THE WEEK IN REVIEW
In case you hadn’t noticed, it’s Valentine’s Day! We wanted to dedicate this newsletter to scams and malicious emails disguised as Valentine’s Day promotions, but we only found one! And the one we found had broken links to its graphics. Sooooo disappointing. (Actually, we’re very happy about this.) Here’s the lame email we found…. The links point to an attractive domain called chineswomndate-DOT-bid (“Chinese women date”). This lovely domain was registered just hours before the email was sent, sweetheart.
We’re seeing a new design variation of the very malicious emails claiming to have messages for you to view. This one is just as malicious as the others. It didn’t come from Google.com and doesn’t point back to Google.com either. But we love their subject line… “4 damaged messages has been found and restored”
Sample Scam Subject Lines:
Claim your Amazon.com Gift Card Reload by Sunday
I think you’ll like this…
Last nights lottery winner tells all to CBS news (how he has won 3 times)
Losing your hair? Then don’t do THIS…
Lotto winner secret revealed (ABC Exclusive)
Pain Relief and Breakthrough Pain
RE: Did you check this
The BEST Holiday gift: 80% OFF anything (TODAY ONLY!)
Use this 50.00 eVoucher from Amazon by Sunday
Your profile update #24314921
You still need to update your professional profile
YouTube: Most seen video ever #5596737451
You’ve been approved
Sample Scam Email Addresses:
Amazon <amazon @ egiftzusa-DOT-com>
Amazoncom <amazoncom @ jcprewardtoday-DOT-com>
Amazoncom <amazoncom @ morninggiftcard-DOT-com>
“Amazon StoreNews” <amazon-storenews @ givinggiftz-DOT-com>
Apple <noticeserviceid @ logiin-DOT-com>
Bank of America <noreply @ americabank59-DOT-ml>
Catriona (FedEx International) <frothmeijer @ mrprealty-DOT-com>
“Confirmation Mail?” <easy-cellar @ bodypnting-DOT-us>
“Forbes News” <forbes.news @ suniituurwe-DOT-com>
“NBC News Exclusive” <nbc_news_exclusive @ americasbestink-DOT-com>
“Save Your Family Memories” <giftone @ giftone-DOT-com>
“tj” <mail @ mail.watchcopy-DOT-top>
“Urgent Message” <thesurvivalniche @ breakingnews-DOT-com>
Phish NETS: Amazon, PayPal, cPanel, Email and DCU

Doug at TDS received this targeted phishing email to inform him that his Apple iPhone X has shipped! Of course, he didn’t order one. It’s just social engineering to produce clicking behavior. A close look at the email address shows that it was sent from shipments-DOT-com, rather than amazon.com. Mousing over the link “Track your package” shows that it points to an odd domain, kindeyforjim-DOT-com. We dug deeper into this phish and discovered that hundreds of these have gone out targeting individuals. Thousands? Perhaps. Don’t fall for this smelly carp.

“Account Limited Notification 07/02/2018”
“We need your help resolving an issue with your account. We have temporarily locked what you can do with your account until the issue is resolved.”
This BS was actually well written, most likely, by someone who is not a U.S. citizen. Can you tell why we believe this, despite how flawlessly it is written? We’ll give you a hint…. Look carefully at the subject line. The link “Unlock My Account” was also well-crafted and deceiving. It contains a built-in redirect to a website in Italy: saporidipugliasrl-DOT-it (“.it” is the 2-letter country code for Italy). Fortinet has identified this site as a phishing site.

Most readers are not likely to know what a “cPanel” is, but any website designer or owner who gets involved in the installation and setup of their website knows. cPanel is the access point to all the behind-the-scenes resources of a website. If you have access to a cPanel, you have the keys to the kingdom. Now check out this email that seems to come from cpanel-DOT-net. But mousing over the link “click here” shows that it points to a domain in Canada (arktyp-DOT-ca). Just delete.

We continue to see lots of phishing scams targeting webmail users and users of DCU (Digital Credit Union). We’ve been reporting on these for weeks. **sigh** Here are three more to delete. Can you tell which one came from an email address in India? …Poland? Can you tell which one contains a link that points to a webserver in Poland? (Hints are below.)

(Look for the 2-letter country codes found in the email from address, or in the link revealed by a mouse-over. “.pl” = Poland, “.in” = India)
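The checks this section walks through by hand (does the domain after the “@” match the brand in the display name, where do the links really point, and what does the two-letter country code at the end of the domain say) can be automated. The following Python is an added example written for this page, not code from the newsletter; the brand-to-domain table, the country-code table and the DCU sample header are assumptions constructed for the example, and the defanged “-DOT-” spelling used by the newsletter is restored before parsing.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the example: brands impersonated in this issue and the domain
# legitimate mail from them would use. Extend to taste.
BRAND_DOMAINS = {"amazon": "amazon.com", "apple": "apple.com",
                 "cpanel": "cpanel.net", "evoice": "evoice.com"}
# Two-letter country-code TLDs the newsletter points the reader to.
CCTLD = {"pl": "Poland", "in": "India", "it": "Italy", "ca": "Canada"}


def refang(text):
    """The newsletter writes 'example-DOT-com'; put the dot back for parsing."""
    return text.replace("-DOT-", ".")


def registrable(host):
    """Last two labels of a hostname (approximation; production code should
    use the Public Suffix List, e.g. 'co.uk' breaks this)."""
    return ".".join(host.lower().split(".")[-2:])


def country_of(host):
    """Country name if the TLD is one of the two-letter codes we track, else None."""
    return CCTLD.get(host.rsplit(".", 1)[-1].lower())


def check_email(from_header, hrefs):
    """Return a list of human-readable findings for one From header and the
    URLs behind its links (the same things a mouse-over would reveal)."""
    findings = []
    name, addr = parseaddr(refang(from_header))
    sender_host = addr.rpartition("@")[2].lower()
    # Which brand does the display name claim to be?
    brand = next((b for b in BRAND_DOMAINS if b in name.lower()), None)
    if brand and registrable(sender_host) != BRAND_DOMAINS[brand]:
        findings.append(f"display name claims {brand!r} but sender domain is {sender_host}")
    if country_of(sender_host):
        findings.append(f"sender domain is in {country_of(sender_host)} ({sender_host})")
    for href in hrefs:
        host = (urlparse(refang(href)).hostname or "").lower()
        if brand and registrable(host) != BRAND_DOMAINS[brand]:
            findings.append(f"link to {host} does not belong to {brand!r}")
        if country_of(host):
            findings.append(f"link host is in {country_of(host)} ({host})")
    return findings


if __name__ == "__main__":
    # The iPhone-shipped phish from this section: Amazon display name, other domains.
    for f in check_email("Amazon <shipments@shipments-DOT-com>", ["http://kindeyforjim-DOT-com/track"]):
        print(f)
```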
YOUR MONEY: Ray-Ban, Couch Coat, and Confirm Your Amazon Account

Probably the most famous sunglasses of all are Ray-Ban Aviators. So imagine the excitement upon receiving this email for an 80% discount on them! You already know it isn’t legitimate, though. The email came from an address in China. But before you say “knock off,” let’s dig a little deeper. All links lead to a crap domain called hqcom-DOT-top. This domain was registered by someone named Wang Zheng Jun from Hangzhou, China on November 16, 2017. Google can’t find this website at all. Spamhaus has identified the domain as a source of spam. Sound trustworthy to you? Yeah, we thought so. Delete.

Apparently, “Couch Coat” is a real product and has a real website. But this didn’t come from the real Couch Coat website and doesn’t contain links pointing back to it. Look carefully at the from address…. Couchcoatt-DOT-com. “Give Your Outdated Sofa an Instant Facelift.” But all links point to the crap domain coatfor-DOT-bid. This is as phony as a $2 bill and much more dangerous. Look below to see how the Zulu URL Risk Analyzer scored it WITHOUT even considering the fact that there is a redirect on the website that will send you to another dangerous domain. Deeeeleeeeete!

And finally, we have yet another malicious email disguised as an Amazon gift code. However, the criminals just dressed up a scam that had been disguised as Costco Rewards. Look at the from email address after the “@” symbol! Costcoweekends-DOT-com?? This domain was registered by “Darrell Lemley” in early 2017. We’ve found many malicious domains registered in this name since early in 2017.
TOP STORY: Invitation to Join Business Who’s Who!

Have you ever heard the term “vanity award?” It can be described as an award given to a person, business or organization in which the recipient buys the award or services from the provider of the award. The award is meant to look legitimate, but it’s worthless. It’s just a way for someone to make some money. There have been many vanity awards over the years. But there are also “vanity scams,” and we have written about these many times. You can read our feature article titled “Recognizing Vanity Scams.” The reason we bring this up is that we’ve been seeing a few of these vanity scams again recently.

Check out this email from “Only The Best” <only_the_best “@” exposeddiiabtes-DOT-com>. “Your Award is waiting.” “Congratulations, A business plaque was made for you to honor your recent achievements in business,” says Marianela Bridges, the Award Coordinator. Did Mrs. Bridges mention you by name? Did she mention your business? You were supposedly nominated by a colleague. But who? If you continue reading this email you’ll see oddities in her writing that should make you suspicious. “We are delighted to inform you of this word, which will hopefully be the first of many you will receive.” This email is literally the exact same trash we reported in our May 17, 2017 newsletter (top story), except that this email has links pointing to a different malicious domain, exposeddiiabtes-DOT-com. Who registered this domain? None other than “Darrell Lemley!” This is nothing more than a social engineering trick meant to infect your computer. However, it speaks volumes about the sender of this scam. It means they recycle old scams. That means they have some kind of organization for keeping them around and re-using them. We see this often and believe it is another breadcrumb suggesting that a foreign criminal organization, with discrete job functions, is responsible for a large percentage of the malicious emails we see.

What about a Business Who’s Who invitation? “Dear Valued Professional, You have recently been nominated as a candidate to represent your professional community in the 2018 Edition of Who’s Who among Executives and Professionals!” And there is “No-Charge” to be included! Again, is the recipient identified by name? What about the sender? The email came from, and links lead to, a website called businessideasbest-DOT-com. Who registered this domain? Once again, our good buddy Darrell Lemley! Are there any legitimate business honors or Who’s Who directories? Yes, of course. However, there are an overwhelming number of vanity awards that are meaningless and, as we’ve shown here, an additional large number of malicious vanity scams that result in nothing more than a computer infection. Look before you leap…
FOR YOUR SAFETY: Payment, eVoice Invoice, and Failed Delivery
There is nothing in this email with subject “PAYMENT COPY” to identify the recipient or even what the payment is for. But it contains a “zip” file. Our long-time readers know that zip files are often used by criminals to package and send malware and this email is no different.
This is a big, fat delete!
eVoice is a legitimate service but this didn’t really come from evoice.com. The link “View Invoice in DOC Form” implies that it is for an attached document. However, that link leads to a domain that has been identified as a source of malware, as you can see below.
Our honeypot email server was hit with hundreds and hundreds of notices that appeared to come from UPS Quantum View about “Failed delivery attempts.” All of them contained links to malware! But we sure loved the creativity of the criminals who created the domain in the sample email below… ups “@” goodpostoffice-DOT-com.
ON THE LIGHTER SIDE: Help to Mankind
You have to read this email! It speaks for itself.
From: shpg2@richpacific.imsbiz-DOT-com.hk
To: –
Subject: Re: Help To Mankind/ Please Reply!
Date: 2018-02-09 04:45AM
21st Floor, Block D,F,G
Yayasan Sultan Haji
Hassanal Bolkiah Complex, Jalan Pretty
Bandar Seri Begawan BS8712, Brunei Darussalam
Greetings,
I’m a bit scared of you replying this massage due to the high rate of disbelieving the internet has been over the years, but I sent you this email basically on your person as well the high profile you portray.
I’m Mrs. Malai Mariam Bin am a widow to late Mr.Abdul Hamid Bin former CEO of Brunei National Petroleum Company Sendirian Berhad. I’ve Cancer of the breast for quite some years now; it’s in deteriorating stage as you read this email, as I’ve couple of mounts to leave.
My marriage couldn’t produce any child, after the death of my husband, he has a WILL which our family attorney read to me that I inherited an amount of money in one of his offshore accounts with a Finance Firm in Europe as well all his business, I need you to collect this fund and distribute it to charitable homes, so that when I die my soul can rest in peace. The funds will be entirely in your hands and management.
I hope God will use you to touch many lives. Please reply back to me; the doctor has stopped me from receiving and making calls due to my ill health condition.
God bless you.
Best Regards,
Mrs. Malai Mariam Biz
Until next week, surf safely!