January 4, 2015

When is a nice girl anything but? When is a job offer an attack on you? And when might we let flattery damage our computers? The sub-heading of our website could be written as “things that are not what they seem to be” and this couldn’t be more spot-on in this week’s newsletter as we expose the truth about several featured scams below.

But in case you wondered what we didn’t cover… there were all the routine scams we know and love: Walgreen’s credit, your Apple service account is frozen, find the lowest priced vehicles, get a free home security system, find the best credit repair advice, information about your last life insurance payment, a “work at home” success story that you can do too, reduce your heating bills, give yourself perfect 20/20 vision, restore your hearing loss, reverse nerve pain, (diabetes was cured…again!), use your Macy’s rewards points, weight loss scams and so much more!

However, there were three that deserved display status here. The first below is a Barclay’s phishing scam to capture someone’s bank account information. We’ve seen an increase in the number of bank phishing scams and just published a feature article exposing them in detail at TDS. Check out “Anatomy of a Phish.” It’s pretty scary when you see how sophisticated some of these scams are and the personal information requested. The middle scam below is the type that uses scare tactics to socially engineer a click to a malware-laden website. It’s very effective. And the last of this threesome we chose simply because we thought it was extremely clever! How many dog owners do you know have a dog who could use a bit of this?


I Am A Nice Girl

There are so many red flags that scream at the recipient NOT to click the link in this email… Like the fact that it contains a link from Google’s shortening service so you have no idea where you’ll end up on the Internet until you click or use an unshortening tool! (Check out our article on the risks from clicking shortened URLs.) Or the fact that the “from” address is a very strange address ( is actually an advertising agency in Lebanon, MO who has no idea their email address is being misused), or the fact that there isn’t a single bit of information to identify the email recipient. (In other words, this email was sent out in bulk to thousands, if not millions of email addresses.)

“I.C” is anything but a nice girl! That link is a redirect to a suspicious website. Look carefully at the redirects that were identified on the website by the Zulu URL Risk Analyzer. There are three. One redirect sends the visitor to a website in “.dk” (Denmark) while two others send the visitor to websites in “.ua” (Ukraine).

[Image: Zulu score and redirects for the “I am a nice girl” link]


Not only is the website suspicious, but look at the links waiting to be executed when you arrive on the webpage. Most of these external links are for webpages in Ukraine, but there are also links to Russia (.ru) and India (.in).

While this may seem like a trick to send someone to a porn site in Eastern Europe, it masks the fact that the porn site contains malicious software waiting to target the visitor. This is NOT a nice girl!

Just delete.

New Job Offer

Forget for a moment the important point that the job offer doesn’t identify the recipient at all. It doesn’t really say much of anything! What is the job position? What is the company? And why does the email appear to come FROM the person it was delivered TO?

We thought the name of the website link was very interesting so we looked it up on Google:

Notice anything unusual about Google’s display of the website (besides the fact that it contains the very scammy line “learn how to make $500 a day”)? There’s no additional information about the website or its contents. In fact, Google reported nothing about this website except what you see above. This lack of information is unusual for a legitimate business. So we used a WHOIS to try to see who owned

As if we weren’t already suspicious, the WHOIS report raised several red flags such as:

  1. com was registered (created) two days before the email was sent
  2. com was registered through If you try to dig further into this registration information you’ll learn that it was registered by someone claiming to be a “Sandra Wilson” from San Antonio, Texas and is a registering service in China.
  3. The website is being hosted in Galati, Oancea Romania. (We had to look it up on a map.)
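The red flags described above for the “nice girl” and “job offer” emails (a shortened link, a From address identical to the To address, and a linked domain registered only days before the email was sent) can be checked mechanically. The following is an added example, not part of the original newsletter; the sample message, the WHOIS creation date, the shortener list and the 30-day threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}  # assumed, non-exhaustive
NEW_DOMAIN_DAYS = 30  # assumed threshold for "recently registered"

# Constructed sample message (not the real email from this newsletter).
SAMPLE = """\
From: victim@example.org
To: victim@example.org
Date: Sat, 03 Jan 2015 10:00:00 +0000
Subject: New job offer

Learn how to make $500 a day: http://job-offer.example/start
Details: http://goo.gl/AbCdEf
"""

# Constructed stand-in for WHOIS "Creation Date" lookups, keyed by host.
WHOIS_CREATED = {"job-offer.example": datetime(2015, 1, 1, tzinfo=timezone.utc)}

def triage(raw, whois_created):
    """Return a list of red-flag strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == rcpt:  # mail that claims to come from its own recipient
        flags.append("from-equals-to")
    sent = parsedate_to_datetime(msg["Date"])
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:  # destination is hidden until expanded
            flags.append(f"shortened-url:{host}")
        created = whois_created.get(host)
        if created is not None:
            age = (sent - created).days  # domain age on the day the mail was sent
            if 0 <= age <= NEW_DOMAIN_DAYS:
                flags.append(f"new-domain:{host}:{age}d")
    return flags

if __name__ == "__main__":
    for flag in triage(SAMPLE, WHOIS_CREATED):
        print(flag)
```

In practice the creation dates would come from a real WHOIS or RDAP lookup for each linked host, and shortened links would be expanded first so the final destination's domain is the one checked.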

This email smelled so bad that we couldn’t resist asking the Zulu URL Risk Analyzer to check it out and Zulu confirmed our suspicions (though it incorrectly identified the hosting service as Turkey. Zulu isn’t perfect. We used several different sources to confirm Romania.)

[Images: “New job offer” Clickmoneys Zulu score; “New job offer” Clickmoneys external elements]

Finally, we wondered why the registering service couldn’t figure out that this was a scam domain and remove it since the name alone should be high on the “scam-o-meter.” But when we investigated the registrar service we quickly learned that this service was itself using very shady business practices and had been notified last May by ICANN that they were in breach of their contract as a result of their questionable practices. Read more about this from the pdf on ICANN’s website or at Internet News. (ICANN is the parent company of all registrar services across the Internet; ICANN – Internet Corporation for Assigned Names and Numbers)

Just delete.

Vanity Scams that Appeal to Our Self Importance

There are actually some “legitimate” Who’s Who businesses but when we say legitimate we simply mean that they will charge you a fee to put your name in a directory that they publish and sell back to you telling you how awesome you are. So we use the term “legitimate” a little loosely. (Read our article about vanity scams.) However, there are also many scam sites disguised to look like a Who’s Who service such as these.

A WHOIS look up tells us that this website,, was registered on September 5, 2014 by a “Fanny Bigsby” from Ontario, Canada. Besides the suspect website name, check out the miles of random cookbook text that we found just inches below the graphic…


This text is an attempt to try to manipulate anti-spam filters into thinking that a spam email is legitimate. This tactic alone is enough to confirm that this email is worthy of the delete key. Here’s another one we thought you would enjoy. What made this one even funnier is that the recipient is invited to be included in the 2013 edition! And it’s a great “source of network pool,” whatever that is. The scammers forgot to update their template date to 2014. We saw a few other emails with old year dates such as this one saying that all 2013 car models must go!

[Images: “All 2013 Car Models Must Go” email; Who’s Who invitation]

Just delete.

Surf safely!