensitive!
If you care to read about the real scam behind these “package reshipping” jobs and how it can lead to your own arrest, check out our article titled Package Reshipping Jobs.
Doug, on the other hand, was sent an email offer to visit an “adult online-dating” site but the email is a bit confusing. The subject line says it is for an “adultdatingsex” dating service through a website called darknesstr[.]com…
But many things make this lovely offer confusing:
1. According to Google, darknesstr[.]com is a website to help you find the best car insurance, such as in New Jersey.
2. Darknesstr[.]com is a website that is being hosted in Plovdiv, Bulgaria.
3. The actual link in the email points to a link-shortening service in the Netherlands. When we unshortened that link, we discovered that we would be directed to an even shorter link at away[.]vk[.]com, which was identified as suspicious by VirusTotal.com. VK[.]com is a Russian social media site based in Saint Petersburg, Russia.
That’s OK. Doug’s very happily married anyway.
Phish Nets: PayPal
According to this email that hit our inbox, our PayPal account made a payment of $30 to someone at the Rockingham Forest Riding Club in the UK. We weren’t convinced of that claim! The email didn’t come from paypal.com. It came from pservices[.]com, a domain that was registered in Vietnam, is hosted in Amsterdam, Holland and is up for sale. But more importantly, a mouse-over of the link for PayPal points to a web server called zipcodefenceshopper[.]com. Screenshot Machine showed us a PayPal login page on that zip code fencing shopping website. (See below.)
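The two checks made above (who really sent the message, and where the "PayPal" link really points) can be automated. This is an added example, not part of the original newsletter: a Python sketch that flags a brand named in the sender display name or in link text when the actual domain is not one the brand uses. The message, the `.example` hosts and the `BRANDS` allowlist are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message; the .example hosts are placeholders, not real indicators.
RAW = """From: PayPal <service@pay-services.example>

<p>You sent $30.00. <a href="http://login.fence-shop.example/signin">Log in to PayPal</a></p>
<p><a href="https://www.paypal.com/help">PayPal Help</a></p>
"""
BRANDS = {"paypal": {"paypal.com"}}  # assumption: brand name -> domains it really uses

class Anchors(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None

def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(raw):
    """Flag a brand named in the sender or link text but absent from the real host."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2]
    parser = Anchors()
    parser.feed(msg.get_payload())  # assumes a single-part HTML body
    findings = []
    for brand, domains in BRANDS.items():
        if brand in name.lower() and not in_domains(sender, domains):
            findings.append(("sender", sender))
        for text, href in parser.links:
            if brand in text.lower() and not in_domains(urlsplit(href).hostname, domains):
                findings.append(("link", text, urlsplit(href).hostname))
    return findings
```
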
Your Money: Earbuds Pro and PNC Bank Visa Gift Card
We’re shopping for holiday gifts, are you? How about a set of Earbuds Pro? This email showing a 50% discount is enticing, until you notice a few suspicious “poker tells.” Such as the fact that the ad says “USD” (you mean we have other currency choices?) and “just in $24.90 USD.” Also that the email came from the domain designsevent[.]com. This domain was registered in Pakistan in early September. Oh, and the fact that Sucuri.net detected malware waiting for you at the end of that Earbuds Pro link!
Bummer! We really liked the price of those Earbuds. How about a drone as another cool holiday gift? “This lightweight drone is PERFECT for Christmas!” says this email from gretpowertool[.]info. That’s what we thought! And at 50% off, with special free delivery, how could we resist? But resist, we did. Google can’t find any information whatsoever about a website called gretpowertool[.]info and the Zulu URL Risk Analyzer tells us that this website is sitting on a server in Gibraltar, a British territory on the southern tip of Spain. And the fact that Drone Max 100 is a business with its own website of the same name.
BEWARE of bogus text and email ads this holiday season!
Top Story: An Opaque Fish Bowl
We love an oxymoron. You know…. “Jumbo shrimp” or “deafening silence.” How about an opaque fish bowl? A friend of ours is an internet-savvy teacher at a small school. She sent us this email invitation she received to ask if we thought this was a scam. The email appears to have come from fishbowlteachers[.]com and says to the teacher “You’ve been invited by a co-worker from [NAME OF SCHOOL] to join Fishbowl.” The immediate issue is that she knows all the teachers at the school and NO ONE invited her. No one subscribes to something called Fish Bowl Teachers. The link in this email to “Join Fishbowl” points to an email marketing service called MixMax[.]com. (MixMax[.]com also owns the domain mixmaxusercontent[.]com.)
There is also a service called Fishbowl which is used to generate conversations in the workplace. Fishbowl has a resource designed for teachers and it can be found at their domain fishbowlapp.com.
So, on the surface, it appears that Fishbowl used a marketing service to reach out to teachers and invite them, albeit with a lie, to join Fishbowl. Right? But hold on, this fish bowl is not quite so clear! Trusting our sixth sense, we decided to check that mixmaxusercontent link through several security services and Sucuri.net informs us that it detected malware at the end of the link. After getting infected, the recipient will then be forwarded to the teacher webpage at fishbowlapp[.]com.
But how is this possible? MixMax is a legitimate email marketing service. Don’t they vet their clients, or at least require clients to identify themselves in some way that can be traced and verified? Apparently not! In seconds we were able to find multiple instances showing that the MixMax email marketing services have been misused many times by criminals who target us all with malware. Check out this screenshot of part of our Google search…
Discovering how easily a legitimate email marketing service can be misused was a game-changer and had us thinking about the difference between fishbowlteachers[.]com and fishbowlapp[.]com. When we used Google on Firefox to look up those two domains (WITHOUT VISITING THEM!) we found a significant difference. There was a lot of information, and many links to represent fishbowlapp[.]com but literally nothing but the domain itself to represent fishbowlteachers[.]com. (NOTE: If we had used Google on Chrome to search for a domain, Chrome simply sends you to the website, which could be dangerous when investigating suspicious websites.) A WHOIS lookup of both domains doesn’t help clarify ownership since both domains were registered by proxy services.
This is very disturbing. Apparently we can’t make any assumptions about the emails that arrive in our inboxes, even when they appear to come from a known service through a known email marketing company.
For Your Safety: “It looks like you in the video”
On September 25, 2019, we posted a screenshot of a Facebook message that pretended to be a link to a YouTube video. The sender said “OMG Are you in this video?” Well, it seems that the creator of this malicious clickbait is back. Check out this screenshot sent to us by another TDS reader. Though we don’t know the exact outcome from clicking that link, we do know that it doesn’t point to YouTube. It points to a website in Hungary. Don’t click on this clickbait if a friend sends it to you! In fact, inform your friend that his or her Facebook account has likely been hacked and misused to send this clickbait.