December 20, 2017

THE WEEK IN REVIEW

Tech-support scams aimed at both Apple and Windows users litter the Internet. Some are run through cold calls from India; others rely on pop-ups or redirects planted in hacked websites. Here's a recent example that appeared during a visit to an infected site. If you look carefully, the web browser in the background is trying to tell the viewer that it "detects suspicious incoming network connection." But the pop-up and the dark window nearly obliterate that warning with "Call Windows Help Desk Immediately +1-888-885-4967." The doom-and-gloom message that follows is actually pretty funny. And this "Windows Help Desk" message hit an Apple Mac user! No genuine browser or operating-system warning ever asks you to call a phone number; that alone gives these pages away. You can read much more about these scams, and see dozens of phone numbers that have been used in them, on this Microsoft.com web page.

We also want to remind readers of the continuing deluge of malicious emails disguised as a "New Incoming Fax" notification.


Sample Scam Subject Lines:

Drink this and flatten your stomach by Christmas

End of the year reward – Activate your $50 online-certificate from Amazon.com

Get This $25 Credit Card Knife Free!

How to get rid of Tinnitus overnight? (VIDEO)

If you are suffering from alcohol or drug addiction you’re anything but alone.

Invoice RE-2017-12-12-00398

Open for an Amazing Gif(t)

Quality Heating & AC Systems For Less

Scan

The coolest backpack is a must have for Christmas

The wildest episode ever on Shark Tank (and other Shark Tank subject lines!)

Unhappy With Your Medicare Plan? Check Into Changing It Today.

Watch this shocking video – It may save your life

Sample Scam Email Addresses:

“Andrea Serfass” <andrea.serfass @ helpmyblood-DOT-com>

AsianLadiesOnline <AsianLadiesOnline @ redgdve-DOT-review>

“Cosmo Magazine” <cosmo-magazine @ skindolces-DOT-com>

Dania <dania @ sharkinvestus-DOT-com>

Find Obamacare Health Plans <FindObamacareHealthPlans @ posdbsde-DOT-review>

“Find Singles Only Daters” <findsinglesonlysinglesoffer @ datingoffer-DOT-com>

Fre e HVAC Estimates <FreeHVACEstimates @ iokjhygfr-DOT-review>

“Multiple PC Player” <contact @ realisticflightsim-DOT-bid>

Pandora2017 <Pandora2017 @ poduan-DOT-loan>

Pandora2017 <Pandora2017 @ pona-DOT-loan>

“Tesla Energy Secret” <Contact @ cnntodaynews-DOT-bid>

“Trust Numerologist” <numerologist @ numrgly-DOT-com>

“Woodworking Design Plans” <woodworkingplans @ woodworkingplanss-DOT-com>

Phish NETS: Capital One

Sparse phishing last week; we caught none ourselves. Fortunately, one of our readers sent us this phish made to look like an email from Capital One: "We have currently disable your Online Banking services, due to un-authorized usage from an unregistered device." The email actually came from a free email service called Mail2world.com. The link labelled Capitalone.com points to a hacked website belonging to a manufacturing business, axismt-DOT-com. The site uses HTTPS, but a padlock only means the connection is encrypted; it says nothing about who controls the page at the other end.

YOUR MONEY: Sav!eUp to 75% On Hotels, Solar Survey, and Amazon Shopper Deals

Agoda.com is a real hotel-booking company, but this email from BestHotelOffers @ heartbrk-DOT-win didn't come from Agoda. The links in the email also point back to the same malicious domain, heartbrk-DOT-win. This heart-breaking domain was registered at the end of May 2017 by someone identifying himself as "Carl Carlson" of Jackson, Mississippi. We found it interesting that Carl uses an email address at Yandex.com, a Russian webmail service.

"This Survey Might Help Save You Hundreds On Your Energy Bill," says an email from SolarSurvey @ ferri-DOT-club. This domain was also registered at the end of May 2017, but through a privacy proxy service in Panama. Despite being around for seven months, Google has not indexed this site or heartbrk-DOT-win above, and the home page of each is nothing but the default Apache web-server placeholder. Nothing about either email is legitimate or traceable. Step away from those links!

Why would an email from "Amazon shopper deals" with the subject line "Confirmed: Your Fifty dollar Amazon Reward" come from someone's personal outlook.com address? The graphic may look adorable, but the link points to a shortened URL created with the shortening service bit.do. We tried to expand it to see where it led, but bit.do had already removed it after a day. (A shortened link can usually be expanded without visiting the destination: send a HEAD request and read the Location header of the redirect instead of following it.)

What does that tell you?

TOP STORY: Fake Masquerading As Real

As we get deeper into gift-buying season, the volume of malicious emails pretending to be legitimate businesses increases. We see so many logos and graphics stolen from real businesses and reused in malicious emails. Even the From addresses are spoofed or made to look like they come from legitimate domains. (A From address proves nothing on its own; whether it is genuine is decided by the receiving server's SPF, DKIM and DMARC checks, which it records in the message's Authentication-Results header.) In many of these wolves-in-sheep's-clothing emails, the only way to expose the malicious intent is to mouse over the links, without clicking, to see where they point. In webmail the destination appears in the lower-left corner of the browser window; desktop mail clients show it in a tooltip. You'll see that the links don't point back to the business named in the email. Instead, they point to cheap top-level domains such as DOT-bid or DOT-review. Criminal gangs use these newer generic TLDs because they are so much cheaper than the original ones like DOT-com or DOT-org; purchased in bulk, a one-year registration can cost as little as 49 cents. Check out these four samples. Remember, none represents the business it claims to. The links point to…

Datplan-DOT-bid (Registered October 16)

Clspno-DOT-bid (Registered October 25)

Loshair-DOT-bid (Registered October 23)

Clickbest.us (Registered December 17, 2016)

The oldest domain, clickbest-DOT-us, which poses as UrthBox, was registered a year ago, but age alone doesn't make a domain safe: the Zulu URL Risk Analyzer puts the chance that it is malicious at 95%. So don't be quick to believe the promotional emails you are sent, especially if they land in your spam folder. If you are truly interested in an offer, mouse over the link to see where it will send you. Does that link really lead to the website the email claims to represent?

If the answer is no, then delete it!

FOR YOUR SAFETY: Your Payment Has Posted, Deactivation Notice, FedEx Delivery Notification, and Message from Copier

One of our loyal and savvy readers sent us a group of nearly identical emails received at work. Each listed a transaction number and said "Attn: Your-payment of $ was successful." The dollar amounts varied, as did the companies they claimed to represent. Every link in each email pointed to the same domain under the .eu top-level domain, even the links for Twitter, Facebook and "Remove yourself…", and those links are malicious. (A .eu domain tells you only where the name was registered; the server behind it can sit anywhere.) Below are two of these emails…
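
The mouse-over test from the Top Story, the Capital One link that read Capitalone.com but went to a hacked manufacturer's site, and the payment emails above whose every link (social buttons and "Remove yourself" included) lands on one host can all be checked mechanically over the HTML body. The script below does that; it is an added example, not the blog's own tooling. The sample emails, their domains (compromised-site.example, amazon-shopper-deals.bid, paynotice-7k.eu, billing-co.example) and the lists of cheap gTLDs and link shorteners are constructed assumptions, not data from the post.

```python
"""Triage the links in an HTML email the way the mouse-over test does, but
mechanically: visible text vs real href, brand vs destination, cheap gTLDs,
link shorteners, and "every link lands on one host".
Added example, not the blog's own tooling; lists and samples are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Cheap new gTLDs the post says spam gangs favour (assumed list; extend it).
SUSPECT_TLDS = {"bid", "review", "win", "club", "loan", "top", "stream", "trade"}
# Shorteners hide the destination; bit.do is the one the post saw.
SHORTENERS = {"bit.do", "bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
# Something that looks like a domain name inside the anchor's visible text.
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; crude (co.uk etc. need a suffix list)."""
    if host.replace(".", "").isdigit():      # bare IPv4 literal: keep as-is
        return host
    return ".".join(host.lower().strip(".").split(".")[-2:])


def triage_link(text, href, claimed_domain):
    """Reasons this one link looks wrong; an empty list means nothing was seen."""
    host = urlsplit(href).hostname
    if not host:                              # mailto:, #anchor, relative path
        return []
    reasons = []
    target = registrable_domain(host)
    tld = target.rsplit(".", 1)[-1]
    if target != claimed_domain.lower():
        reasons.append("off-brand: %s is not %s" % (target, claimed_domain))
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != target:
        reasons.append("text shows %s but href goes to %s" % (shown.group(1), host))
    if tld in SUSPECT_TLDS:
        reasons.append("cheap gTLD .%s" % tld)
    if target in SHORTENERS:
        reasons.append("shortener %s hides the real destination" % target)
    return reasons


def triage_email(html, claimed_domain):
    """Map each suspicious href to its reasons; '*' is an email-wide finding."""
    parser = LinkExtractor()
    parser.feed(html)
    findings, hosts = {}, set()
    for text, href in parser.links:
        host = urlsplit(href).hostname
        if host:
            hosts.add(registrable_domain(host))
        reasons = triage_link(text, href, claimed_domain)
        if reasons:
            findings[href] = reasons
    # Social buttons and "remove yourself" all landing on one foreign host is a tell.
    if len(parser.links) >= 3 and len(hosts) == 1 and claimed_domain.lower() not in hosts:
        findings["*"] = ["every link, social buttons included, lands on %s" % hosts.pop()]
    return findings


# Constructed samples modelled on emails described in the post (domains are made up).
CAPITAL_ONE_PHISH = """<p>We have currently disable your Online Banking services.</p>
<a href="https://compromised-site.example/secure/login">Capitalone.com</a>"""

AMAZON_REWARD = """<a href="https://bit.do/abc123"><img src="cid:gift"></a>
<a href="https://amazon-shopper-deals.bid/claim">Claim your $50 reward</a>"""

PAYMENT_POSTED = """<p>Attn: Your-payment of $238.00 was successful.</p>
<a href="http://paynotice-7k.eu/r?id=1">View receipt</a>
<a href="http://paynotice-7k.eu/r?id=2">Twitter</a>
<a href="http://paynotice-7k.eu/r?id=3">Facebook</a>
<a href="http://paynotice-7k.eu/r?id=4">Remove yourself from this list</a>"""

if __name__ == "__main__":
    for name, html, brand in (("Capital One", CAPITAL_ONE_PHISH, "capitalone.com"),
                              ("Amazon reward", AMAZON_REWARD, "amazon.com"),
                              ("Payment posted", PAYMENT_POSTED, "billing-co.example")):
        print(name, triage_email(html, brand))
```

Two caveats a practitioner will hit at once: `registrable_domain` takes the last two labels, which is wrong for multi-label suffixes such as co.uk (use a public-suffix list in real tooling), and the shortener check only names the shortener; resolving where it goes needs a network request that follows no redirects, as described in the Amazon reward item above.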

Imagine getting a “Deactivation Notice” from Email Administrator.  Hopefully you wouldn’t fall for this junk. Clicking either the red or green buttons would not be in your best interest!

Look carefully at the link in this email from Brazil (two-letter country code .br = Brazil). The email may look like a FedEx Express notice, but the link points to a file on a Google Drive account. Attackers like to host their payloads on Google Drive, Dropbox and similar services precisely because the trusted domain sails past reputation filters.

Deeeleeeete!

This little hand grenade is spoofed to look like it came from a networked photocopier in your own business! The mail program's warning says it all.

ON THE LIGHTER SIDE: Donate One Million and Dear Winner!

Thankfully, we got the first message in time from Friedrich in Russia (two-letter country code .ru = Russia). As for the second message below, it's nice to see companies like "Gmail Corporation" (??) and Microsoft working together to create contests worth half a million! Funny how you never hear about these wonderful contest winners in the national or local news…

from:   Friedrich Mayrhofer <koklinasp@susu.ru>
date:   Sat, Dec 9, 2017 at 5:11 PM
subject: I HOPE YOU GET MY MESSAGE THIS TIME?

This is the second time i am sending you this mail.
I, Friedrich Mayrhofer Donate $ 1,000,000.00 to You, Email Me personally for more details.

Regards.

==============================================

From: Mr Barry Dubberly<info@vizyontanitim.com>
Subject: Dear Winner Reply Immediately.
Date: 2017-12-14 11:46PM

Dear Winner

We are pleased to inform you of your winning sum of five hundred thousand united state dollars with microsoft surface pro 3 laptop by GMAIL CORPORATION, in conjunction with microsoft windows.

We collect all the gmail addresses of the people that are active online from the gmail directory, among the people that subscribe to gmail and various microsoft windows user.we only select five people as our winners,without the winners applying and we are also congratulating you for being one of them.

However you will to fill and summit the below information to the event manager.

CONTACT EMAIL:dubb.barry2015@hotmail.com

Note we dont respond to forwarding email,you have to summit your details to the email stated above.

FULL NAME:
CONTACT ADDRESS:
AGE:
TELEPHONE NUMBER:
SEX:
OCCUPATION:
STATE:
COUNTRY:

Contact the events manager department,summit your information to the email given above.

Your urgent response is needed immediately so we can be able release the wining prize to you without any delay of any kind.

EVENT MANAGER:
Mr Barry Dubberly

Until next week, surf safely!