December 28, 2016

THE WEEK IN REVIEW

We’re sick just thinking that we’ll have to look at malicious emails for the next four years made to look like Trump news stories or witty Trumpisms.  (Is that an oxymoron?)  Perhaps we should create a whole new column called “Witty Trump – An Oxymoron.”  In any case, here’s yet another example of this painful criminal effort, though it is funny.  It starts with one of his best quotes: “I consult myself on foreign policy because I have a very good brain.”  The link points to another malicious dot-top domain.

Have you ever heard of the scam called “stock pump and dump?” Wikipedia describes it well. We periodically see this scam through random emails like this one…

Finally, while the Christmas season is truly lovely, we won’t miss the deluge of scams that poured into email inboxes disguised as Christmas something-or-other, such as this “Secret to a Christmas You’ll Never Forget.” We guess we now have to be on the lookout for New Year’s celebration scams.

Sample Scam Subject Lines:

Donald Trump – We’re all doomed – Fox News Special

Government Overstock: “Super flashlight” – X-mas Special

Greetings

HOLIDAY DEALS: over 70% off

Instantly Find Any Lost Item With Your Smartphone

Keep Your Feet Warm Even in The Bitter Frost

Local Representation

Mortgage rates are rising. Refi now. Don’t miss out!

NBC Special Report: Oregon Dr Discovers the Key to Reversing Diabetes

Official Marvel Spider-Man Drone

The Zero to Hero DIY Hack That’ll Build Anything…

Window-Specials

Your glasses are KILLING YOU!

Sample Scam Email Addresses

Phish NETS: Chase Bank, LogMeIn Account, and Please Confirm Your Email Address

Though we found no phishing scams last week, this week’s fine kettle of phish more than made up for it! Let’s start with this Chase Online Banking Validation.  The phish is actually quite clever because it makes malicious use of the email delivery service called sendgrid.net.  A mouse-over of “Verify Now” points to a secure https (“s” = secure) link for sendgrid.  However, look below at the evaluation of that link by the Zulu URL Risk Analyzer.  It’s not good.  The sendgrid link directs you to a shortened link created at bit.ly and that short link then sends you to the domain niyimarc.com.  Not Chase Bank.

It isn’t often we see something totally new, but we did!  LogMeIn is remote-access software that lets you access and manage another computer from afar.  We saw this phish trying to steal someone’s LogMeIn credentials.  A mouse-over of the link shows that it leads to a WordPress website in Japan.

Delete!

And from markocnvzd @wow-office products.info was this email asking the recipient to “Please confirm your email address.”  This phish is trying to steal your login credentials.  A mouse-over reveals a hidden redirect, though we don’t know what the point is since the primary site is clearly wrong.  “Click here” points to a hacked website in the Netherlands (.nl = 2-letter country code) but then the link forwards you on to the website privatepillvalue.ru in Russia.

Whatever.

YOUR MONEY: Hollar Pillow Pets, Perfect Wine Opener, and Qualify for $50 CVS Giftcard

These “pillow pets” are sooooo cute!  We’ve got to get one or two!  But not through this email from hollar @hollarcupn.men.  The domain hollarcupn.men was registered on the day the email came out by someone named “joyti” from Bangalore, India and the site is being hosted in Frankfurt, Germany.

A big fat $2 delete.

Are you a wine drinker? “Meet the last wine opener you’ll ever need” from Vineyard Elite, or so they want you to believe.  All the links in this email point back to the dot-top domain called wakingy.top.  The email was sent less than 3 hours after the domain was registered by a “Robert Teems” from Rue Jaques Jordaens in Brussels, Belgium.  Ooh, lala.

Now deleeete!

This survey scam and enclosed graphic has now been used multiple times to represent a variety of retail stores.  Take our survey and get paid $50.  Yeah, right.  This is not for a legitimate CVS shopper survey.  It’s just another social engineering trick so step away from the mouse and be glad you didn’t click.  The domain hosting that supposed survey was registered on the day the email was sent by someone named “Care Mcclellen” from Jakarta City, Indonesia.
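Each of the three emails above hangs on the same tell, a domain registered the day the email went out, and that check can be automated from the message’s own Date header. This added example is not from the newsletter: the sample message and the WHOIS creation dates it looks up are constructed stand-ins, and the link path is a placeholder.

```python
"""Flag sender/link domains registered within days of the email's own Date header."""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample message; headers, body and link path are not from a real email.
SAMPLE = """\
From: hollar <hollar@hollarcupn.men>
Date: Mon, 26 Dec 2016 09:15:00 -0500
Content-Type: text/html

<a href="http://hollarcupn.men/EXAMPLE">Shop now</a> <a href="https://www.example.com/">Example</a>
"""
# Constructed WHOIS stand-in (UTC creation dates); real use: RDAP lookup + public suffix list.
CONSTRUCTED_WHOIS = {
    "hollarcupn.men": datetime(2016, 12, 26, 8, 0, tzinfo=timezone.utc),
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
}
HREF_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.I)

def domains_in(raw):
    """Return (Date header as datetime, set of hosts from From: and every href)."""
    msg = message_from_string(raw)
    hosts = set()
    addr = parseaddr(msg["From"])[1]
    if "@" in addr:
        hosts.add(addr.rsplit("@", 1)[1].lower())
    for url in HREF_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return parsedate_to_datetime(msg["Date"]), hosts

def registered_on(host, whois):
    """Try the host, then each parent suffix (www.example.com -> example.com)."""
    labels = host.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return next((whois[c] for c in candidates if c in whois), None)

def young_domains(raw, whois=CONSTRUCTED_WHOIS, max_age_days=3):
    """Map domains younger than max_age_days at send time (or created after it) to age in hours."""
    sent, hosts = domains_in(raw)
    flagged = {}
    for host in sorted(hosts):
        created = registered_on(host, whois)
        if created is not None and (sent - created).days < max_age_days:
            flagged[host] = (sent - created).total_seconds() / 3600
    return flagged
```

Running `young_domains(SAMPLE)` flags only hollarcupn.men, registered about six hours before the message was sent.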

TOP STORY: The WORST Birthday Invitation!

We’ve been invited to a birthday party!  The only oddball thing is that we didn’t know “Begonia,” the person who invited us.  At first we scratched our collective heads and wondered if we were simply forgetful. (Our wives tell us it’s happening more and more.)  Then we wondered if it wasn’t some type of marketing pitch because we’re asked to print and bring this invite along and “your presence must be confirmed in order to gain access.”  But finally we smelled a rat…

“Kindly View your private invitation for details and confirm your attendance (tick yes to rsvp this invite)”  We wondered why Begonia Santos would use a shortened link from the bit.ly service rather than just include the real link directly for whatever RSVP service she used.  Being naturally suspicious, we decided to follow her birthday cake crumbs.  Our favorite unshortening service is Unshorten.it and it didn’t disappoint us.  Oddly, the shortened bit.ly link redirects to a file on the website mynanoflix-dot-com.  No birthday candles here.  The site boasts for you to “Meet America’s Favorite Streaming Players.”
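The chain the newsletter traced by hand, both the sendgrid-to-bit.ly-to-niyimarc.com hop sequence in the Chase phish above and this bit.ly birthday invite, can be resolved the same way in code. This added example is not from the newsletter: it follows Location redirects one hop at a time without rendering any page content, and it uses a constructed hop table with placeholder paths in place of real HTTP so it runs offline.

```python
"""Resolve a shortened or tracking link hop by hop and compare the landing host
with the brand the email claims, without rendering any page content."""
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse

# A fetcher returns the Location header for a redirect, or None for a final page.
# Real use would wrap an HTTP client with redirects disabled, e.g.
# requests.head(url, allow_redirects=False).headers.get("Location").
Fetcher = Callable[[str], Optional[str]]

def follow_chain(url: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Return every URL visited, first to last; stops on a loop or the hop cap."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:  # redirect loop: record the repeat and stop
            break
        seen.add(nxt)
    return chain

def verdict(chain: List[str], expected_domain: str) -> Dict[str, object]:
    """Report the landing host and whether it belongs to the claimed brand."""
    host = (urlparse(chain[-1]).hostname or "").lower()
    expected = expected_domain.lower()
    on_brand = host == expected or host.endswith("." + expected)
    return {"final_host": host, "hops": len(chain) - 1, "on_brand": on_brand}

# Constructed hop table modelled on the Chase phish: tracking link -> short link
# -> a site that is not the bank. Every path and identifier is a placeholder.
CONSTRUCTED_HOPS: Dict[str, Optional[str]] = {
    "https://sendgrid.net/EXAMPLE-TRACKING-ID": "https://bit.ly/EXAMPLE-SHORT",
    "https://bit.ly/EXAMPLE-SHORT": "http://niyimarc.com/EXAMPLE-PATH",
    "http://niyimarc.com/EXAMPLE-PATH": None,
}

def offline_fetch(url: str) -> Optional[str]:
    """Stand-in fetcher answering from the constructed table."""
    return CONSTRUCTED_HOPS.get(url)

if __name__ == "__main__":
    hops = follow_chain("https://sendgrid.net/EXAMPLE-TRACKING-ID", offline_fetch)
    print(" -> ".join(hops))
    print(verdict(hops, "chase.com"))
```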

Now we were certain that this was not a nice party invitation!  We sent out our favorite scout, the Zulu URL Risk Analyzer, to check out the link at mynanoflix-dot-com and POW!  We found an exploding cake!  Icing flew everywhere as Zulu triggered LOTS of malicious scripts.  We rarely see Zulu confirm so many malicious scripts, dangling malware, and all-round bad stuff as it did for this birthday party.  We didn’t just dodge a bullet.  We dodged booby-traps with hand-grenades, razor trip-wire and deadly landmines, all in the name of a birthday invite.  And we lived to tell you the tale.

FOR YOUR SAFETY: You Received a New eFax, Thank You For Taking Time to Contact Us, Blocked Clearing House Transaction, and Your Secure Communication

eFax. You know it.  Send and receive faxes anywhere.  “You received a new eFax from 516-9003248”  Google informs us that the number is supposed to be a landline in the area of Massapequa, NY, but we don’t believe it.  Mousing over the link in the line “Your fax can be viewed online, at our website, by visiting: https://www.efax…. Etc” reveals the lie.  The link points to a server in Japan (.jp = 2-letter country code for Japan).  VirusTotal.com reports that three services (Sophos, Websense and Kaspersky) have identified the link as malicious.  Ouch.

“jonnygee2000” says “Thank you for taking the time to contact us. Within two days we should be able to provide you with a decision in regard to your question, and we want you to know that we will be giving your question our fullest consideration.”  That’s nice, isn’t it?  But what question?  This is simple social engineering 101.  The link for “Tracking System Page” points to a malicious site in Poland (.pl = 2-letter country code).

“The Automated Clearing House transaction (ID: 60233715), recently initiated from your online banking account, was rejected by the other financial institution.”  But that attached Word document is infected with a malicious script.

Deeeeeleeeete!

This next email looks soooooo official and legit!  It appears to be sent from the domain hmrc-secure.co.uk and the official “HM Revenue & Customs” department of the UK Government.  The domain was registered on the day the email was sent, so don’t be fooled by the official-ness of it.  “HM Revenue & Customs” is the equivalent of the IRS here in the U.S., and their real domain is gov.uk.  The attached Word document contained a malicious script.

ON THE LIGHTER SIDE: Dormant Account!

This is simply way too much fun not to share with readers.  We encourage everyone to reach out to Dr. Mond Tam to inform him that you received an email about your dormant account with the Public Bank of Malaysia holding your $9,500,000.00.  But first, create a new email account on Gmail to use (rather than your personal account) and don’t pay any of his fees to release the money!  Insist that all fees be paid from your account in Malaysia.  Keep stalling him and ask lots of questions!  Write to us and tell us how it all went!

Greetings from Mond Tam.,

I am Dr. Mond Tam, Group Accountant (P.B) However, I have already sent you this same letter by post one month ago, but I am not sure if it did get to you since I have not heard from you, hence my re-sending it again. I discovered a dormant account in my office, as Group Accountant with Public Bank Of Malaysia. It will be in my interest to transfer this fund worth $$9,500,000.00 (Nine Million Five Hundred Thousands United State Dollars ) in offshore account. Can you be my partner?
Pls reply me to: directmail28@gmail.com

Regards and respect,
Dr.Mond Tam

Until next week, surf safely and have a happy, healthy and safe new year!