June 19, 2019

THE WEEK IN REVIEW

Have you heard the expression “drinking from a firehose?”  That’s what the last week and a half has felt like to us!  We’ve been contacted by so many people about different kinds of scams and shady marketing practices that it has felt like a deluge and we can’t keep up!  With many, we started to crawl down a rabbit hole only to discover a deep and dark chasm with no end. As a result of what readers have shared with us, we have updated the following articles in the last week…

Job Interviews in Google Hangouts

Apple Tech Support Scams

Scams Targeting Tutors

Craigslist Rental Scams

You Won a Car or $25K!

Car Wrap Scams on the rise


In addition, we’re still investigating rabbit holes related to supplemental “health care” products for your brain (see our Your Money column below!), shipping job scams (also called “procurement specialist” scams), more questionable practices surrounding the purchase of skin care products, and an online “shoe sales” business that appears to be a complete sham.  We’ll keep you posted as we publish our explorations in the coming weeks.

Recently we wrote about the common topics used by cybercriminals to manipulate our clicking behavior.  Both CBD oil and weight loss products are very high on this list! Below are several of these recent emails that fell into our inbox.  You can also see two malicious emails sent from the hacked accounts of people we know; both contain dangerous links to malware.


On another note, we recently read an article about a new criminal practice to defraud consumers with recurring charges of just $2 a month.  But apparently an odd set of circumstances between banks and credit card companies made it impossibly hard to turn off these recurring fraudulent charges!  To read more, visit:

https://www.inquirer.com/business/google-storage-credit-card-fraud-capital-one-visa-account-updater-20190613.html


Phish NETS: Capital One Credit Card, Apple Account, and Apple ID locked

A TDS reader sent us this first phish, made to look like it represents Capital One Credit Card.  Unfortunately, we were unable to see where that “Click here to proceed” link pointed, but this clearly didn’t come from Capital One!  The email came from the domain appdigusers[.]com, which is blacklisted by Norton Safe Web.  There are spelling and grammatical errors and the English is extremely awkward.  Plus, banks and credit card companies don’t send notifications like this.

Drop-kick this bad boy.

“[IMPORTANT] Your account has been temporarily disabled, verify your account now!” says this next email sent from the domain dgsdgfa[.]com.  Now there’s a domain name that rolls off the tongue!  The TDS reader who sent this to us was meant to think that someone had fraudulently tried to log into her Apple account from Australia, causing the account to be disabled.  She was asked to “Signin Now” to verify who she was and that she owned the account. Yeah, right. The link pointed to a link-shortening service called Capsulink. However, they either detected the fraud or someone quickly reported it because they took the offending scam page down pretty quickly.

A ray of sunshine in a dark cloud!

Once again, Apple account holders are being targeted.  This time the email came from an interesting domain called “jessievainikka[.]me” which was registered just a month ago.  The email, of course, contains awkward English, etc., etc.  The link in this email may look like it points to AppleID.apple.com but a mouse-over reveals the truth.  It points to a shortened link through LinkedIn. It appears to have redirected to a legitimate but hacked website called “davdev9[.]com” but LinkedIn also shut this down quickly.

YOUR MONEY:  Unlock Your Brain Power

At the start of our newsletter we mentioned several different scammy, spammy and smelly things we’re investigating.  One of these took us down a deep dark trail into the health supplements industry. This industry is unregulated by the FDA in the United States and is littered with outrageous claims and absolute fraud.  We wanted to give you the tip of the iceberg via this email that came into one of our honeypot accounts. “Triple Your Brain Power Instantly With This 1 Trick” says the subject line of an email that came from Nora.Yefimova6852 “@” welcomeglamour[.]info through the legitimate, but misused, marketing service called CleverReach.  We’ve written about the misuse of CleverReach to send malicious content at least three times since early April, 2019. There are two critical issues raised by this email. The first supposes that this is a legitimate marketing campaign for a real health supplement to improve brain function… Does it really work and is it OK to take?  The second, and more immediate, issue is whether this link is safe to click or is malicious clickbait. Let’s focus for a moment on this second question…

Though the Zulu URL Risk Analyzer told us the link appeared to be safe, it also said that the website it pointed to had a redirect that forwards visitors to another website called BuyMindHack[.]com, which is being hosted in Ireland.  That’s valuable information because now we at least have an idea that the product this claims to represent is very likely “Mind Hack.”  A quick search using Google reveals a supplemental product called Mind Hack Pills. This product is even listed on Amazon (as of 6/15/19) and the manufacturer/seller is a firm called EvoHack Nutraceuticals.  (However, before you think about purchasing that product you should read the feature article we’re working on and will publish some time this summer!)

So what does any of this have to do with Welcomeglamour[.]info and the person who first sent this email advertisement?  We wondered about that and did a simple WHOIS lookup of the domain to discover some interesting tidbits…

  1. This domain was registered just 6 months ago.
  2. This domain was registered in India, though it is hosted in Canada.

And, according to Google, the name “Nora Yefimova” is easily identified as a Russian name.  None of this information bears any connection to EvoHack Nutraceuticals, the seller on Amazon’s website.  By the way, EvoHack Nutraceuticals has only been selling on Amazon since 2018, according to SellerRatings.com.  It has been extremely difficult to find any verifiable and legitimate information about any of these websites, or any addresses or phone numbers for the businesses behind them.  Every direction we turn either leads to dead ends, such as proxy services, or links to shady and questionable web pages in various countries or blogspot posts. Does any of this information inspire confidence in the companies or in this product?  A quick dip into this pool and we couldn’t verify anything at all, but we see deeper, darker water. We’ll keep you posted…

TOP STORY: Down the Rabbit Hole of an Apple Phish

Poor Apple account holders!  They are often targeted by cybercriminals, but lately they seem to be hit the most by phishing scams.  We’ve already documented two different Apple account phishing scams in this week’s newsletter, but here is another one that led us down a more interesting path.  Though the email says it came from “Apple Care,” it is clear that the email came from the domain emaildeliverysystem[.]org.  The criminals who sent this also listed an Apple email address in the TO field to try to add a bit more legitimacy to the appearance of the email.  But this isn’t credible at all. The email says “we sent you an attachment about the problem in your account” and the attachment is a pdf file.  REAL COMPANIES DON’T DO THAT!

Below is the email, followed by the attachment.  In the attachment is a link you are asked to click to verify the payment information in your account.  However, the link points to a domain called “laubeyrietechnology[.]com.”

What made this so interesting to us is that this embedded link in the pdf contained a VERY VISIBLE redirect to a link-shortening service called x.co.  This means that you’ll be redirected again to yet another website. We couldn’t resist! We followed the x.co link to one of the best disguised criminal domains we’ve ever seen!  Our final destination was https://secure[.]appleid[.]account[.]login[.]applecaresupport[.]net (which is being hosted on a server in Great Britain).  The criminals purchased the domain APPLECARESUPPORT[.]net about 3 weeks earlier through a privacy proxy service in Canada.  Then they created four official-sounding subdomain labels in front of that domain: secure, appleid, account, and login. We’ve seen the real APPLE.COM use various subdomains such as support.apple.com, so this criminal strategy was very clever! The part that matters is the registered domain at the right-hand end of the hostname; everything to the left of it is whatever the domain’s owner wants it to be.
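To show the difference between the borrowed labels on the left and the registered domain on the right, here is an added example (not part of the original newsletter) that refangs a defanged URL, splits off the registrable domain, and flags hostnames that carry brand words but are not registered to that brand. The brand list, the legitimate-domain list and the short suffix table are assumptions for this example; a real checker would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed for this example: brand words a lure might borrow, and the
# domains the brand actually owns (only a subset; an assumption).
BRANDS = ("apple", "icloud")
LEGIT_DOMAINS = {"apple.com", "icloud.com"}

# Stand-in for the Public Suffix List: registry suffixes made of two labels.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(url: str) -> str:
    """Turn a defanged URL like 'https :// secure[.]example[.]net' back into a parseable one."""
    return url.replace(" ", "").replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url: str) -> dict:
    """Flag a hostname that uses brand words without being registered to the brand."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is owner-controlled decoration.
    sub = host[: -len(reg)] if reg and host.endswith(reg) else ""
    sub_labels = [l for l in sub.rstrip(".").split(".") if l]
    brand_labels = [l for l in sub_labels if any(b in l for b in BRANDS)]
    brand_in_registered = any(b in reg for b in BRANDS)
    looks_like_brand = bool(brand_labels) or brand_in_registered
    return {
        "host": host,
        "registrable_domain": reg,
        "subdomain_labels": sub_labels,
        "brand_labels_in_subdomain": brand_labels,
        "suspicious": looks_like_brand and reg not in LEGIT_DOMAINS,
    }
```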

Unfortunately, there was more going on with their criminal intentions, and we’re glad that we didn’t just click the link for “Continue” and be driven through their redirects to arrive at the phishing site.  We learned that they also had malware waiting at the first site, laubeyrietechnology[.]com. Apparently, this site has been around for a while hosting malware and infecting computers. When we asked Google about it, we saw many links talking about the adware installed when visiting this website.  Ouch!

Sadly, the Internet is set up in such a way that there are no real consequences for criminals who use it to target us.  There is no “internet police force,” though the Internet is the largest “city” conducting financial transactions and connecting people on the planet!  ICANN is the governing body over registrars (the “name sellers”), where people buy (lease) domain names. ICANN is responsible for creating sensible rules about registering domain names. THEY DO NOTHING to protect citizens around the world.  But they have managed to line their pockets with deep profits by promoting domain names for sale to anyone for any reason… such as “applecaresupport[.]net” to someone who is obviously not Apple.com!

FOR YOUR SAFETY: Instagram Has Exploded!

Considering that Instagram has exploded into a community of more than 110 million people around the world, we figure that many of our readers have Instagram accounts.  We want to raise your awareness of two very different scams that are making the rounds lately on Instagram. The first is simply a version of the “90% off Ray Ban sunglasses” crap that we’ve documented many times in malicious or bogus emails.  Easy to spot, yet people are apparently clicking those links, following the accounts, etc. on Instagram resulting in their accounts being hacked and misused. You can read more about it on Komando.com.

However, the more interesting, and less obvious, scam on Instagram lately is one that is meant to appeal to people’s empathy for others and a desire to help.  It typically begins with the phrase “For every person who follows and shares this on their story…” Here’s an example that continues with “we will provide one meal to starving Sudanese children.”  Yes, there are starving Sudanese children, but it doesn’t mean that the account linked to this Instagram post is a legitimate fundraiser for them! A college student and blogger named Varsha Suresh has written a very good article called “For every person who shares this, we will…” about these scams and how to separate fact from fiction.


And finally, Reddit members are reporting a variation of the “Grandma/Grandpa, it’s me!” phone call scam that tries to trick elderly people into sending money to their “grandson” (i.e. the scammer).  In this variation, the scammer texts people, addressing them by name and identifying him/herself as a relative BY NAME, using information the scammer has found on the Internet. You can read more about this from a recent post by Reddit user Palehag.



Until next week, surf safely!