February 13, 2019


Happy (almost) Valentine’s day!  Normally, we see cybercriminals take advantage of holidays with themed malicious messages but, alas, we saw none!  Did you? Let us know by emailing us at spoofs@thedailyscam.com.

We would like to remind readers to keep a close eye on BOTH the “From” address of an email they receive and the “Reply to” address. Under rare and unusual circumstances they might be different. But 99% of the time these email addresses should be the same! However, cybercriminals wishing to engage a victim in a conversation will sometimes send an email from one address and embed a “reply to” address that is different. You may not even see this until you click/hit reply. Here’s an example of this in a recent email from an obvious Nigerian 419 scammer. Mr. Ibrahim Janahi claims to be from the United Arab Emirates but his email came from a server in China (see “.cn” at end of domain; 2-letter country code for China) and the reply-to address is with good old-fashioned AOL.com.
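For readers who filter mail with scripts, the From/Reply-To comparison described above can be automated. The following is an added example, not part of the original newsletter; the sample message and its `.example` addresses are constructed, and the function names are our own.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not the email discussed above); all
# addresses use the reserved ".example" top-level domain.
SAMPLE = """\
From: "Sender Name" <director@mailhost.example>
Reply-To: reply-box@freemail.example
To: reader@inbox.example
Subject: Business proposal

Dear friend ...
"""

def domains(msg, header):
    """Return the set of lower-cased domains found in an address header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def same_org(a, b):
    """Treat a domain and its own subdomains as one sender."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def reply_to_mismatch(raw):
    """Return a finding when Reply-To points away from the From domain."""
    msg = message_from_string(raw)
    from_domains = domains(msg, "From")
    reply_domains = domains(msg, "Reply-To")
    # Without a Reply-To header, replies go to From: nothing to compare.
    if not reply_domains:
        return None
    stray = {r for r in reply_domains
             if not any(same_org(r, f) for f in from_domains)}
    if not stray:
        return None
    return {"from": sorted(from_domains), "reply_to": sorted(stray)}

if __name__ == "__main__":
    print(reply_to_mismatch(SAMPLE))
```

A finding here is a reason to look closer, not proof of fraud: mailing lists and help desks legitimately set a different Reply-To.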



Send us your malicious, suspicious email, and annoying spam!  We love seeing it!

Would it surprise you to learn that more than 70,000 YouTube viewers were tricked into clicking malicious links that were disguised as famous YouTube stars? Check out this article titled “YouTube Subscribers Get Scammed By Celebrity Imposters” at MetaCompliance.com. And then take a look at all the links that come up on Google when you search for “malicious links pretending to be celebrity news.”




Phish NETS: M&T Bank and Citi Bank

One of our readers gets hammered by a plethora of phishing and Nigerian 419 scams.  She sent us both of this week’s phish. This one pretends to be an email from M&T Bank, a bank headquartered in Buffalo, New York and serving several states.  However, the email came from a scam domain we’ve reported on recently called cfargo[.]com. The link embedded in the email points to a shortened link at ow.ly.  What made us smile at this obvious scam was the opening line… “Dear Csstomer.”



The second phish pretends to be an email from Citi Bank, but notice that the email came from the domain city.com rather than citi.com or citibank.com.  The link for “Click here” points to a hacked website called alliancebhi[.]com.






YOUR MONEY:  Amazon Wants Your Feedback, Tech Auto Warranty, and Elite Singles

If we had $1 for every scam email pretending to represent Amazon, we could retire early! This next one is ludicrous. Just look at the FROM address and then you can roll your eyes…. “THANKYOU” is followed by the email address of the very real and legitimate website for the Democratic Congressional Campaign Committee representing the Democrats in the House of Representatives (DCCC.org). Does THAT make any sense? Of course not. We think it says much more about the political views of the scammer who sent it… Russian?

The link for this clickbait points to the domain teamsnap[.]com.  And if you look up this domain you’ll discover that teamsnap[.]com is a web service for managing recreational and competitive sports teams and groups.  So how do you feel about the legitimacy of that $60 Amazon survey offer now?


Speaking of clickbait, this next email is 100% BS and has nothing to do with the real website for “Total Tech Auto Warranty.” You’ll find that the email domain after the “@” symbol, as well as the domain shown in the lower left corner for the link, is queuemotif[.]tech. It was easy to find this crap domain in a WHOIS and see that it was registered just 15 days before a Comcast user received this email. It was registered to an organization called “New Deal Net, LLC” located in Helper, Utah where the 2010 census found a whopping population of 2100 people. According to Zillow.com, on the day we checked, there is a single family home for rent at the address associated with “New Deal Net, LLC.” We can’t wait to get our auto warranty quote from these guys.

Our favorite unshortening service tells us that we’ll be redirected to a website we know well!  It’s called kayolly[.]online and we’ve written about it before.  You’ll want to stay as far away from that website as possible.  The screenshot below from Virustotal.com says it all!


“Discover the exciting world of elite singles!”  “Explore like never before!” Before you get too excited, notice that this next email actually came from a bogus address of random letters “@” warlome[.]com.  This domain is now for sale but was used to host a website in Buzău, Romania not long ago.  The link in the email points to another crap domain called leighen[.]top.  We know this domain is 100% malicious because it was registered on the same day this email was sent.  The domain was registered for a technology service that Google can’t even find.

Wonder why?



TOP STORY: Time to Renew Your Domain… Or is it?

Have you ever wondered what it takes to put up your own website? We don’t mean using a free website service like Weebly, or a paid service like Wix.  We’re talking about a website in which you get to choose your own domain name and build, or have built, the website you want from scratch. Essentially, you need just three things:

  1. Pay a hosting service to put your website on their servers so the world can see it.
  2. Create the website yourself, perhaps using free open source software like WordPress, or pay someone to build the website for you after you provide the content.
  3. Purchase a domain name from a Registrar, like we did for TheDailyScam.com.

Nowadays tens of thousands of ordinary people own a domain name, and not just for business. We’ve seen domain names purchased by families (just for family email!), clubs, and themed groups. But technically speaking, no one “purchases” a domain. They rent the domain name from any one of thousands of Registrars around the world. If they wish to keep their domain for another year or more, they will inevitably need to renew that domain or it goes back to the Registrar for someone else to rent. So it isn’t uncommon for domain owners to get an email like this “Domain Notice” to remind them that an expiration date is approaching. Or is it?



If you read the above email carefully, you may have noticed the following…

  1. This email is actually a “notification for your business Domain name search engine registration” and NOT a notice for the renewal date of your domain name.
  2. Failure to respond to this email may result in “cancellation of this offer making it difficult for your customers to locate you on the web” – FLAT OUT LIE! Doing nothing in response to this email will have NO impact whatsoever on your customers finding your website!
  3. The email ends by saying this is a “courtesy reminder” to register your domain for a better search engine listing.  Again, this is a lie. The link to “select a package” points to the domain feedgenius[.]com.  FeedGenius is an American company based in Minnesota that helps hog farmers by offering liquid feeding technology.  That’s right! Hog farmers!
  4. The email came FROM the domain eigne[.]net. A WHOIS lookup of this domain tells us it was registered just 1 week before this email was sent. The Registrant’s name is hidden behind a proxy service and the domain is being hosted in Warsaw, Poland.
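The WHOIS check used here, and for the auto warranty and elite singles emails earlier, comes down to comparing a domain's registration date with the date the email was sent. The following is an added example, not part of the original newsletter; the WHOIS excerpt, domain and dates are constructed placeholders, and the 30-day threshold is our own assumption.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed WHOIS excerpt and Date header (placeholder domain and
# dates, not the records behind the emails on this page).
WHOIS_TEXT = """\
Domain Name: SENDER-DOMAIN.EXAMPLE
Creation Date: 2019-02-04T08:30:00Z
Registry Expiry Date: 2020-02-04T08:30:00Z
"""
EMAIL_DATE = "Mon, 11 Feb 2019 14:05:00 -0500"

# Two common labels for the registration date in WHOIS output.
CREATED_RE = re.compile(r"^\s*(?:Creation Date|created):\s*(\S+)", re.I | re.M)

def whois_created(text):
    """Return the registration time as an aware datetime, or None."""
    m = CREATED_RE.search(text)
    if not m:
        return None
    created = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    # Date-only values carry no zone; treat them as UTC.
    return created if created.tzinfo else created.replace(tzinfo=timezone.utc)

def domain_age_days(whois_text, date_header):
    """Whole days between domain registration and the email's Date header."""
    created = whois_created(whois_text)
    if created is None:
        return None
    sent = parsedate_to_datetime(date_header)
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return (sent - created).days

def is_newly_registered(whois_text, date_header, max_age_days=30):
    """True when the sending domain was registered shortly before the email."""
    age = domain_age_days(whois_text, date_header)
    return age is not None and age <= max_age_days

if __name__ == "__main__":
    print(domain_age_days(WHOIS_TEXT, EMAIL_DATE),
          is_newly_registered(WHOIS_TEXT, EMAIL_DATE))
```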

In four days, the school representative who owns this DOT-school domain received four of these emails. Here is another one. Apart from the sender’s date/time, it is identical in every way to the one above EXCEPT for one other thing… Look at the link at the bottom of the email.

The link to “select package” leads to DentalWorld786[.]com???  Additional emails about this domain service notice contained links to blazethread[.]com and acmeskyventures[.]com as well as a bunch of random text characters far below each link to the “select package”…


We followed the link to “Dental World” and found a fake web page asking the owner to submit the website for “domain name search engine registration.”  The visitor is asked to choose amongst the priced packages. Of course you’ll have to enter your credit card information and authorize the purchase.



If you think we’re being a little too paranoid about this and the other 3 domains, Sucuri.net (an online security service) informed us that McAfee had already blacklisted dentalworld786[.]com for hosting this and other malicious content!



So, the next time you get an “official notice” that it is time to renew anything, be sure to look at it with a more critical eye!  By the way, the school that was targeted informed us that the renewal date of their domain name isn’t until April.


FOR YOUR SAFETY: FedEx Delivery, Invoice Attached, and Criminals Want Your Email Address

The subject line “You have package” doesn’t inspire thoughts of glowing comments from our fifth grade English teacher.  That should be the first sign that something is “off” about this email. A close look adds much more to our suspicions! It came from a Government server in Venezuela (gob[.]ve).  Also, FedEx is not going to send you a Word document!




This little email packs a LOT of punch!  The link about the attached invoice points to a website called kamisehat[.]com.  Look how many services have identified that website as hosting malware/malicious content!



We are still receiving a variety of emails pretending to be FedEx or an “unsubscribe” notice in which criminals seem to be collecting your email address.  They are all being sent by the same criminal(s), as evidenced by many of the return addresses always starting with “Roba.” We’re curious fellows and wondered if there were any significance to the name Roba.  According to Wikipedia, Roba is a Finnish drama TV series about a police department. Roba is also Italian for “stuff” or “things” (possessions). However, our favorite definition applies to “roba rubata.”

It is Italian for “stolen stuff!” How apropos!

Until next week, surf safely!