February 28, 2018

THE WEEK IN REVIEW

Should you ever get an email and wonder about its authenticity, there are many ways to evaluate it, such as looking carefully at the sender’s email address and the domain name that follows the “@” symbol.  Do these match the website they claim to represent or that you are expecting to visit if you click?  If they don’t match, be very suspicious!
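The sender check described above can be automated. This is an added example, not part of the original newsletter: it compares the brand a From line claims with the domain that actually sent it, using constructed sample headers written in this newsletter's defanged style. The brand-to-domain map and all function names are assumptions.

```python
from email.utils import parseaddr

# Assumed brand-to-official-domain map (not from the newsletter); extend as needed.
BRAND_DOMAINS = {"fedex": "fedex.com", "adobe": "adobe.com",
                 "cvs": "cvs.com", "zillow": "zillow.com"}

def refang(value):
    """Undo defanging such as 'user @ host-DOT-tld' so the address can be parsed."""
    return value.replace("-DOT-", ".").replace(" @ ", "@")

def belongs_to(domain, official):
    """True only for the official domain or a subdomain of it.
    A substring test would wrongly accept 'zillow-mail.com' for 'zillow.com'."""
    return domain == official or domain.endswith("." + official)

def check_sender(from_header):
    """Return (verdict, sending_domain, brands_claimed) for one From: value."""
    name, addr = parseaddr(refang(from_header))
    if "@" not in addr:
        return ("unparseable", "", [])
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # A brand counts as claimed if it appears in the display name or the address.
    claimed = [b for b in BRAND_DOMAINS if b in (name + " " + addr).lower()]
    if not claimed:
        return ("no-brand-claim", domain, [])
    # Every brand the header invokes must own the sending domain.
    ok = all(belongs_to(domain, BRAND_DOMAINS[b]) for b in claimed)
    return ("match" if ok else "mismatch", domain, claimed)

# Constructed samples in the newsletter's defanged style.
SAMPLES = [
    "Fedex International <dkennedy @ hmic-DOT-com>",
    "CVS Rewards <reward @ zillow-mail-DOT-com>",
    "FedEx Tracking <updates @ mail.fedex-DOT-com>",
    "Build-A-Shed <Garden_Sheds @ shadpln-DOT-bid>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), "<-", header)
```

A "no-brand-claim" verdict only means the header invokes none of the mapped brands; it says nothing about whether the sender is trustworthy.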

We want to remind readers of another technique sometimes used in malicious emails that criminals send to infect your computer with malware, though this technique originated in spam mail. If you see a large white space or colored area that appears empty in an email, drag your mouse through it (or, on an i-device like a smartphone, press and hold on the area, then drag your selector tool through it). Be very careful NOT to drag over any link or click a link! As you drag, do you see white text appear against the white background, or text in the same color as the colored area? This random text is sometimes inserted to try to fool the anti-spam servers that evaluate whether an email is legitimate. Scammers hope that the text, typically lifted from online books, articles and Yelp reviews, will trick the anti-spam servers into scoring their email as legitimate. Here are 2 recent examples. Both are malicious emails leading to a computer infection…
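The same check can be run on the HTML source of a message without opening it in a mail client. This is an added example, not part of the original newsletter: it walks the markup and reports any text whose color equals the background it sits on. The sample message is constructed, and the sketch assumes inline styles, well-nested tags and a white default page.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "link", "input"}   # tags with no closing tag
NAMED = {"white": "#ffffff", "black": "#000000"}      # only the names this sketch needs

def norm(color):
    """Reduce 'white', '#FFF' and '#ffffff' to one comparable form."""
    c = color.strip().lower()
    c = NAMED.get(c, c)
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        c = "#" + "".join(ch * 2 for ch in c[1:])
    return c

def style_prop(style, prop):
    """Value of one property from an inline style attribute, or None."""
    m = re.search(r"(?:^|;)\s*" + prop + r"\s*:\s*([^;\s]+)", style, re.I)
    return norm(m.group(1)) if m else None

class HiddenTextFinder(HTMLParser):
    """Collect text whose colour equals the background in effect around it."""
    def __init__(self):
        super().__init__()
        self.stack = [("#000000", "#ffffff")]   # (text colour, background) in effect
        self.hidden = []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a, (fg, bg) = dict(attrs), self.stack[-1]
        style = a.get("style") or ""
        fg = style_prop(style, "color") or norm(a.get("color") or fg)
        bg = style_prop(style, "background(?:-color)?") or norm(a.get("bgcolor") or bg)
        self.stack.append((fg, bg))
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        fg, bg = self.stack[-1]
        if data.strip() and fg == bg:
            self.hidden.append(" ".join(data.split()))

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.hidden

# Constructed sample body (not one of the emails shown in this issue).
SAMPLE = ('<body bgcolor="#FFFFFF"><p>Parcel held: <a href="#">View messages</a></p>'
          '<div style="color:#fff">It was the best of times, it was the worst of times</div>'
          '<td bgcolor="#003366"><font color="#003366">great tacos, friendly staff</font></td></body>')
```

Calling `find_hidden_text(SAMPLE)` returns the two filler passages and none of the visible text.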

 

We still need to hear from you!  Please give us 30 seconds of your time to tell us what you value most about our newsletter. Click here for our 3-question survey. Thank you!

Also, welcome to our 70+ new readers who joined in the last week!  We want you, and all our readers, to know this effort to educate is a partnership with our readers.  We invite you to send us any suspicious email, voicemail, texts and social media posts or ads.  You can send us screenshots too.  We never publish your personal information or source information unless you give us permission to do so.  Send your material to spoofs@thedailyscam.com and send voice messages to our phone number: (781) 990-6161 (NOTE: This is a message collection system only; we monitor it but don’t personally answer this line.)



Sample Scam Subject Lines:

1 Minute Survey Might Save You Money

6,000 woodworking plans inside…(2 days left)

A Fireman Relieved His Pain And Saved His Career

Build Any Shed In A Weekend Even If You’ve Zero Woodworking Experience!

Do This Every morning With coconut Oil (odd daily detox trick)

Don’t Let Neuropathy Ruin Your Life

World’s Best Portable Water Filtration Technology.

 

Sample Scam Email Addresses

Build-A-Shed <Garden_Sheds @ shadpln-DOT-bid>

Flex In All <FlexInAll @ csjhkww-DOT-trade>

Neuropathy Treatment Group <NeuropathyTreatmentGroup @ bjdbpp-DOT-trade>

SolarSurvey Info <SolarSurveyInfo @ hfbsjj-DOT-trade>

Teds_WoodWorking <TedsWoodWorking @ sniperr-DOT-bid>

The Alternative Daily <coconut-Oil @ svelife-DOT-us>

The-AquaStiq <Survive_Life @ besttsell-DOT-bid>

 


Phish NETS: Fedex International Sent You a Message

Once again, we can’t be 100% certain whether this was a phishing scam or just social engineering to cause a computer infection. As you’ll see below, we exercised extreme caution when researching the link for “View messages.” But since we didn’t find any real phish this past week, we offer this…

Though it is supposed to be from “Fedex International,” the email address for “Bernadette” is dkennedy “@” hmic-DOT-com. Not Fedex.com. The link points to a hacked WordPress website, but look below to see what we learned when we used Sucuri.net to investigate.

OUCH!


UnmaskParasites.com found that Bantram has been used to facilitate lots of scams!

A BIG, FAT delete!

If you are truly hungry for some phish, visit one of these two pages to read more about recent phishing scams:

University of Chicago posts latest phishing scams

Phishing Schemes Net Hackers Millions of Dollars From Fortune 500 by Charlie Osborne, ZDNet.


YOUR MONEY: Which Egg Has Your Hidden Reward?

This came from one of our readers… “Your Reward no #368-9472 might have ARRIVED.”  This is so cute!  “Which of the eggs has your hidden reward?” And it’s not even Easter yet!  It may say “CVS” after the word From but if you look carefully it’s obvious that this email never came from CVS.  However, we’re really impressed by the clever way in which they hid their malicious link.  All links point to a long file name located at Zillow-mail.com.  As in the home-buying site Zillow.com?

Isn’t that odd?

We’re certain that a redirect is waiting for us at the end of that link so we asked the Zulu URL Risk Analyzer to take a look.  It confirmed our suspicions!  The Zillow-mail link will redirect you to an odd website called littlecreatures-DOT-host.

Does this sound like CVS yet?  Not a single tool we used could tell us what was waiting for us at this “little creatures” website.  We asked Google what it knew about this website and the answer was crystal clear…. Nothing!  The only thing we can tell you is that this website is being hosted on a server in Munich, Germany.  (WHOIS listing for this site.) Does this sound at all like a CVS promotion yet?

Step AWAY from this landmine!


TOP STORY: Job Scams – Wenx Insurance

Wow!  We’ve suddenly been hearing from lots of readers in the last two weeks about job scams.  Based on one woman’s experience two weeks ago, we published an article titled “Job Interviews in Google Hangouts.” In the days that immediately followed, many readers contacted us about identical or similar job scams, all using Google Hangouts as the method to “interview” the candidate.  Of course, all candidates were hired after a brief text-based Google Hangouts interview and sent a check in advance.  They were instructed to deposit it, keep a portion for themselves and use the bulk to pay for some service.  Therein lies the scam.  The checks are so well designed that the bank may take 5-7 days before realizing it is fraudulent.  But the “new hires” will already have wired their real, hard-earned money from their accounts to the scammer.

Here, however, is a different type of job offer that came to one of our readers.  We’re 100% certain it is a scam, but not certain exactly how.

What do you think? 

____________________

From: Juliana Flores <juliana_flores@wenx-ins.net>
Subject: Re: [REDACTED NAME]
Date: February 21, 2018 at 2:54:35 PM EST
To: [REDACTED EMAIL]

Hello.

Your contact information has been transferred to me from our HR managers. All further hiring process will be going through me.

Request 01-D2E5EF8C-2/21/2018-01

My name is Juliana Flores and I am a Senior Manager at Wenx Insurance, LLC.

You have received this email due to your interest in proposed vacancy. If you believe this is mistake – please use the link below to unsubscribe.

To obtain more information about this opportunity please follow the link below or respond, otherwise please ignore this email. If you will have any questions at this point – don’t hesitate to ask me directly.

Have a good day.

All detailed information about proposed position you can find at our web site. [LINK REMOVED]

To unsubscribe click here. [LINK REMOVED]

Best wishes, Juliana Flores, Wenx Insurance, LLC

____________________

The links pointed to a shortened link created through the service tr.im followed by the word “vacancy” and a 6-digit number.  The Zulu URL Risk analyzer informed us that this shortened link redirects you to a web page at wenx-ins-DOT-com.  As in “Wenx Insurance.”  Could we have misjudged this job offer from Juliana?    We asked Google what it knows about this insurance company…


Apparently, there are two domains for Wenx and Google knows nothing at all about either website, except that they exist.  That struck us as very odd.  Wouldn’t an insurance agency want people to learn about it?  Generally, when we see listings like this in Google, it means that the website is specifically designed to tell search engines not to crawl it and reveal what’s there.  This is obviously a major red flag!

Though we could not prove that Wenx-ins-DOT-net was hosting malware intent on infecting computers, we decided to be cautious and have ScreenshotMachine take several pictures of the Wenx Insurance website.  Read them carefully!  Can you spot the subtle and not-so-subtle English grammar and spelling errors?  And the “Task” description below is just stupid! These make this site much more suspicious…


“WENX Insurance is USA’s good insurance provider.”  Seriously?  “Available position – Insurance Agent at home. No working experience needed.”  No working experience needed?  The photos on the Wenx Careers page reminded us of stock office images.  We couldn’t resist digging a little and a quick TinEye.com image search for that first photo of Mr. Graham, Senior Vice President and Chief Financial Officer, revealed that the “Mr. Graham” and his team must work for lots of companies around the world!  That photo is in use on websites from Germany to ShutterStock.com Business photos.


The Wenx Insurance “Contact Us” page gives an address of Suite 220 in an office building at 3 Mill Road in Wilmington, Delaware 19806. We checked two business databases for Delaware businesses and guess what we found for Wenx Insurance? Yup. Nothing. Nada. Zip….

New Castle County Chamber of Commerce site showing no such business.

Better Business Bureau listings for Wilmington, Delaware show no such business.

HOWEVER…. On the BBB website, posted in early February, we found two reports from people that Wenx Insurance was a scam job offer site.  One of these reports has the exact same email from Mrs. Juliana Flores as above.  Of course we ran a WHOIS look up of wenx-ins-DOT-net and discovered two bits of information that confirmed this was a scam job site.  The domain was registered very recently (January 23, 2018) and by a privacy protection service in Kuala Lumpur, Malaysia.  ‘nuf said.  It is so easy to deceive others online.

Keep a healthy dose of skepticism and verify, verify, verify!


FOR YOUR SAFETY: Security Updates for Adobe Flash Player for Mac

Any email with the subject line “Critical security updates for Adobe Flash Player for Macintosh” is going to get our attention!  This was sent to us from one of our readers who smelled a rat.  The email didn’t come from Adobe.com but from techmartil-DOT-com.  Though it looks so perfectly official, it’s just a sophisticated trick to install malware on your computer from a website in France.

Deeeeleeeete!



ON THE LIGHTER SIDE: United Nations To Pay Inheritance of $10.5 Million

One of our readers received this official notice from the United Nations “Debt Reconciliation Department” to inform him of his payment of $10.5 million dollars!  That’s so exciting to hear!  We’ve asked if he would chip in and pay for a new website for The Daily Scam once he gets his payment.


Until next week, surf safely!