June 27, 2018

[hr_invisible]

Phish NETS: Docusign Cordial Invitation

What makes this phish much more risky than most is that it was sent from a real businessman’s hacked email account.  Subject: “William [NAME REDACTED] has shared ‘Cordial Invitation’ with you.” Fortunately, the coding for this phish had some problems, making it suspicious.

[hr_invisible]

[hr_invisible]

YOUR MONEY: Oakley Sunglasses

We continue to get emails for name brand products at discounts of 80% – 90% off, and from oddball domain names such as this one, dmtey[.]com.  Like others we have reported, this domain was registered in China just a few months ago through a private proxy service.  The from email address is crap, like the domain name.  Our first thought is that it is a “knock off” site but real risks also come from handing over your credit card information to these people. Would you trust them with that information?  Not us. There is also more going on here anyway. We asked the Zulu URL Risk Analyzer to evaluate that link for this sale on sunglasses. It found the link to be 100% malicious!

Deeeleeeete!

[hr_invisible]

[hr_invisible]

TOP STORY: Manipulating Your Clicks to Install Malware

People keep a great deal of personal information on their computers AND use their computers to access a great deal of personal accounts!  Think about your own activities… Social media, banks, credit card companies, retirement and other financial accounts, medical records, services and commercial accounts like Uber, Amazon, Wayfair, etc…. And all of these can be monetized for someone else’s financial gain if their access fell into the wrong hands.  That’s what a lot of malware is designed to do, capture access to these accounts. And there are also the Internet criminals who simply want to hold your devices ransom by encrypting it with malware and then selling you the decryption key to gain access to it. Those decryption keys are costing $300 – $600 for personal computers and about $600 – $6000 for business computers.

A TDS reader recently sent us several different emails that were obviously malicious as revealed by looking at links revealed by mousing-over.  However, we were surprised to learn that they were all related and part of the same trick to motivate the recipient to install malware on his computer.   Take these first two emails, received on June 21 about five hours apart. They are similar and very suspicious, beginning with the subject line “Purchase verified.”  The first was sent from an email account in France (“.fr” = France).

The next day, the same fellow received an email from “Google Support” but using an email address of hawkins “@” lamaravilla[.]com.  “We have sent you a message: 2 broken emails was found” and “View emails”  Our first reaction was that this was a phishing email targeting Gmail account holders.  But we were wrong! Clearly, mousing-over the link for “view emails” reveals that it doesn’t point to Google.com or Gmail.

And then, two days later, the same guy gets this spoofed email pretending to be from FedEx about delivery problems.  Subject “Not possible to make delivery” sent from “Katherine” using an email address in Germany. (“.de” = 2-letter country code for Deutschland = Germany)  Based on the grammar error in the email, the sender’s first language is not likely English. And a mouse-over of “Limitation of Liability” easily reveals the fraud because it doesn’t point to Fedex.com.

[hr_invisible]

When we investigated all four of these emails, surprisingly, we found that they were are related and had one thing in common.  They all led to redirected websites where the visitor was informed that his Adobe Flash Player software was out of date. He was asked to install updated software to continue.  On this screenshot you can see that the fake Fedex link doesn’t send the visitor to Adobe.com but to a website called forgot2buypremiumlistcontentsumup[.]bid.  This malicious website was registered in Panama on June 21, just 3 days before the email was sent.

These emails are just social engineering tricks meant to infect your computers with malware.  The creators of this crap are very persistent and are obviously using many websites and types of emails to achieve their criminal goals.  Never, ever install software on your computer because a web page or popup tells you to do that! If, for example, you think your Adobe software is out-of-date, visit Adobe.com and look there for the latest version.  However, Adobe’s software is also capable of letting you know when it is out of date and gives you the option to install a more up-to-date version!