February 8, 2015

On Friday, February 6, TDS Co-Founder Doug Fodeman was on the Jordan Rich show on WBZ 1030 Radio AM to talk about scams targeting people online. He was joined by his son, Ari, who was targeted (unsuccessfully!) by a scammer using the website Care.com. It was a fun time and we had some interesting callers. TDS will post the hour-long show on our website sometime in the weeks ahead.

The criminal gangs must have been running out of ideas during the past week because TDS didn’t see a lot of new scams. Though we still saw a lot of scams, they were MOTS (more of the same). There were lots of scam emails that came from addresses ending in “.eu” for European Union. Notice the “names” before the @ symbol. TDS has never ever seen a legitimate use of the .eu country code. You can delete any email whose address ends with .eu as far as we can see. We wrote about these email scams early last fall. Read more about them here.

[Image 1: eu emails]

And we saw a big spike in malicious emails coming from legitimate but hacked email accounts. However, the hacked accounts sending the emails are not the same accounts that were first hacked to gather the email addresses. It’s all very confusing and we wrote about this nuance of an old hacking scam in an article called “From Hell.” Below is just one small list of malicious emails sent from a user’s hacked email account. The user’s name is Kimmied2….

[Image 2: From hell again]

And finally, for a re-use of old but reliable scams, TDS saw more stuff like this fax scam below. What is different about this one is that the information in it is so peculiar that the recipient may well click the zip file out of curiosity. By the way, Wilmat Limited is a company in the UK that manufactures switch gears and hand trucks, and gadisys.com (the sender’s email) is an electronics seller in Caracas, Venezuela. That zip file contains malicious software.

Just delete.

[Image 3: 5 page fax attached]

IRS 2014 Electronic PIN Attached

For the last few weeks we have said that we would keep our readers abreast of the latest tax scams since we are entering tax season. The email below is a perfect example of a well socially engineered scam. The sender’s email address looks like it comes from IRS.gov. But look closely! It comes from “irs.gov.us.” It uses the 2-letter country code for the United States. The domain is actually “gov.us” and the scammers have simply created a sub-domain called “irs.” A WHOIS lookup of the domain gov.us shows that it was registered in 2002 to a company in Sterling, VA called Neustar. The domain was updated in June of 2014 and shows little information about the registrant of gov.us. Also, no website yet exists for the domain. We searched and found several links using Google that call Neustar a scam or shady business (such as this link from RipOffReport.com).

Adding to the deception is that the only web link in the email itself is a legitimate link pointing to the real IRS. However, the email contains an attached Word document and that Word document is infected with a malicious script.

[Image 4: IRS 2014 Electronic pin attached]

We wonder why any company buying or selling domain names, such as Neustar, would ever allow the name “gov.us” to be purchased and used without a thorough vetting of the buyer to make sure that the domain would not be misused. The reason this malicious use happens over and over so very easily is simple… Companies that sell or register domain names do not care about the people using the Internet. They care about making money! We have seen example after example of companies selling domain names that should have raised serious concerns and been stopped, but were not. Another similar example was the domain used in a phishing scam on January 31 called “AppleiVerify.com.” As you might guess, the domain was a phishing site used to capture login credentials of Apple account holders. NO ONE polices these companies or holds them to higher standards and we all suffer as a result.

Wolf in Sheep’s Clothing: Protect Your Identity with LifeLock

I wish we had a dollar for every time we’ve seen or heard of software or services that offer to help you stay safe, protect your computer or identity but in reality are actually the threat you mean to avoid. The email below is just such a trick. Here’s the link to the real LifeLock.com site. They appear to be a good service and they didn’t pay us to say it. Check out the email below.

Don’t be fooled that the phone number and other links at the bottom of the email are to LifeLock. This is a well-dressed wolf in sheep’s clothing!

And, for the record, HomeWorkoutWarriors.com was registered in December of 2014, and the registry information was updated on February 5, the day this scam came out. Also, the site ownership is hidden by a private proxy service located in Panama and the domain name is being hosted in Montreal, Canada.

 Just delete.

[Image 5: Protect your identity with Lifelock]

Two More Good Examples of Social Engineering at its Best

We’ve talked about package delivery scam notices before and we can’t say enough about them! They prove to be some of the most successful methods to manipulate people’s online behavior, especially people at businesses. Once again, here is a UPS notice about a shipment pending. However, the sender’s address is not UPS (it is send@myup.com), and the “Kindly click” link points to www.dokumed.com.tr. Notice the two-letter country code “.tr”? This is a link to a website located in Turkey. Most importantly, if this were a real UPS notice that the recipient had a package waiting, wouldn’t there be personally identifying information? A name? Business name? Address? Shipping number to check online?

[Image 6: UPS Shipment pending]

 Just delete.

 

This second great manipulator is a bit odd because of the size of the text chosen by the scammer. But the large font is meant to focus your attention on the point that CVS wishes to reward you with $50 just for filling out a short survey! Once again, look at the sender’s email address and the web address in the lower left corner revealed by mousing-over the link at the bottom.

Email address: YourCardRewards@card.getyour-allnewcardperks.us

Link points to the domain “view3.getyour-allnewcardperks.us”

And before you think that maybe CVS has hired the “perks” company to handle the promotion, a lookup of this domain shows that CVS itself lists this domain as a fraudulent website and PhishTank.com has identified this domain as a phishing site meant to steal personal information.
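The sender and link checks done by eye in the IRS, UPS and CVS examples above can be automated. The following is an added example, not part of the original newsletter: it reduces each host to its registrable domain and compares it with the brand's real domain. The suffix set, the brand-to-domain table and the local part of the irs.gov.us address are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: tiny constructed stand-in for the Public Suffix List.
# Real tooling should load the full list instead.
SUFFIXES = {"com", "gov", "us", "eu", "com.tr"}

# Assumption: the domain each impersonated brand really uses.
BRAND_DOMAINS = {"IRS": "irs.gov", "UPS": "ups.com", "CVS": "cvs.com"}


def registrable_domain(host):
    """Return public suffix plus one label, e.g. irs.gov.us -> gov.us."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest, so that
    # "com.tr" is matched before a bare "tr" would be.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def host_of(value):
    """Accept 'Name <user@host>', 'user@host' or a bare hostname."""
    if "@" not in value:
        return value.strip()
    return parseaddr(value)[1].rpartition("@")[2]


def check(brand, value):
    """Return (registrable_domain, matches_brand) for a claimed brand."""
    reg = registrable_domain(host_of(value))
    return reg, reg == BRAND_DOMAINS[brand]


# Hosts and addresses quoted in the newsletter; "notice" is a constructed
# local part because the page only gives the irs.gov.us domain.
SAMPLES = [
    ("IRS", "notice@irs.gov.us"),
    ("UPS", "send@myup.com"),
    ("UPS", "www.dokumed.com.tr"),
    ("CVS", "YourCardRewards@card.getyour-allnewcardperks.us"),
    ("CVS", "view3.getyour-allnewcardperks.us"),
]

if __name__ == "__main__":
    for brand, value in SAMPLES:
        reg, ok = check(brand, value)
        print(f"{brand:3} {value:48} -> {reg:27} {'ok' if ok else 'MISMATCH'}")
```

A match only shows that the domain belongs to the brand. The From header itself can be forged, so this check complements SPF, DKIM and DMARC results rather than replacing them.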

[Image 7: CVS card perks expire today]


And finally, we’ve also reported in the past that we think some of these scammers have a sense of humor and this email falls into this category. THIS IS THE BIGGEST SCAM YOU’RE DEFINITELY FALLING FOR! You got that right!

 

[Image 8: The Biggest Scam Youve Fallen For]

 

And then there was this, which appealed to our inner child: “Shocking words men desperately crave.” We can’t wait to find out what they are. Could be better than therapy!

[Image 9: Shocking words men crave]

Surf safely!