February 7, 2018

[hr_invisible]

Phish NETS: Chase Bank, Apple App and ID, DCU, and Email Migration

One of our readers sent us this phish.  Notice that it didn’t come from chasebank.com and a mouse-over of “Click Here to access message” points to a website in the Republic of Gambia, West Africa! (.gm = 2-letter country code for Gambia.).

Big fat delete!

[hr_invisible]

Technically speaking, the second email isn’t a phish.  It actually contained a virus meant to infect your computer and it also targeted Apple GSX users…

[hr_invisible]

Here are two very rotten Apples.  They may say they come from the “Apple Store Team” or “AppleID,Inc.” but we could say that we’re the POTUS and SCOTUS.  It doesn’t make it true!  Look at the domains that follow the “@” symbol in the from address.  It doesn’t say apple.com!  Mousing-over the link in the first for “Learn More” shows that it points to a hacked website for a school in Malaysia.  (.my = 2-letter country code for Malaysia)  The link in the second “Log In Here” points to a free webpage at blogspot.com.

Deeeeleeeete!

[hr_invisible]

[hr_invisible]

Wow!  Digital Credit Union (DCU) members have been getting hammered for weeks with phishing emails.  Like this one saying “you sent $1,500.00 to Jennine Redmond’s bank account.”   AND, to make this more convincing, the phishers have correctly spoofed the from address to look like it came from dcu.org, the correct domain for DCU.  The ONLY way to see this is not legitimate is to mouse-over the link “Login Now.”  You can clearly see that this link points to a crap domain at the top-level-domain .xyz.

Run, don’t walk!

This email looks like it came from the official Microsoft servers @account.outlook.  However, we can say with certainty that no such domain or server exists!  This is not one of the many legitimate logins for Outlook.  Mousing-over the link “CLICK HERE” confirms that this is a phish and not a login for Microsoft Outlook Webaccess!

Move on.

[hr_invisible]

[hr_invisible]

[hr_invisible]

YOUR MONEY: Money Pak and Green Dot, UGG Boots and Amazon Reward

[hr_invisible]

There are hundreds of ways that criminals trick you into giving them your hard-earned money.  That is the essence of fraud.  To enable this crime they need an untraceable method for you to transfer your money to them where they have a high degree of confidence they won’t be caught.  For most scammers, this means convincing you to purchase a Green Dot MoneyPack card or other moneygram.  It is the most used method of moving cash by fraudsters!

A criminal will ask you to “load” money on the card when you buy it at a Walgreens, CVS, Kmart or dozens of other national stores.  Once you’ve done that, the criminal wants you to scratch off the numbers on the back and send them to him.  He can then submit those numbers from anywhere in the world and retrieve the cash.  Here’s a phone screenshot taken by a victim who contacted us recently and shared her experience.

If anyone asks you to make a payment using a Green Dot Moneypak or similar service, you can be 100% certain it is a scam!

[hr_invisible]

This next email is a complete rip off of the very real UGG Boot products.  It looks official and legitimate but look carefully at the from address!  It was sent from Janice “@” bernedette[.]ddrdq[.]com.  All the links in this email point back to a crap domain at ggmg[.]trade.  This crap domain was registered in April 2017 by a Chinese firm identified as “Nexperian Holding Limited.” We certainly found many domains registered to this Chinese company but not the company itself.   We also found a trade disagreement brought against them at the World International Property Organization (WIPO.int) And the domain ddrdq.com was registered by a Chinese firm identified as Wuxi Yilian LLC in June, 2017.  Does any of this inspire you to believe you’re going to get real UGG boots or get any boots at all?

[hr_invisible]

A week without an Amazon scam email is like a week without sunshine.  So here’s your sunshine…. The fraudulent domain used in this malicious email, primegiift-DOT-com, was registered by “David Free” on January 3, 2018.

Now delete.

[hr_invisible]

[hr_invisible]

TOP STORY: Free Merchandise via Facebook

We’re sorry to say that this warning to readers comes from a young woman who contacted us about a purchase she made through a Facebook Ad.  The ad, she tells us, was a promotional item offering black mesh fit leggings for free!  All one had to do was pay the tax and shipping cost.  And, of course, this promotion was not going to last long.

She clicked the link and visited the website raymensapparel.com in early January.  Everything about this website made it look like a legitimate website selling clothing.  So, she placed her order, entered her credit card information and looked forward to getting her leggings!  She was even sent a confirming email, which she sent to us…

[hr_invisible]

There were no red flags and nothing seemed out of the ordinary about this online purchase.  Afterall, consumers often see promotions for various products.  However, after two weeks the young lady still had not received her leggings.  So she tried to look up her order and visit the online store again.  Only there wasn’t any online store.  Her browser kept informing her of an error.  No website could be found for raymensapparel.com. She went back onto Facebook and could no longer find the ad.  Yet, when she contacted her credit card company, she learned that she had paid $10.93 for a product she never received.

So what do we know about Raymensapparel.com?  A WHOIS lookup tells that this domain was registered on December 1, 2017 using a proxy privacy service in Ontario, Canada.  This was just a few weeks before our reader ordered her free leggings.  Using Google, we find many links for former web pages at this website but none of them are working at the end of January.  Not one.  This search also turned up links to Facebook pages for Raymens Apparel showing more than 2000 likes and a rating of 5 stars, but none of those links work anymore.  It’s as if Raymens Apparel has fallen off the Internet.  The young lady who contacted us lost less than $11.

Not a huge loss.

Her loss, however, is part of a bigger game.  Imagine as many as 2000 women losing $11 from this “free promotion.”  If this were true we’re now talking about $22,000.  Not bad for a few weeks work with a small investment in a web domain, a website and some time to market on Facebook.  We reported last September, 2017 about fraudulent ads appearing on Facebook.  (Read “Fooled on Facebook.”) Once again, caveat emptor!  Let the buyer beware.  Facebook, and other social media, have repeatedly demonstrated an inability to keep fraudsters and other criminals from using their sites to target the public.  You cannot depend on them!  And so, it is important to apply the age-old smell test.  If someone offers you something at a price (free) that is ridiculously low, maybe things aren’t what they appear to be.

Walk away.

[hr_invisible]