June 28, 2017 OLD

[hr_invisible]

Phish NETS:  Amazon Order Cancelled, PayPal Update, and Your AppleID Account

WOW!  What a difference a week makes!  We went from not finding any phish two weeks ago to finding lots of phish this past week!  This included some very clever phish that deserve special attention as this week’s Top Story!

Phishers are using “Amazon cancelled order” notifications to both phish your Amazon account information and drop malware on your computer.  How sweet of them.  Here are two phony email notices about Amazon orders that were “successfully canceled.”  Both have links that point to different malicious websites abroad.   We used the Zulu URL Risk Analyzer to show you below that the link in the first email points to a domain hosted in China.  Zulu detected malware waiting for you on this site.

Ouch!

[hr_invisible]

[hr_invisible]

This next email from mailservice-DOT-org asks you to “Update Your Account Information Now” for PayPal.  The spelling used in this phish is so poor.  Hopefully no one will fall for it….. except perhaps really bad spellers.

[hr_invisible]

Here are two very different phishing emails meant to capture your login credentials for your AppleID.  This first one was sent to us by a TDS reader and appears to be from “AppleID” but if you look closely you’ll see that it was sent from the domain mexi-DOT-com.  “Your account has been locked for security reasons”  A mouse-over of the link “SIGN IN” easily reveals the fraud.

[hr_invisible]

This second Apple phish is also easily revealed by looking at the from address and mousing-over the link “Click here.”  The phish was hidden on a hacked website for a law firm.  Oops!  We’ve notified them of the breach.

Now delete.

[hr_invisible]

YOUR MONEY: Auto Warranty Quotes, Macys Voucher, and How Britney Lost 20 Pounds

We often find malicious emails disguised as deals to search for lower-cost items such as cars and insurance. Such as this one.  “Protect your car and your wallet” says an email from the domain newsandviews-DOT-press. The email pretends to represent PowerAutoWarranty-DOT-com but we don’t believe the email-senders are affiliated. (We’re also not so confident about the legitimacy of PowerAutoWarranty) A visit to newsandviews-DOT-press shows a generic Apache webserver page as if someone put a server online but never set up a website.  That alone makes this domain extremely suspicious.  Our usual toolkit can’t find any threat on that link in the email but we don’t recommend visiting the site.

[hr_invisible]

“Activate your $50 voucher from Macy’s” informs an email from macyrewardx-DOT-com.  This domain was registered by “Darrell Lemley” on the day the email was sent.  We’ve seen other scam domains registered to dear Darrell.

D for delete!

[hr_invisible]

Do you know how Britney Spears lost 20 pounds?  Do you even care how Britney Spears lost 20 pounds?  No, of course not.  But some people must because this kind of crap comes out all the time and we just roll our eyes and move on. (Acutually, it’s a bit confusing because the subject line reports 20 lbs but the email contains a line referring to 30 lbs…. and a shocking video! Of course.)  No longer able to ignore this crap, we decided to show you one of these social engineering weight loss click tricks.  This email uses a photo taken from Britney’s Instagram account just last week (and talked about in this Cosmopolitan article about her $16 bathing suit).  However, the link for “See List of Ingredients” points to a file on the webserver slimmerever-DOT-com.  We bet you can guess who registered this domain just hours before this email was released?  “D” as in delete!  Our new buddy Darrell Lemley!  Apparently, Darrell has registered at least 787 domains as of June 21.

You know what to do.

[hr_invisible]

[hr_invisible]

TOP STORY:  Phishing Tricks to Know!

Most phishing emails are lame and easily revealed if one simply pays attention to the from address or the address that appears in the lower left corner of your browser window when you mouse-over (BUT DO NOT CLICK) the primary link provided in the email.  Our Phish Nets column has exposed hundreds of these phishing emails during the last few years. However, we periodically see very clever phish in this criminal ocean that surpass the usual riff-raff in their craftiness.  These better-than-most phish use one or more of the tricks below to make them seem, at first glance, more legitimate.

(1)  The link, revealed by a mouse-over, begins with https

The “s” in https means “secure” as in a secure transfer of information between your computer and the website you communicate with because your data is encrypted.  This is incredibly important when sending/receiving very personal data such as financial information.  Turning an http website into httpS site requires something called an SSL certificate.  It must be purchased from a legitimate and recognized SSL provider.   Companies and organizations have to jump through many hoops to prove who they really are in order to get an SSL certificate and become https sites.  TDS is only aware of a small handful of instances when criminals were able to secure SSL certificates for their bogus web sites, but even these were quickly exposed and then taken down.

Seeing a link that begins as “https” is therefore very reassuring!  This is why phishers will work hard to either hack an https site or use sites that begin with https to forward you to their non-https site.  Many URL shortening services begin with https AND are intended to forward a user somewhere else on the Internet.  Take this email saying “Welcome to Amazon” that we recently found.  (By the way… there is such a thing as an Amazon “mechanical turk.”)

[hr_invisible]

Mousing-over “Confirm your account now” shows a bit.ly link that begins with https.  But bit.ly is just a shortening service that has its own SSL certificate.  Like all shortening services, bit.ly takes long links and makes short links out of them for people to use and share.  What you should see when mousing over is www.amazon.com/.  After clicking this link, a visitor is forwarded by bit.ly to a large white web page on a phishing site with this Amazon-look alike in the middle of it:

[hr_invisible]

(2)  Obfuscate a link so severely so that it is hard to figure out where it actually sends you

We tried using some of our regular tools to find out where this shortened bit.ly link leads to in the above Amazon phish.  We discovered that the domain and subdomain are soooo long that the link exceeded the display space!  We were unable see where the link pointed!  That was very clever of  Mr. Vladmir Mudak Criminal.  However, we realized that a tool like the Zulu URL Risk Analyzer will show us the full link no matter how long or how many subdomains it contained.  Zulu showed us that the fully exposed scam link contains eleven subdomains (each is separated by a period from each other and from the domain.)  If we counted correctly, there are 195 characters in the subdomains of this link.  We’ve drawn attention below to the two subdomains at the very beginning of the link, amazonup and comi, as well as the actual domain itself.  The actual domain is johniim-DOT-net and a WHOIS lookup tells us that it was registered on June 24 through a private proxy service in Australia.

[hr_invisible]

(3)  Create a subdomain that makes the real domain look like the company the email is supposed to represent

Criminals create a subdomain that adds legitimacy to the phishing scam.  Remember…Anyone can create a subdomain to say anything at all!  Notice in the full phishing link revealed above by Zulu… the first 2 subdomains a user will see are amazonup.comi.  Not exactly amazon.com but close.  In our Phish Nets column of June 14, we wrote about a phish that uses “apple-id” as a subdomain.

(4)  Create a domain that is believable to represent the company being phished.

One of the most successful phishing efforts in the history of phishing scams, in our humble opinion, was the use of the scam domain paypai created by phishers in 2000 and reported on in this article at zdnet.com. The lower case “i” looked a lot like an l in web browsers at the time and fooled lots of people.  But phishers have also been known to create domains that seem legitimate.  Take this recent phish below.  “Dear Customer  Your Apple ID has been suspended” says an email from apple-DOT-SSL-DOT.com!  (In our April 19 Phish Nets column we exposed a phish using the subdomain apple in the domain apple-DOT-ssl-DOT-com.)  The link “Verify now” in the email below points to the domain 0cloud-iverify-DOT-com and it begins with https!   How they managed to get an SSL certificate we’ll never know but this is not the same as visiting apple.com!  Look below and you’ll see a screenshot of the website found at 0cloud-iverify-DOT-com.  According to a WHOIS, the domain 0cloud-iverify.com was registered on June 21 by Carsten Hinkel from Munich, Germany and is being hosted in Hong Kong.  Sound like Apple to you?

[hr_invisible]