Please support our effort by making a small donation. Thank you!

x

December 16, 2015

THE WEEK IN REVIEW

Dear TDS Readers, the explosion of holiday scams continues so please be careful what you click on and where you shop online. We’ve also noticed an increase in the “from hell” scam emails that are the result of hacked legitimate accounts of friends and colleagues. The criminals create an email address from a strange domain but using a person’s name you’ll recognize. The email message is very brief, containing his or her name and a malicious link. (Read our feature article detailing these types of scams called From Hell.) Here’s one recent example….

1-from hell

 

 

 

Now have a look at the list of emails supposedly sent by “Fran…”

2-from hell 2

 

Sample Scam Subject Lines:

Auto-Warranties-Made Easy

Digital World demands IT Degrees

Get Your Cred-It Report– & Score Nocost 7 Day Membership..

Grand – Canyon Tours

Holiday-CLEARANCE: Michael Kors Signature-Tote $7.17, Ends 12/13/2015

Invitation: Want to have a secret affair?

Kohl’s X_Mas Sale.Beat the crowds and save

Managing Your Lung cancer Symptoms Consult With local Oncologists

New deals on energy Efficient Windows

Re: 12 delicious bottles of wine – Save $90 for-Christmas

Start the Mortgage Process Today!

This Diabetes Breakthrough Is Roaring Across The Internet!

Warning: Reduce your chance of a heart attack by 90%

Sample Scam Email Addresses:

AffordableFuneralResources@elimita.top

BackPainRelief@0x94ep0.top

CloudSolutionProviders@antinuatu.top

CompareAnimalHealthInsurance@tasmateur.top

FHAMortgageRefinance.hremu.science

GenuineSantaLetters@vesed.top

GourmetGiftBaskets@controllect.download

HearingLossReversed@postain.top

kohlsgift@mandreaole.com

Macys-Star-Rewards@dxeww.com-swapdrink.bid

Personal_Hookup@euigb.com-catchuponline.bid

PersonalInjuryHelp@limeters.download

TrumpEconomyFuture@kszzx.com-awesomespecial.webcam

 

 

 

 

Phish NETS: USAA Bank, Chase Bank and Dropbox

“We are sorry to inform you that your USAA account will temporarily be suspended in less than 48hours due to incomplete/missing information…”   That’s a new line we’ve never seen! Well at least it was nice to give us 48 hours advance notice. The email obviously wasn’t sent from usaa.com and a mouse-over of the link “Sign on” leads to a website called simplybodytalk.com which seems to be a legitimate, but hacked site in Mumbai, India.

Delete!

 

“Your online access has been temporarily blocked.” We have seen an increase in the number of phishing attacks targeting Chase Bank users including this one below. The email appears to have come from no-reply@chhs.com. The domain chhs.com is actually a health-care provider in Chapel Hill, North Carolina, not Chase Bank Services. Fortunately a simple mouse-over reveals that the word Logon points to a website in the Netherlands called sleutelspoor.nl.

 

The next email is unusual because it was actually crafted to look like it came from a Law office located in New England. The “from” address and contact information in the email were all correct, and the email correctly identified a member of the firm as the sender. It was sent to contacts from one user’s contact list at the law firm, making this a very dangerous email. All of this evidence clearly demonstrates that an employee of the law firm had his or her email address hacked at one time. Fortunately the contents of the email are suspicious and use incorrect grammar. A mouse-over of the link “Click View” once again points to a website in the Netherlands as evidenced by the 2-letter country code “.nl”

Your Money: BJ’s Club, Sam’s Club, Target and CVS

Scammers target major retailers every week as a means to engineer email recipients to click malicious links. We see so many that there is simply not enough room in each week’s “Your Money” column to identify them all. Fortunately the scammers often reuse the same graphics over and over, or use the same templates so the scams look very similar.

Check out this week’s sample! And don’t be fooled by the small text at the bottom of many saying “this is an advertisement.” These are malicious emails! As we have noted in the past, you’ll usually find that the offers are most often valued at $50, expire within the next day or two, and the email was sent on the same day that the domain name was registered.

 


7-Sams Club 50 X-mas voucher

 

8-Target holiday card is pending

9-CVS Customer Apprec X-mas points

 

 

TOP STORY: National Teacher’s Appreciation Organization (NTAO) and International Women’s Leadership Association (IWLA)

Professional people often receive invitations to join associations or organizations because of their participation in, or contributions to their profession. But how can you tell if the organization is legitimate and worthwhile or just another vanity scam? This is especially difficult if the only means to evaluate the organization is the Internet? (No phone, no physical address.) We have two organizations we wanted to bring to your attention and show you how we researched them. You can then draw your own conclusions. Let’s start with the National Teacher’s Appreciation Organization (NTAO.org).

Over the course of five days eight employees of a school received the same identical email with the subject line “You Have Been Nominated!” including an employee who was not a teacher.

Several things about these emails seemed like just another marketing ploy at best or highly suspicious at worst. Do these points make you question the validity of the email?

  1. “You have been nominated” but they don’t seem to know your name.
  2. “We have received your contact details from one of your colleagues, parents, or students” but they don’t identify whom. Later in the email you are conveniently told that “for privacy matters we are unable to submit your nominators name…” i.e. not until you click their link and register.
  3. How many grammatical errors can you identify in the email? Our English skills are mediocre to be honest but we see three, not including an extra space between two words. That’s not very flattering for an organization that claims to represent and honor teachers.
  4. Five times the email refers to the National Teacher’s “Hall of Fame.“ The National Teacher’s Hall of Fame is a legitimate non-profit organization that honors teachers. However, as reported on the National Education Association website, the link to this legitimate award is org, not the ntao.info link provided to recipients of this email.
  5. A Google search for “national teachers appreciation organization (non-profit) david lincoln” turns up absolutely nothing about this organization and its representative. We also checked with charitynavigator.org and found no listing of this “non-profit” organization.
  6. A Google search for the domain ntao.info, revealed by a mouse-over of the link, turns up a strange description for an “Indian Education Online Startup.” (Also, did you notice that the email appears to come from NTAO.org but the link points to ntao.info.
  7. A WHOIS lookup tells us that ntao.info was registered through a privacy proxy service called WhoisGuard on November 19, 2015 just a couple of weeks before TDS started receiving reports about these emails.
  8. The final nail in the coffin of this scam should be the fact that virustotal.com informs us that Websense Threatseeker has identified the link in this email as malicious.

11-National Teachers Appreciation Org

Our next questionable email was sent to 16 addresses at the same organization with the subject line “You’ve been selected for outstanding leadership.” The identical emails represent the International Women’s Leadership Association and there are LOTS of people across the Internet talking about these emails. The problem many people report is that they seem like spam meant to attract registration dollars for the organization. TDS is not evaluating whether or not this organization is worthwhile, only that it’s tactics for recruitment are very much like spam scampaigns. For example, 12 of the 16 email recipients in the next screenshot were men and this fact seems to be in conflict with their statement “for women, by women and about women.” Check out the email that follows below…

12-International Womens Leadership list

13-International Womens Leadership Assoc

Here are some points to consider about this organization that bring their legitimacy into question…

  1. They say in their Terms and Conditions web page (as of 12-14-15)  “Registering for inclusion in TheIWLA is without charge. Proactive participation in the full services and support of TheIWLA is reserved for those who choose to participate at that level and who decide to put to use the full benefits and privileges of membership and bear a reasonable fee for such services.” Their spam tactics of sending out emails to men and women by the hundreds (probably thousands but we can only document hundreds) feels like the purpose is to generate income. Every email we have seen says to the recipient “You were considered for this honor based on your leadership skills, commitment to your profession, and contributions to your community.” But no details are mentioned to identify the recipient or her contributions, not even the recipient’s name. And what about those invitations to men? As many men seem to be receiving these emails as women!
  2. Many recipients are posting complaints about these spam emails on Yelp and in blogs, including lots of women. Check out what men and women have to say on Yelp! Or this blogger’s post on Facebook Or this blogger’s post from 2012!
  3. This organization is registered in New York but is not BBB accredited and has a number of complaints against them.
  4. Karen Cioffi, a blogger who works in writing and marketing, published a warning about the International Women’s Leadership Association back in 2013 that is very well written and eye-opening as to the likely intention and motivation of this organization. It’s worth reading, especially the comments following her post.
  5. The bottom of the email lists 5 “Proud Partners” of TheIWLA but truth in advertising is important. The HER SPECTIVES” domain, a proud partner, is owned and operated by Beth Johnston, the same person listed as the Executive Director of the TheIWLA.

Bottom line… CAVEAT EMPTOR! Let the buyer beware. The IWLA.com feels more like a vanity scam than a professional organization designed to help and advance professional women. We’ve written about vanity scams in the past. Read our article titled Recognizing Vanity Scams. ]

FOR YOUR SAFETY: Holiday Shopping Text, Shared Documents and Invoices

When we speak to groups we often ask them if they ever receive random texts such as this next one about ugg australia factory outlet merry christmas sale and super deals of the year. We’re never surprised when the majority of people raise their hands. The links in these texts are malicious and either direct the recipient to fake websites meant to collect your payment information or load malware on your smartphone, or both.

Just delete!

 

 

We’ve been reporting for some weeks about the malware contained in zip files targeting email inboxes and disguised as bogus invoices, payment receipts and even airline e-tickets. Our advice is simple… never click on any attached file in zip format without first contacting the sender by phone to authenticate the email and reason they used zip format. Zip files are often used to send infecting malware to unsuspecting folks. Here are several more recent examples…

15-Confirm document I shared with you

 

16-I hope you have already paid this invoice

17-Your invoice appears below

18-Thank you for your payment

 

ON THE LIGHTER SIDE: Become a Mystery Shopper

Dear Readers, we are pleased to announce that we’ll be “mystery shoppers” during the rest of December and are so excited! We’re told we only need to visit and evaluate Western Union customer service representatives and will get paid up front! Easy-peasy! Even we can do this! We’re going to ignore this looong list of naysayers in a Google search saying that this is a scam…. Wouldn’t you?

 

 

 

Until next week, surf safely!