THE WEEK IN REVIEW
We want to remind readers that criminals frequently create scandals and fake disgraceful news to entice you to click malicious links. Take these two recent emails… “TV SCANDAL: New leaked audio of Megyn Kelly.” There is a link leading you to believe you can listen to the audio files. According to the Zulu URL Risk Analyzer, there is an 80% chance the link is malicious. The domain used for this email, livetvpips-DOT-com, was registered minutes before the email was sent. And then there is this email verifying “Obama’s final act of revenge against the American people.” “…UNDENIABLE PROOF that Barak Obama was the most corrupt president in US history.” And of course, there is a link to “watch the shocking video here.” The domain linked to this email, fraru.us, was registered to someone in the North African country of Tunisia on the day the email was sent. Those Tunisians know all the inside scoops about our Presidents, don’t they!
Since September 2016 we’ve been reporting on the very scary “underage girl sext” scam. We’ve just released a new article about the latest variation of this scam, which badly scared a 19-year-old. Read Your Worst Nightmare: Sexting a Minor… Or So You Think!
Sample Scam Subject Lines:
Every TV Show and Movie Ever in HD Quality on Your TV for Free
Find your hidden talents and create new opportunities.
Fox News: Stunning Medical Breakthrough – Alzheimer’s Reversal
Power Shocker, It’s Bad, Really Bad
Ray Ban Shades, $9.9 For New Season
Reduce Your Electric-Bill To (Zero) in Hours
The Meaning of 24 Number is Nature
The world’s most realistic flight simulator?
[urgent]Girl hacks lotto to win every time*
You have missed notifications
You Have Received Guaranteed Acceptance on Your Life Policy. (See Details)
Warning: The government plans to get bail-out money from YOU.
World War 2 airplane games
Sample Scam Email Addresses
CampingEssentials @ fampe.us
CBDPainRelief @ factchronicpainrelief.us
energy_savings_notice @ amaze.richhomesolar.us
FathersDayGifts @ reference.lvous.us
Forbes.Editorial @ ebeat.us
Huffington.Health @ triumph.ureversedementiaeach.us
IRS.Solar.Credit @ white.solarpowerpassed.us
LearnPhotoEditing @ phottoss.bid
live_scandals-[YOUR EMAIL] @ livetvpips.com
Nutrisystem_Partner @ gender.gancy.us
Solar.Credit.Extended @ centralsolarenergysave.us
StevenS @ savedhairlosscure.us
Timeshare.Marketplace @ advantage.stillselltimeshareknow.us
Phish NETS: No Phish in the Sea; Let’s Go to India…
This was one of those rare weeks in which we didn’t see a single phish. So we thought we would show our readers two very different malicious emails that share a funny connection to India. It’s this connection that identifies them as being created by the same person and extremely suspicious.
Let’s start with this email using the subject line “Save your marriage from snoring with ASONOR mist!” Though there is such a product, this email isn’t connected to the real product it claims to represent. There are many subtle and not-so-subtle cues in this email that should make a reader suspicious, but focus your attention just underneath the “opt out” message at the very bottom of the email. There you will find a single line of text and a link: “problem in unsub mail to support @ apexpoint.co.in”. Our long-time readers know that 2-letter country codes are critically important to evaluating the legitimacy or source of online content. “.in” is the country code for India. Though we cannot comment on the effectiveness of a spray that claims to stop snoring (…but we roll our eyes at any claim that says it is “revolutionary”), we have to ask ourselves why this email would ask anyone who has trouble “unsub”-ing to contact a service in India.
Some readers may think that we are overzealous, see a threat behind every online/smartphone contact, and need to chill out. After all, to a hammer, all the world looks like a nail. But this is our purpose, to educate fellow Netizens…. Take this next email with the subject line “You’ve gotta check this out… (2 days left)” that came from the domain daillyyofr-DOT-bid. You might immediately notice that the generic top-level domain is the unusual “bid” and similar to the email above. But before checking out this 50% off offer that seems to be from ProFlightSimulator.com, look at the very bottom of the email, below the opt-out line…
Once again, but this time with “problem” misspelled, we find “Problam in unsub mail top [instead of mail to] support @ apexpoint.co.in”. Coincidence? We think not. We used Screenshot Machine to show us a picture of what waits for us at the link for the “stop snoring” email above, and we were shown a picture of a Google look-alike page written in Slavic languages. (See below.) How do you feel about clicking these two links and buying those products now? Yeah, us neither.
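The footer comparison described above can be automated when triaging a mailbox of reported messages. This is an added example, not part of the original newsletter: it pulls contact addresses out of message bodies (including the spaced “user @ domain” form) and reports any address that turns up in mail from two or more unrelated sender domains. The sender domains and message bodies are constructed placeholders; only the two footer lines are taken from the text.

```python
import re
from collections import defaultdict

# Matches "user@domain" and the spaced "user @ domain" form seen in the footers.
ADDR_RE = re.compile(r"([A-Za-z0-9._%+-]+)\s*@\s*([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def contact_addresses(body):
    """Return the normalized set of e-mail addresses mentioned in a body."""
    return {f"{user}@{domain}".lower() for user, domain in ADDR_RE.findall(body)}

def country_code(domain):
    """Return the final label if it is a 2-letter country code, else None."""
    tld = domain.rsplit(".", 1)[-1].lower()
    return tld if len(tld) == 2 and tld.isalpha() else None

def shared_contacts(messages):
    """Map each contact address to the sender domains whose mail carries it,
    keeping only addresses seen under two or more different sender domains."""
    seen = defaultdict(set)
    for msg in messages:
        sender = msg["sender_domain"].lower()
        for addr in contact_addresses(msg["body"]):
            # Ignore an address that simply belongs to the sender's own domain.
            if addr.split("@")[1] != sender:
                seen[addr].add(sender)
    return {a: sorted(d) for a, d in seen.items() if len(d) >= 2}

# Constructed sample messages: sender domains are placeholders; the footer
# lines in the first two bodies are the ones quoted in the text above.
SAMPLES = [
    {"sender_domain": "snore-offer.example",
     "body": "Save your marriage!\nproblem in unsub mail to support @ apexpoint.co.in"},
    {"sender_domain": "flight-deal.example",
     "body": "50% off, 2 days left\nProblam in unsub mail top support @ apexpoint.co.in"},
    {"sender_domain": "newsletter.example",
     "body": "Weekly digest. Questions? help@newsletter.example"},
]

if __name__ == "__main__":
    for addr, domains in shared_contacts(SAMPLES).items():
        cc = country_code(addr.split("@")[1])
        print(f"{addr} (country code: {cc}) appears in mail from {domains}")
```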
YOUR MONEY: Coolest Gifts for Dad, Attention Veterans, New Store Voucher From Costco
It’s also important to remember that criminals often target people with malicious emails that seem tied to holidays and celebrations, such as the recent Father’s Day. Here’s an email with the subject line “Coolest Gifts For Dads.” We’re both dads and we don’t agree with them when they say “The Gift Every Dad Wants” but hey, we’re not every dad. The links in this email point to kind.lsyne-DOT-us/dad-gift. “kind” is a subdomain of the domain lsyne. The Zulu URL Risk Analyzer informs us that this link will forward you to tacticalgadget.com, but after installing malware on your computer. It gave that link a rating of 100% malicious!
“Attention Veterans: Government programs can reduce monthly mortgage payments” Have you served our country? Then PLEASE don’t click this link! Once again, the Zulu URL Risk Analyzer nails this as 100% malicious! This email has nothing to do with VA Benefits.
Fortunately, this poorly created bogus email from wearecostko-DOT-com is not likely to fool too many people. Costko? Seriously? “New store voucher from Costo – Activate here” We couldn’t figure out what the heck “Prin” meant in the clickable link “Prin Reward Here” and decided to throw it into Google Translate to see if anything turned up. It turns out that “prin” means “by” in Romanian. Hmmmm….. And of course the domain wearcostko-DOT-com was registered by someone named Darrell Lemley on the day the email was sent.
TOP STORY: Typos That Hurt: Another Microsoft Tech Support Scam
Very recently we received a call from a friend who sat down at his PC to log into his Gmail account. Typing at the keyboard quickly, and without looking carefully, he clearly entered something other than gmail.google.com. Suddenly his large screen filled with pornographic images and two messages informing him he had been hit with the Zeus virus. He was told to call a Microsoft tech support help line. Fortunately, the messages provided the phone number he was supposed to call.
The messages stated emphatically: “Windows Defender Alert: Zeus Virus Detected on your Computer! Please do NOT SHUT down or reset your computer. The following data will be compromised if you do so:
– Passwords [TDS: NOT TRUE!]
– Browser History [TDS: who cares…]
– Credit Card Information [TDS: NOT TRUE!]
– Local Hard Disk Files [TDS: NOT TRUE!]”
Here’s what really happened. Our friend clearly mistyped something and went to a domain designed to take advantage of a typo. That domain, whatever it was, redirected him to a web page at criticaldefaulterrorx02158-DOT-com (as in “critical default error”). This page pulled in porn images and was designed to fill his screen with them, while adding two popups containing the messages about the Zeus virus. The intent was clear: shock someone into calling the number on the screen for help, even though the easiest way to clear this problem is to force quit the web browser, relaunch it, and clear the browser’s cached files of the nasty popup and redirects.
The phone number listed (877-640-2280) may be a toll-free 877 number but a Google search shows no connection whatsoever to Microsoft. Similar Zeus virus scares have been reported in the past to trick people into calling and paying for tech support services. Here are links to a few articles about this scam:
Fake Zeus Virus Warning (May, 2017)
How to Remove “Windows Detected Zeus Virus” Scam (May, 2017)
If you ever get a startling message in a web browser telling you to call tech support, quit your program! If you can’t do that, then shut down your computer! Once you are back up, scan for malware or viruses using your trusted anti-virus software.
FOR YOUR SAFETY: Job Application and I Need You to Arrange Payments
Owen @ securityupdateserver.com sent an email with the subject line “Job Application.” Apparently, someone named Kevin is looking for employment and sent his resume as a Word doc. Think it’s safe to open? We asked VirusTotal.com to have a look at that document, and 7 independent services found a hidden trojan malware threat in the Word document.
A BIG FAT delete!
A small non-profit recently found this very nasty scam email that is infamous for its success targeting many large companies. The sender pretended to be the head of the organization, using her first name. It was sent to, and addressed by first name, the woman who works in the business office and pays bills. The message was:
Hello [name redacted],
Hope your day is going well? I will need you to disburse few payments for me today. Kindly let me know how soon you could complete my request.
(Notice the odd use of a question mark in the first sentence.) The email came from ceogr @ usa.com and the sender hopes that the woman in the business office doesn’t notice. The scammer will ask her to arrange payment to an account owned by the scammer. This scam is well known and has been very successful in a few large companies. Below are three links about this scam. Also, USA.com warns people on its website to beware of email that appears to come from the usa.com domain, because it doesn’t: http://www.usa.com/scam-warning.php
ON THE LIGHTER SIDE:
Funny Conversation With a Nigerian 419 Scammer
We found this very funny series of emails written by an English comedian as he engaged in an email conversation with a Nigerian 419 scammer. So satisfying. Enjoy!
We also had fun carrying on a conversation over email with a Mr. Edward James, who tried to convince us that there were two consignment boxes in our name at the Atlanta airport. Each contained $4 million. Read: $8 Million Consignment Boxes.
Until next week, surf safely!