February 27, 2019


Wow!  What a difference a week makes.  Do cyber-criminal gangs take vacations?  We think so. Because whatever vacation they were on last week it is clearly over this week.  Starting the weekend of February 16-17 we saw a big jump in online and text scams, especially phishing scams!  In fact, we devoted this week’s Your Money column to Amazon account phishing scams.

In the past, we’ve mentioned the valuable website “Have I Been Pawned” as a resource that tracks online data theft of emails and passwords.  This website makes it possible for consumers to check and see if their email addresses or passwords have ever been “pawned” and made available on the dark web.  Last week they announced finding on the dark web the stolen data from a major security breach that had occurred some months ago for the 150 million world wide users of the fitness app MyFitnessPal.  This data breach was announced nearly a year ago, as in this Forbes article.  However, finding that the data had been posted for criminals to use was a new discovery.  The data includes email addresses, usernames on MyFitnessPal and passwords! This is especially important if you are one of those people who use the same password for many accounts.  You should change your passwords immediately if your email shows up on “Have I Been Pawned!”  And while we’re at it, here are some tips on how to create a set of strong passwords that are easy to remember.



Phish NETS: Bank of America, JPMorgan Chase Bank, and Web Mail

“Hi , your Online Banking has been disabled !” The spacing and capitalization errors in this sentence should be enough to make everyone suspicious that it isn’t what it seems to be.  Confirmation of this can be found in the fact that this email pretending to be from Bank of America was sent from mailucenter “@” transit.com.  Not even close to the proper address!  Or the fact that mousing-over “Sign in to your Online Banking” points to a blog site called lisindia[.]net that is being hosted on a server in Roosendaal, a city in the southern Netherlands.  Also, Google has no information about lisindia[.]net other than it exists.



A TDS reader sent us this “Security Policy Update Notification” that appears to be from JPMorgan Chase Bank.  Of course it is not. The scammers tried REALLY HARD to send this email from an address that sounded soooo official and important…  regionalinspection-Alert “@” project-doministration-activityalerting[.]com.  The link for “Sign in to Online Banking” points to the often misused free web hosting service called 000WebHost.com



A TDS reader also sent us this phishing email meant to look like the login for a generic webmail account, which are email accounts used by anyone who owns/operates a website or web blog.  The email seems to have come from the domain office-mail[.]com, which happens to be for sale and not in use at the time we published our newsletter.  Look in the lower left corner of the email. The link for “Fix your problem automatically” points to a website in the European Union (“.eu” is one of the few exceptions for 2-letter country codes since it points to a region, not one country.)






YOUR MONEY:  Phishing for Amazon Accounts

If we had a dollar for every scam or malicious email or text pretending to be from Amazon.com, blah, blah, blah… According to these business statistics posted on ExpandedRamblings.com, Amazon was estimated to have about 300 million users in late 2017, so it should be no surprise that Amazon users are heavily targeted by fraud. Two TDS readers sent us these Amazon phishing scams.

The first Amazon phish came from the email ama-zon “@” info[.]net.  “Please confirm your account.  We were unable to process your most recent payment.”  Mousing-over “Confirm your account now” shows a link to the domain mybigcommerce[.]com which BitDefender clearly identified as a phishing scam site.  But there’s more maliciousness here than meets the eye….



MyBigCommerce[.]com was found to contain a redirect to a tutoring and test preparation website called CramCrew[.]com.  This test prep website was hacked and many services have already identified it as malicious.  We let them know and a day later the website was taken down. No doubt they were looking for all the hidden backdoors that hackers will place on a website once they gain access to it.  By the way, you can see below what the fake login page on CramCrew[.]com looked like before they took down this phishing page. It looks identical to the real Amazon login page.





The second phishing email pretending to be from Amazon.com actually correctly spoofed the FROM address!  The subject line is “Thank you for using Amazon with RedBubble Inc.” The graphic in the email was broken when we got the email but a mouse-over clearly showed that the link pointed to a server in Poland.  Check out the 2-letter country code at the end of the domain name at the bottom of the email. “.pl” is Poland. And we had no problem taking a screenshot of that server’s web page in Poland!






TOP STORY: Malicious Texts Disguised as AmEx and Chase Bank

Another TDS reader, who is a very tech-savvy young man, sent us a screenshot of four texts he received from two different sources disguised as credit card companies.  The first one appears to have come from Chase.com (though he doesn’t have an account with Chase Bank.) For three days in a row he received a text from the same source.  Each stated something different and contained a link pointing to a different website:

Value Customer // Link to “gasasegazx[.]site”

Verification Required // Link to “gasdesafase[.]global”

Verification Notice // Link to “tethamn.co.zw

Can you figure out the 2-letter country code in the last link?  “.zw” (Answer below)

While we could not find information on all of these links, we know that none of them are Chase.com.  Nine security services identified the first link as malicious! And one security service found that last link to be malicious.






The second source appeared to be from “American.Express “@” amx.com”  Except that amx.com is not American Express! It is an audio visual solutions website by Harman.  The link for this “Urgent Message” pointed to the domain “americanexpressesitz[.]com, which was a domain registered by someone named “Abel Nystrom” from Kungsangen, Sweden just a couple of days before this text was received.  



These texts were exceptionally easy to see as scams because the link addresses were visible in the text.  More sophisticated criminals are able to hide the link by making the text clickable. These serve as a caution for everyone!  Just because you get a text from a sender that is clearly identified as a recognizable service, it doesn’t mean that the text is legitimate, or that the links are real!    Caveat emptor!



FOR YOUR SAFETY: iCloud Support About Your Paid Storage Plan

Normally we would have guessed that this bogus email pretending to be about your iCloud storage plan would have been a routine phishing scam.  However, further investigation informs us that the website connected to that link “Pay Securely>>>” contains malware waiting to infect your computer.  Ouch! The website is a crap “.xyz” domain…. planprovidescd[.]xyz.




Until next week, surf safely!