THE WEEK IN REVIEW
We remind readers that holidays are always used by criminals as a theme to target us. We’ve highlighted fake and malicious holiday advertisements in previous newsletters. As a reminder, how about this heart warming email that claims to have come from Richard and Angela Maxwell, winners of a 2015 multi-million dollar lottery in the UK? The subject line is “A Special Gift for You This Christmas!” says an email that came from inetsim[.]org. (InetSim is an internet service for analyzing unknown samples of malware.) However, you are asked to reply to the Maxwells at an address at qq.com. QQ.com is an email server in China. Well, no surprise since Richard said that he wanted to travel the globe with his winnings! (Typically, these particular scams are “advance fee” scams carried out by African cybercriminals, often from Nigeria. Recipients will discover that they have to pay “customs or administrative fees” etc. before they can receive their money… which never comes.)
Also, in a newsletter earlier this Fall we showed readers multiple examples of short emails that were meant to verify a working email to a gullible recipient, or get a response to engage a criminal in conversation, or raise your curiosity enough to click a malicious link in a subsequent email or text thread. Here is another recent example sent to us by one of our readers:
This email reeks of fraud! The name in front of the email address (Wilhelm Linss) doesn’t match the name IN THE EMAIL Address (graficamg) Notice that the email was sent from a server in Italy (alice.it). Also, the reply will go to a different address (simone.valguarnera86) than the email came from! And finally, it was sent to many “undisclosed recipients.” ‘Nuf said, so don’t worry about the “info regarding Eric.”
[hr_invisible]
[hr_invisible] Sent to us by an observant TDS reader, this email with subject line “New Notificaion. [Your account is on hold]” didn’t come from Netflix.com. It came from the domain info[.]com. That’s your first tip that it doesn’t pass the smell test! However, mousing-over the link “VERIFY NOW” shows that the link points to a phishing page hidden on the hacked website for Grayson Track and Field. Ouch!
Exercise your index finger by hitting the delete key! Another TDS reader received this American Express “security concern” from an email address at cox.net. The opening paragraph of the email contains awkward English and doesn’t sound legitimate…. “We notice some suspicious activities on your online banking and we are putting a hold on your account for your protection.” Mousing over the link “americanexpress.com” reveals that it points to a shortened link through x.co. We have long cautioned readers about shortened links. Criminals routinely use them to hide where a link will really send you. (Read our article “Shortened URLS: What are they and why should I care?”) We used Unshorten.it to see where the link pointed and discovered that it will forward you to a hacked restaurant website in England called tamilsamayal[.]net. Even Unshorten.it recognized the site was used as a malicious phishing site! Were you to visit the link, look below at how professionally this phishing page appears to be American Express! TDS readers also sent us these phishing emails asking you to update or unlock your Apple ID. Both were missing the active link, but the “FROM” address and text in these emails confirm that they are phishing scams! (Notice grammatical, spelling or capitalization errors.) [hr_invisible]
Phish NETS: Netflix, American Express and Apple ID
Like most Americans, Doug at TDS receives lots of scam calls. On Thanksgiving morning he received this call from a company claiming to offer a 25% discount on his National Grid utility bill. With his family listening in the background, he recorded the call to see how this scam would play out and if the representative had an accent, a likely indication that this scam originated outside the US. He did! Click Below to play: People are sometimes tricked into applying for a “Mystery Shopper” job which is just a form of the fake-check scam. (Visit our full feature article called “Secret Shopper Scam”) Here’s a recent example of an email inviting the recipient to be a BestMark secret shopper. However, the email came from an email address at soudertonsd[.]org, a school district in Pennsylvania. Also, the link doesn’t point to BestMark.com, it points to an oddball link shortening service called gg[.]gg. As for that 888 area code phone number, someone reported it on December 7 as a fake-check scam on 800notes.com. This next email is just clickbait to malicious files waiting to infect your device. It wasn’t sent from Personal Loan Pro but actually came from an email address in the European Union. (See the 2-letter code “.eu” at the end of the email address). The Outlook.com link actually contains a redirect to a website hosted in the EU named edgeairy. A simple delete is all that is needed! [hr_invisible]
[hr_invisible]
YOUR MONEY: National Grid, Mystery Shopper and Pre-Approved Loan
In addition to scam emails, texts and online ads, it is important to show legitimate content and point out WHY it is legitimate! A TDS reader recently asked us if this Google warning he received was real or a scam. It was, in fact, real and required that the fellow change his password to his GSuite account! Here’s why it is legitimate… It helps to see that the link that appears after mousing-over begins with httpS instead of just http. The “s” means your device will be using a secure protocol to exchange information between your web browser and the distant server. This is only important if you plan to send very personal and private information to the web page you are visiting, such as a password, credit card or social security number. Unfortunately, cybercriminals have gotten better about hacking https web sites and using them to represent phishing scams, or using legitimate link shortening services that also begin with https. Therefore, seeing https is no guarantee of safety or authenticity like it used to be. But it is important to see https if you plan to send very personal information through a web page. (Note: Don’t believe that a web page is “secure” just because you see some lock symbol, page graphic, or text telling you the web page is secure! Nor should you believe that a web page is secure just because you see a small lock symbol in front of the link at the top of your web browser. These things USED TO indicate some level of security but cybercriminals have now proven them to be useless. Just look for the https at the start of a link!) Think you understand all the important pieces to check? Here is another legitimate email. Go through the check list above and practice identifying all the necessary pieces to give you confidence that this email is what it claims to be! (Note: the domain “apple.com” must appear BEFORE the first single forward slash “/” to authentically represent Apple.com. However, separated by a period, you’ll also see the words “email” and “getsupport” in this next legitimate email. These are subdomains only. (Just like “accounts” and “myaccount” are subdomains in the mouse-over link of the above Google email.) It is important to know that anyone can create a subdomain that says whatever they want. Subdomains are NOT reliable indicators of authenticity! So please don’t be tricked by legitimate-looking subdomains such as these… apple-com.security-alert.com
(Malicious domain!) icloud.applehelpdesk.com
(Malicious domain!) apple.email.net
(Malicious domain!) apple.com
(REAL domain for Apple Computer!) google.com
(REAL domain for Google, Inc.!)
Mouse-over skills are critically important in today’s digital world. These skills can reveal fraud associated with most malicious and phishing links. The Daily Scam has created several resources to teach our readers how to develop these skills. Visit: Mouse-over Skills Explained (short video)
[hr_invisible]
TOP STORY: Why Is This Google Warning Legitimate?
[hr]
FOR YOUR SAFETY: Job Application Malware and The BIG BUTTON Gang!
Tam Skipworth (or Marcus? We’re not sure which name to call this applicant) wants to apply for a job at The Daily Scam! We were so excited but became suspicious when she/he sent his/her resume saying the password is “1234.” We know 10-year olds who can come up with better passwords than that! The attached Resume contained malware, of course. She/he could have at least use a better password choice like perhaps… “password.” JK.
One of our TDS readers has been getting HAMMERED by very similar malicious emails that all have one thing in common… BIG BUTTONS! She has appropriately labelled the source as the Big Button Gang. Each button leads to a computer infection. Ouch! If you see these landmines too, you know what to do.
Until next week, surf safely!