December 13, 2017

THE WEEK IN REVIEW

Scam domains mimicking Amazon promotions and surveys have continued strong during the past week.  Also increasing in number are scams disguised as Christmas promotions. (Big surprise, right?)  Below are just two of the many fake emails we saw.  One of the ways Internet criminals trick people into clicking malicious links is to steal the graphics of legitimate businesses and use them in their scam emails.  For example, there is a real business called LettersfromSanta.com.  Look carefully at the first email and you’ll notice that it was sent from LettersfromSantnas.com (Santas misspelled).  Both of the emails below misuse the real address of the legitimate business SantasOfficialLetters.com.  We wrote a feature article about Christmas holiday scams in 2016 that is still very relevant.  Visit Christmas Holiday Scams.


TDS has written many articles about dating scams, especially the ongoing “underage sext scam” reported in our article Plenty of Fish Has Plenty of Sharks.  Recently we were contacted by a young man named Luke who told us about a very unusual dating scam that we had never heard of before.  Read our latest feature article… Sextortion by Bot?



Sample Scam Subject Lines:

A Fr.ee Snack Box Is Waiting For You

Amazing New Cure for Hair loss – Regrow Your Hair in Weeks

Confirm here your Amazon account info and use your $50 e-Certificate

[FREE SHIRT] Got Me Kicked Out of a “Gun Free Zone”

Grab Your Free Bottle of Turmeric

New $50 voucher from Amazon – Use it by Sunday

Now ANYONE Can Learn Piano or Keyboard

Re: STATEMENT OF ACCOUNT OCTOBER-NOVEMBER 2017

SAVE up to 90% this Christmas!!

Someone sent you an Amazon.com e-Voucher

The world’s most realistic flight simulator?

Wanted Testers: FREE TAC800 Flashlight

Your latest activity entitles you to receive a reward worth over $50

Sample Scam Email Addresses:

Amazon <amazon @ holidayvouch-DOT-com>

“Amazon Gift Central” <amazon.gift.central @ holidayrewardz-DOT-com>

“Amazon StoreNews” <amazon_storenews @ pricealer-DOT-com>

“Breaking News” <breaking-news @ recoverhairx-DOT-com>

“Consumer Survey” <cardgift @ cardgift-DOT-com>

Costco <costco @ costkwholesale-DOT-com>

“Eat Coconut Oil” <healthyoilSecret @ healthyoilSecret-DOT-com>

exclusivetac5tactical @ iesjdhe-DOT-review

HSBC Advising Service <elsen.traktor @ skynet-DOT-be>

Notification Alert <mjfiduciaryservices @ outlook-DOT-com>

“Order Confirmation” <order-confirmation @ amaznvoucher-DOT-com>

“ultimate authority ” <contact @ amazingtshirt-DOT-bid>

“Women Health” <women_health @ winterfatx-DOT-com>


Phish NETS: Netflix, PayPal, Outlook Email, Docusign & Mailbox Full

“Your Netflix Membership Has Been Cancelled” says an email from netflix.serv.com.  Just to be crystal clear… the email was sent from the domain serv.com, not netflix.com.  The “netflix” in front is only a sub-domain, and whoever controls a domain can name a sub-domain anything they like.  A mouse-over of the link “Click here to verify your account” points to a clever domain that looks like a Netflix domain but is not: the registered domain is activate-your-netflixaccount.com, and the word “netflix” buried inside it has nothing to do with netflix.com.  A WHOIS lookup of activate-your-netflixaccount.com shows that it was registered by someone named “David Martin” on December 5, 2017 through a registrar in Malaysia.
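The sub-domain trick in this Netflix email and the look-alike domains in the sender list above (amaznvoucher, costkwholesale, LettersfromSantnas) can both be caught mechanically. The following Python script is an added example, not code from The Daily Scam or from any service it mentions. It uses the standard library only; its public-suffix table is a constructed stub rather than the real Public Suffix List, and the addresses it tests are constructed to resemble the ones quoted in this issue.

```python
"""Added example (not from The Daily Scam): tell a brand's own domain apart
from (a) the brand name used as a sub-domain of someone else's domain and
(b) a look-alike domain that contains or nearly spells the brand name."""
from urllib.parse import urlsplit

# Constructed stub of multi-label public suffixes. Real code should use the
# Public Suffix List (https://publicsuffix.org/), e.g. via the tldextract package.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "co.in", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of a hostname a registrar actually sells.
    netflix.serv.com -> serv.com, mail.example.co.uk -> example.co.uk"""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def split_from_header(value: str):
    """'Netflix <alerts@netflix.serv.com>' -> ('Netflix', 'netflix.serv.com')"""
    value = value.strip()
    if "<" in value and value.endswith(">"):
        name, _, addr = value[:-1].rpartition("<")
        name = name.strip().strip('"')
    else:
        name, addr = "", value
    return name, addr.rsplit("@", 1)[-1].strip().lower()


def url_host(url: str) -> str:
    """Hostname of a link, lower-cased ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs here are short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mentions_brand(name: str, brand: str) -> bool:
    """True if `name` contains the brand, or some window of it is within one
    edit of the brand (amaznvoucher ~ amazon, LettersfromSantnas ~ LettersfromSantas)."""
    name, brand = name.lower(), brand.lower()
    if brand in name:
        return True
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(0, max(1, len(name) - width + 1)):
            if levenshtein(name[start:start + width], brand) <= 1:
                return True
    return False


def classify_host(host: str, brand: str, brand_domain: str) -> str:
    """'brand' | 'subdomain' | 'lookalike' | 'unrelated'"""
    host = host.lower()
    reg = registrable_domain(host)
    if reg == brand_domain.lower():
        return "brand"
    subdomain_part = host[: -len(reg)].rstrip(".")
    if mentions_brand(subdomain_part, brand):
        return "subdomain"      # netflix.serv.com really belongs to serv.com
    if mentions_brand(reg.split(".")[0], brand):
        return "lookalike"      # activate-your-netflixaccount.com, amaznvoucher.com
    return "unrelated"


def check_sender(from_header: str, brand: str, brand_domain: str) -> str:
    """Verdict for a From: header. A display name that invokes the brand while
    the domain does not is flagged too, even if the domain spelling looks innocent."""
    name, host = split_from_header(from_header)
    verdict = classify_host(host, brand, brand_domain)
    if verdict != "brand" and mentions_brand(name, brand):
        verdict += "+display-name-mismatch"
    return verdict


if __name__ == "__main__":
    # Constructed inputs modelled on the addresses quoted in this issue.
    print(check_sender("Netflix <alerts@netflix.serv.com>", "netflix", "netflix.com"))
    print(classify_host(url_host("http://activate-your-netflixaccount.com/verify"),
                        "netflix", "netflix.com"))
    print(check_sender('"Order Confirmation" <order-confirmation@amaznvoucher.com>',
                       "amazon", "amazon.com"))
    print(check_sender("Costco <costco@costkwholesale.com>", "costco", "costco.com"))
    print(check_sender("Amazon <no-reply@amazon.com>", "amazon", "amazon.com"))
```

Run it on the From: header of a message and on the hostname of every link it carries. Only the verdict brand means the registered domain is the brand's own; subdomain is the netflix.serv.com pattern, lookalike is the activate-your-netflixaccount.com and amaznvoucher.com pattern, and a display name that names the brand while the domain does not is flagged separately, which is what catches costkwholesale.com when the spelling check alone does not. A real deployment should use the full Public Suffix List so that names under co.uk and similar suffixes are split correctly.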

A big fat deeeeleeeete!


We found multiple instances of PayPal phishing scams again. (Another big surprise.)  English is not a strength of this first phishing scam, which was sent from a .fr address (.fr is the two-letter country code for France).  “Dear Customer, We have updated our protection for the safety of your accounts may own and show us some information about the appearance of your missing Please update your information quickly…”  The link “Activate Your Account” points to a hacked server belonging to a business in Ludhiana, India.


Next was this supposed receipt stating “Your payment of $1072.24 USD is sent to Tom Marcone.”  Neither the From address nor the mouse-over of “Details Are Here” shows paypal.com.

Delete.


“Action Required : You Have 57 Undelivered/Pending Messages to be Delivered” says an email from stabletransit-DOT-com.  The phishers want you to believe this is about your Outlook email account.  Take a look at the Office 365 login window waiting for you at the hacked website telomerance-DOT-net.


This next phishing scam wants to capture your Docusign credentials.  It appears to have been sent from a legitimate manufacturing firm in Maine.  However, a mouse-over of the link for “Review Document” shows that it points to a server under a .br domain (.br is the two-letter country code for Brazil) rather than to docusign.com.


“Mailbox Full”  “Your Mailbox storage capacity has reach its quota limit.”  The email was spoofed to appear as though it came from microsoft.com, but it didn’t.  The link “Click Verify For Upgrade” points to the domain lokimon-DOT-ml.  Can you guess which country that top-level domain belongs to?  We couldn’t and had to look it up!  (Answer is below.)


(.ml is the two-letter country code for Mali.  Keep in mind that a country-code domain only tells you which country’s registry the name was registered under; it says nothing about where the server is physically hosted.)


YOUR MONEY: UGG Boots 90% Off, Free Bible, Last Chance to Win, and Get 35 Below Socks

Have you ever seen sales for 90% off designer products?  At best, these are likely to be knock-offs from China.  The domain saleugg-DOT-shop was registered on November 9 by Jacky Chung from Shanghai, China.  According to BigDomainData, Mr. Chung also registered 99 other domains on the same day that look like knock-off sites.  Spamhaus.org has identified Mr. Chung’s emails as spam.  We cannot prove malicious intent, but neither are we eager to buy his products.

If it says “free,” don’t reach for the mouse to click!  We’re seeing a small but noticeable group of malicious emails offering free things, like this one for a free bible from e-hotboxmarket-DOT-club.  This domain was registered on October 8 through a private proxy service in Panama.  The link in the email points to e-hbm-DOT-stream, which was registered on November 28, also through the Panamanian service.  While Corporate Circle in Henderson, Nevada is a real industrial area full of businesses, #2440 doesn’t seem to exist; the highest-numbered real business we can find is at #2360.  Everything about this email feels like a landmine.

Step back and walk away

This is your “Last Chance to enter this weeks #SimplyFitLIfe Giveaway”  “You have a chance at winning a $100 Nike.com gift card – How much did you twist?  Enter Now!”  How much did you twist?  What does that even mean?  The links point to a domain called edatasystems-DOT-biz.  Google knows nothing about this business, even though the domain was registered a year ago.  There is no website at the top of the domain, but a screenshot service (which renders a page for us so that our own browser never visits it) showed us a racy set of photos on a page called “New-Newz” when we followed the link for “Enter Now!”  We won’t show the screenshot so that we continue to be family friendly.

Now delete.

In many of the emails we show our readers, the logos and address information have been stolen from a real business’ website.  This stolen content is then used to build a malicious email that is sent from a scam domain, not the real business’ domain.  Below is one more example, although the resolution of the stolen image is awful.  Just delete it and go buy your socks from the real company.


TOP STORY: The Dangers of Shortened Links

The first widely used link-shortening service was tinyurl.com.  The convenience of turning a long Internet link into a short one is now offered by dozens of online services, including Google and Twitter.  You can read a detailed history and background on link shortening on Wikipedia.  The problem is that these services are heavily misused by criminals to disguise their malicious destinations.  When you click a shortened link, the service looks up the real destination for that link and sends your browser a redirect to it.  You can’t see where you will land until you arrive.  This is exactly why criminals who target us with malware often use these services.  Here’s an example sent to Doug at TDS.  The sender’s email account was hacked and her contact list stolen.  Her name is now attached to many different emails, again and again sending malicious links to her contacts.


Fortunately, there are services that will unshorten a shortened link so you can see where you’ll land before you get there.  We copied that Bit.ly link into UnShorten.IT, our favorite unshortening service, and saw that we would have been redirected to a file at fragbox-DOT-com, on a webserver in Chile.  It doesn’t take a genius to surmise that malware waits for us there.

During the past week we’ve seen an increase in the number of malicious links using shortening services. Many have been directed at Doug at TDS.   This one was unshortened to show that it points to malware on a hacked blog site.  Both BitDefender and Kaspersky have identified the hacked blog as hosting malicious content.



Here is a phishing “Bank of America” email that used a shortened link just recently…

Our advice is simple.  The next time you see a shortened link and think it may be legitimate, unshorten it first to see where it will send you before you click.  Here are several good unshortening services…

https://unshorten.it/

http://checkshorturl.com/

http://www.untiny.com/

NOTE: Criminals also use shortened links in phone texts for bogus ads.
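An added example, not code from The Daily Scam or from any of the unshortening services listed above: a small Python resolver that does what those services do. It reads each redirect’s Location header one hop at a time, never loads the landing page itself, and stops on a redirect loop or after a fixed number of hops. The network fetcher uses only the standard library; the hop table used in the demo is constructed, with made-up hosts, so the script runs offline.

```python
"""Added example (not from The Daily Scam): expand a shortened link by
following HTTP redirects by hand, recording every hop, without fetching
the final page."""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


def http_fetch_location(url: str, timeout: float = 5.0):
    """One request with redirects NOT followed: (status, Location header or None).
    HEAD is enough for the usual shorteners; a server that rejects HEAD would
    need a GET with the body discarded."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "unshorten-check/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def unshorten(url: str, fetch=http_fetch_location, max_hops: int = MAX_HOPS):
    """Return (final_url, chain, stop_reason).
    chain lists every URL visited in order; stop_reason is 'final', 'loop',
    'too-many-hops' or 'error:<exception name>'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        try:
            status, location = fetch(chain[-1])
        except (OSError, http.client.HTTPException) as exc:
            return chain[-1], chain, "error:" + exc.__class__.__name__
        if not (300 <= status < 400) or not location:
            return chain[-1], chain, "final"
        nxt = urljoin(chain[-1], location)   # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, "loop"
        seen.add(nxt)
    return chain[-1], chain, "too-many-hops"


# Constructed hop table standing in for the network (made-up hosts), so the
# example runs offline. It mimics a short link that bounces through a tracker
# before landing on a file on an unrelated host, the pattern described above.
FAKE_HOPS = {
    "https://bit.ly/2xAmple": (301, "https://track.example.net/r?id=42"),
    "https://track.example.net/r?id=42": (302, "/go/7"),
    "https://track.example.net/go/7": (302, "http://fragbox.example/files/doc.php"),
    "http://fragbox.example/files/doc.php": (200, None),
    "https://short.example/loop1": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop1"),
}


def fake_fetch(url: str):
    """Offline stand-in for http_fetch_location, backed by FAKE_HOPS."""
    return FAKE_HOPS[url]


if __name__ == "__main__":
    for start in ("https://bit.ly/2xAmple", "https://short.example/loop1"):
        final, chain, why = unshorten(start, fetch=fake_fetch)
        print(why + ":", " -> ".join(chain))
    # Against the live network: unshorten("https://bit.ly/<real-short-link>")
```

Pass a real short link with the default fetcher to resolve it against the live network. The HEAD request never downloads the landing page, but the shortener still learns that someone resolved the link, so do this from a machine you would not mind losing. Look at the whole chain, not only the final URL: an intermediate tracker, or a final host that has nothing to do with the claimed sender, are both reasons to delete the message.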


FOR YOUR SAFETY: Invoice Status, You Have A New Fax Message, Your File Was Uploaded and See Attached Accounting Statements

Our honeypot servers saw hundreds of malicious emails with the subject line RE: FYI invoice status, sent under many different names.  What made them really stand out was the social engineering trick used by the sender…  “I tried to call at the numbers listed on [YOUR WEBSITE NAME], but nobody answered.  Decided to reach you by email. I need to know the status of the invoice enclosed below.”  There is no enclosed invoice; the link leads to a malware trap on some distant website.


We’ve reported on these malicious emails disguised as fax messages.  They continue hammering our honeypot servers by the thousands…

Honestly, we have no idea what “Hide Image Bank” refers to in this email from Brazil.  But we know it is malicious and points to a hacked website.

Delete.

Finally, here is a malicious email pretending to carry an attached accounting statement.  It’s not a Word doc as described.  The link points to a very suspicious website about which Google has no information at all, even though the domain has been around for a few years.



ON THE LIGHTER SIDE: My Dear Beloved Friend, Can I Trust You

Susan Read contacted us from an email address in Japan (.jp) after locating us in our “countrys guest book.”  She wants to know if she can trust us, and she’s not asking us for money.  Read her email and then cue the sad violin music…

from:   Mrs. Susan Read <DADADA@cotton.ocn.ne.jp>
reply-to: susanread2017@gmail.com
date:   Wed, Dec 6, 2017 at 3:55 PM
subject: MY DEAR BELOVED FRIEND CAN I TRUST YOU?

My Dear Beloved Friend,

Greetings. Please let this not sound strange to you because I am not asking you of money, for my only surviving lawyer who would have done this died early this year. I prayed and got your email address from your countrys guest book which I have been with my late husband and I wish to visit once more if God will in his infinite mercies grant me. In function of your good profile, I want to solicit your assistance in the discharge of my will. I am Mrs. Susan Read from London and am aged 65 years suffering from endometrial cancer. Please, I want you to help me create a charitable project with the money that I inherited from my deceased husband who died in a motor accident.  I was brought up from a motherless baby’s home and was married to my late husband for twenty nine years without a child.

My friends have plundered so much of my wealth since my illness and I cannot live with the agony of entrusting this huge responsibility to any of them anymore, so I sold all my inherited belongings and deposited all the sum of 9m Pounds with my bank. All I need is an honest person who will use at least %60 of the funds as I instructed, then the rest %40 will go to you for helping me accomplish this mission because donating this money to charity is the only legacy I can leave behind after my death. No money is required from you to carry on with this project because it is my heart desire to make a generous gift to you to work for a charity in your country, I don’t mind if you are a Christian or Muslim

but I dont know if I can trust you because there are greedy and fraudulent people over the world. I will give you more details as soon as I hear from you.

Looking forward for your urgent response.

Regards.

Mrs. Susan Read.
E-mail: susanread2017@gmail.com


Until next week, surf safely!