
July 10, 2019

THE WEEK IN REVIEW

The most prolific scamming gangs around the world must have taken a vacation last week because our inboxes, texts, and phone calls were so much quieter than usual! Even the Nigerian 419 scammers, who tell you that money is waiting for you at customs, or that they want you to partner with them to help get millions of dollars out of Iraq, or that they are dying without an heir and want you to help them give away their millions, were “relatively” quiet. We only received six of these scams. And yes, six is a low number! Here are their subject lines, along with one that we particularly enjoyed because it claims to have come from a United Nations Fund Compensation Representative AND our Federal Government led by “president Donald John Trump.” We were advised to contact “Mr. Justina Young” which, according to Wikipedia, is a name typically used for women, so we’re not sure how to address him or her.

YOUR ATM CARD IS READY

Reply back to this email
For Our Mutual Benefit!!!!
Attention Beneficiary
Did you authorized your foreign partner for immediate change of your account
To Beneficiary Email I’D,

 


Phish NETS: Phishing for Instagram Accounts and Credit Card Information

For us, it was a phish-free week!  We saw none and received none from our readers.  Even the many thousands of Reddit Users we sometimes turn to reported very few phish in the sea last week.  However, there were two that appeared on Reddit that were fascinating… a too-good-to-be-true text offer and a phishing scam related to dating.  Let’s begin with this $1000 Visa Card Giveaway! Reddit users are saying that the link associated with this text message leads to a fake Instagram login page designed to steal your account information. 

This second phish is very creative and we have seen similar schemes before in our investigations of dating scams.  A website called GetCertifiedandProtected[.]com claims to be for a service that will “verify” someone as legitimate so the person can offer this certification during online dating, and presumably, make the man or woman whom they contact feel more assured about them.  But it is all just a scheme to steal your credit card information! (Thanks to this Reddit poster for revealing this!)  The website GetCertifiedandProtected[.]com was registered on January 23, 2019 and is being hosted on a server in Singapore.  Though we cannot verify it, the Reddit poster says that this scam is part of the “Shine Love On Me” scam, that is similar and has been going on for some time now.  You can read about this, and the shnvme[.]com website, in this article at StopThatCharge.com.

YOUR MONEY:  Buy Real Instagram Followers and Amazon Marketing Survey

Do you really think you can believe in the popularity of a photo because it has a lot of likes?  Or an Instagram or YouTube account because it has a lot of followers or subscribers? Or a consumer product because it has a lot of positive reviews?  Thousands of Likes, Followers, Subscribers, Reviews, and “Friends” can be purchased with little money nowadays and we’ve written about these deceptive practices before.  (Check out our October 31, 2018 Top Story on Fake Product Reviews, or our article titled Shades of Instagram in our April 25, 2018 newsletter, or learn how easy it is to purchase these things in The Week in Review from our March 20, 2019 newsletter.)

And so when we recently received this email below to “grow your social media presence” by buying Instagram followers or likes, YouTube views and subscribers, and Facebook page/post likes from a company called “Social Blade,” we thought we might just be updating our old articles about this form of deception. After all, there is a company called SocialBlade.com that has been around since 2008 to promote and market things on social media. However, a closer look at this email shows that it came from, and has links pointing back to, solologodesign[.]com, a website that has been blacklisted by McAfee. If you click that link, you’ll be redirected from solologodesign[.]com to socialblade[.]us! Don’t confuse socialblade[.]us with SocialBlade.com! The DOT-us mimic was registered in October 2018 by someone named Pablo Javier Fauaz, from Argentina. We find it interesting that Mr. Fauaz has listed his email address with the name “mharis khan,” a typically Turkish (or Arabic) name. Also, the Zulu URL Risk Analyzer says there is an 80% chance that socialblade[.]us is malicious! One thing is for certain, socialblade[.]us is NOT SocialBlade.com!

Stay far away from this malicious mimic!

              

At the risk of boring our readers to death, we’ve been posting lots of malicious clickbait disguised as Amazon Surveys that offer rewards or payments to those willing to take them. We apologize for doing this again but… Amazon is one of the biggest online retailers in the world and cybercriminals continue to use its name to target netizens. In just four days we received six nearly identical emails pretending to be Rewards Surveys, mostly disguised as Amazon…

Take this invitation sent from the domain hotelagribul[.]online containing the subject line “Congratulation!You have been selected for an exclusive rewards.” (Nice English, huh!?)  We only need to click the link, take a 30-second marketing survey and SHAZAM, we’ll be given a “reward up to $100.”

It’s pretty obvious this didn’t come from Amazon, or any legitimate marketing firm!  Sounds like it came from an overseas hotel. However, a WHOIS lookup of the domain hotelagribul[.]online shows that it was registered by someone in India just 5 days before we received the email and that is NEVER a good sign!

Into another email account we received a nearly identical invitation but this time for CVS Pharmacy, not Amazon.  Same basic text, same photo, same design. The links point to the same domain hotelagribul[.]online.  Fortunately, the site is blacklisted even though no malware was found on the site… yet.

TOP STORY: Golf Magazine Clickbait?

Though we will never claim to be expert enough to expose every type of online/smartphone threat or scam, we can ALWAYS apply a reasonable “smell test” to the content we find. And if we smell a rat, we’ll let our readers know that there are facts that just don’t add up or make sense. Considering how well criminals are able to hide their tracks and deceive us, we feel it is better to be over-cautious than under. And so it is the case with a very interesting group of emails that started showing up in one of our honeypot inboxes on June 29, 2019. The email came from Golf Vacations Maga. <noreply “@” vacation4golfers[.]tk> and had the subject line “Celebrating the U.S. Open at Pebble Beach.” Several things about this email immediately struck us as odd…

  1. The U.S. Open at Pebble Beach was June 13 – 16.  Why did we receive this “online magazine” nearly 2 weeks later?  Also, we never signed up to receive this email (though not unusual today) but our honeypot accounts don’t play golf and are the worst possible target audience for this content!
  2. We received the same, identical email on June 29, June 30 and again on July 7.
  3. The domain “vacation4golfers[.]tk” was registered through a free and anonymous domain name service located in Amsterdam, Netherlands called Freenom.com and using the 2-letter country code “tk.”  This means the domain is hosted or delivered through servers in Tokelau, a territory of New Zealand located in the South Pacific. TrustPilot.com gives Freenom VERY poor ratings and says that it is stupid to register any domain through them because the domains are typically dropped or taken back after a period of time.  Free domains are not dependable and don’t last.
  4. As we looked more closely at the email header, we see that the email seems to have been sent through a website identified as financialservicesfoundation[.]org.  This was also VERY odd!  This domain was registered through a private proxy service very recently, on June 8, just 3 weeks before we received the first email.  (This domain and its accompanying website on financial services is also deserving of our attention and looks exceptionally suspicious!)

The strangeness about this Golf Vacations Magazine continued to add up as we dug deeper. For example, if you look carefully at the link shown at the bottom of the Magazine email screenshot, you can see the word “redirect.php” immediately after the first forward slash. It means that the link will send you somewhere else across the Internet. That somewhere turned out to be the domain vacation4golfers[.]gq. This domain was also registered through the free service Freenom.com. The 2-letter country code “gq” refers to Equatorial Guinea, a country along the coast of central Africa. None of our tools were able to identify malware lying in wait on any of these sites (vacation4golfers[.]tk, vacation4golfers[.]gq, or financialservicesfoundation[.]org), though Forcepoint ThreatSeeker found the “gq” site to be suspicious.

On a hunch, we decided to search for Golf Vacations Magazine and discovered that there is, in fact, a Golf Vacations Magazine website at golfvacationsmag[.]com that uses the logo/font that was found in the 3 identical suspicious emails we received. (However, the website doesn’t look all that professionally done in our opinion.) More importantly though, this domain for the magazine was registered in 2010, a lifetime ago for the Internet, and not through Freenom.com. It is very unlikely that something malicious would last for nine years online without being identified as malicious or taken down. It is our opinion that the emails we received are some type of malicious clickbait targeting Golf lovers. If we are wrong, then the legitimate Golf Magazine owners sure did a poor job of creating and sending their latest magazine content, post U.S. Open!
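The checks applied by hand in this issue (a free Freenom TLD, a “redirect.php” link, a well-known name on a different TLD as with socialblade[.]us, and a domain registered only days or weeks before the email arrived) can be collected into one triage function. This is an added example, not code from the newsletter; the function names, flag names and 30-day threshold are assumptions, and the sample link's query string is constructed.

```python
from datetime import date
from urllib.parse import urlsplit

# Freenom's free ccTLDs; the newsletter names .tk and .gq.
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}
# Second-level name -> TLD of the real site, as stated in the newsletter.
KNOWN_BRANDS = {"socialblade": "com"}
NEW_DOMAIN_DAYS = 30  # assumed cut-off for "registered very recently"


def smell_test(link, received, registered=None):
    """Return the flags raised by one (possibly defanged) link or domain."""
    text = link.strip().lower().replace("[.]", ".")
    parts = urlsplit(text if "://" in text else "http://" + text)
    labels = (parts.hostname or "").split(".")
    tld = labels[-1]
    name = labels[-2] if len(labels) >= 2 else ""
    flags = []
    if tld in FREE_TLDS:
        flags.append("free-tld")
    if name in KNOWN_BRANDS and tld != KNOWN_BRANDS[name]:
        flags.append("brand-on-other-tld")
    # "redirect.php" right after the first slash: the link forwards elsewhere.
    if parts.path.lstrip("/").split("/")[0].startswith("redirect"):
        flags.append("redirector")
    if registered and 0 <= (received - registered).days < NEW_DOMAIN_DAYS:
        flags.append("newly-registered")
    return flags


# Domains and dates from the newsletter; the query string is constructed.
SAMPLES = [
    ("vacation4golfers[.]tk/redirect.php?id=EXAMPLE", date(2019, 6, 29), None),
    ("vacation4golfers[.]gq", date(2019, 6, 29), None),
    ("financialservicesfoundation[.]org", date(2019, 6, 29), date(2019, 6, 8)),
    ("socialblade[.]us", date(2019, 7, 10), None),
    ("SocialBlade.com", date(2019, 7, 10), None),
]


def triage(samples=SAMPLES):
    """Map each sample link to its flags."""
    return {link: smell_test(link, when, reg) for link, when, reg in samples}


if __name__ == "__main__":
    for link, flags in triage().items():
        print(f"{link:48} {', '.join(flags) or 'no flags'}")
```

A flag here is a reason to look closer, not a verdict: the output stays defanged, and a clean result only means none of these four checks fired.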

FOR YOUR SAFETY: Payout to you!

One of our regular readers has begun receiving multiple emails as we “go to press.” Each offers her a payout of money to start a career with their service “MobileStartACareer[.]com” and StartACareerToday. Below is an example. We traced just one of these links and discovered (no surprise) that it has been identified as malicious!

Ouch! How fast can you say DELETE!

 

 

 


Until next week, surf safely!