THE WEEK IN REVIEW
Looking back at last week’s Top Story, Malware Targets CNN Readers, we have an eerie feeling that these malicious manipulations were politically motivated. We continued to get redirected to malware sites through November 27 at 7:30 pm. Below are screenshots of two more redirects from CNN articles on November 26 and 27. As we looked back at the sequence of links that led from a CNN article to a malware site, we realized that we only got redirected from CNN articles that were embarrassing to or shameful of Donald Trump. Hmmmm….. Is this Vladimir Putin showing support for his presumed lackey? Of course we can’t say for certain, but we wonder…
Sample Scam Subject Lines:
Activate your $50 store-reward from Costco Wholesale
Amazon has a gift for you.
Emailing – 10006008480
Every woman needs to take this
How To Easily Transfer Old Tapes And Film To Dvd
Nail Fungus Can Kill You – Remove It With This Simple Trick!
New $50 from Amazon – Activate eVoucher here
RE: FW: Proof of Payment
Use your new Amazon gifts – Expires Sunday
Why Every Judge on Shark Tank Backed This $5 Product
Your Amazon rewards are now ready to use
Your child will love this personal hand written letter from santa

Sample Scam Email Addresses:
Amazoncom <amazoncom @ amznreward-DOT-com>
Amazon <amazon @ amznprimex-DOT-com>
Amazoncom <amazoncom @ newyearsuprize-DOT-com>
“Amazon Prime” <amazon_prime @ summervoucher-DOT-com>
“Amazon Gifts” <amazon_gifts @ novemberprice-DOT-com>
Amazon <amazon @ yourewardz-DOT-com>
“Amazon Rewards” <amazon.rewards @ givingreward-DOT-com>
“Amazon Prime” <amazon-prime @ onlinesprime-DOT-com>
Costcocom <costcocom @ sampleandcards-DOT-com>
“Costco Gifts” <costco.gifts @ wholesalespromo-DOT-com>
CostcoWholesalecom <costcowholesalecom @ onlinepromz-DOT-com>
CostcoWholesalecom <costcowholesalecom @ vouchercostco-DOT-com>
Invoicing <Invoicing @ solo-svet-DOT-ru>
Phish NETS: PayPal, AppleID, Chase Bank and Wells Fargo Bank

Phishers have been very busy targeting Americans! Let’s begin with this extremely dangerous phish disguised as an email from PayPal but sent from staff “@” secureinfo-DOT-us. “It’s unfortunate for us to inform you that we may restrict or suspect your account if you refuse to update some of your information that are out of date.” The English in the email is awkward. The recipient is sent an “update form,” but the attached document is actually an HTML web document asking for extremely personal and financial information! (See below.)

This HTML form was coded by a real pro! It was one of the best we’ve ever seen. The author included code that hid the real destination of your personal information and then redirected you to the real PayPal.com site after you provide it. Your data appears to go to PayPal.com, but the behind-the-scenes code dynamically assembles a URL and sends your precious data to “user5836” at secure.safe-platform-DOT-net. A WHOIS lookup for the domain safe-platform-DOT-net shows that it was registered on November 30 to someone identified as Mark Ingrid from Kuala Lumpur, Malaysia. Ouch!

By contrast, this next phish for your AppleID was soooo lame that the inept criminal senders coded it incorrectly. The email was supposed to pull all email addresses and a time/date stamp into the body of the email, and it didn’t work. Also, look at their English language skills. Why bother sending this scam when you can barely write a sentence correctly? Deeeeleeeeete!

This next phish pretends to be from Chase Bank and is also pretty lame. “Unthorize sign in to your chase account from an unrecognized device.” You don’t say?! A close look at the from address and a mouse-over of the link for Chase.com easily reveal the fraud. Delete.

“Important Security Notification. Dear Customer, Please log into your Wells Fargo account immediately to review and verify recent activity on your account.” That link may appear to be a secure link for wellsfargo.com, but it actually points to a shortened link using the service ow.ly. We unshortened the link to find that you’ll be sent to a website in Spain! (The 2-letter country code “.es” = España = Spain.) Delete this message!
YOUR MONEY: Amazon Customer Survey and Keysmart Organizer Holiday Gift

This email appears to come from a domain that didn’t exist as of December 2. “Amazonscard-DOT-com” was never registered. However, clicking the links in this email doesn’t send you there anyway. They send you to a malicious domain called amazngofr-DOT-site. (Confirmed by the Zulu URL Risk Analyzer.) Don’t believe this “Amazon Consumer Survey” offering a chance to win something. We wrote an article about the criminal gang in India that we believe is responsible for this malicious email and thousands more. Check out Criminals in India Target Americans.

There is a real company that makes the “key smart organizer,” but this next email is not from them. It is, however, an important reminder that American consumers will be getting lots of malicious emails disguised as holiday promotions. This email came from the domain keysmardhc.trade, and the links point to it as well. It was registered the day this email came out (November 28) by someone named Albert Reyes from Minnesota. We wonder why Albert listed his email as Yandex-DOT-com, an email service located in Russia. This is a big, fat holiday delete!
TOP STORY: Beware Amazon Mimics

Amazon.com is undeniably one of the largest retailers in the world today. With the holiday season in high gear, millions of people will be excited to get emails, texts, social media posts, and online coupons for products at Amazon. But many of these are fraudulent tricks designed to infect computers, tablets and phones with malware. We always see malicious emails and fake domains pretending to represent Amazon.com, among others. But in the last week we have seen a four-fold increase in the number of fake domains and malicious emails pretending to be from or about Amazon products and promotions. Such as this one with the subject line “Your Amazon.com Gift Card is on the way” sent from amazoncom “@” amznreward-DOT-com. Or this next email with subject line “Rewards worth over $50 from Amazon – Get yours” and sent from amazon.prime “@” amazionusa-DOT-com.

If you didn’t already notice, look back at the scam email addresses listed at the top of this newsletter. There are eight different domains (and email addresses) pretending to be from or about Amazon. In addition, here are six more that we found…

Amazon <amazon @ novembergift-DOT-com>
“Amazon Certificates” <amazon-certificates @ newyeargiftz-DOT-com>
“Amazon Prime Rewards” <amazon_prime_rewards @ shopnvouch-DOT-com>
“Amazon Customer Center” <amazon_customer_center @ primeonlines-DOT-com>
“Amazon Prime” <amazon.prime @ amazionusa-DOT-com>
“Consumer Survey” <amazonscard @ amazonscard-DOT-com>

Our honeypot email servers saw hundreds of emails from these fourteen different domains wanting us to believe they were for Amazon. Whatever is written in front of the “@” symbol is unimportant as far as determining who was responsible for these malicious domains. The only important information is what follows the “@” symbol. Using a WHOIS tool, here’s a quick look at who we found, or didn’t find, was behind the registration of these domains…

DOMAIN                    Date Registered   Registered to:
novembergift-DOT-com      11/27/17          Cammie Macpherson
newyeargiftz-DOT-com      11/27/17          Cammie Macpherson
shopnvouch-DOT-com        11/27/17          Cammie Macpherson
amazionusa-DOT-com        11/28/17          Cammie Macpherson
onlinesprime-DOT-com      11/29/17          Cammie Macpherson
amznprimex-DOT-com        11/30/17          Cammie Macpherson
newyearsuprize-DOT-com    11/30/17          Cammie Macpherson
summervoucher-DOT-com     11/30/17          Cammie Macpherson
novemberprice-DOT-com     11/30/17          Cammie Macpherson
yourewardz-DOT-com        11/30/17          Cammie Macpherson
givingreward-DOT-com      11/30/17          Cammie Macpherson
primeonlines-DOT-com      12/1/17           Cammie Macpherson
amznreward-DOT-com        12/1/17           Cammie Macpherson
amazonscard-DOT-com       —                 Never registered

We have written about “Cammie Macpherson” several times this fall. Every WHOIS lookup lists her email, phone number, fax and home address, which is shown as an apartment complex in Pompano Beach, Florida. Of course we don’t believe that this is real, or if real, that Cammie ever registered these domains. “Cammie” has registered more than one hundred malicious domains since October 2016, according to DomainBigData.com. Domains in her name include curediiabetes-DOT-com, curediiiabetes-DOT-com, starrbuckss-DOT-com, candidatesecretzz.com (registered on 9/29/16, close to election day), costcoreward-DOT-com and costcowholesale-DOT-com. All of these scam domains were registered using either NameCheap.com or Enom.com. We have seen these two registrars misused by criminals for years!

Cammie Macpherson is the perfect example of everything that is wrong with ICANN, registrars (sellers of domains) and the entire domain naming system. Cammie’s malicious efforts raise questions… All of this lack of accountability and responsibility to the world’s citizens means that fraud is easy and rampant. It is we, users of the Internet, who suffer the effects daily. The Daily Scam has made six specific recommendations on how to make the Internet safer for everyone. You can read about them here. Finally, we leave you with one more malicious Amazon-mimic in this losing battle for safety online…
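The Top Story’s rule that only what follows the “@” identifies a sender, and the two-letter country-code check used on the Wells Fargo link in Phish Nets, can both be automated. The script below is an added example, not The Daily Scam’s own code: it parses a From: header or a hyperlink, notes any brand named in the display name, mailbox or visible link text, and then checks whether the registrable domain is actually one of that brand’s genuine domains. The allow-list of genuine domains, the brand hint tokens, the “last two labels” domain rule, and the control address orders@amazon.com are assumptions; the other sample addresses are the defanged ones quoted in this newsletter.

```python
"""Sender/link brand-impersonation triage (added example, not the newsletter's code).
Rule: the text before "@" (or the visible link text) can claim anything;
only the registrable domain after "@" (or in the real href) decides."""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: each brand's genuine registrable domain(s). A real deployment
# would maintain this from the brands' published mail/web domains.
LEGIT_DOMAINS = {
    "amazon": {"amazon.com"},
    "costco": {"costco.com"},
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
    "wellsfargo": {"wellsfargo.com"},
}
# Tokens that, at a word boundary, count as a claim to be that brand (assumption).
BRAND_HINTS = {
    "amazon": ("amazon", "amzn"),
    "costco": ("costco",),
    "paypal": ("paypal",),
    "chase": ("chase",),
    "wellsfargo": ("wellsfargo", "wells fargo"),
}


def refang(text):
    """Undo the newsletter's defanging: '-DOT-' for '.', spaces around '@'."""
    return text.replace("-DOT-", ".").replace(" @ ", "@")


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no multi-label public
    suffixes such as co.uk; use a public-suffix list for those)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def claimed_brands(*fields):
    """Brands whose hint tokens appear, at a word boundary, in any field."""
    blob = " ".join(f.lower() for f in fields if f)
    return sorted(brand for brand, hints in BRAND_HINTS.items()
                  if any(re.search(r"\b" + re.escape(h), blob) for h in hints))


def _report(registrable, brands, extra):
    """Verdict: a brand claim is 'legit' only if the domain is on its allow-list."""
    if not brands:
        verdict = "no brand claim"
    elif any(registrable in LEGIT_DOMAINS[b] for b in brands):
        verdict = "legit"
    else:
        verdict = "impersonation"
    tld = registrable.rsplit(".", 1)[-1]
    return {"registrable_domain": registrable, "brands": brands,
            "cctld": tld if len(tld) == 2 and tld.isalpha() else None,
            "verdict": verdict, **extra}


def assess_sender(header_value):
    """Classify a From: header value such as 'Amazon <amazon@example.com>'."""
    name, addr = parseaddr(refang(header_value))
    local, _, host = addr.rpartition("@")
    return _report(registrable_domain(host), claimed_brands(name, local, host),
                   {"address": addr})


def assess_link(href, shown_text=""):
    """Classify a hyperlink whose visible text may name a brand the href lacks."""
    target = refang(href)
    if "://" not in target:
        target = "http://" + target
    host = urlsplit(target).hostname or ""
    return _report(registrable_domain(host), claimed_brands(shown_text, host),
                   {"href": target})


# Constructed sample input: defanged addresses quoted in the newsletter plus
# one genuine-looking control address (constructed, not from the page).
SAMPLE_SENDERS = [
    "Amazoncom <amazoncom @ amznreward-DOT-com>",
    '"Amazon Prime" <amazon_prime @ summervoucher-DOT-com>',
    "Costcocom <costcocom @ sampleandcards-DOT-com>",
    "Invoicing <Invoicing @ solo-svet-DOT-ru>",
    "Amazon <orders@amazon.com>",  # constructed control
]


def scan_senders(senders=SAMPLE_SENDERS):
    """One report per sender; the demo and the tests both use this."""
    return [assess_sender(s) for s in senders]


if __name__ == "__main__":
    for r in scan_senders():
        print(f"{r['verdict']:15} {r['registrable_domain']:22} "
              f"brands={r['brands']} cctld={r['cctld']}")
    # Wells Fargo phish shape: visible text names the bank, href is a shortener.
    # The path "abc" is a constructed placeholder, not the newsletter's link.
    print(assess_link("http://ow.ly/abc", shown_text="https://www.wellsfargo.com/"))
```

The substring hints deliberately miss a lookalike such as amazngofr-DOT-site from the Your Money item, which is why the domain allow-list, not the brand-hint match, is the part that carries the decision; a production filter would add edit-distance or tokenized lookalike checks on the registrable domain and a public-suffix list for multi-label TLDs.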
FOR YOUR SAFETY: Docusign, Fax Mail, LinkedIn Message, You Have 7 Notifications and “Sup”
This email didn’t come from Dropbox and doesn’t lead to Dropbox. Step away from the bear trap…
Google cannot find any website called faxmail-DOT-com. The link in the email was coded to send the click to a malicious file hidden on the domain medivencompressionstockings-DOT-com. It doesn’t lead to efax.com as it shows.
Now delete.
Here’s another example of a doctored link pointing to malware. “New direct message from Una Young awaiting your reply” is not from LinkedIn. A mouse-over of the link shows that it points to a hacked website called ifixigear-DOT-com.
“Hello You have 7 notifications” says an email sent from an address in Tonga, in the South Pacific. Even Google informs readers that “this site may be hacked” when we look up the link domain advisorsoverseas-DOT-com.
Gee, ya think?
What we find most interesting about this last malicious trick with subject line “Re: sup!” is that the sender makes it look like he is answering an email that YOU SENT HIM. The link, no surprise, is malicious.
ON THE LIGHTER SIDE: You Will Be Rewarded Handsomely
What a sweet phrase…. To be “rewarded handsomely.” According to etymonline.com, the phrase was first documented as meaning “generously” in the 1680s. Of course we wonder why a West Point graduate like Capt. Castro would use an email address from Russia.
From: “Capt.Ivan Castro” <guest@proekt.net.ru>
Recipients <guest@proekt.net.ru>
Subject: Greetings
Date: 2017-11-30 04:12PM
Greetings
I am sorry to encroach into your privacy in this manner. I found your contact particulars in an address journal and I find it pleasurable to offer you my partnership in business. I only pray at this time that your address is still valid. I want to solicit your attention to receive money and gold on my behalf.
I am Capt.Ivan Castro, an officer in the US Army,and also a West Point Graduate presently serving in the Military with the 82nd Air Borne Division Peace keeping force currently deployed in Afghanistan.
We were moved to Afghanistan from Iraq as the last batch just left, and i really need your help in assisting me with the safe keeping of money and gold and to conceal this kind of money became a problem for me, so with the help of a German contact working here, and his office enjoys some immunity, I was able to get the package out to a safe location entirely out of trouble spot.
You will be rewarded handsomely if you could help me secure the funds until I conclude my service here. If you can be trusted, i will explain further when i get a response from you.
God Bless America.
Capt.Ivan Castro
Kabul Afghanistan
US ARMY
Until next week, surf safely!