July 12, 2017

THE WEEK IN REVIEW

What is it with Russia?  As if it wasn’t enough that they hacked our electoral process and put their first choice into the most powerful position on this planet.  Do they still have to target Americans with malware, spam, and mean tricks?  We see thousands (not hundreds) of emails every month enticing men to visit Russian dating websites.  Social engineering tricks, all of them!  Look at this list of a handful of emails hitting one honey-pot server over a few hours.  They’re beautiful.  They’re hot.  They’re adoring. They’re lonely.  And they’re so full of cow-poop.


[hr_invisible]

And then they continue to rub Hillary Clinton’s nose in it, as if she’s still a threat.  Actually, we think they’re more likely targeting Trump’s base, because his voters are more likely to believe and click on this crap-o-la.  First is the absurd subject line “Hillary replacing Trump: Back in the oval office,” followed by “Hillary’s violent meltdown caught on camera.”  Supposedly “Terrence Miller” registered the domain orehired-DOT-com; we exposed his shenanigans last week.  Well, Terrence has to be a pseudonym for Vladimir, because no one else seems to carry such an unrelenting grudge against Hillary.

[hr_invisible]

If you want a good laugh, listen to this 2 minute call that Doug at TDS took from 651-256-3537.  It’s hard to understand because of the heavy Indian accent and the tinniness of the call from halfway around the world but it’s worth a listen if you ever wonder what happens when a scammer is called a scammer to his face, er… voice.  Doug found it very satisfying!

Click the sound bite to play (NOTE: Foul language at the end of the call)

[hr_invisible]


Sample Scam Subject Lines:

Few People Know How to Save with Free Samples

Change your life NOW

Get perfect white teeth from home

Good Day to Improve Your Life

Home security with ADT monitoring offer

Is Cable TV Worth The Price?

People Are Throwing Away Their Vitamins

Ripley’s Believe It Or Not Investigated Him After His 5th Win..

Saves You Money on Printer Ink! Free Shipping Available

Switch to a 15 Yr Fixed Mortgage Before It Expires Soon

Take the Test: Which of These Three Oils Cures Diabetes?

How to start a woodworking business

Your $50 coupon for Walgreens is now ready to us


Sample Scam Email Addresses

1ink-[YOUR EMAIL] @ owensconing.com

amazoncom-[YOUR EMAIL] @ unitedamzn.com

analyst @ nahlily.info

breathalyzer @ docreap.info

cnn-alert-[YOUR EMAIL] @ rorygilmore.com

hydrotherapeutics @ tetukurg.info

lowermybillscom-[YOUR EMAIL] @ cymix.net

nonmakeup @ javaunited.info

open-immediately-[YOUR EMAIL] @ netdingo.com

reduce_eye_wrinkles-[YOUR EMAIL] @ mydermauza.com

safestreetsusa.adt.authorized.dealer-[YOUR EMAIL] @ adtnewsys.com

sams_club-[YOUR EMAIL] @ dealforsams.com

walgreens-gifts–[YOUR EMAIL] @ walgrinisnow.com
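The addresses above share two tells that a mail filter can key on: the recipient’s own address is stuffed into the local part (“amazoncom-[YOUR EMAIL]”), and a brand name appears in the local part or in the domain while the domain is not one that brand actually mails from. The Python below is an added example written for this page, not code from TDS or from any mail product. The brand-to-domain map is an illustrative assumption, and the addresses are the page’s own defanged samples (spaces around the “@”, “[YOUR EMAIL]” standing in for the real recipient). It scores each address and lists the reasons that fired.

```python
import re

# Brand tokens (as they look once punctuation is stripped from a local part)
# mapped to the domains that brand actually mails from.
# ASSUMPTION: an illustrative map for this example, not an authoritative list.
LEGIT_DOMAINS = {
    "amazon": {"amazon.com"},
    "walgreens": {"walgreens.com"},
    "samsclub": {"samsclub.com"},
    "adt": {"adt.com"},
    "cnn": {"cnn.com"},
    "lowermybills": {"lowermybills.com"},
}

# The page's own defanged sender addresses, reproduced as sample input.
SAMPLE_ADDRESSES = [
    "1ink-[YOUR EMAIL] @ owensconing.com",
    "amazoncom-[YOUR EMAIL] @ unitedamzn.com",
    "analyst @ nahlily.info",
    "breathalyzer @ docreap.info",
    "cnn-alert-[YOUR EMAIL] @ rorygilmore.com",
    "hydrotherapeutics @ tetukurg.info",
    "lowermybillscom-[YOUR EMAIL] @ cymix.net",
    "nonmakeup @ javaunited.info",
    "open-immediately-[YOUR EMAIL] @ netdingo.com",
    "reduce_eye_wrinkles-[YOUR EMAIL] @ mydermauza.com",
    "safestreetsusa.adt.authorized.dealer-[YOUR EMAIL] @ adtnewsys.com",
    "sams_club-[YOUR EMAIL] @ dealforsams.com",
    "walgreens-gifts–[YOUR EMAIL] @ walgrinisnow.com",
]

RECIPIENT_MARKER = "[your email]"


def parse(addr):
    """Split a (possibly defanged) address into lowercase (local, domain)."""
    local, _, domain = addr.lower().partition("@")
    return local.strip(), domain.strip()


def brand_in(text):
    """First brand token found in text after punctuation is removed, else None.

    Substring matching is deliberately liberal: it catches 'amazoncom-' and
    'walgreens-gifts', but a short token such as 'adt' can also fire on an
    unrelated word, so treat hits as triage signals, not verdicts.
    """
    flat = re.sub(r"[^a-z0-9]", "", text)
    for brand in LEGIT_DOMAINS:
        if brand in flat:
            return brand
    return None


def triage(addr):
    """Return the list of heuristic reasons to distrust the sender (empty = none fired)."""
    local, domain = parse(addr)
    reasons = []
    if RECIPIENT_MARKER in local:
        # The recipient's own address in the local part is a bulk-mailer
        # tracking trick; a real brand's notification address does not do this.
        reasons.append("recipient-in-local")
    brand = brand_in(local)
    if brand and domain not in LEGIT_DOMAINS[brand]:
        reasons.append(f"brand-domain-mismatch:{brand}")
    label = domain.rsplit(".", 1)[0]  # registrable label, e.g. 'adtnewsys'
    brand = brand_in(label)
    if brand and domain not in LEGIT_DOMAINS[brand]:
        reasons.append(f"lookalike-domain:{brand}")
    return reasons


def flag_all(addrs):
    """Return (address, reasons) for every address that tripped at least one check."""
    return [(a, triage(a)) for a in addrs if triage(a)]


if __name__ == "__main__":
    for addr, reasons in flag_all(SAMPLE_ADDRESSES):
        print(f"{addr:60s} {', '.join(reasons)}")
```

Run it and the four generic .info senders (analyst, breathalyzer, hydrotherapeutics, nonmakeup) come back clean, because nothing in them names a brand; the other nine trip at least one check. The look-alike check is substring-based on purpose, so “adtnewsys” is caught but “unitedamzn” and “walgrinisnow” are not; a production filter would add edit-distance or homoglyph matching against the brand list, which this example leaves out.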

[hr]

[hr_invisible]

Phish NETS:  Capital One and Email Important Notice

“Important Notice”  “Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account.”  This email is like nails on a chalkboard to grammar teachers across the U.S.!  The email, of course, didn’t come from citi.com but came from localhost.localdomain.  And the link “Click Here Verification Your Account” points to an Albanian website that we think is for the Democratic Party of Kosovo.  Must be the Russians again.

Delete!

[hr_invisible]

This next phish, also with the subject “Important Notice,” targets generic Outlook email account users with a bogus scare tactic: “POSSIBLE VIRUS/PHISHING SCAM DETECTED.”  Hell, you got that right!  The link points to the domain tripod.com, a free web-hosting service.


[hr_invisible]

YOUR MONEY:  PCShield Inc, Amazon Survey Reward, and Lotto Destroyer

We loved seeing this next old-fashioned, who-uses-fax-anymore scam!  It came to us via a TDS reader with sharp eyes who noticed it was complete bull crap, not a legitimate bill.  The fax arrived at a school on July 4.  That’s our first hint that something isn’t right about it.  It’s a bill from PC Shield, Inc. in Oklahoma City, OK.  There is one small spot on the entire bill that says “Ad from.”  Everything else about this bogus bill screams fraudulent billing practice.  There’s no phone number and no website to visit.  In fact, a visit to pcshield.com shows a BIG message saying “This Domain Name is Suspended.”  You can, however, email your payment to them or fax the payment information.  The school, of course, doesn’t use this service and knows nothing about it.

Deeeeleeete… er, we mean rip it up.


[hr_invisible]

“You have been selected to take part in our anonymous survey” about Amazon!  “Take this 30 second questionnaire and we’ll offer you an exclusive deal worth over $50!”  Notice they aren’t offering you $50, but a deal valued at $50.  Never mind, though: the bottom of the email contains the opt-out address of the most misused scam mailbox in the history of our three years in operation… 2885 Sanford Ave. Grandville, MI.  Even the domain itself was registered to this drop-box address of no particular origin.  According to the Zulu URL Risk Analyzer, the domain leputic33-DOT-com has been blacklisted as malicious.

[hr_invisible]


Want to meet the LOTTO DESTROYER!?  Sounds like the villain from some B-grade movie.  “Winning has never been this easy.”  The logic of this email is absurd.  Think about it.  I create smart robot software able to win lotteries.  Then I post it online and send the link to random people across the Internet?  Wow, what a selfless, benevolent and altruistic person!  Or could it be that I want to infect people’s computers and have malware like ransomware waiting at the end of the link?  Hmmm…. Zulu reports a 91% chance the link is malicious.  The odds of getting an infection are way better than the odds of winning the lottery.

Delete!

[hr_invisible]

TOP STORY:  Can You See Deleted Text Messages?

This next effort to get you to click a malicious link got us thinking about a common question parents ask when trying to monitor or check on their child’s smartphone use…  Can a child’s text messages be read after they have been deleted?  First, have a look at this scum email we received with the subject line “How To See Deleted Text Messages.”  It is made to appear as though it is affiliated with CNN, but the email was sent from the domain childrenzaler-DOT-com on July 3.  “Over 50% of teenagers experience cyber bullying and are 9 times more likely to consider suicide.”

Sadly, cyber-bullying affects many kids, and the statistics in this scam email appear to come from the i-Safe Foundation (reported on bullyingstatistics.org and nobullying.com in 2013 and 2014).  Of course the numbers are a moving target from year to year and vary with how they are reported.  The point is that the problem is serious.   But this email is not going to lead you to help.  A Google search for the domain childrenzaler-DOT-com shows only links to the website emailfake.com and other sites reporting fake emails.  The domain was registered to someone named “James Wilson” on July 3rd, and the Zulu URL Risk Analyzer reports that it has already been blacklisted as malicious.

[hr_invisible]

So where does that leave this notion about resurrecting deleted texts?  Is it possible?  Can parents or police use this trick to safeguard, protect, monitor, or track someone?  We think you’ve already guessed the answer…  There’s no such thing as delete when it comes to our online lives.  Doubt us?  Ask Kyle Navin, now in a Connecticut jail for murdering his parents, after police used special software to find and restore his deleted texts. (How Police Can Get Your Deleted Texts, WTNH.com, November, 2015) Or ask a teacher in Florida about the 129,000 deleted text messages found by investigators on her phone and a student’s phone in 2016, leading to the arrest of the teacher. (Florida Teacher Exchanged 129,000 Sexually Explicit Texts with Student, WFLA.com, November, 2016)  Perhaps you remember the tragic death of a Beta Theta Pi fraternity pledge at Penn State U last February.   Eighteen Penn State students are facing charges this summer, in part, due to recovered texts that had been deleted from phones.  (Reported on ABCNews.com: More Details Emerge in Horrific Penn State Fraternity Death, May, 2017).

Even lawyers and parents have access to these tools.  DecipherTools.com is a company based in California and Arizona that offers services, tools, and resources for restoring deleted content including texts.  They even have a blog informing parents how they can undelete texts themselves.  Visit “How to Recover Deleted iPhone Text Messages.”

So, once again, the next time you think that digital content is private or unrecoverable once “deleted,” think again.  Even the professional Russian hackers couldn’t completely hide their tracks.  So why do we think we can?

[hr]

FOR YOUR SAFETY:  Shipping Information, July Order, and UPS Unable to Deliver

We’ve seen this type of malicious email before, but it is so good at fooling the recipient that it bears repeating.  “Hello, The delay happened because of the Independence Day.  Here is the label from UPS, use the tracking number on their website,” followed by a link that appears to be for UPS.  It even seems to be a reply to an email the recipient supposedly sent first, saying “Have you shipped my order.”  Lies, lies, lies!  The link points to a domain that looks like it belongs to a tire company, but it is only a close look-alike of a real domain, not the real thing.  The link, of course, is malicious.  Check out the Zulu score!

[hr_invisible]

“See attached our order for July, please see specifications and confirm…”  Of course the attached zip file contains malware.

Ouch!

[hr_invisible]

And the same goes for the attached zip file called “UPS Label” in this malicious email.

Deeeeleeete!

[hr_invisible]


ON THE LIGHTER SIDE:  OMG! We never could have predicted this!

A music teacher at a school was contacted last week by Jordan Japal, Awards Executive at NorthAmerica-News.com, to say that she had been nominated North American CEO of the Year for 2017!    What an outstanding, and surprising, honor to be up there with the likes of Jeff Bezos, Mark Zuckerberg, Marissa Mayer, Elon Musk, Warren Buffett and others. NorthAmerica-News.com says on its website that it is “the leading magazine for the dealmakers, game changers and decision makers in the U.S business market.”   It’s just a bit odd that such an honor comes from an organization representing North America but uses a domain that’s registered and hosted in England.  Also, the website was only created at the very end of March.  Interestingly, there is another similar domain, CorporateAmerica-News.com, registered in 2014 and offering similar awards, which has been flagged as a source of vanity-award scams.  If you look at the WHOIS data for both sites, you’ll see that they look nearly identical, including the website description “North America News – Home.”

   http://whois.domaintools.com/corporateamerica-news.com

We found Mr. Japal’s LinkedIn page.  On it, he lists his credentials for Awards Executive at AI Global Media as “researching and selling various award programmes for industry sector specific magazines.”   We think the operative word in his description is selling!

Until next week, surf safely and don’t buy any awards telling you how awesome you are!  Even though you are awesome!