July 19, 2017

[hr_invisible]

Phish NETS:  Chase Bank, Apple Accounts Team and IT HelpDesk

Look carefully at this Chase Bank wannabe.  The email was sent from the domain chase.net, NOT Chase.com.  Chase.net is an email service registered in, and operating out of Canada.  Any time an email says something like “It is mandatory that you verify your account now to avoid total lockout” you know it is phony-baloney.  The link “ACCOUNT VERIFICATION” points to a shortened link on bit.ly.  We used Unshorten.it to unshorten the link and discovered that it points to a website in Indonesia called Gulung-DOT-com.

Delete.

[hr_invisible]

“Hi You have one verification pending.”  Verification for what?  The email was sent from an address in Hong Kong (notice the 2-letter country code .hk)  The link points to a file on the website sarahstiefelmayer-DOT-com.  Apparently this threat is much more than just a phishing attack.  The Zulu URL Risk Analyzer scored the link “100% Malicious” because of the many malicious scripts waiting to spring on you when you arrive on that website.  (See screenshots.)

Ouch!

[hr_invisible]

[hr_invisible]

[hr_invisible]

Finally, here’s a generic “HelpDesk” phish that is meant to look like your IT folks offering to help you out.  It’s pretty lame though….

[hr_invisible]

[hr_invisible]

YOUR MONEY:  KidGuard, Amazon Account Gift and Never Squeeze Blackheads Again!

Our Top Story in last week’s newsletter was “Can You See Deleted Texts” and it was written in response to a malicious email targeting parents who have concerns about their children’s use of the Internet. (What parent doesn’t???)  Apparently, criminals continue to target parents by focusing on these concerns.  This email wants you to believe it is associated with KidGuard.com, a very real internet safety product for parents. The email uses the logo and graphics taken from KidGuard.com but it is a wolf in sheep’s clothing!  The email came from, and links point back to, the domain childprotekt-DOT-com. Google finds no such domain.  The only thing it does find are fake emails listed on emailfake.com such as this one. The scam domain was registered by “Darrell Lemley.”  We’ve identified other malicious domains registered in his name during the last few weeks.

[hr_invisible]

“Your Amazon account has a pending gift of $200” says an email from primezonusa-DOT-com. Darrell Lemley has been very busy!  This is another one of his more-than-1,065 registered domains.  And we’ll bet bigly that each and every one of those domains is malicious.

A big fat delete!

[hr_invisible]

This email seems to represent Astrid Skin Solution when it says “Never Squeeze Blackheads Again!”  But the off-beat domain shoppingonlinegood-DOT-com is registered to that mail-drop black hole of criminal misuse…  “Domain Administrator” at 2885 Sanford Ave. in Grandville, MI.  However, we loved the photo used in this malicious email and did a reverse image search for it.  Apparently it has been used on many sites around the internet, including Pinterest and YouTube, though we can’t locate the original source.

 [hr_invisible]

[hr_invisible]

TOP STORY:  Deception and Perception

We frequently talk about how easy it is to deceive others online and that what we perceive to be true is often far from it.  Here are a few more simple but specific examples of this.  At first glance, these may appear to be something innocuous.

Let’s begin with the fact that many Americans travel to other countries during the summer and, of course, require a passport to enter many countries.  One of our readers sent us this email with the subject “New Passport Rules” that seems to have come from “Government Update.”  “The Ministry of External Affairs just recently announced a new set of rules for applying for a passport.  And we’ve summarized some of the major changes that these new rules have bought in.” (…have bought in?)  But on closer inspection we want readers to notice that the email actually came from an email service called mailerassist.com, not the U.S. government.  We’ve written about another misuse of Mailerassist.com in the Phish Nets column of our May 24 newsletter.

[hr_invisible]

If you look very carefully at the code in the link revealed by mousing over “Continue Reading…” you can make out a redirect designed to send you to the website discountwalas-DOT-com and a page called “new-passport-rules.” Below is a screenshot of what waits for you there.  Apparently along with new passport rules you can click on links for fashion offers, lingerie & nightwear, as well as travel offers.  Does this sound legit to you?  The Zulu URL Risk Analyzer doesn’t think so.  It identified the site as being hosted in Malaysia and says it has an 80% chance of being malicious.  We’ll kick in the other 20%.

[hr_invisible]

[hr_invisible]

[hr_invisible]

[CONTENT REMOVED 10/16/17]

So, once again we ask you to take everything online with a “grain of salt.”  Our perception may really be deception.  Want to try this out for yourself?  Try investigating this short and sweet email representing the Lau Niu Foundation!

[hr_invisible]