THE WEEK IN REVIEW
The criminal gangs who target us are creative and resourceful. They seem to have a good understanding of the content that gets us to push their buttons… er, links. They will sometimes use celebrity and pop culture to lure us into their traps, such as these two examples disguised to look like products pitched on the popular TV show Shark Tank. Our job is to be skeptical and resist that urge to click!
“Mark Cuban and Lori make a record investment – SHARK TANK”
“This amazing product has just hit the Shark Tank”
“Your electricity bill for June is 0. The Sharks feasted on this!”
“Mark Cuban partnered with this. See it in action.”
Sample Scam Subject Lines:
Auto Coverage for Families with Multiple Drivers
Be part of the hybrid movement
Claim Your Amazon Gift Card
Go on a stunning Irish vacation
Got a great idea? Patent it now
Hotel Room Prices
Protect your family from Sex Offenders
Ready to fight your Tinnitus?
Save on kitchen cabinets
Transfer your iPad into a laptop replacement
Trump did it again – CNN Report
Urgent message (Open this now!)
Weight Loss Plan For Those Who Want Quick Results
Sample Scam Email Addresses:
addictionhelp@achore.download
BedroomDecoratingIdeas@dro-m.download
BeverlyHillsMD@dee-4.download
care@resultalertbrainpro.com
DrMichaelPhelpsMD@0i7-f.download
HomeRoofingDeals@lhw-d.download
mayohealth@fatabds.pro
Pet_Insurance@2i8-c.download
RenewalByAndersenWindows@cuj-q.download
RiverCruises@k81-k.download
shavingproducts@shavikit.top
TerminixPestControl@czp-8.download
YachtRental@qym-q.download
Phish NETS: Amazon Account, Chase Bank Client
This phish appears to be an email from “Amazon Customers Support Service” but was sent from the odd domain richsrdsen.com. “Dear Valued Customer. We observed multiple login attempt error while login in to your online account…” Thankfully their command of English isn’t very good. A mouse-over of the link “Click here” shows that it points to a shortened URL on bit.ly created to appear as though it is related to Amazon.
We used Urlex.org to expand bit.ly/1AmzSuppots and discovered that it points to the domain robinsohonmk.com. A WHOIS lookup shows us that this domain was registered on June 11 (modified on June 15) and is being hosted in Zurich. Certainly not Amazon.com! Delete!
“Dear Chase Client” “Our system detected your account has been compromised and we had no choice than to temporarily suspend your account.” These would be pretty upsetting words to read, if they were true. A mouse-over of the link “Click Here to Verify Your Account Info” reveals that the link points to a shortened URL at bit.ly, just like the Amazon phish above. The email wasn’t sent from Chase Bank but from the Gmail address Just.Mazika@gmail.com. We used Unshorten.It to see where the bit.ly address really leads and discovered that the Chase Bank phishing scam will send you to a fake Chase Bank page on a website in the small Balkan country of Montenegro (2-letter country code = .me). Now delete!
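The checks walked through for these two phish (sender domain, shortened link, expanded destination), as an added Python example that is not part of the original newsletter. The brand allow-list, the two extra shorteners, the sender local part "support" and the Chase short-link path are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains each brand really uses (an assumption).
BRAND_DOMAINS = {"amazon": {"amazon.com"}, "chase": {"chase.com"}}
# bit.ly is the shortener named on the page; the other two are added here.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def host_of(value):
    """Return the lower-cased host of an e-mail address or a URL."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def belongs_to(host, domains):
    """True only for an exact match or a real subdomain, so that
    amazon.com.robinsohonmk.com does not pass as amazon.com."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(brand, sender, link, expanded=None):
    """List the warning signs for a message claiming to come from `brand`.
    `expanded` is what an unshortening service reported, if anything."""
    legit = BRAND_DOMAINS[brand]
    findings = []
    if not belongs_to(host_of(sender), legit):
        findings.append("sender-domain-mismatch")
    dest = host_of(link)
    if dest in SHORTENERS:
        findings.append("shortened-link")
        if expanded is None:
            # Never judge a short link by its path text; resolve it first.
            findings.append("destination-unresolved")
            return findings
        dest = host_of(expanded)
    if not belongs_to(dest, legit):
        findings.append("destination-mismatch:" + dest)
    return findings


if __name__ == "__main__":
    # Local part "support" and the Chase short-link path are placeholders.
    print(triage("amazon", "support@richsrdsen.com",
                 "bit.ly/1AmzSuppots", "robinsohonmk.com"))
    print(triage("chase", "Just.Mazika@gmail.com", "bit.ly/PLACEHOLDER"))
    print(triage("amazon", "no-reply@amazon.com", "https://www.amazon.com/"))
```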
Your Money: Amazon Gift Card, Get Free Quotes…For Everything!
Can you spot the very funny error in this scam sent from Exclusively_for_you@instantrewards.site? You know what re-gifting is? Apparently the scammers had created an identical scam targeting Walmart customers with a fake $100 gift card. Then they tweaked the design to target Amazon users… but forgot to make one small change. The domain registered and used for this Amazon Gift Card scam is instantrewards.site. A WHOIS lookup shows that it was registered on June 13 by someone named David Rodriguez. By the way, if you look up the company “RewardsFlow, LLC” in Google (identified as the sender of this email), you’ll see several links identifying that company as a scam. Visit: https://www.google.com/#q=rewardsflow+llc Then deeeeleeeete!
Many of the malicious emails we see come disguised as “free quotes” and “free consultations” for many different things: insurance, roofing, window installation, heating/cooling installation and much more. They are all engineered to do one thing: manipulate the recipient into clicking a malicious link. Here is what several of these “free quotes” look like. Notice the odd domains the emails come from and lead to. And in case you had any doubts about our evaluation, look at the Zulu Score about the first quote for “free HVAC estimates.”
TOP STORY: Targeting A Chief Financial Officer for Attack
This week’s Top Story is a company or organization’s worst nightmare. The Chief Financial Officer of a school was targeted by full name with a malicious email pretending to be from the very real company called Grimley Finance Corporation, an agency that specializes in collecting debt. The signature name and contact information accurately represent the President of Grimley FC. Even the subject line was crafted to target the institution: “Outstanding Tuition Receivables.” All the evidence suggests that this incendiary device came from a criminal group in India. Let’s break it down for you…
As we frequently say, it is easy to deceive people online and it pays to be skeptical!
Now Delete.
FOR YOUR SAFETY: Heineken Premium Project, Important Message from Help Desk
“You have been selected.” We don’t know why but it can’t be good. Even if you do like Heineken. Anyone can create an email address and this ridiculous email from heinekenpremiumproject23@gmail.com is not from the real Heineken company.
Criminals are trying to figure out new ways to make it harder for recipients to expose or reveal the tricks they use to target them. This “Important message from Help Desk” is another example. The recipient sees an “EMAIL NOTIFICATION” to read the “attach message from Helpdesk Administrator.” The attached pdf doesn’t carry malicious code, such as a Trojan.
However, the pdf carries the message you see below… And a link to “CLICK HERE.” The problem is that many programs that will open a pdf will not reveal the link by a simple mouse-over of the words “CLICK HERE.” Fortunately, Firefox and Chrome will both open a pdf file AND allow us to mouse-over the link to see where it points BEFORE we click. The link points to the domain Whereleh.com. A search in Google for this domain shows many links related to phishing scams, malware and “scumware” in general.
Delete!
ON THE LIGHTER SIDE: I Need Your Assistant!
We received the following email from a Mrs. Teresa Mpume with one clear message. She needs our assistant! Well, we need him too and she can’t have him. We’re firm on this point.
Until next week, surf safely.