June 14, 2017

THE WEEK IN REVIEW

In the home of a malicious, criminal Spam King somewhere in Russia, we imagine the following exchange…

Spam King’s Wife: Peter, tomorrow is beach day with grand-kids. Go try on swimsuit I bought you on our honeymoon.

(Peter dutifully tries on swim suit)

Spam King’s Wife: Peter! You look 8 months pregnant!  Dostatochno! [Enough]  You have to lose weight.  Summer is almost here.  Get out and walk or bike or something!

Spam King:  Solnishka, when do I have time to walk or bike? I work all the time!  You like spending my money? I have to work!

Spam King’s Wife: You HAVE to do something! You look like fat pig!  Then go take pill and lose 30 pounds!

Spam King: Take pill?  Take pill…  Solnishka, my love!  What a great idea!  This will be our new campaign!  Everyone looks in mirror this time of year and think “I need to lose weight.”  This is our new campaign!!

And so it is….  For several weeks, we’ve seen a constant heavy stream of malicious spam focused on losing weight.  From diet plans to special pills, these promises of melting away fat are lies and social engineering tricks.  Here is a very short list of just such ridiculous emails.  You’ll love the subject lines!  Important note: Though we joke about a “Spam King,” it is no joke.  There are such individuals and one Russian Spam King was recently arrested and his botnet taken down thanks, in part, to the FBI. (Are you listening, Trump?)  Read how the FBI helped take down Peter Yuryevich Levashov in the article at Wired.com.



Sample Scam Subject Lines:

#1 Weird Trick to Release Anxiety Today

Amazon *special for best device* in the market

Blow Out Sale on Printer Ink. Save up to 85%

Burn FAT Fast, No Diet or Exercise

Do you have a criminal record?

How to restore Any “Battery” on your Own!

It might be too late… (open now)

Killer DRINK Became Number 1 Enemy of Obesity

Lose weight like Nature intented – raw active ingredients

Showtime without a Subscription

SPECIAL PROMO CODE INSIDE

The actual truth behind long-term weight-loss

Your paper towel is poisoning our environment…

 

Sample Scam Email Addresses

1inkSpecial @ meetme.bid

AppleNews @ acidz.us

BingoVIP-Member @ janct.us

FHA-rate.Help @ gunsl.us

Forbes.Investments @ zdone.top

AirDragonCompressor @ saveyourself.bid

Jacob-Vega @ wineweightlossin.us

Mass_Mutual @ confusion.presentedlifeinsurance.us

Modern.Investing @ share.kmime.us

MyTimeshare-Expert @ smilleyface.bid

Remove.SunSpots.Completely @ memory.gnert.us

Renewable.Energy.Tax.Credit @ minro.us

Sci_ed @ vwr-news.com

 


Phish NETS:  Signin for Amazon Promotional Gift and Apple ID Locked

Would you think this next email is really from Amazon about an iPhone promotional gift? “Use your $50 Amazon gift card by Friday” is the subject line, but this is smelly phish for sure! “Thank you for visiting Amazon.com.  Your last iPhone purchase entitles you to a promotional gift” SIGN IN.  But a mouse-over of SIGN IN and the other Amazon links shows that they point to the domain rewardingyous-DOT-com.  You think you’re logging into Amazon?  Think again.  This oddball domain, sounding like a 1950’s Brooklynite addressing a group of people, was registered on June 7, the day the email was sent.

Delete!


This phish is easy to spot if you pay attention to the from address and mouse-over the link “resolve now.”  “For your protection, your Apple ID is automatically locked.”  Horse manure!  Don’t be fooled by seeing the secure link (httpS) in the mouse-over.  That’s just a secure shortening service used by the criminals who crafted this phish.  We unshortened it using Urlex.org.  The link points to apple-id.case-accounts-DOT-com.  In this link “apple-id” is a sub-domain.  Sub-domains can say anything one wants.  Focus on what appears immediately in front of “.com” separated by a period from the sub-domain and you’ll see case-accounts.  This domain was registered on June 9 using a privacy proxy service in Ontario, Canada.

Now delete!
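For readers who triage links in bulk, here is the reading rule from the Apple ID phish above written as code. It is an added example, not part of the original newsletter, and it goes beyond “.com” to cover two-part endings such as “.co.uk”, links that hide the real host behind an “@”, and bare IP addresses. The function names and the short suffix list are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny sample of multi-label public suffixes.
# Real tooling should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def refang(text):
    """Undo the '-DOT-' defanging used on this page so the host can be parsed."""
    return text.replace("-DOT-", ".")


def registrable_domain(url):
    """Return the name the link really belongs to: the label immediately
    in front of the public suffix, plus that suffix."""
    # urlsplit() drops any 'user@' prefix, so 'https://apple.com@host/' yields 'host'.
    host = (urlsplit(refang(url)).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host  # bare IP address: there is no domain name to reduce
    except ValueError:
        pass
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def check_link(expected_domain, href):
    """Compare the brand the email claims with where the link really goes."""
    actual = registrable_domain(href)
    return ("ok" if actual == expected_domain else "MISMATCH", actual)


# Hosts in the first two rows are the ones named on this page (kept defanged);
# the paths and the remaining rows are constructed for illustration.
SAMPLES = [
    ("apple.com", "https://apple-id.case-accounts-DOT-com/"),
    ("amazon.com", "http://rewardingyous-DOT-com/"),
    ("apple.com", "https://appleid.apple.com/"),
    ("apple.com", "https://apple.com@login.example.co.uk/"),
]

if __name__ == "__main__":
    for expected, href in SAMPLES:
        verdict, actual = check_link(expected, href)
        print(f"{verdict:8}  claims {expected:10}  goes to {actual}")
```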


YOUR MONEY:  Free Sample Offer, Magic of African Safari and Digitize Home Movies

“ATTENTION you have been selected for a Free Sample Offer!” says an email sent from Peru (.pe = country code for Peru).  The sender goes on to say that it was a friend of yours who anonymously sent the email.  Right, and we have land to sell you in Atlantis. The link for “Follow the URL to read more information…” points to a hacked website for a clothing store in Peru that specializes in “Amahra Wool.”


We would love to take an African safari!  We’ve talked about it for years.  But this isn’t the way to go about it.  The email came from Insider_Travel_Deals @ agleg.us with the subject line “Experience the magic of an African Safari (Save up to 70% today).”  Notice the urgency to engineer your clicking behavior.  Google can’t find any website at agleg.us and that’s because the domain was registered the day this email was sent by a “Bary Mifflin” from Trondheim, Norway.  The site is hosted in England.  Does any of this sound like Dunhill Travel Deals in Fort Lauderdale, Florida, whom they claim to represent?


We’ve seen these bogus emails before that pretend to represent the website iMemories.com in Scottsdale, Arizona.  But all the links in this scam email point to a sub-domain on the website forumdirectory.net, a website registered to a man from Bucharest, Romania.  However, we absolutely loved that photo of Dean Martin!

Now delete.

 


TOP STORY: Get Leaked Snaps – Sketchy at Best!

There is a very suspicious game afoot targeting users of Snapchat and we’re not quite sure what it is.  However, we wanted to bring this to everyone’s attention since Snapchat is so popular.  This story actually came to us from a teen asking if the website GetLeakedSnaps-DOT-com was legitimate.  He reported to us that after he entered a username the site asked him to download an app and use it for thirty seconds.  This sounds like classic social engineering for malware installation to us.  We started to do some digging beginning with this screenshot pulled up by ScreenshotMachine.com.  After using several tools to be certain that malware wasn’t waiting for us when we arrived, we also visited the top page of the website.  We found several enticing photos of scantily clad young women, suggesting that the site would give you access to these types of leaked snaps…

 


Before we continue, let’s be very clear about Snapchat, a company that has made many millions of dollars primarily by telling its users they can send photos to friends via smartphones and these photos will self-delete in ten seconds or less, based on the sender’s preferences.  It was all a lie and ultimately the FTC fined Snapchat millions of dollars.  Here are links to two articles about this sham privacy pitch:

Government Tells Snapchat to Stop Lying  About Photos Disappearing (Forbes.com, May, 2014)

Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False (FTC.gov, May, 2014)

“Online privacy” is an oxymoron.  Tens of thousands of Snaps have been hacked and exposed from Snapchat servers.  They were made available on the Internet.  As of this month, there are at least 7 apps that automatically capture snaps the moment they are opened on a smartphone, and without informing the sender.  And all those “deleted” snaps are still sitting on users’ smartphones and are simply disguised and hidden from view.  But we digress….

Could getleakedsnaps-DOT-com actually have, and provide, any leaked snaps that users have sent while thinking they will be deleted in 10 seconds or less?  The domain getleakedsnaps-DOT-com was registered on May 21, using a WHOIS privacy service in Panama.  That new registration through Panama is enough for us to be suspicious about this site.  We visited the site and arbitrarily entered the usernames ssmith and amiller.  In both instances we received the response “Tap ‘OK’ and verify to search the database” and we did.  This is what came up next…


We had a good feeling where this was leading and we stopped here.  Most likely these offers would ask us for a whole lot of personal information that we were not willing to give, and would take us to a variety of websites.  So ultimately, we cannot say whether or not this site actually delivers leaked snaps, is malicious, or a clever marketing pitch.  However, we do have more information about this suspicious and clever pitch to attract people to possible leaked snaps.  We also found two more recently registered domains with active websites allegedly offering leaked snaps.  They are:

Snapleak-DOT-online  Registered April 19, 2016 (and updated on March 11, 2017)

Snapleaks-DOT-wiki Registered March 5, 2017

Both of these sites were registered through the Panamanian privacy service and are hosted in Amsterdam, Holland.  They contain the same exact top page as getleakedsnaps-DOT-com you see above, all suggesting they were created by the same owner.  These tactics are similar to scam tactics we’ve seen many times before to socially engineer clicking behavior, drive traffic and collect personal information.  We cannot say for certain that is what is going on with these three sites but we are very suspicious. Here’s another example of the very suspicious nature of these sites.  A user named “SnapChatHack” posted this completely inappropriate message on the MIT website supporting the children’s programming language called Scratch. (We’ve informed MIT.)  In the instructions field, the user posted 48 strings of words to attract search engines that are asked about leaked snaps, including “leaked gay snaps,” “leaked snaps hot,” and “leaked snaps dirty.”


The more we dig into this story, the worse it feels.  Our assessment is clear…. TDS DOES NOT recommend using these websites that claim to give access to stolen/leaked Snapchat snaps!

If any of our readers have already used these sites and have more information to update or clarify this story, please contact us at snapleakstory@thedailyscam.com


FOR YOUR SAFETY:  Google Doc from Accounting, Messages from .EDU’s

Imagine getting a notice from “accounting@YOURDOMAIN” with the message “accounting@YOURDOMAIN has sent you a document through Google Docs” and the button to View Document.  We moused-over that button to see that it points to the hacked website pamthelandgal-DOT-com, not Google.  A search of this hacked domain turns up a link to an analysis about malware on Malware-Traffic-Analysis.net.  This can’t be good, people.

A big fat deleeeeeet!


Getting an email from a DOT-edu carries some legitimacy.  It came from a college or university (or other educational institution that was grandfathered into the ICANN rules that were established in 1998).  This seemingly legitimate nature of .edu is why criminals often like to send malicious emails from this top-level domain.  Here are two such examples….

The first is an email that appears to come from a copier at an educational institution and targets people at that same institution.  However, the attached zip file contains malware.


This next one is just another plain vanilla Nigerian 419 scam.



ON THE LIGHTER SIDE:   Yahoo Notification Letter

Last week we received notice from the “Yahoo! AOL & Gmail Award Promotion Center!”  You guessed it!  We won bigly!  Here are the opening paragraphs from this lovely surprise…

This is to inform you that you have won prize money of Eight Hundred and Twenty Thousand United State Dollars, ($820, 000.00) on our ongoing Monthly 2017 prize promotion, which was organized by YAHOO, AOL & GMAIL AWARDS.

Yahoo, Aol & Gmail collects all email addresses of the people that are active online, among the millions that subscribed to Yahoo, Aol & Gmail and few from other E-mail Providers. Five people are selected this month to benefit from this promotion and you are one of the lucky Selected Winners.

And it came to us in the simplest of emails.  We’ve attached the entire letter as a pdf for your reading pleasure.



Until next week, surf safely!