December 27, 2017

THE WEEK IN REVIEW

“Hyperbole” – exaggerated statements or claims not meant to be taken literally.  Hyperbole is a staple of Internet criminals.  We have reminded readers repeatedly to delete emails that contain words like “shocking” because they are so often used to lure them into clicking malicious links.  Here’s another one to throw on the fire… “Megyn Kelly’s Shocking Admission Wednesday” (Also, notice the white text at the bottom of the email.  It was taken from an online copy of The Bobbsey Twins that was published under the pen name Laura Lee Hope in 1908.)

Who knew these criminals enjoyed such a nice read?

Also, since most of these types of scams originate from criminal gangs in other countries, English is not typically their strength.  When you see typos, awkward grammar, incorrect use of capitals, etc., you should immediately be suspicious.  Take this well-meaning email about tips to avoid a heart attack this holiday season.  Can you find the English errors?  (By the way, that black box at the bottom of the email contains text copied from a Reuters article about Lady Gaga.  They hope this text will trick anti-spam servers into thinking that the email is legitimate.  Thankfully, it usually doesn’t work.)



Sample Scam Subject Lines:

As Close As Real Flying As Possible

Attention Beneficiary

Attn: Your Amazon bonus rewards are available to claim.

Emailing: IMG_20171221_047794304, IMG_20171221_275142997, IMG_20171221_746078670_HDR

Outstanding statement

Starbucks: Your beverage rewards #84583259 are ending this week

This delicious herb will make your memory better

URGENT TRANSFER OF FUND

Vanna White departing Wheel of Fortune over this bombshell

Voicemail from 01195584898 <01195584898> 3m 52s

Worried About Heart Attacks? Doctor Recommends This 7 Second Trick

Your Costco rewards are expiring this weekend

Your CVS pharmacy Rewards


Sample Scam Email Addresses

“Amazon StoreUpdates” <amazon.storeupdates @ amznprimez-DOT-com>

“Bulletproof-Home” <Bulletproof_Home @ recreti-DOT-bid>

“CVSpharmacy Card” <cvspharmacy.card @ interpharmaz-DOT-com>

“Find Singles Only Daters” <findsinglesonlysinglesoffer @ datingoffer-DOT-com>

“Forward Head Posture Fix” <healthtips @ versaitis-DOT-trade>

“Heart Attack Defense” <hearthealth @ heartatteck-DOT-com>

“Safest.Room” <luxury.tubs @ july-DOT-science>

SamsClubcom <samsclubcom @ clubsamusa-DOT-com>

SamsClubcom <samsclubcom @ rewaardclub-DOT-com>

“Santa Claus” <santa-claus @ santalettter-DOT-com>

“UrthBox” <healthysnackbox @ snacksbox-DOT-com>

Walmartcom <walmartcom @ livebetterrx-DOT-com>

“Youthful News” <youthful_news @ skinsharkstank-DOT-com>


Phish NETS: Worst Apple Phish Ever and DCU

Few phish in the sea this past week!  We only found two.  But WOW, this first one must be a joke phish!  Considering how poorly this Apple iCloud phish was constructed, we wonder why the criminals bothered to send it.  Hope springs eternal!  See for yourself…  “Account Update Required” says an email from iCloudd @ teamapplecase-DOT-com.  We counted at least 15 English, spelling, grammatical, spacing and capital letter errors in this email.  Oh yah, and the link doesn’t point to apple.com.

Delete!


This next phish is better constructed.  It targets users of DCU, Digital Federal Credit Union in Massachusetts.  “SUSPICIOUS LOGIN ATTEMPTS PREVENTED”  Of course the email clearly doesn’t come from DCU.org.  However, we sure love their scare tactics in the email: “if you don’t verify this within the next 48hours, your account(s) may be closed and your balance – plus all interest earned will be lost.”  WOW!  Those are pretty harsh banking rules!


YOUR MONEY: Amazon Holiday Bonus, Happy Holidays from Sam’s Club and Home Depot Survey

These next three emails are reflective of a long string of emails pretending to represent well-known businesses, offering bonuses, rewards or gifts for taking a survey.  All are seriously malicious.  Let’s start with this email from reward-status @ amaznholiday-DOT-com, containing a misspelling of Amazon.  The domain amaznholiday-DOT-com was registered by someone named “David Free” from Michigan.  It was registered on the day the email was sent.  Look at the link revealed by the mouse-over.  Do you think that Amazon staff would actually name a folder used in a link as “roundworm-unsanitary”?

Delete!

“Thanks for shoppoing with us.  Please enjoy this Holiday gift on us” says an email sent from samsclubcom @ unclesamr-DOT-com. This lame domain was also registered by David Free on the day the email was sent.  Same scam, same criminal gang.  At least they spelled Holiday correctly.

“Congratulations, you’ve been selected!”  Doesn’t that feel nice?  Though the email seems to come from consumers.com, it did not.  Links in the email point to the malicious domain busnescard-DOT-bid.  This domain was registered October 28 using a proxy privacy service in Panama.  The Zulu URL Risk Analyzer says there is a 90% chance it is malicious.  Run, don’t walk, in the opposite direction.


TOP STORY: Reasons We’re Vulnerable During the Holidays

In case you hadn’t noticed, it’s the holidays.  We expect to be targeted by scams like this email with the subject line “REI: The top backpack for anyone- Get yours by Christmas.”  The email was sent from, and links point to, the domain nosufferbackpack-DOT-com.  That website was registered by someone named “Jamie Turick” the same day the email was sent, a sure sign of no good intent.  Google knows nothing about this website and the Zulu URL Risk Analyzer gives it an 80% chance of being malicious.  We’re not so lenient.  We give it 100%.


Were we to survey Americans to ask if they plan to fly during the winter holidays, or if they expect to send or receive a package at this time of year, we would expect a majority to say yes.  Internet criminals take advantage of these very common seasonal activities by targeting us with scams by email and phone.   Let’s start with this very simple email we received in one of our honeypot servers.  Oddly enough, it came from a personal Comcast email address, rather than a company or service.  If you look carefully, there appears to be a mismatch between the name in front of the email address and the name that appears WITHIN the email address.  That’s a red flag. “Re: Airlines For America”

WARNING: DO NOT CALL THE PHONE NUMBER 888-369-2751 LISTED IN THIS EMAIL!

From: ”leafernb” <cherbert11@comcast.net>
Subject: ✈Re: Airlines For America
Date: 2017-12-22 01:19AM

Flight Coupons, Promo Codes & Deals – Dec 2017

Top Deal 55% Off: Christmas Flight Deals and New Year Flight Deals.

Call to Us and Get Discount Now 888-369-2751. (24/7 Support.)

Enjoy Christmas Deals on American Airlines, Delta Air Lines, Southwest Airlines, United Airlines, Air Canada, JetBlue, Alaska Airlines, WestJet, Aeromexico, Spirit Airlines, Frontier Airlines, Volaris, Hawaiian Airlines, Allegiant Air, Virgin America.

Don’t Miss These Handpicked Fares

Chicago – New York $175.78
Los Angeles – San Francisco $103.94
Los Angeles – New York $175.32
Chicago – Los Angeles $325.77
Miami – New York $96.55
Atlanta – Chicago $100.64
Newark – Toronto $299.24
Boston – Miami $189.17
San Francisco – New York City $293.30
New York City – Casablanca $825.88
Miami – Johannesburg $1016.26
Atlanta – New York $225.90
Chicago – Washington DC $195.95
New York City – Paris $545.05

Call to Us and Get Discount Now 888-369-2751. (24/7 Support.)

Before you get too excited, think about this for a moment.  A service claiming to offer a 55% discount on flights for Christmas and New Year’s just days in advance?  Do you see a company name?  Website?  These are also red flags.  Given our suspicions about this offer, we decided to do the sensible thing.  We called the number!  We had a poor connection.  The first thing we heard was a poor quality recording saying “thank you for calling airway.”  A moment later a man with a very heavy Indian accent came on the line.  We repeatedly asked the man the name of his company and the address of his company website.  We were given neither.  Listen to the two and one-half minute conversation and then ask yourself if you feel comfortable booking a flight with… whomever they are!

Here’s what little we do know about this unknown service based on the email we received:

  1. A Google search for 888-369-2751 on December 22 turns up fewer than 10 links and the top two lead to a website called Trashmail.com.  Each link at Trashmail shows the same email we received but from other mismatched personal email accounts.
  2. We dug into the header of this email to see what source IP address (the Internet address it was actually sent from) it came from and learned that it was sent from IP 112.16.214.182.  Here’s what Cyren.com’s IP Reputation checker said about this IP…  “High Risk – This IP address is used for sending Spam on a regular basis.”

Does any of this inspire confidence to hand over your credit card and other personal information to these people?  Let’s move on to the delivery of your holiday gifts.  We weren’t expecting deliveries but we were bombarded with 23 emails in about three minutes on December 19 with tracking information from USPS about our many packages!


We opened one of these emails…  “A package was shipped to you on 18/12/2017 via U.S. Postal Service First-Class.”  The link sure looks like it points to the United States Postal Service website but a mouse-over tells otherwise.  It points to a website called mjlwealthfreedom-DOT-com.  Virustotal.com shows us that both Kaspersky and ForcePoint Threatseeker found this site to be malicious.
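As an added illustration, not code from this newsletter, here is a short Python script that applies three of the red flags described above to one constructed message: a display name that does not match the address (the Airlines email), the originating IP pulled from the earliest Received header (the header check in point 2), and link text naming one domain while the actual link points elsewhere (the USPS tracking email).  The sample message, its hosts and its addresses are constructed for the demonstration; only the heuristics come from the text.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the emails described above (not a real capture).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7]) by mx.example.org
Received: from unknown (HELO pc) [198.51.100.23] by relay.example.net
From: "leafernb" <someone.else@example.net>
Subject: Re: Airlines For America
Content-Type: text/html

<p>A package was shipped to you on 18/12/2017.</p>
<a href="http://mjlwealthfreedom.example/track">https://www.usps.com/track</a>
"""

def _alnum(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())

def display_name_mismatch(from_header):
    """True when the display name shares nothing with the local part of the address."""
    name, addr = parseaddr(from_header)
    token, local = _alnum(name), _alnum(addr.split("@")[0])
    return bool(token) and token not in local and local not in token

def origin_ip(msg):
    """Bracketed IP in the last Received header, i.e. the hop closest to the sender."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m:
            return m.group(1)
    return None

def link_mismatches(html):
    """(shown_host, real_host) pairs where the anchor text names a different domain."""
    pairs = re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I)
    out = []
    for href, text in pairs:
        real, shown = urlparse(href).hostname, urlparse(text.strip()).hostname
        if shown and real and shown.lower() != real.lower():
            out.append((shown, real))
    return out

def analyse(raw):
    msg = message_from_string(raw, policy=policy.default)
    return {"name_mismatch": display_name_mismatch(str(msg["From"])),
            "origin_ip": origin_ip(msg),
            "link_mismatches": link_mismatches(msg.get_content())}
```

The origin IP is only as trustworthy as the Received headers added by servers you control; the ones nearest the sender can be forged, which is why a reputation lookup such as the one in point 2 is the next step.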


We always say that a healthy dose of skepticism is important when evaluating online content.  At this time of the year, this axiom is more important than ever!


FOR YOUR SAFETY: December Billing Invoice and Private Message

This next BS is clever because it appears as a reply to an email YOU sent two days earlier.  Of course that isn’t true.  “Hello, I sent it to accounting @ YOURDOMAIN.com and to you.  Here you have it:”  The link is malicious of course.


“Charles ——- sent you a private message”  Just click here to “View private message” and infect your computer!  Sophos AV found the link to be malicious.

Another big, fat delete!



ON THE LIGHTER SIDE: BMW Lottery

We’ve won the BMW lottery so many times it makes our heads spin!

BMW LOTTERY DEPARTMENT
ROCKVIEW, ARKANSAS. 49812
UNITED STATES OF AMERICA.

NOTE: If you received this message in your SPAM/BULK folder, that is because of the restrictions implemented by your Internet Service Provider,we (BMW) urge you to treat it genuinely.

Dear Winner,

This is to inform you that you have been selected for a prize of a brand new 2017 Model BMW 7 Series Car and a Check of $1,500,000.00 USD from the international balloting programs held on the 2nd section in the UNITED STATES OF AMERICA although it is not limited to only U.S residents or citizens. Description of prize vehicle Model:750i x Drive Sedan Color,4.4-LITER, BMW Twin-power Turbo technology V-8 engine

Exterior: Metallic Silver Options: Cold weather package, premium package, fold down rear seats w/ski bag, am fm stereo with single in dash compact disc player. The selection process was carried out through random selection in our computerized email selection system (ESS) from a database of over 250,000 email addresses drawn from all the continents of the world which you were selected.

The BMW Lottery is approved by the British Gaming Board and also Licensed by the International Association of Gaming Regulators (IAGR).To begin the processing of your prize you are to contact our fiduciary claims department officer for more information as regards procedures to the claim of your prize.

Name: Mr.Edward Schupp
Email:bmw-winner-agent@bmwlottery-us.com

Contact him by providing him with your secret pin code Number BMW:2541256004/25.

You are also advised to provide him with the under listed information as soon as possible:

  1. Name In Full :
  2. Residential Address :
  3. Nationality :
  4. Age :
  5. Sex:
  6. Occupation :
  7. Direct Phone :
  8. Present Country :
  9. Email address :
  10. Pin code Number BMW:2541256004/25

Congratulations once again****BMW LOTTERY****

Mrs.Diane Cindy
THE DIRECTOR PROMOTIONS
BMW LOTTERY DEPARTMENT
UNITED STATES OF AMERICA.


Until next week, surf safely!