December 6, 2017

THE WEEK IN REVIEW

Looking back at last week’s Top Story, Malware Targets CNN Readers, we have an eerie feeling that these malicious manipulations were politically motivated.  We continued to get redirected to malware sites through November 27 at 7:30 pm.  Below are screenshots of two more redirects from CNN articles on November 26 and 27.  As we looked back at the sequence of links that led from a CNN article to a malware site, we realized that we only got redirected from CNN articles that were embarrassing to or shameful of Donald Trump.  Hmmmm…..  Is this Vladimir Putin showing support for his presumed lackey?  Of course we can’t say for certain but we wonder…

     


Sample Scam Subject Lines:

Activate your $50 store-reward from Costco Wholesale

Amazon has a gift for you.

Emailing – 10006008480

Every woman needs to take this

How To Easily Transfer Old Tapes And Film To Dvd

Nail Fungus Can Kill You – Remove It With This Simple Trick!

New $50 from Amazon – Activate eVoucher here

RE: FW: Proof of Payment

Use your new Amazon gifts – Expires Sunday

Why Every Judge on Shark Tank Backed This $5 Product

Your Amazon rewards are now ready to use

Your child will love this personal hand written letter from santa

Sample Scam Email Addresses

Amazoncom <amazoncom @ amznreward-DOT-com>

Amazon <amazon @ amznprimex-DOT-com>

Amazoncom <amazoncom @ newyearsuprize-DOT-com>

“Amazon Prime” <amazon_prime @ summervoucher-DOT-com>

“Amazon Gifts” <amazon_gifts @ novemberprice-DOT-com>

Amazon <amazon @ yourewardz-DOT-com>

“Amazon Rewards” <amazon.rewards @ givingreward-DOT-com>

“Amazon Prime” <amazon-prime @ onlinesprime-DOT-com>

Costcocom <costcocom @ sampleandcards-DOT-com>

“Costco Gifts” <costco.gifts @ wholesalespromo-DOT-com>

CostcoWholesalecom <costcowholesalecom @ onlinepromz-DOT-com>

CostcoWholesalecom <costcowholesalecom @ vouchercostco-DOT-com>

Invoicing <Invoicing @ solo-svet-DOT-ru>


Phish NETS: PayPal, AppleID, Chase Bank and Wells Fargo Bank

Phishers have been very busy targeting Americans!  Let’s begin with this extremely dangerous phish disguised as an email from PayPal but sent from staff “@” secureinfo-DOT-us.  “It’s unfortunate for us to inform you that we may restrict or suspect your account if you refuse to update some of your information that are out of date.”  The English in the email is awkward.  The recipient is sent an “update form” but the attached document is actually an html web document asking for extremely personal and financial information! (See below.)  This html form was coded by a real pro!  It was one of the best we’ve ever seen.  The author included coding that hid the real destination of your personal information and then redirected you to the real PayPal.com site after you provide it.  Your data appears to go to PayPal.com but the behind-the-scenes code dynamically assembles a URL and will send your precious data to “user5836” at secure.safe-platform-DOT-net.  A WHOIS lookup for the domain safe-platform-DOT-net shows that it was registered on November 30 to someone identified as Mark Ingrid from Kuala Lumpur, Malaysia.

Ouch!


By contrast, this next phish for your AppleID was soooo lame that the inept criminal senders coded it incorrectly.  The email was supposed to pull all email addresses and time/date stamps into the body of the email, and it didn’t work.  Also, look at their English language skills.  Why bother sending this scam when you can barely write a sentence correctly?

Deeeeleeeeete!


This next phish pretends to be from Chase Bank and is also pretty lame.  “Unthorize sign in to your chase account from an unrecognized device.”  You don’t say?!  A close look at the from address and mouse-over of the link for Chase.com easily reveals the fraud.

Delete.


“Important Security Notification  Dear Customer, Please log into your  Wells Fargo account immediately to review and verify recent activity on your account.”  That link may appear to be a secure link for wellsfargo.com but it actually points to a shortened link using the service ow.ly.  We unshortened the link to find that you’ll be sent to a website in Spain! (2-letter country code “.es” = España = Spain)

Delete this message!


YOUR MONEY: Amazon Customer Survey and Keysmart Organizer Holiday Gift

This email appears to come from a domain that doesn’t exist as of December 2.  “Amazonscard-DOT-com” was never registered.  However, clicking the links in this email doesn’t send you there anyway.  They will send you to a malicious domain called amazngofr-DOT-site. (Confirmed by the Zulu URL Risk Analyzer.) Don’t believe this “Amazon Consumer Survey” offering a chance to win something.  We wrote an article about the criminal gang in India that we believe is responsible for this malicious email and thousands more.  Check out Criminals in India Target Americans.

There is a real company that makes the “key smart organizer” but this next email is not from them.  It is, however, an important reminder that American consumers will be getting lots of malicious emails disguised as holiday promotions.   This email came from the domain keysmardhc.trade, and the links point to it as well.  It was registered the day this email came out (November 28) by someone named Albert Reyes from Minnesota.  We wonder why Albert listed his email as Yandex-DOT-com, an email service located in Russia.

This is a big, fat holiday delete!


TOP STORY: Beware Amazon Mimics

Amazon.com is undeniably one of the largest retailers in the world today.  With the holiday season in high gear, millions of people will be excited to get emails, texts, social media posts, and online coupons for products at Amazon.  But many of these are fraudulent tricks designed to infect computers, tablets and phones with malware.  We always see malicious emails and fake domains pretending to represent Amazon.com, among others.  But, in the last week we have seen a four-fold increase in the number of fake domains and malicious emails pretending to be from or about Amazon products and promotions, such as this one with the subject line “Your Amazon.com Gift Card is on the way” sent from amazoncom “@” amznreward-DOT-com.

        

Or this next email with subject line “Rewards worth over $50 from Amazon – Get yours” and sent from amazon.prime “@” amazionusa-DOT-com.

If you didn’t already notice, look back at the scam email addresses listed at the top of this newsletter.  There are eight different domains (and email addresses) pretending to be from or about Amazon.  In addition, here are six more that we found…

Amazon <amazon@novembergift-DOT-com>

“Amazon Certificates” <amazon-certificates@newyeargiftz-DOT-com>

“Amazon Prime Rewards” <amazon_prime_rewards@shopnvouch-DOT-com>

“Amazon Customer Center” <amazon_customer_center @ primeonlines-DOT-com>

“Amazon Prime” <amazon.prime@amazionusa-DOT-com>

“Consumer Survey” <amazonscard @ amazonscard-DOT-com>

Our honeypot email servers saw hundreds of emails from these fourteen different domains wanting us to believe they were for Amazon.   Whatever is written in front of the “@” symbol is unimportant as far as determining who was responsible for these malicious domains. The only important information is what follows the “@” symbol. Using a WHOIS tool, here’s a quick look at who we found, or didn’t find, was behind the registration of these domains…

DOMAIN                   DATE REGISTERED    REGISTERED TO
novembergift-DOT-com     11/27/17           Cammie Macpherson
newyeargiftz-DOT-com     11/27/17           Cammie Macpherson
shopnvouch-DOT-com       11/27/17           Cammie Macpherson
amazionusa-DOT-com       11/28/17           Cammie Macpherson
onlinesprime-DOT-com     11/29/17           Cammie Macpherson
amznprimex-DOT-com       11/30/17           Cammie Macpherson
newyearsuprize-DOT-com   11/30/17           Cammie Macpherson
summervoucher-DOT-com    11/30/17           Cammie Macpherson
novemberprice-DOT-com    11/30/17           Cammie Macpherson
yourewardz-DOT-com       11/30/17           Cammie Macpherson
givingreward-DOT-com     11/30/17           Cammie Macpherson
primeonlines-DOT-com     12/1/17            Cammie Macpherson
amznreward-DOT-com       12/1/17            Cammie Macpherson
amazonscard-DOT-com      Never registered
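
The rule stated above, that everything in front of the “@” is chosen by the sender and only the domain after it identifies who is responsible, is easy to automate.  The following is an added example written for this newsletter, not code from The Daily Scam.  It takes sender lines in the defanged form this newsletter uses, re-fangs them, parses the display name and address, and groups the registrable domains by the brand they imitate.  The sample lines are the ones printed on this page, plus one constructed control line from amazon.com itself to show a legitimate sender is not flagged; the brand-to-domain map and the “last two labels” approximation of a registrable domain are assumptions of the example.

```python
"""Added example, not code from The Daily Scam: parse defanged sender
addresses like the newsletter's lists, keep only what follows the "@",
and name the brand each domain is mimicking."""
import re
from collections import defaultdict
from email.utils import parseaddr

# Brands named on the page and the domain that legitimately sends their mail.
# Assumption for this example: only the apex domain (or its subdomains) counts.
BRAND_DOMAINS = {"amazon": "amazon.com", "costco": "costco.com"}

# Sender lines copied from the newsletter's "Sample Scam Email Addresses" and
# "Beware Amazon Mimics" lists, plus one constructed legitimate control line.
SAMPLE_SENDERS = [
    "Amazoncom <amazoncom @ amznreward-DOT-com>",
    "Amazon <amazon @ amznprimex-DOT-com>",
    "Amazoncom <amazoncom @ newyearsuprize-DOT-com>",
    '"Amazon Prime" <amazon_prime @ summervoucher-DOT-com>',
    '"Amazon Gifts" <amazon_gifts @ novemberprice-DOT-com>',
    "Amazon <amazon @ yourewardz-DOT-com>",
    '"Amazon Rewards" <amazon.rewards @ givingreward-DOT-com>',
    '"Amazon Prime" <amazon-prime @ onlinesprime-DOT-com>',
    "Costcocom <costcocom @ sampleandcards-DOT-com>",
    '"Costco Gifts" <costco.gifts @ wholesalespromo-DOT-com>',
    "CostcoWholesalecom <costcowholesalecom @ onlinepromz-DOT-com>",
    "CostcoWholesalecom <costcowholesalecom @ vouchercostco-DOT-com>",
    "Invoicing <Invoicing @ solo-svet-DOT-ru>",
    "Amazon <amazon@novembergift-DOT-com>",
    '"Amazon Certificates" <amazon-certificates@newyeargiftz-DOT-com>',
    '"Amazon Prime Rewards" <amazon_prime_rewards@shopnvouch-DOT-com>',
    '"Amazon Customer Center" <amazon_customer_center @ primeonlines-DOT-com>',
    '"Amazon Prime" <amazon.prime@amazionusa-DOT-com>',
    '"Consumer Survey" <amazonscard @ amazonscard-DOT-com>',
    "Amazon <ship-confirm @ amazon-DOT-com>",  # constructed control line
]


def refang(line):
    """Undo the defanging: '-DOT-' -> '.', spaces around '@' removed, curly quotes straightened."""
    line = line.replace("-DOT-", ".").replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r"\s*@\s*", "@", line)


def parse_sender(line):
    """Return (display_name, local_part, domain) for one From: line."""
    name, address = parseaddr(refang(line))
    local, _, domain = address.rpartition("@")
    return name, local, domain.lower()


def apex(domain):
    """Registrable domain, approximated as the last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])


def impersonated_brand(name, local, domain):
    """Return the brand a sender mimics, or None when the domain is legitimate.
    Text before the '@' is chosen freely by the sender, so a brand word anywhere
    in the line combined with an unrelated registrable domain is the signal."""
    text = f"{name} {local} {domain}".lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in text and apex(domain) != legit:
            return brand
    return None


def mimic_domains(lines):
    """Group registrable domains by the brand they mimic."""
    groups = defaultdict(set)
    for line in lines:
        name, local, domain = parse_sender(line)
        brand = impersonated_brand(name, local, domain)
        if brand:
            groups[brand].add(apex(domain))
    return {b: sorted(d) for b, d in groups.items()}


if __name__ == "__main__":
    for brand, domains in mimic_domains(SAMPLE_SENDERS).items():
        print(f"{brand}: {len(domains)} mimic domains -> {', '.join(domains)}")
```

The domain list this produces is exactly the input for the WHOIS step: one lookup per registrable domain rather than one per email, which is how the fourteen Amazon mimics above collapse onto a single registrant name.
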

We have written about “Cammie Macpherson” several times this fall.  Every WHOIS lookup lists her email, phone number, fax and home address, which is shown as an apartment complex in Pompano Beach, Florida.  Of course we don’t believe that this is real, or if real, that Cammie ever registered these domains.  “Cammie” has registered more than one hundred malicious domains since October, 2016 according to DomainBigData.com.  Domains in her name include curediiabetes-DOT-com, curediiiabetes-DOT-com, starrbuckss-DOT-com, candidatesecretzz.com (on 9/29/16 close to election day), costcoreward-DOT-com and costcowholesale-DOT-com.  All of these scam domains were registered using either NameCheap.com or Enom.com.  We have seen these two registrars misused by criminals for years!

Cammie Macpherson is the perfect example of everything that is wrong with ICANN, Registrars (sellers of domains) and the entire domain naming system.   Cammie’s malicious efforts raise questions…

  1. According to ICANN, there are at least 2500 Registrars worldwide. Why is it that criminals overwhelmingly use just two of these many registrars?  Has this been investigated?  If not, why not?
  2. How is it possible that anyone can register a domain with fraudulent information? Why isn’t there a better system in place to verify identity, or follow the money trail the moment fraud is detected?  And why are proxy services allowed to purchase domains in someone else’s name, allowing identity to be hidden, without any accountability for the proxy services?
  3. Why is Cammie allowed to purchase so many fraudulent domains? Why didn’t she get black-listed after initial domains were found to be fraudulent?  Some of her domain names clearly raise alarms about copyright infringement.  Do the registrars pay attention to the domain names purchased?  Shouldn’t they be held accountable and show due diligence?
  4. Why are there no Internet police? The Internet is probably the largest single economic, social thriving entity in the world.  Yet, there are so few protections of citizens who use the Internet and reporting Internet crime is a joke.

All of this lack of accountability and responsibility to the world’s citizens means that fraud is easy and rampant.  It is we, the users of the Internet, who suffer the effects daily.  The Daily Scam has made six specific recommendations on how to make the Internet safer for everyone. You can read about them here. Finally, we leave you with one more malicious Amazon-mimic in this losing battle for safety online…

        


FOR YOUR SAFETY: Docusign, Fax Mail, LinkedIn Message, You Have 7 Notifications and “Sup”

This email didn’t come from Dropbox and doesn’t lead to Dropbox.  Step away from the bear trap…

Google cannot find any website called faxmail-DOT-com.  The link in the email was coded to send the click to a malicious file hidden on the domain medivencompressionstockings-DOT-com.  It doesn’t lead to efax.com as it shows.

Now delete.


Here’s another example of a doctored link pointing to malware.  “New direct message from Una Young awaiting your reply” is not from LinkedIn.  A mouse-over of the link shows that it points to a hacked website called ifixigear-DOT-com.


“Hello You have 7 notifications” says an email sent from an address in Tonga, in the South Pacific.  Even Google informs readers that “this site may be hacked” when we look up the link domain advisorsoverseas-DOT-com.

Gee, ya think?


What we find most interesting about this last malicious trick with subject line “Re: sup!” is that the sender makes it look like he is answering an email that YOU SENT HIM.  The link, no surprise, is malicious.



ON THE LIGHTER SIDE: You Will Be Rewarded Handsomely

What a sweet phrase…. To be “rewarded handsomely.”  According to etymonline.com, the phrase was first documented as meaning “generously” in the 1680s.  Of course we wonder why a West Point Graduate like Capt. Castro would use an email address from Russia.

From: “Capt.Ivan Castro” <guest@proekt.net.ru>
Recipients <guest@proekt.net.ru>
Subject: Greetings
Date: 2017-11-30 04:12PM

 

Greetings

 

I am sorry to encroach into your privacy in this manner. I found your contact particulars in an address journal and I find it pleasurable to offer you my partnership in business. I only pray at this time that your address is still valid. I want to solicit your attention to receive money and gold on my behalf.

I am Capt.Ivan Castro, an officer in the US Army,and also a West Point Graduate presently serving in the Military with the 82nd Air Borne Division Peace keeping force currently deployed in Afghanistan.

We were moved to Afghanistan from Iraq as the last batch just left, and i really need your help in assisting me with the safe keeping of money and gold and to conceal this kind of money became a problem for me, so with the help of a German contact working here, and his office enjoys some immunity, I was able to get the package out to a safe location entirely out of trouble spot.

You will be rewarded handsomely if you could help me secure the funds until I conclude my service here. If you can be trusted, i will explain further when i get a response from you.

God Bless America.
Capt.Ivan Castro
Kabul Afghanistan
US ARMY


Until next week, surf safely!