July 29, 2015

THE WEEK IN REVIEW

Below are just a few of the many subject lines and “From” email addresses that our readers are used to seeing. We hope you’ll groan and roll your eyes at these as well. However, we would like to focus on one email address that actually appears to be legitimate and show you what’s behind the curtain for…

GreatAutoSpecials@drive.bestautosavings.us

We can imagine that a web domain named bestautosavings.us might really be informing us about “great auto specials” in the United States (.us). Wouldn’t you agree? (Though the domain is bestautosavings.us, the “drive” portion of the address is called a subdomain because it appears before the domain and is separated from the domain by a period.) However, look at what we learned by using a WHOIS service to find out who owns this domain…

  1. The domain was registered with domain-reseller Enom, Inc. on the day the email came out, July 24.
  2. The domain was registered to a “bober wants” in a California city named “fhsdfgsdfg” on a street called “34 fr.”
  3. The zip code listed with Enom, Inc. is 05424. According to the United States Postal service, that zip code doesn’t exist.

Why is anyone allowed to register a web domain with easily verifiable fraudulent information? The answer is that domain name resellers such as Enom routinely accept bogus registrants because they make a lot of money doing it and are not held accountable. By our estimate, Enom is one of the worst offenders for registering domains used by criminals. While Enom earns a buck, the rest of us are put at risk. You may wonder who is supposed to be the watchdog governing the Internet’s domain naming system and protecting netizens of the world. It is the non-profit organization ICANN, the Internet Corporation for Assigned Names and Numbers. But ICANN has demonstrated over and over that it doesn’t care about the world’s Internet users. (The President and Chief Executive Officer of ICANN, Fadi Chehadé, reported a salary of more than $842,000 in 2013. No doubt this helps him assuage the guilt he must feel for the pain ICANN causes by its unwillingness to police its domain name sellers and resellers.)

Sample Subject Lines

A 10 second trick lowers high blood suger ??

Automated earning online

Find an affordable water—delivery—service, now

Get tasty healthy snacks delivered to your door!

Herpes is no longer incurable – You can eradicate it in only 2 weeks

How older women are losing weight

LED Flashlight Deal, 75% off expires July 25, 2015

NBC News Release: 4 Terrifying Things Happen Right Before YOUR Heart Attack

Printer Ink Sale up to 85% off

See pricing and reviews on top security cameras!

Sample “From” Email Addresses

FordSummerBlowOut@sitago.xyz

GarageProtection@divisibleproceeded.party

GreatAutoSpecials@drive.bestautosavings.us

HeadacheRelief@courthervelum.party

MarvinJulyWindowSpecials@onerst.xyz

Private_Yahct_Rental@communitiabeform.party

SaveOnPower@afterelectricitysavings.xyz

SavewithToiletPaperCoupons@thrumportan.party

TruckClearance@nevdgero.science

VOIPBusinessService@underurbance.party

Phish NETS: PayPal Again But with a Twist!

Last week we reported on a nearly identical PayPal phishing scam that was also using a shortened URL to redirect potential victims. Check out last week’s newsletter! However, this week we’ll show you how to unshorten a bit.ly link to learn where it points to before you risk clicking it…

Though this email appears very legitimately crafted from PayPal, with the subject line “your account has been limited until we hear from you,” it is an easy scam to expose. The email was sent from hostingmantra.com, not paypal.com. A mouse-over of the link “Log In Now” reveals that it points to the shortened URL “bit.ly/1Dv9MLX.” Not every shortened URL can be deciphered, but many can be using special tools online. Check out our article Shortened URLs, what are they and why should I care? We used the tool “UnShorten.it” to show that this bit.ly link actually forwards the web visitor to the address:

paypal.com-mpp.science/webapps/e94ff/home

What was surprising to see was that the link was listed as “https” instead of “http.” The “s” indicates a secure website. These https websites have to be heavily vetted and prove themselves worthy to get such a secure designation and 128-bit (or higher) encrypted protocol. It turns out, though, that the “s” was reported as “invalid” by two online tools we checked. But the visitor will see an exact replica of the legitimate PayPal.com website, complete with high resolution video under the welcome message just like the real PayPal site.

Don’t be fooled by this replica. The email, its link, and the domain paypal.com-mpp.science are as phony as a $3 bill.

Just delete!
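The subdomain point made in the week in review (the “drive” in drive.bestautosavings.us) and the paypal.com-mpp.science trick above come down to the same check: which part of a host name is the registered domain? The following is an added example written for this issue, not code from the newsletter or from any tool it names. It assumes a constructed brand watch-list and the simplification that the registered domain is the last two labels (true for .com, .us, .science and .link; not for suffixes such as co.uk).

```python
from urllib.parse import urlsplit

# Constructed watch-list of brands impersonated in this week's samples (assumption).
BRANDS = ("paypal", "groupon", "riteaid")


def host_of(value):
    """Return the lowercase host of an email address or of a URL (scheme optional)."""
    value = value.strip().lower()
    if "@" in value and "/" not in value:
        return value.rsplit("@", 1)[1]          # sender address -> its domain part
    if "://" not in value:
        value = "http://" + value               # bare "host/path" as seen in the mail
    return urlsplit(value).hostname or ""


def split_domain(host):
    """Split a host into (subdomain, registered domain).

    Simplification: the registered domain is the last two labels. Everything
    before it is a subdomain the domain owner can name however they like.
    """
    labels = host.split(".")
    if len(labels) < 2:
        return "", host
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def assess(value):
    """Describe where a brand name sits in the host, if anywhere.

    A brand in the subdomain (paypal.com-mpp.science) proves nothing: WHOIS
    data and the TLS certificate belong to the registered domain only, and
    https just means the connection is encrypted, not that the site is genuine.
    """
    host = host_of(value)
    sub, reg = split_domain(host)
    hits = [b for b in BRANDS if b in host]
    lookalike = any(b != reg.split(".")[0] for b in hits)
    return {"host": host, "subdomain": sub, "registrable": reg,
            "brands": hits, "lookalike": lookalike}


if __name__ == "__main__":
    for sample in ("GreatAutoSpecials@drive.bestautosavings.us",
                   "paypal.com-mpp.science/webapps/e94ff/home",
                   "https://www.paypal.com/signin"):
        print(assess(sample))
```

Run as-is it prints the assessment for the two addresses from this issue beside the real PayPal host, so the difference between “paypal” in a subdomain and “paypal” as the registered domain is visible side by side.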

[Screenshot: PayPal phishing login webpage]

YOUR MONEY: Groupon and Rite Aid Gift Cards

These two gift cards for $50 for Groupon and Rite Aid were clearly created by the same criminal group. Notice that both…

  1. Say they have to be redeemed on the day the email was sent, July 22. (Hurry up and take advantage of this offer before it expires!)
  2. Were sent from email addresses that end in two domains with names constructed from 5 random letters followed by “dot-link.”
  3. Contain the same identical address at the bottom for opting-out of these promotions. (NEVER click these opt-out links! Doing so is like putting a sign on your middle-school-self’s back that says KICK ME. Read our article Unsubscribe me…NOT!)
  4. Contain hidden white text at the bottom of the email meant to fool anti-spam filters. It turns out that the text used by the scammers came from Yelp ratings. (Special thanks go out to a very astute reporter, Brittany at WGBH, for pointing this out to us!)

The Zulu URL Risk Analyzer rates the links in these gift card emails as follows:

Groupon Gift Card site: 100% risk of being malicious

Rite Aid Gift Card site: 85% risk of being malicious

Delete, delete!

[Screenshots: Groupon $50 gift card email and Rite Aid $50 gift card email]

TOP STORY: Gastrological/Medical Studies on Heartburn and Acid Reflux

This week’s top story begins with a group of nearly identical scam emails that were received over the course of 2 days about heartburn and acid reflux. The emails all used several clever tricks to create the illusion of legitimacy to their message:

  1. They refer to the Mayo Clinic or WebMD website in either or both the subject line and “from” email address.
  2. They refer to findings of a gastrological medical or acid reflux study, along with the study number and publication date. (But no link to the actual study, physician or hospital was cited. In other words, no verifiable information was provided.)
  3. They provide a testimonial section from people from all over the world, one per email, whose acid reflux/heartburn improved as a result of taking the measures detailed in the email.
  4. They cite statistics in the email such as “an estimated 74% of the U.S. adult populations have acid reflux.” (Notice the grammatically incorrect “populations.”) NOTE: TDS has no idea if these statistics are accurate or not.

These emails all contain similarly designed links and phrases to encourage a click…

Go here now to relieve acid reflux symptoms in 2 days>

(link to a dot-link domain containing the word heartburn or acid reflux)

This is another wonderful example that anyone can claim anything on the Internet, but that doesn’t make it true no matter how professional the claim may seem, how strong the testimonials from “real people” are, or how many statistics are cited. We take for granted that there exist some reasonable accountability processes and laws in the United States for protecting us against fraud or slander through print media, radio and television. None of these exist across our great world wide web of communication, entertainment and information online. This fact is the single greatest reason why we are so “at risk” to be the next online sucker or target. We all need a healthy dose of skepticism when doing anything on or across the Internet. You already have this skepticism, otherwise you wouldn’t find this newsletter worth reading. We encourage you to share this with others and help them build that same skepticism about life online, especially the young and elderly.

By the way, we need to apply this same dose of skepticism to legitimate business websites, apps and companies who make promises to users that cannot be easily verified. What proof or assurance do you have that we won’t sell your email address to earn a dollar? None other than our personal assurance and reputation. However, users of both AshleyMadison.com and Snapchat learned the hard lesson that even “legitimate” online companies routinely lie to their users. (The AshleyMadison.com website provides an online service to facilitate extra-marital affairs.) For example, Ashley Madison stated that they fully delete a user’s data after the user pays a $19 removal fee. The recent hack of the Ashley Madison servers and the subsequent Christian Science Monitor article revealed that this was a lie. Snapchat’s claim to fame is that their app promised users that photos sent through the Snapchat app will be completely deleted in 3 to 10 seconds from the recipient’s smartphone and the Snapchat servers. Not so, as revealed by a security company in 2013 and reported in this Huffington Post article. By the way, Snapchat was fined by the FTC for “multiple misrepresentations” to the public, as detailed on the FTC website.

We’ll get off our soapbox now and delete, delete, delete.

[Screenshots: five heartburn/acid reflux emails]

FOR YOUR SAFETY: Transfer Overdue Payment and Robbed in the Philippines!

We haven’t seen these two types of scams in nearly a year. The first is a notice that a package has arrived at an airport for you but needs action on your part before it can be released. Of course the package has a very high value or is insured for a large sum of money. Curious yet? Notice the awful grammar and poor sentence structure used in the email. This is nothing more than an advance-fee scam in which the recipient will be required to pay several fees in order to receive his or her non-existent package. But what’s a few hundred dollars when compared to that mythical box worth $2,316,000!

[Screenshot: “Attention - Notice on your package” email]

This second scam was popularized a few years ago as “mugged in London” and people often fell for it because the email/contact they received actually came from a real friend’s account. Of course that account had been hacked and it was a scammer contacting friends and family for “help.” We reported on it in the past including this post in our scam collection:

http://www.thedailyscam.com/scam-collection/ive-been-mugged/

The scam has now morphed into being robbed in Manila, Philippines. Please send money! If you see junk like this, please don’t email your friend that his or her account has been hacked. The hacker can just delete the email! Call instead.

[Screenshot: “Robbed in Manila” email]

ON THE LIGHTER SIDE:

Like most people we’re always keeping our eyes open for some extra way to earn a dollar. Fortunately AOL understands our need and has offered us “THE JOB.” We have no idea what that job is but we’re sure that Jason Stark will let us know shortly! Please send us your congratulations to youguysrock@thedailyscam.com.

Until next week, surf safely!