
July 24, 2019

THE WEEK IN REVIEW

We imagine that most of our readers receive lots of random calls to their smartphones and landlines, just like we do.  Some of these are obviously scam callers, while others are questionable. And since “Ma Bell” (AT&T) and all the Bell family members have made it possible for call spoofing to exist, we can no longer rely on CallerID to identify the real phone number or name of the caller.  It makes us laugh when our CallerID says “united states” as the location of the caller, or identifies the caller’s phone number as “000000.” However, when scam calls use 800-692-7753 (the legitimate Apple Computer support phone number) and claim to be Apple tech support, that’s a problem for the millions of people using Apple products. (The Apple Tech Support Scams article on our website continues to be VERY popular.)

However, what about calls that seem like legitimate marketers, or are not easily identified as fraudsters?  For example, listen to this call we received from 978-462-7342 representing Cardmember Services:

 


 

We turned off our chill music, pressed one and eagerly waited for someone to pick up so we could learn how to reduce our credit card interest rate and debt.  But the “service” hung up on us! If we dig a bit deeper with the little information we have on this seemingly legitimate call we see several serious red flags…

  1. “Card Member Services” is not a business name. (Nor is “Cardmember Services.”) We searched for this business but found no such business.  However, the 4th link down was this article about the FTC shutting down a massive robocall scam to “trick people into paying for worthless credit card interest rate reduction programs” back in 2015!  We see how effective that FTC shutdown was! (NOT!)
  2. If we use Google to search for “card member services calls” (the most popular search string that auto-populated in Google as we started typing), we see no fewer than 10 links to articles and YouTube videos about scam robocallers, especially “Rachel, from card member services.”
  3. Not that we need any more proof of malicious intent, but a search for that phone number, 978-462-7342, turns up nothing at all related to any business or credit card service.  We only find a few references to some previous homeowners who may have used this phone number at one point.

In addition to climate change caused or exacerbated by humans, racist tweets sent by an amoral U.S. President who was likely elected with the help of the Russian government, we have to accept that any incoming unrecognizable call is highly likely to be malicious.  (The only exceptions we can think of are those calls that come from repair/service men and women trying to reach us, or our doctor’s/dentist’s office, etc. These legitimate callers will leave voice messages!) There seem to be two sets of statistics widely available online about the number of robocalls that bombarded Americans in 2018, and both are crazy high!  Hiya, maker of a CallerID app, claimed that Americans were targeted by 26.3 BILLION robocalls in 2018, consisting of a mix of spam, scams, and marketers. This was 46% higher than 2017, they said. (Reported here on ZDnet.)  However, PRN Newswire reported on numbers released by YouMail, another blocking app, saying that Americans were targeted by nearly 48 BILLION robocalls, almost 57% more than in 2017, and that 37% of these calls were scams. (The PRN article lists the top 10 scam calls as well.)

Our advice is simple…. Everyone should be using an app or service to cut down on the number of robocalls  received since most are fraudulent or unwanted. Also, if a call comes to you and you don’t recognize the number, let it go to voicemail.  If it’s legitimate, the caller will leave a message. Two apps that come highly recommended to help stop robocalls are Nomorobo and YouMail. (We do not use either one. These recommendations are based on online reviews. Also, we receive no money from these services.  Last time we checked, YouMail was 100% free.)

Overall, scam emails, texts and social media posts continue to be much lower than usual.  Contrary to this statement, the Nigerian 419 scammers are still hard at work. Here’s one of our recent favorites from “Mrs. Bertha Kra.”  Take out your violins. She’s dying from cancer….

 


Phish NETS: Netflix Account

One of our longtime readers sent us this very unique phish pretending to represent Netflix. (Since January, 2016 we have only reported on 15 phishing emails pretending to represent Netflix.  This is actually a very low number!  By contrast, we’ve reported on about 100 phishing emails claiming to represent either Bank of America or JP Morgan Chase Banks.)

This Netflix email actually came from “info.com” and the links point to a hacked travel service located in Egypt, called Aidilazman Nasron Travel.  Even Google knows that this website has been hacked! (see graphic below.)  Editorial note: Google should report and post this suspicion much better than it currently does!  “This site may be hacked” should be BOLD RED CAPS! And Google should automatically send an email to the web hosting service, site owner and service with whom the domain is registered to say that they suspect the domain has been hacked.

NOTE: TDS added the shocked emoji on the Google search screenshot, not Google.

YOUR MONEY:  Skin Science CBD Cream

We’re going to look at this next suspicious email through two very different lenses to help readers identify malicious intent.  The first here will focus on the FROM email address. The sender of this email has used the name “DailyDietInsider[.]com.” However, a close look at the domain that follows the “@” symbol shows that it was sent from skinsciencecbd[.]pro. (We know nothing about DailyDietInsider[.]com, except that it was registered in January, 2018, appears to refer to “Dr. Oz” and note that NO ONE on the Internet seems to be referring to this website. Our advice is to stay away.)  And who is skinsciencecbd[.]pro?  As you can see from the screenshots below, this domain was registered the day before this email was sent and has already been identified by the Zulu URL Risk Analyzer as having an 80% chance of being malicious.  We’ll be bold and say the chances are 100%. This is not a product that will “turn back the clock on aging.” Remember…. It is critically important to look at the domain name that FOLLOWS the “@” symbol!

To see the malicious intent of this email through our second lens, read this week’s Top Story column titled “2 Random Hyphenated Words.”

              

TOP STORY: 2 Random Hyphenated Words

In December of 2017, we began to notice something rather odd about some of the emails we identified as malicious. The email links pointing to these malicious websites contained two random words that were hyphenated, usually at the start or end of the link.  At first we thought this was an anomaly, but the frequency increased so much that we reported it in our newsletter on January 3, 2018 and showed TDS readers four malicious emails disguised as offers from Sam’s Club, CVS Pharmacy, Walmart and Amazon.  The random hyphenated words in the links to those four scams were:

   “screwdriver-argot”

   “questionnaire-Poole”

   “superseding-striven”

   “backspaced-conversation”

But the use of random hyphenated words in malicious links seemed to have disappeared by the spring of 2018.  And then we began to see them again, though infrequently, in the spring of 2019. We reported on a Windows Survey scam on April 3, 2019 that used the random word string “dismally-autopsies”! And check out the Phish Nets column in our April 17, 2019 newsletter for more examples.  During the last few months, we have been seeing more of this design in the malicious emails that target us all.  It was, and still is, our belief that a cybercriminal gang has automated their process for creating the malicious file structure on web servers, and the associated malicious links that they use to target us.

Therefore, you can probably identify malicious intent by mousing over any link (BUT DO NOT CLICK) and looking in the lower left corner of your web browser to see where it points. (NOTE: If you don’t see the link revealed in the lower left corner of your browser, it means your browser preferences are set to hide it.  Not a good idea.) If you are not sure about the domain (website name), look to see if the link contains 2 random hyphenated word combinations.  If it does, the odds are very high that the link is malicious! Check out these two examples we created just to illustrate our point. The words “crazy-combination” represent the name of a folder (i.e. directory) on a web server when they are preceded and followed by a forward slash in a link:

   www.sampledomainname[.]com/crazy-combination/933hahsh92halc-whatever

   www.sampledomainname[.]com/933hahsh92halc-whatever/crazy-combination

Now that you have an idea about what we mean, go back to this week’s Your Money column and look at the link at the bottom of the “turn back the clock on aging” email for the hyphenated words “goodly-print.”  When we reloaded that malicious link into Sucuri.net to evaluate it, we also noticed that it dynamically changed to a new modified link at skinsciencecbd[.]pro.  But the newly modified link ALSO had two random hyphenated words: council-denominator:

Remember, the hyphenated word combination doesn’t always appear at the end of the link.  We often see it at the beginning, just after the name of the domain, such as in this recent malicious clickbait from timeshareexit[.]pro.  (We understand that “Muriel” is a name, not a dictionary word, but apparently that’s still fair game by cybercriminals.)

For the record, this “Get Rid of Your Timeshare” clickbait was registered the very same day the email was sent.  And that website at timeshareexit[.]pro also contains a forwarding script that will send a visitor to a domain we’ve identified as malicious many times during the last few weeks…. NextCoolDeal[.]com.

So, the next time you hover your mouse over a link to see where it points (BUT WITHOUT CLICKING IT!) and you see two random hyphenated words, lunge for the delete key!
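
The mouse-over check from this column, automated as an added Python example (it is not TDS’s own tooling). It assumes that “two random hyphenated words” can be approximated as a folder name made of two purely alphabetic tokens at the start or end of the link’s path; no dictionary is consulted, so ordinary folder names such as privacy-policy also match, and a hit is a reason to look harder at the domain, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Proxy for "two dictionary words joined by a hyphen": two purely alphabetic
# tokens of 3+ letters. This is an assumption of the example; no word list is used.
WORD_PAIR = re.compile(r"^[A-Za-z]{3,}-[A-Za-z]{3,}$")


def refang(link):
    """Undo the [.] defanging used on this page and ensure a scheme is present."""
    link = link.strip().replace("[.]", ".").replace(" ", "")
    if "://" not in link:
        link = "http://" + link
    return link


def word_pair_segments(link):
    """Return word-pair folder names found at the start or end of the URL path."""
    path = urlsplit(refang(link)).path
    segments = [s for s in path.split("/") if s]
    if not segments:
        return []
    # The column reports the pair right after the domain or at the very end.
    edges = segments[:1] if len(segments) == 1 else [segments[0], segments[-1]]
    return [s for s in edges if WORD_PAIR.match(s)]


def triage(links):
    """Map each link to the suspicious segments found in it (empty list = none)."""
    return {link: word_pair_segments(link) for link in links}


# The first two links are the column's own made-up examples; the last two are
# constructed here to show links that should not be flagged.
SAMPLES = [
    "www.sampledomainname[.]com/crazy-combination/933hahsh92halc-whatever",
    "www.sampledomainname[.]com/933hahsh92halc-whatever/crazy-combination",
    "www.sampledomainname[.]com/933hahsh92halc-whatever",
    "https://www.sampledomainname[.]com/",
]

if __name__ == "__main__":
    for link, hits in triage(SAMPLES).items():
        print("FLAG " if hits else "ok   ", link, hits)
```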

FOR YOUR SAFETY: Cyber-risks from Hair Straighteners!

Have you heard about “IoT” devices?  IoT stands for the Internet of Things and it refers to everyday devices that connect to the Internet, presumably to make our lives easier and more convenient.  For example, a baby monitor that allows parents to listen to (or look at) their sleeping baby in the crib while they are out to dinner somewhere.  Or how about a “smart refrigerator” or “smart TV?”  All of these devices are increasingly making us vulnerable to hackers and there is a growing chorus of security experts who say that the number and kind of IoT devices are getting out of hand and putting us at risk.  These everyday consumer products are being designed and built by companies with little or no consideration for security and the protection or privacy of information. This is nothing new. But what is new to us are the ridiculous consumer products that are being featured with IoT connectivity.  Would you believe a hair straightener? What nonsense is this?! But it now exists and security experts had no problem hacking it via Bluetooth and adjusting the settings high enough to cause a fire. Check out this recent article on the Sophos blog called Naked Security:

“The log files that are part of its software design were far too open, allowing anybody with a little time on their hands to infer the commands to do dangerous things.”

https://nakedsecurity.sophos.com/2019/07/18/hacked-bluetooth-hair-straighteners-are-too-hot-to-handle/

Think that’s the extreme use of internet connectivity in the crazy world of IoT?  How about remote diaper sensors that can tell a parent if their child’s diaper has pee in it!


Until next week, surf safely!