January 23, 2019

THE WEEK IN REVIEW

Anyone who has loved and lost, or simply loved at all, knows that love can hurt.  Paloma Faith sang about it so beautifully in her 2014 video.  This week’s Top Story addresses a very different kind of hurt from love.  We have been seeing a spike in several different kinds of extortion scams and wanted to raise our readers’ awareness about them.  Of all the scams we have ever written about, these are the scariest and most emotionally destructive. We’re very sad to say that one even pushed a victim to suicide and led many others to consider it.

Here is another reminder of what a REAL email looks like and why.  This time from Facebook. The FROM address shows the domain facebookmail.com following the “@” symbol.  You might think this is suspicious because it isn’t facebook.com.  However, searching Google for “facebookmail” demonstrates how easy it is to confirm that the domain belongs to Facebook, including this article on their website where they confirm it.  Also, the link revealed in the lower left corner of the email after we mouse over “View Notifications” clearly shows that it points to facebook.com.

In last week’s Top Story “When Good Food Turns Bad: Hacked Websites,” we described how criminals had used the domain of a local restaurant and planted malware landmines for unsuspecting visitors to step on.  We then heard from a woman who sent us this screenshot, asking our advice. We had to deliver the bad news that these messages indicated she already had malware installed on her Apple computer and that these messages were tricks to install more.  As it turns out, she had twice been fooled into installing malware disguised as Adobe Flash updates. These warnings below were more tricks to get her to visit a hacked website registered by a business in Cyprus and hosted in Holland.  A little suspicious when you live in New England, don’t you think?

Phish NETS: Apple Store and Wells Fargo

Once again, proper English counts!  Not only did this email NOT come from apple.com, but there are so many English writing errors in so few words that it may set a new record.  (We counted 9 and we’re no expert either!) But we opened the attached pdf file anyway! All links in the pdf file pointed to an official-looking domain called appstore-managepayment[.]com, but again, that is NOT apple.com.  This domain was registered the very same day this email was sent!

Big fat deeeleeete!

This next email, which appears to be from Wells Fargo Bank, employs a very clever trick!  The email came from the domain cfargo[.]com.  Though this domain was registered back in 2015, Google can’t find it at all and it is not owned by Wells Fargo Bank, according to a WHOIS.   The message in this email is scary.  You are informed that someone has stolen the password to your bank account and you are asked to log in via the link provided to verify who you are.  But the email was sent to “undisclosed recipients” (meaning LOTS OF PEOPLE) and you are not addressed by name or account number! The link “Verify Account” points to a free web hosting service that criminals have used in the past to post a phishing page looking like a login to Wells Fargo bank.

Ouch!
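For readers who want to automate the two checks we walk through above (the domain after the “@” in the FROM address, and the domain each link really points to, plus the “undisclosed recipients” tell), here is an added Python example. It is our editor’s addition, not part of the original newsletter, and the two messages in it are constructed samples: cfargo.example and free-host.example stand in for the real domains.

```python
# Added example (not the newsletter's own code): check a saved raw email offline.
# 1) the domain after "@" in From, 2) the host every href points to, both
# compared with the domains the brand is known to use, 3) bulk "undisclosed" To.
import email
import re
from email import policy
from urllib.parse import urlsplit

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Domains the brand really uses.  facebookmail.com is the one the story confirms
# for Facebook; wellsfargo.com is the bank's obvious primary domain.
KNOWN = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "wells fargo": {"wellsfargo.com"},
}

def belongs_to(host, domains):
    """True if host equals one of `domains` or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_email(raw, brand):
    """Return human-readable findings; an empty list means every check passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    if not belongs_to(sender, KNOWN[brand]):
        findings.append(f"From domain {sender!r} is not a {brand} domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href in HREF_RE.findall(html):
        host = (urlsplit(href).hostname or "").lower()
        if not belongs_to(host, KNOWN[brand]):
            findings.append(f"link {href} goes to {host!r}, not {brand}")
    if "undisclosed" in str(msg.get("To", "")).lower():
        findings.append("sent to undisclosed recipients (bulk mailing)")
    return findings

# Constructed samples: one shaped like the real Facebook notice, one like the fake.
REAL = ("From: Facebook <notification@facebookmail.com>\nTo: me@example.org\n"
        "Subject: You have notifications\nContent-Type: text/html\n\n"
        '<a href="https://www.facebook.com/notifications">View Notifications</a>')
FAKE = ("From: Wells Fargo <alert@cfargo.example>\nTo: undisclosed-recipients:;\n"
        "Subject: Password stolen\nContent-Type: text/html\n\n"
        '<a href="https://free-host.example/wf/login">Verify Account</a>')

if __name__ == "__main__":
    print("real:", check_email(REAL, "facebook"))
    print("fake:", check_email(FAKE, "wells fargo"))
```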

YOUR MONEY:  Meet Singles in Your Area

“Do you want to meet matches in your area?” “Register to begin meeting compatible singles in your area” says this email sent from the crap domain rudranew[.]icu.  Links point back to that same domain.  According to a WHOIS lookup, this domain was registered the day before this email was sent.  That is NEVER a good sign!  Of course, a Google search turns up nothing about this domain and the email shows no credible business represented.  There is no business name, address or any other verifiable information. This email is malicious clickbait, plain and simple.

Just delete.

We’ve given our readers a break from Amazon survey scams but not because we no longer see them.  Amazon is one of the largest retailers in the United States and perhaps the world. Since it is used by so many millions of people, of course it is one of the biggest malicious mimics used by cybercriminals to engineer our clicking behavior.  So here we go again, stepping on a landmine that looks like another Amazon consumer survey.

The recipient is told that his AMAZON order #42740 is ready, though the email appears to come from Pillsbury.com!  Once opened, you will be invited to take a 30 second “shoot the egg” survey and receive $50 worth of exclusive rewards in return.  All links in this clickbait point to a website that wants to “engage you” called engageya[.]com, which was registered back in 2012.  That’s practically middle age if measured in Internet years.

However, that link to “engage you” doesn’t reveal the entire truth.  It was so terribly long that it could not fully display in the computers we used to view it.  That extreme link length made us a bit suspicious. We copied the link and pasted it into a text editor to discover that the link to engageya[.]com actually contains a REDIRECT to a Canadian link-shortening service called t2m[.]io.  Our next step down this rabbit hole was to use Unshorten.it to inform us of the real destination of that short link…

Unshorten.it tells us the real destination is an odd domain named skuronse[.]com.  But hold on!  We’ve been learning that cybercriminals like to maximize their weaponized domains with dynamic links to multiple online landmines.  So we asked the Zulu URL Risk Analyzer to look at that shortened link as well. Sure enough, Zulu told us that the link will also send us to a VERY malicious website at the domain mainstreamkind[.]com.  Ouch!  This sounds like Russian roulette but every chamber holds a bullet.

Don’t crack that egg!
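The link-peeling step above (pasting the long link into a text editor and looking for the address buried inside it) can be done with a few lines of code. The Python below is an added example, not part of the original newsletter; the tracker.example, short.example and landing.example addresses are constructed placeholders, and the code never visits any of the links. A live shortener like t2m[.]io still needs a service such as Unshorten.it; this only unwraps what is hidden in the link itself.

```python
# Added example (not the newsletter's own code): peel embedded redirect targets
# out of a long tracking link WITHOUT visiting any of them.
import re
from typing import List
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def embedded_urls(url: str) -> List[str]:
    """URLs smuggled inside the query string, path or fragment of `url`.

    Redirectors usually carry the next hop as a parameter value, often
    percent-encoded more than once, so each value is decoded until it stops
    changing and then scanned for http(s):// strings.
    """
    found = []
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values += [parts.path, parts.fragment]
    for value in values:
        decoded = value
        for _ in range(3):  # unwrap double/triple encoding
            nxt = unquote(decoded)
            if nxt == decoded:
                break
            decoded = nxt
        for match in URL_RE.findall(decoded):
            if match not in found:
                found.append(match)
    return found

def redirect_chain(url: str, max_hops: int = 5) -> List[str]:
    """Follow embedded targets offline; the chain ends when nothing is embedded."""
    chain = [url]
    while len(chain) <= max_hops:
        nested = embedded_urls(chain[-1])
        if not nested:
            break
        chain.append(nested[0])
    return chain

# Constructed sample: an engagement-tracker link wrapping a shortener link
# that in turn wraps the landing page (double-encoded, as in the story).
SAMPLE = ("https://tracker.example/click?cid=42&u=https%3A%2F%2Fshort.example"
          "%2Fabc%3Fnext%3Dhttps%253A%252F%252Flanding.example%252Fsurvey")

if __name__ == "__main__":
    for hop in redirect_chain(SAMPLE):
        print(host_of(hop).ljust(18), hop)
```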

TOP STORY: Sextortion on the Rise

On Friday morning, January 18, we logged into our TDS email to find seven emails waiting for us from various anonymized email addresses sent from servers in Mali, Central African Republic, Georgia (country), and Equatorial Guinea.  They were sent between 2:42 and 6:27 AM EST. (Because of the hours over which these emails were sent, we think the sender is likely telling the truth when he says that he doesn’t live in the United States.) The subject lines were all essentially identical, saying “Hi perv, I recorded you masturbating! I have captured ‘[email name].mp4’ !”  Each of the seven emails was also nearly identical, beginning with “THIS IS NOT A JOKE –  I AM DEAD SERIOUS!” but sent to different email addresses we’ve used for The Daily Scam. (We use many email addresses for different purposes.)

As one sample of these seven emails demonstrates, an anonymous hacker claims to have captured a very embarrassing video of one of us and is demanding $2,000 to be sent to his Bitcoin account within 72 hours or he will “send your masturbation video to ALL Your FRIENDS AND ASSOCIATES from your contact list,” information he claims to have hacked.

This is terribly disturbing!

And it is not true.  Not a single word of it.  Let’s analyze the pieces of this frightening message….

  1. First of all, Mr. Anonymous Hacker claims to have a video that could not possibly exist.  You’ll have to take our word for it.
  2. There is no malware installed on our computers.  Given the work we do every week investigating threats for our readers, you can imagine the many layers of up-to-date security we use to protect ourselves from exactly such threats. (However, according to the tech consumer site, BGR, and other sources, there has been malware dubbed “Fruitfly” (discovered in 2017) that was capable of turning on Apple’s built-in cameras and making recordings, until a patch was installed to remove that vulnerability.  Similar vulnerabilities have been discovered on Windows PCs as well. –USAToday article)
  3. If this hacker had truly compromised our computer and captured our “email contact lists and list of your friends on Facebook” then he would easily know our name rather than address us as “Hi perv.”  Also, as proof of what he had done, he could at least name a few folks on our contact list or Facebook account. We know this is total BS because we don’t keep any contact lists on our computer! Mr. Hacker has given us no evidence that he has any lists or contacts of ours.  It’s important to note that even IF he had named people, he could easily have found those names listed on our social media accounts (including LinkedIn or Facebook) if they are open to the public, or listed on websites of the places we work or have worked. Also, a quick search using a service like Spokeo.com can reveal who we are related to, likely phone numbers and even email addresses.  Anyone with mediocre search skills can find this information about anyone anyway! The hacker’s claim proves nothing.
  4. Mr. Anonymous Hacker says that when we pay the extortion fee in full, he will remove the files and deactivate his program.  We presume he means the embarrassing video and the supposed malware used to capture them. And we’re supposed to trust him to do this?  From the HUNDREDS of extortion victims we’ve heard from, we’ve learned something very important and very consistent about these types of scams… Anyone who pays these bastards will be asked to pay again and again, until the victim stops paying.  We know of one man in early 2018 who paid his extortionist a total of $6000 over several months before he finally stopped on his own.

This extortion email is a blind bluff and complete scam generically sent to thousands of email addresses and created using a bot to generate and send the messages!  We also know that none of it is real because other TDS readers have sent us nearly identical emails over several months in mid-2018. We’ve written about this scam in our article Sextortion by Email. (By the way, the extortion price in July, 2018 was $1900.  Apparently there’s inflation here as well.)

Unlike this fraud, another very real and frightening scam has targeted men on Facebook and other social media.  We’ve heard from about three dozen men who received a friend request from a woman, which quickly led to an exchange of phone numbers and/or other personal information.  Initially the contact seems like a simple flirtatious interest across the Internet. The conversation becomes sexual fairly quickly on the woman’s side and she asks if the man wants to have “video sex.”  Another variation is that a woman will simply “sell” video sex to a man for a small fee, paid through an online form. However, in every one of these instances, the video sex is recorded by the woman and used to extort hundreds or thousands of dollars from the man.  In the case of the Facebook connection, the woman has easily captured contacts of friends and relatives after being “friended.” Also, in early conversation with the man, the woman has him reveal where he lives and works. It is a brutal scam. Based on what we’ve learned from the men who contact us, we believe these women are not acting alone.  They seem to have some sophisticated support, and these scams are so similar that it feels like they are part of a cybercriminal gang’s playbook. You can read about these scams in our article Sextortion Scam Via Facebook.

The love scam that we’ve written about the most is the “underage girl sext” scam.  It’s been going on for at least three years and nearly 700 men have reported their experiences to us.  We heard from so many that we were able to detect patterns and similarities, which we turned over to the FBI in 2018.  At the end of November 2018, the Attorney General of South Carolina announced the arrest (and re-arrests!) of 15 individuals most responsible for this scam.  Immediately, the number of victims contacting TDS dropped to zero! It was wonderful! Unfortunately, the scam has returned, though smaller in number. We’re now hearing from 3-4 men each week who’ve been targeted by this scam again.  You can read about the full history of this scam in our most up-to-date article Plenty of Fish Has Plenty of Sharks.

There have been many other “love scams,” and not just targeting men.  In 2018 we also wrote an article about online dating scams targeting women by fraudsters who try to win the love and trust of a woman and then milk her for money.  Read I Love You, Now Send Me Money.   The search for online romance, or just internet sex, can be a challenging effort even when using very well-known and trusted dating sites! Read about Abe’s experiences in our article Online Dating Scams.   Finally, to round out your education about these threats, try reading our other related articles!  As one woman we interviewed told us, she’s done with online dating! Her many fraudulent experiences have turned her off completely.  She says that she’ll never use another online dating service/app again. We believe it can be done safely, but online dating requires a different set of safety rules and decision making.  We’ve detailed these safety rules in our article I Love You, Now Send Me Money.

Other articles include:

Sextortion by Bot?

Underage Girl Sext Scam

Your Worst Nightmare: Sexting a Minor… Or so you think.

Finally, we wanted to remind readers that this loving digital landscape is also mined with malicious mimics.  Even as we write this article, a TDS reader sent us an email she received, asking if it was legitimate. It was not.  It looked like a promotional email from eHarmony on her phone. (There is so little information available via the phone interface that it is hard to tell real from fraud!)  We opened the email on a computer and knew immediately that it was a fraud! Can you spot the obvious problem?

This email was sent from the domain pieceflu[.]casa and all links point back to that domain.  According to a WHOIS, this crap domain was registered on the very same day the email was sent.  And yet, here is a screenshot of what waits for you at the “piece of the flu in your house” website.  Sure looks like eHarmony, doesn’t it? Remember, it is so easy to deceive online. Bottom line, if you are looking for love online you had better learn how to verify, verify, verify…. And be skeptical!

FOR YOUR SAFETY: USPS Delivery Problems

This next fraudulent email should be obvious to anyone who is paying attention!  The FROM address is NOT usps.com after the “@” symbol!  However, if you would like to take a quick trip to a Russian website called yazkova[.]ru then click “View Details.”

USPS delivery problems? Hell yes!

Until next week, surf safely!