February 14, 2018

[hr_invisible]

Phish NETS: Amazon, PayPal, cPanel, Email and DCU

Doug at TDS received this targeted phishing email to inform him that his Apple iPhone X has shipped!  Of course, he didn’t order one.  It’s just social engineering to produce clicking behavior.  A close look at the email address shows that it was sent from shipments-DOT-com, rather than amazon.com.  Mousing-over the link “Track your package” shows that it points to an odd domain kindeyforjim-DOT-com.  We dug deeper into this phish and discovered that hundreds of these have gone out targeting individuals.  Thousands?  Perhaps.

Don’t fall for this smelly carp.

[hr_invisible]

“Account Limited Notification 07/02/2018”  “We need your help resolving an issue with your account.  We have temporarily locked what you can do with your account until the issue is resolved.”  This BS was actually well written, most likely, by someone who is not a U.S. citizen.  Can you tell why we believe this, despite how flawlessly it is written?  We’ll give you a hint…. Look carefully at the subject line.  The link “Unlock My Account” was also well-crafted and deceiving.  It contains a built-in redirect to a website in Italy: saporidipugliasrl-DOT-it (“.it” is the 2-letter country code for Italy.) Fortinet has identified this site as a phishing site.

[hr_invisible]

Most readers are not likely to know what a “cPanel” is but any website designer or owner who gets involved in the installation and set up of their website knows.  cPanel is the access to all behind-the-scenes resources to a website.  If you have access to a cPanel, you have the keys to the kingdom.  Now check out this email that seems to come from cpanel-DOT-net.  But mousing over the link “click here” shows that it points to a domain in Canada (arktyp-DOT-ca).

Just delete.

We continue to see lots of phishing scams targeting webmail users and users of DCU (Digital Credit Union).  We’ve been reporting on these for weeks.  **sigh**  Here are three more to delete. Can you tell which one came from an email address in India?  …Poland?  Can you tell which one contains a link that points to a webserver in Poland?  (Hints are below.)

[hr_invisible]

[hr_invisible]

[hr_invisible]

(Look for the 2-letter country codes found in the email from address, or link revealed by a mouse-over.  “.pl” = Poland, “.in” = India)

[hr_invisible]

[hr_invisible]

YOUR MONEY: Ray-Ban, Couch Coat, and Confirm Your Amazon Account

Probably one of the most famous sunglasses are Ray-Ban Aviators.  So imagine the excitement upon receiving this email for an 80% discount on them!  You already know it isn’t legitimate though.  The email came from an address in China.  But before you say “knock off” let’s dig a little deeper.  All links lead to a crap domain called hqcom-DOT-top.  This domain was registered by someone named Wang Zheng Jun from Hangzhou, China on November 16, 2017.  Google can’t find this website at all.  Spamhaus has identified the domain as a source of spam.  Sound trustworthy to you?  Yeah, we thought so.

Delete.

Apparently, “Couch Coat” is a real product and has a real website.  But this didn’t come from the real Couch Coat website and doesn’t contain links pointing back to it.  Look carefully at the from address…. Couchcoatt-DOT-com.  “Give Your Outdated Sofa an Instant Facelift.” But all links point to the crap domain coatfor-DOT-bid.  This is a phony as a $2 bill and much more dangerous.  Look below to see how the Zulu URL Risk Analyzer scored it WITHOUT even considering the fact that there is a redirect on the website that will send you to another dangerous domain.

Deeeeleeeeete!

[hr_invisible]

And finally, we have yet another malicious email disguised as an Amazon gift code.  However, the criminals just dressed up a scam that had been disguised as Costco Rewards.  Look at the from email address after the “@” symbol!  Costcoweekends-DOT-com?? This domain was registered by “Darrell Lemley” in early 2017.  We’ve found many malicious domains registered in this name since early in 2017.

[hr_invisible]

[hr_invisible]

TOP STORY: Invitation to Join Business Who’s Who!

Have you ever heard the term “vanity award?”  It can be described as an award given to a person, business or organization in which the recipient buys the award or services from the provider of the award.  The award is meant to look legitimate but it’s worthless.  It’s just a way for someone to make some money.  There have been many vanity awards over the years. But there are also “vanity scams” and we have written about these many times.  You can read our feature article titled “Recognizing Vanity Scams.” The reason we bring this up is because we’ve been seeing a few of these vanity scams again recently.  Check out this email from “Only The Best” <only_the_best “@” exposeddiiabtes-DOT-com>.   “Your Award is waiting.”  “Congratulations, A business plaque was made for you to honor your recent achievements in business” says Marianela Bridges, the Award Coordinator.

Did Mrs. Bridges mention you by name?  Did she mention your business?  You were supposedly nominated by a colleague.  But who?  If you continue reading this email you’ll see oddities in her writing that should make you suspicious.  “We are delighted to inform you of this word, which will hopefully be the first of many you will receive.”

This email is literally the exact same trash we reported in our May 17, 2017 newsletter (top story).  Except that this email has links pointing to a different malicious domain exposeddiiabtes-DOT-com.  Who registered this domain?  None other than “Darrell Lemley!”  This is nothing more than a social engineering trick meant to infect your computer.  However, it speaks volumes about the sender of this scam.  It means they recycle old scams.  That means they have some kind of organization for keeping them around and re-using them.  We see this often and believe it is another breadcrumb to suggest that a foreign criminal organization, with discrete job functions, is responsible for a large percentage of the malicious emails we see.

What about a Business Who’s Who invitation?  “Dear Valued Professional, You have recently been nominated as a candidate to represent your professional community in the 2018 Edition of Who’s Who among Executives and Professionals!”

And there is “No-Charge” to be included!

Again, is the recipient identified by name?  What about the sender?  The email came from, and links lead to a website called businessideasbest-DOT-com.  Who registered this domain?  Once again, our good buddy Darrell Lemley!

Are there any legitimate business honors or Who’s Who directories?  Yes, of course.  However, there are a overwhelming number of vanity awards that are meaningless and, as we’ve shown here, an additional large number of malicious vanity scams that result in nothing more than a computer infection.  Look before you leap…

[hr_invisible]