December 18, 2019

The Daily Scam Newsletter

The Week in Review

What a week! It takes a lot to surprise us but last week we had many surprises, including several scams we had never seen before.  Some of them were extremely well disguised! But first we wanted to share with our readers something we learned from one of our newest newsletter subscribers.  We LOVE learning things from our readers! A young man named Louis told us that if you have a Gmail account there is a supah nifty way to use it to sign up for various services AND track whether or not those services are sharing your email address with others!

Apparently, Gmail allows people to drop periods into their email name and the email will still arrive in your inbox.  For example, suppose we used the email address SendMailHere@gmail.com.   Email will also find its way into our inbox if it is sent to Send.Mail.Here@gmail.com, or even Send…Mail…Here@gmail.com  — they all resolve to the same address! Also, if you end your email name with a plus sign (+) and some additional text (e.g. SendMailHere+thedailyscam-newsletter@gmail.com or SendMailHere+NewsBlogWebsite@gmail.com), Gmail will still resolve that email address to everything in front of the plus sign. Louis actually proved that this works by sending us email using both of those tricks.

This is a big deal!  Why, you ask? Suppose you are interested in signing up for a service or subscribing to a list and are concerned that they might distribute your email address to a spam list or other shady service. If we sign up to every subscription with our pure email address SendMailHere@gmail.com and then get spammed, how can we tell who leaked or sold our email address? We can’t.  But, if we create unique email addresses to give to services and they are shared with spammers, we can identify WHO sold or gave away our email address! For example, if you were concerned that TDS might sell your email address to a spam distributor (We don’t!), you could sign up for our newsletter with the email SendMailHere+tds@gmail.com. You will still receive our emails, but if you received spam and the spam was sent to SendMailHere+tds@gmail.com, you would know that we sold/gave away your email address!  You could also set up a rule in your inbox that deletes all email with the recipient address of “SendMailHere+tds@gmail.com.” Brilliant idea for those with Gmail! Thank you Louis! And, by the way, TDS NEVER shares your email address with anyone for any reason unless we contact you for permission and you grant it! (Sometimes the FBI or news reporters have contacted us to ask if they can contact people who have informed us about scams. We only share that information if YOU give us your permission.)
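For readers who want to automate Louis's trick, here is an added example (ours for illustration, not code from Louis or from Gmail) that folds a Gmail address back to its base form and reports which sign-up tag a message was addressed to. The tag-to-sender table, the .example domains and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

def canonical_gmail(address):
    """Return (base_address, tag); tag is None when there is no +suffix."""
    addr = address.strip().lower()
    local, _, domain = addr.rpartition("@")
    if domain != "gmail.com":
        return addr, None            # dot/plus folding is only assumed for Gmail
    local, _, tag = local.partition("+")
    return local.replace(".", "") + "@gmail.com", (tag or None)

def classify(raw_message, my_address, signups):
    """Return (tag, verdict); signups maps each +tag to its expected sender domain."""
    msg = message_from_string(raw_message)
    mine, _ = canonical_gmail(my_address)
    senders = getaddresses(msg.get_all("From", []))
    sender_domain = senders[0][1].lower().rpartition("@")[2] if senders else ""
    rcpts = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
             + msg.get_all("Cc", []))
    for _, addr in getaddresses(rcpts):
        base, tag = canonical_gmail(addr)
        if base != mine:
            continue
        if tag is None:
            return None, "untagged"          # proves nothing: tags can be stripped
        expected = signups.get(tag)
        if expected is None:
            return tag, "unknown-tag"
        if sender_domain == expected or sender_domain.endswith("." + expected):
            return tag, "expected-sender"    # From can be spoofed, so not proof
        return tag, "shared-or-leaked"
    return None, "not-addressed-to-me"

# Constructed sample data: the .example domains and both messages are made up.
SIGNUPS = {"tds": "newsletter.example", "newsblogwebsite": "newsblog.example"}
SPAM = """From: Big Deals <promo@bulk-offers.example>
To: SendMailHere+NewsBlogWebsite@gmail.com
Subject: 67% off!
"""
LEGIT = """From: Newsletter <news@mail.newsletter.example>
To: Send.Mail.Here+tds@gmail.com
Subject: The Week in Review
"""

if __name__ == "__main__":
    for raw in (SPAM, LEGIT):
        print(classify(raw, "SendMailHere@gmail.com", SIGNUPS))
```

A sender who knows the trick can strip everything after the plus sign, so spam that arrives at the untagged address tells you nothing about who shared it.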

The Daily Scam was mentioned in a newly published article from Vince Beiser, an investigative reporter with Wired.com. Vince wrote an outstanding article about the underage girl sext scam that targeted a young veteran, who eventually committed suicide because he thought the scam was real.

Wired Article:  https://www.wired.com/story/the-phone-call-from-hell/

Phish Nets: Phishing Via Fake Online Stores and Email Login

How is your holiday shopping going?  Are you making some (most? all?) of your purchases online?  BEWARE of online stores that are not well known! We were looking for gifts online and came across a website called Suepas.com selling a variety of consumer products.


 

We were amazed at seeing a $130 Frigidaire ice maker on sale for about $17.  Actually, that lowball price made us suspicious. We selected an item to throw into the cart and went to check out.  That’s where we saw something unbelievable that made us even more suspicious. Consumers are being asked to provide their birthdays and social security numbers, along with the address and credit card information!  What?! There is no reason on the planet that they should ask for SS# or birthday information. That information completes everything needed for identity theft!

After seeing that, it didn’t take us long to show that the Suepas.com online web store was only 3 weeks old AND others on the internet have identified this online store as a scam.  Caveat emptor! We found another similar online store called Kirmadi.com that was registered and put up just 3 weeks before we found it.  Stick to well-known sites or make sure you research the store you want to purchase from to make sure they are legitimate!  Google knows absolutely nothing about the Kirmadi.com store.  A little odd, isn’t it? As for Suepas.com, here’s some of what we found:

Suepas Com Scam Adviser Reviews

Suepas scam site discussed at ScamZeroed.com

OnlineThreatAlerts analysis

This past weekend we received this email asking us to “update your email account to avoid access been block.” Nice grammar, right?  The email came from MailCenter.com and mousing over the link to “click here” shows that it points to a malicious website called iologiaxis[.]com that was registered and is hosted in India!

Deeleeete!

Your Money: Holiday Gift Collection and Insert Bank Name Here

Are you looking for top Christmas deals and to lower your Cable TV bills?  How about this 67% off deal for a ShadowBox TV? The email came from, and its links point to, the cheerful domain HolidayGiftCollection[.]com.  Sounds like a great website to visit and look for lots of holiday deals, right?  Except that this domain was registered through a Panamanian proxy service 2 days before we got this email!  That’s ALWAYS BAD NEWS!

Another big, fat delete!
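The registration-age check we used on Suepas.com (3 weeks old) and HolidayGiftCollection[.]com (2 days old) can be scripted. This is an added example, not a tool we or any WHOIS service publish: it reads the creation date out of WHOIS text and compares it with the date the email or store was seen. The WHOIS excerpts, placeholder domains and the 30-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Labels used by many registries; WHOIS output is not standardized across TLDs.
_CREATED = re.compile(r"^\s*(?:Creation Date|created)\s*:\s*(\S+)", re.I | re.M)

def creation_date(whois_text):
    """Return the registration time as an aware datetime, or None."""
    match = _CREATED.search(whois_text)
    if not match:
        return None
    try:
        created = datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))
    except ValueError:
        return None
    return created if created.tzinfo else created.replace(tzinfo=timezone.utc)

def age_verdict(whois_text, seen_at, min_age_days=30):
    """Return (age_in_days, verdict) relative to when the link was seen."""
    created = creation_date(whois_text)
    if created is None:
        return None, "unknown"       # redacted or unparsed: not evidence of safety
    age = (seen_at - created).days
    if age < 0:
        return age, "unknown"        # creation date after the sighting: bad record
    return age, ("newly-registered" if age < min_age_days else "established")

# Constructed WHOIS excerpts for placeholder domains (not real records).
TWO_DAYS_OLD = """Domain Name: HOLIDAY-DEALS.EXAMPLE
Creation Date: 2019-12-14T09:30:00Z
Registrant Organization: Privacy Proxy Service (constructed)
"""
THREE_WEEKS_OLD = "domain: shop.example\ncreated: 2019-11-25\n"
OLD_STORE = "Domain Name: BIGSTORE.EXAMPLE\nCreation Date: 1999-03-02T05:00:00Z\n"
SEEN = datetime(2019, 12, 16, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for record in (TWO_DAYS_OLD, THREE_WEEKS_OLD, OLD_STORE, "no dates here"):
        print(age_verdict(record, SEEN))
```

An "unknown" result means the record could not be read, so it should send you to other research rather than count in the store's favor.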

Not everyone is perfect, not even cybercriminals!  That was obvious when we received this email informing us that we had received a $1000 PNC Bank Visa gift card. Besides the obvious idiotic fact that the email came from the domain victoriassecret.com (not exactly a bank), the criminals who sent it forgot to write the bank name into the top of their scam layout.  Instead it says “[BANK NAME].” No matter, the shortened link in the email was easily unshortened at Urlex.org. It will redirect us to a malicious website called warmthpony[.]com, a website we have previously reported as malicious.

Delete!

Top Story: Amazon Fraud - Phone Call and Email?

We have been hearing a lot from people who have been targeted by criminals in India (accents identified as Indian) disguised as customer support from Amazon, saying that there is a problem with your Amazon account.  Listen to this recording, sent to us by a TDS reader, of a call claiming to be from Amazon. The artificial voice claims that someone fraudulently purchased a refurbished iPhone 6 on your account and you need to visit the nearest Amazon store to clear this up. (Amazon has about 18 popup stores around the U.S. Good luck finding one!) Or you can call their “fraud detection number” at 855-280-4861 “else we have to block your account.”

Often, the caller’s ID is spoofed to look like it comes from the real Amazon customer support phone numbers.  If you are not sure that a call like this is real or fraudulent, one of the best things to do is to Google the phone number you are asked to call.  In this case you would see that there are hundreds of people complaining that the phone number 855-280-4861 is a scam number, such as on RoboKiller.com and 800Notes.com.  Normally, that would be the end of this fraud.  But cybercriminals are creative and resourceful!  During the last couple of weeks we have been hearing from TDS readers who report that these fraudsters are following up with emails to people who have tried to contact Amazon.  One woman from the Carolinas received a call after using a help form in her Amazon account but became very suspicious during her conversation with “Amazon customer support.”  The caller had an Indian name and accent. She eventually hung up. The next evening this woman received the following email. ALMOST EVERYTHING about this email appears to be legitimate and believable.  Can you spot the subtle clues that made the woman suspicious that this may not be what it appears to be?

The email above appears to have come from the domain Amazon.com.  The links in the email point to Amazon.com. Notice that the most prominent link in the center of the email, for the help pages, points to the domain amzn.to.  This “amzn.to” is a shortening service that is owned by Amazon.  Also, the phone numbers listed in this email are the real and legitimate Amazon phone numbers.  So what’s going on here that deserves our attention?

This email contains several grammatical and capitalization errors.  The errors made our TDS reader suspicious because she expected the professionals at Amazon to do a better job in any email they might send her.  She forwarded the email to us to ask what we thought. Our initial thought was that it was legitimate, although the English errors bothered us. We have confirmed that the phone numbers are real numbers for Amazon. Even RoboKiller.com says that the 206 number is legitimate!  HOWEVER, scam callers have spoofed these phone numbers SO MANY TIMES that many people now doubt that they are the real Amazon phone numbers. Even RoboKiller.com is calling the real Amazon 888 phone number a scam number!  There are many discussion threads online about this problem, including this post on Tellows.com from Cat on November 13, 2019 at 21:08:33 about the phone number 206-922-0880, found in the above email:

“The number is being spoofed. The criminals just made the caller ID read the real Amazon number. Here’s how I know – this number called my cell phone. I have never given Amazon my cell. My account has my home number. My Amazon Prime account is about to be charged $32. I say that isn’t accurate. They ask, would you like to cancel. I say, sure. They say ok and start asking me questions like, what type of phone do you have? And verify my address. Complete BS folks. I should have known it from them calling my cell – which I never give to places I do business.” [Read the full thread at Tellows.com – a database of phone number profiles created by community members.]

Phone spoofing is now so common that it has poisoned Google’s and people’s perceptions of the real Amazon phone numbers.  Cybercriminals are also able to spoof the FROM email address to look like it comes from the real amazon.com domain. When readers contact us, we always try to do our “due diligence” even when we’re pretty sure that something is legitimate, such as the above email.  So we asked several services to check that shortened link in the middle of the email. What happened next surprised us and was completely unexpected! Not one, but two services (CRDF and Sucuri.net) detected malware waiting at the end of that link and a third service (Hybrid Analysis) found the link to be suspicious.  Take a look…. (Note: the short amzn.to link in the email points first to a full link at amazon.com and then redirects to the shortened link before redirecting again.)

We have found references online going back to 2012 saying that the domain amzn.to is incorrectly being blacklisted as unsafe, when it is not unsafe.  However, like the three services above, we find plenty of links saying that there are other amzn.to links that ARE UNSAFE.  Amazon has a SERIOUS credibility problem with their legitimate phone numbers and domain names because of the overwhelming volume of scam calls and malicious emails pretending to be Amazon!  To be perfectly honest, we’re not 100% certain that the amzn.to link is indeed malicious.  However, given the cleverness of cybercriminals, their access to personal information (such as the woman’s email address) and the volume of scams pretending to be Amazon, our recommendation to the TDS reader was not to click those links and to delete the email.

Hey Jeff Bezos!  Can you hear us little folks screaming from way down here below?!  In the words of Hugh Masekela, “There’s a whole lot of jivin’ going on.”  CYBERCRIMINALS HAVE CREATED A SERIOUS CREDIBILITY PROBLEM FOR AMAZON AND YOU NEED TO FIX IT!

For Your Safety: New Voicemail and Your Social Security Account

And while we’re on the topic of voice messages this week, here are two more voice message notifications.  The first came as an email to the Safety officer of a company in Texas. It is EXTREMELY suspicious! It supposedly came from dminj[.]com, a company in New Jersey that manufactures personal care products like hair wax and makeup.  The email says “You have a new Voicemail” attached and that it is 4.6 MB in size. That’s a BIG voice message! But the link to download that message points to the website pardot[.]com, a marketing automation firm with offices in Atlanta GA, San Francisco CA and London, England.  Neither of these two companies is known to the Safety officer. We smell a dung heap.

Step slowly away from that link!

Finally, if you would like a good laugh, listen to this voice message sent to us by a TDS reader.  He received EIGHT of these voice messages on his cell phone in one day! And each came from a different phone number.  Sounds like the real Social Security Administration to us, right? You are asked to call 667-300-7883.  Other calls with this scam came from 858-286-5115.

Until next week, surf safely!