July 25, 2018

[hr_invisible]

Phish NETS: : iCloud Account Locked, American Express Cardmember Alert, and USAA Bank

This phish has one of the most confusing and long “from” email addresses we’ve ever seen!  This alone should make you suspicious! Fortunately, the criminals who created this email haven’t got the best English skills.  This was disguised to look like a locked iCloud account warning. A mouse-over of “Review Account” points to a domain called rantang-sangu[.]biz.  The “hootsuite.com” portion is just a subdomain meant to trick you.

Clicking that link for “Review Account” will send you to a website that looks alot like Apple.com, but it is not!

This next phish DID NOT come from American Express.  Look carefully and you’ll see that the email was sent from aep.com, which is the website for American Electric Power.  The email says that you’ve been sent an HTML Fillable Web Form as a result of a recent security report.  Notice that the cardmember, nor his/her account, are mentioned anywhere in this email.  The attached file is very dangerous to open. Of course we opened it. If you look below you’ll see that the file pulls a javascript from an Italian website for a veterinary clinic called comarina[.]com.  Does any of this sound like American Express credit card yet?

A big fat delete!

We used to see lots of phishing scams targeting USAA Bank account holders in the winter and early Spring but then things seemed to quiet down for a few months.  THEY’RE BAAACK! USAA Bank account holders should be very careful about the emails they get claiming to represent the bank. Like this email that clearly didn’t come from the real bank at USAA.com.  A mouse-over of the link for “CLICK HERE” points to a file on the website dizzedplus[.]com.  According to BitDefender (see below), there may be more than a phishing scam waiting for you at the end of that link!

[hr_invisible]

[hr_invisible]

YOUR MONEY:  Been Verified Searches and Get Stunning Photos

BeenVerified.com is a background checking company that can be very useful.  But, as you can predict, this next email didn’t come from BeenVerified.com even though it claims to represent this company.  Notice the Potterybarn.com email address? We’re seeing lots of these phony “Pottery Barn” emails and they certainly didn’t come from the real Pottery Barn site either.  A mouse-over of all the links in this email point to a malicious website called rangetedious[.]com (“range” “tedious”)

But the “range tedious” website contains a redirect that will send you to another website called probebble[.]com.  Were you to click the link in the email for the “range tedious” website, you would be redirected to a webpage at probebble that looks EXACTLY like the real BeenVerified.com site (See below. The photo was taken from the fake site.)

So what’s going on here?

According to at least three online services including the Zulu URL Risk Analyzer, probebble[.]com is malicious!  Need real verification?  Visit the real BeenVerified.com website, don’t fall for this BS.

Here’s yet another example of the malicious “Pottery Barn” emails, this one with the subject line “Stunning Photos From 50 Miles Away With Your Phone.”  But the links in this email point to a website called behaviourcollection[.]com (“behaviour” “collection”)  And just like the malicious email above, “Behaviour Collection” contains a redirect that will send you to DisabilityComment[.]com.  What is it with the 2 word combinations?  DisabilityComment gets a “suspicious” rating from Zulu URL Risk Analyzer.  We can guarantee that it is 100% malicious.

Just delete.

[hr_invisible]

[hr_invisible]

TOP STORY:  From Hell

Do you ever get emails from friends, relatives or acquaintances that contain little more than a “Hi” followed by a link?  And typically, the names of these folks are not accompanied by the email address you thought they had? We call this “From Hell.”  Like this bunch of emails sent to Doug from friends, colleagues, acquaintances and relatives. These poured into his email account over the course of 2 days…

It turns out that every one of these emails actually came from an email server in Japan.  (“.jp” = 2-letter country code for Japan) Mousing-over a person’s name revealed the email address.  “OCN.NE.JP” shows that these emails are coming from “Open Computer Network” the largest Internet service provider in Japan.

So what’s going on here?  Are all of Doug’s friends and acquaintances coincidentally visiting Japan?  Every one of those names is someone whose email account was hacked and, among other damages, had his/her contact list stolen.  The thieves send out emails with malicious links to target the contact list with malware and the hope of infecting computers. We call this “From Hell” because these malicious emails come from hell and will continue for years, as long as we have our email addresses.   Below are the misused email addresses from Japan used by the hackers for this group of malicious emails.  Next week or month the emails will come from a different email server somewhere in the world. The only thing that will remain constant will be that they contain a malicious link and they will include the names of people Doug knows.