
July 31, 2019

THE WEEK IN REVIEW

In May 2018 we first published an article about love scams targeting women, called “I Love You, Send Me Money.” It has been updated several times, as more women have shared their stories with us. Very recently, a 58-year-old woman shared the details of another love scam with us and we’ve published a new article titled “I Love You, Bail Me Out of Jail!” The scam artist in our newest article was VERY clever and skilled at using software to manipulate both PDFs and photographs! But we saw through his BS and uncovered his lies! Check it out!

Could there possibly be a “Scammer University?” Where do fraudsters learn the tips and tricks of their malicious trade? Take, for example, the simple but remarkably consistent technique used by Nigerian 419 scammers (and other con artists) when they first contact a potential victim. They will use one email address in the first contact but then arrange a reply through another, different email address for continued conversation. We see this over and over! We think it must be a technique to help protect the criminals by making it harder for law enforcement to track their crimes. Here are two examples…

In this example, a scammer pretending to be Mrs. Widad Omer contacts us through the email account “sellchemicalsdelealers “@” gmail.com.” (“delealers” = “dealers”? A spelling error?) But the embedded “reply-to” address that our email will be automatically directed to is actually “w.b.omer01 “@” gmail.com.” And she asks us to use this other email address.


In our second example, “Mr. John Marthins” contacts us through “ccasals “@” vtr.net” about our $3.5 million check but asks us to reply to Mr. Chidike using the email address “ccchenry2323 “@” gmail.com.”



Phish NETS: Netflix Account and Amazon

One of our loyal readers sent us this very lame Netflix phish!  The cybercriminals who created it made some funny mistakes. First of all, they sent it to more than 100 users with Apple iCloud email accounts at “me.com” in alphabetical order.  They started with usernames that began with “dan.” We believe these cybercriminals are not Americans because they’ve used the UK English way of spelling “canceled” (with 1 L; as opposed to the American spelling “cancelled”) and they accidentally wrote the word “payment” in French: Paiement.  In any case, they can’t “resolve your payment issue and your subscription was canceled.” And so we’re supposed to click that shortened “t.co” link which will redirect us to a website called FozzyHost[.]com.  FozzyHost has already been identified as a phishing site by PhishTank.com!  Waiting for us on FozzyHost is a Netflix look-alike login page!

Deeeeleeeete!  

NOTE: If you look carefully at the screenshot, just above the link that appears at the bottom, you’ll see a small visible square. This is a tracking graphic called a “clear gif” (or Web beacon). However, they forgot to make it invisible! Web beacons can inform the sender of an email that you’ve opened the email, when, and how many times. And you think you have privacy??

 

Uh-oh!  Amazon can’t verify your billing information and is asking you to verify it or your account will be suspended.  Except that this email didn’t come from Amazon. It came from Burungus[.]com, a domain that was registered anonymously just 2 months ago in Canada.  And that link that looks like “support.amazon.com” actually points to a domain “mysp[.]ac” that has been identified as a phishing site more than 2000 times by the AI site called CheckPhish.AI.  And one more thing, there’s malware waiting on that phishing site for you too. (See below)

OUCH!

YOUR MONEY:  Get $150 Credit and Smart Robot Vacuum

Another longtime TDS reader sent us a suspicious email newsletter a couple of weeks ago from the domain panictop[.]com.  Though this name seemed like a bizarre choice for the topic it covered, none of our tools could find anything suspicious or malicious about it.  And a WHOIS lookup shows that it was registered nearly a year ago in August, 2018.  But a week ago, our friend sent us yet another email she received from PanicTop and this time we really smelled a rat.  “Hey, [NAME REDACTED], You may get a $150 Credit to your account…” says this email from “Chase.” We had no problem finding several different payment services online named for Echelon, spelled with an “e” in the middle!  The Better Business Bureau informs us that this is a former legitimate payment processing service that is no longer in business. (Echelon Financial, LLC.)  However, the link to PanicTop contains a redirect that will forward you to a malicious mimic at the domain Echilon, with an “i” instead of an e.  The specific web page in the redirect is titled “14 Best Cash Back Credit Card Reviews Comparison.”  But don’t think for a moment that this is legitimate! Echilon[.]com has been blacklisted by several security services.  In what country would you guess the cybercriminals registered this malicious mimic Echilon[.]com?  India! (See the screenshot below.) Don’t panic on top of it all, just lunge for the delete key!


Common, everyday machines are being built with more and more artificial intelligence (AI). Perhaps they will take over the world one day, like science fiction movies have shown. We got this email from Jacky Luo of szebo[.]com offering us the latest “Smart Robot Vacuum” built in China. However, an email from China to us means that we immediately go into “Defcon 3.” Cautiously, we moused over the link Jacky provided to her website and saw that it isn’t szebo! It points to an Italian-named website, “foto magazzino” (meaning “photo warehouse”), that was registered in China and is being hosted in Hong Kong. You’ll be injected with malware before they redirect you on to szebo[.]com. Now we’re at Defcon 1 and hitting the delete key.

TOP STORY: What “Sounds Official” But Isn’t?

One of the ways in which people are tricked into believing something that isn’t true is when the sender builds his or her credibility by “sounding official.”  Scammers use all types of tips and tricks to do this and below are just two small ways in which they try.

This first email was sent to a school last week on July 28 with the subject line “Domain Notification for [NAME REDACTED].school : This is your Final Notice of Domain Listing.” In fact, the school does own the domain about which they were contacted, and domains have to be registered every year or every few years, depending on your payment schedule. As domain leases come due, the domain services send out reminders to renew them. So any domain owner knows that getting an email like this is not unusual. Notice that this one does say “This letter is to inform you that it’s time to send in your registration.” At a glance, one might think this is a reminder to renew a domain registration because it is about to expire. With this in mind, read the notification carefully…

The email states that it is a “notification for your business Domain name search engine registration.” Search engine registration? Businesses (and schools) have to register with search engines? And then it says that “failure to complete your Domain name search engine registration… …may result in cancellation of this offer…” And in the final paragraph, as if to sound “official,” it says “…this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.”

Were a business, or a school in this case, not very tech savvy, they might fall for this “official sounding” malarkey. But it is all just a clever ploy to sell the recipient a service that is, at best, questionable. It may also be a credit card scam because the sender’s domain, slabchapter[.]xyz, was registered just 5 days before this email was sent AND the domain is being hosted in Warsaw, Poland. Check out what we found at the end of the link they provided (we inserted the name “scammer.school.”) Supposing for a moment that you were actually interested in this service: who are they and what is their expertise? We don’t recognize the business domain “ar10medya[.]com” at all. Perhaps it is because it was registered in Turkey and hosted on a web server in Denizli, a city in southwest Turkey. Look at the screenshot below. Can you even find the name of this business or contact information listed? Considering the short existence of the sender’s domain, the 2 domains involved, and their registration information, we don’t think this is a real business at all! But the email sure sounded official by using real information about the school’s domain and official-sounding language. By the way, the school double-checked their domain expiration date to see if it was about to expire on July 29 as the email suggested. The school domain doesn’t expire until April of 2020. Lies and deceit.

Many of us are used to getting questionable marketing ploys, legitimate or outright fraudulent. For example, many of us get official-looking letters in the mail saying that our “automobile warranty” is about to expire but can be extended. Or that our life insurance policy needs to be renewed. Even some of these “legitimate” services are advertised using somewhat deceptive language. But what about official sounding email addresses? Cybercriminals often use this trick to add the appearance of an “office” or official standing. We have previously pointed out the misuse of email addresses from “consultant.com” by Nigerian 419 scammers, like this one…

Anyone can set up an email address ending with “@consultant.com.”  But that’s not all! At Mail.com, a German Internet company, anyone can sign up to get official sounding email addresses from about 200 domain names, including:

  YourName@engineer.com

  YourName@dr.com

  YourName@accountant.com

  YourName@alumnidirector.com

  YourName@pediatrician.com

  YourName@job4you.com

What makes this most troubling is the fact that cybercriminals often use these free email services and select official sounding names when they target victims.  We have most frequently seen criminals pretend to be lawyers/attorneys, accountants, and Human Resource officers interviewing for fake jobs. Their email address helps make their scam sound more plausible.  So the next time you get an email that sounds official, and has an email address that “looks” official, don’t assume that it IS OFFICIAL! Read it carefully and check on the domain names used in the email addresses with a WHOIS lookup!  If they are listed on Mail.com or were registered very recently, there is good reason to be suspicious!
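Two of the warning signs this issue describes can be checked mechanically from an email's headers: the 419 trick of a Reply-To that differs from the From address, and a sender domain that is either a free Mail.com "official sounding" alias or registered only days ago. The triage below is an added example, not The Daily Scam's own tooling; the header sets are constructed from the emails described above, the Mail.com list holds only the domains this page names, and the WHOIS creation dates are constructed from the article's descriptions rather than fetched.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Free "official sounding" domains named in the article (Mail.com offers
# about 200; only the ones this page lists appear here).
FREE_OFFICIAL_DOMAINS = {"consultant.com", "engineer.com", "dr.com",
                         "accountant.com", "alumnidirector.com",
                         "pediatrician.com", "job4you.com"}

# Constructed WHOIS creation dates from the article's descriptions:
# slabchapter[.]xyz was 5 days old on July 28, 2019; panictop[.]com dates
# from August 2018 (day assumed). Real use would query WHOIS instead.
WHOIS_CREATED = {"slabchapter.xyz": date(2019, 7, 23),
                 "panictop.com": date(2018, 8, 1)}

def triage(raw_headers, today, max_age_days=90):
    """Warnings for one message: Reply-To differing from From, a free
    official-sounding sender domain, or a sender domain younger than
    max_age_days on `today`."""
    msg = message_from_string(raw_headers)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    warnings = []
    # Compare whole addresses, not domains: both 419 samples stay on gmail.com.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")
    if from_dom in FREE_OFFICIAL_DOMAINS:
        warnings.append(f"free official-sounding domain: {from_dom}")
    created = WHOIS_CREATED.get(from_dom)
    if created is not None and (today - created).days <= max_age_days:
        warnings.append(f"domain {from_dom} is {(today - created).days} days old")
    return warnings

# Constructed header sets modelled on the emails the article describes.
SAMPLES = {
    "omer": ('From: "Mrs. Widad Omer" <sellchemicalsdelealers@gmail.com>\n'
             "Reply-To: w.b.omer01@gmail.com\n\n"),
    "marthins": ('From: "Mr. John Marthins" <ccasals@vtr.net>\n'
                 "Reply-To: ccchenry2323@gmail.com\n\n"),
    "notice": "From: Domain Listing <notice@slabchapter.xyz>\n\n",
    "panictop": "From: Chase <news@panictop.com>\n\n",
    "lawyer": "From: Barrister <barrister@consultant.com>\n\n",
}

def triage_samples(today=date(2019, 7, 28)):
    """Run triage over every constructed sample; returns {name: warnings}."""
    return {name: triage(hdrs, today) for name, hdrs in SAMPLES.items()}
```

The panictop sample comes back clean on the age check alone, which matches the article's point that a year-old domain can still carry a malicious redirect; the age test is a prompt to look closer, not a verdict.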

FOR YOUR SAFETY: Malicious Link from a Friend

Salutations from Brazil! Please click my link to malware on a server in Pakistan!  Find the 2-letter country codes in this malicious email below.


Until next week, surf safely!