December 27, 2017

[hr_invisible]

Phish NETS: Worst Apple Phish Ever and DCU

Few phish in the sea this past week!  We only found two.  But WOW, this first one must be a joke phish!  Considering how poorly this Apple iCloud phish was constructed, we wonder why the criminals bothered to send it.  Hope springs eternal!  See for yourself…  “Account Update Required” says an email from iCloudd @ teamapplecase-DOT-com.  We counted at least 15 English, spelling, grammatical, spacing and capital letter errors in this email.  Oh yah, and the link doesn’t point to apple.com.

Delete!

[hr_invisible]

This next phish is better constructed.  It targets users of DCU, Digital Federal Credit Union in Massachusetts.  “SUSPICIOUS LOGIN ATTEMPTS PREVENTED”  Of course the email clearly doesn’t come from DCU.org.  However, we sure love their scare tactics in the email: “if you don’t verify this within the next 48hours, your account(s) may be closed and your balance – plus all interest earned will be lost.”  WOW!  That’s pretty harsh banking rules!

[hr_invisible]

YOUR MONEY: Amazon Holiday Bonus, Happy Holidays from Sam’s Club and Home Depot Survey

These next three emails are reflective of a long string of emails pretending to represent well-known businesses, offering bonuses, rewards or gifts for taking a survey.  All are seriously malicious.  Let’s start with this email from reward-status @ amaznholiday-DOT-com, containing a misspelling of Amazon.  The domain amaznholiday-DOT-com was registered by someone named “David Free” from Michigan.  It was registered on the day the email was sent.  Look at the link revealed by the mouse-over.  Do you think that Amazon staff would actually name a  folder used in a link as “roundworm-unsanitary”?

Delete!

“Thanks for shoppoing with us.  Please enjoy this Holiday gift on us” says an email sent from samsclubcom @ unclesamr-DOT-com. This lame domain was also registered by David Free on the day the email was sent.  Same scam, same criminal gang.  At least they spelled Holiday correctly.

“Congratulations, you’ve been selected!”  Doesn’t that feel nice?  Though the email seems to come from consumers.com it did not.  Links in the email point to the malicious domain busnescard-DOT-bid. This domain was registered October 28 using a proxy privacy service in Panama.  The Zulu URL Risk Analyzer says there is a 90% chance it is malicious.  Run, don’t walk, in the opposite direction

[hr_invisible]

[hr_invisible]

TOP STORY: Reasons We’re Vulnerable During the Holidays

In case you hadn’t noticed, it’s the holidays.  We expect to be targeted by scams like this email with the subject line “REI: The top backpack for anyone- Get yours by Christmas.”  The email was sent from, and links point to the domain nosufferbackpack-DOT-com.  That website was registered by someone named “Jamie Turick” the same day the email was sent, a sure sign of no good intent.  Google knows nothing about this website and the Zulu URL Risk Analyzer gives it an 80% chance of being malicious.  We’re not so lenient.  We give it 100%

Were we to survey Americans to ask if they plan to fly during the winter holidays, or if they expect to send or receive a package at this time of year, we would expect a majority to say yes.  Internet criminals take advantage of these very common seasonal activities by targeting us with scams by email and phone.   Let’s start with this very simple email we received in one of our honeypot servers.  Oddly enough, it came from a personal Comcast email address, rather than a company or service.  If you look carefully, there appears to be a mismatch between the name in front of the email address and the name that appears WITHIN the email address.  That’s a red flag. “Re: Airlines For America”

WARNING: DO NOT CALL THE PHONE NUMBER 888-369-2751 LISTED IN THIS EMAIL!

From:”leafernb” <cherbert11@comcast.net> Subject: ✈Re: Airlines For America Date: 2017-12-22 01:19AM

Flight Coupons, Promo Codes & Deals – Dec 2017

Top Deal 55% Off: Christmas Flight Deals and New Year Flight Deals.

Call to Us and Get Discount Now 888-369-2751. (24/7 Support.)

Enjoy Christmas Deals on American Airlines, Delta Air Lines, Southwest Airlines, United Airlines, Air Canada, JetBlue, Alaska Airlines, WestJet, Aeromexico, Spirit Airlines, Frontier Airlines, Volaris, Hawaiian Airlines, Allegiant Air, Virgin America.

Don’t Miss These Handpicked Fares

Chicago  –           New York       $175.78 Los Angeles       –           San Francisco $103.94 Los Angeles       –           New York       $175.32 Chicago  –           Los Angeles    $325.77 Miami                –           New York       $96.55 Atlanta   –           Chicago           $100.64 Newark  –           Toronto          $299.24 Boston               –           Miami $189.17 San Francisco                –           New York City            $293.30 New York City   –           Casablanca     $825.88 Miami                –           Johannesburg            $1016.26 Atlanta   –           New York       $225.90 Chicago  –           Washington DC         $195.95 New York City   –           Paris   $545.05

Call to Us and Get Discount Now 888-369-2751. (24/7 Support.)

Before you get too excited, think about this for a moment.  A service claiming to offer a 55% discount on flights for Christmas and New Year’s just days in advance?  Do you see a company name?  Website? These are also red flags.  Given our suspicions about this offer, we decided to do the sensible thing.  We called the number!  We had a poor connection. The first thing we heard was a poor quality recording saying “thank you for calling airway.”  A moment later a man with a very heavy Indian accent came on the line.  We repeatedly asked the man the name of his company and the address to his company website.  We were given neither.  Listen to the two and one-half minute conversation and then ask yourself if you feel comfortable booking a flight with…. Whomever they are!

Here’s what little we do know about this unknown service based on the email we received:

1. A Google search for 888-369-2751 on December 22 turns up fewer than 10 links and the top two lead to a website called Trashmail.com.  Each link at Trashmail shows the same email we received but from other mismatched personal email accounts.
2. We dug into the header of this email to see what IP source (internet source) the email came from and learned that it was sent from IP: 112.16.214.182. Here’s what Cyren.com’s IP Reputation checker said about this IP…  “High Risk – This IP address is used for sending Spam on a regular basis.”

Does any of this inspire confidence to hand over your credit card and other personal information to these people?  Let’s move on to the delivery of your holiday gifts.  We weren’t expecting deliveries but we were bombarded with 23 emails in about three minutes on December 19 with tracking information from USPS about our many packages!

We opened one of these emails…  “A package was shipped to you on 18/12/2017 via U.S. Postal Service First-Class.”  The link sure looks like it points to the United States Postal Service website but a mouse-over tells otherwise.  It points to a website called mjlwealthfreedom-DOT-com.  Virustotal.com shows us that both Kaspersky and ForcePoint Threatseeker found this site to be malicious.

We always say that a healthy dose of skepticism is important when evaluating online content.  At this time of the year, this axiom is more important than ever!