THE WEEK IN REVIEW
We’ve written about vanity scams many times at TDS, most recently as the Top Story of our May 17 newsletter “Your Award Is Waiting.” Here’s a reminder of the ridiculousness of these scams. This email was sent to a school employee about the school’s “nomination in the Travel & Tour Awards 2017 under the wider category of Luxury Travel.”
Seriously?
[hr_invisible]
This particular scam award came from a business called “CV Magazine” at the website corp-vis.co.uk. Apparently, this business makes a business out of selling bogus awards. Here’s what they say on their own Awards page…
“Corporate Vision is dedicated to working around the clock to shine a spotlight on the brightest, best performing and most deserving companies and individuals from around the business world.”
It took just a few seconds in Google to find this article published on LinkedIn by Peter Coleman in January, 2016 titled Business Excellence Awards Sham or Scam about this company. Enjoy!
TDS is proud to announce that we have exceeded 104,000 page views of our website since January 1, 2017! We thank our readers for valuing our work and hope they feel safer using the Internet in many ways because of our site.
[hr_invisible]
Sample Scam Subject Lines: A special discount and genuine five star review Best nail fungus removal formula Free Russian Beauty Search Get perfect toes in as little as 3 days! How to Easily Transfer Old Tapes and Film to DVD Lonely Russian Girls Looking for Boyfriends! Now ANYONE Can Learn Piano or Keyboard Power Shocker – It’s Bad, Really Bad Ray Ban Sunglasses 80% Off Now! Save Thousands on Your Mortgage. Learn More About HARP Second attempt your July electric bill is zero This will change your life… Your Family is in Danger (leaked report)
Sample Scam Email Addresses Bob @ mbc-tv.com Edgardo @ spiderimport.com.br foxlive-[YOUR EMAIL] @ todayzcandal.com idell-[YOUR EMAIL] @ renewiwindow.com mayola-[YOUR EMAIL] @ todaywehelpz.com natural.news-[YOUR EMAIL] @ youislimmer.com opencart @ italyetc.info powerfreedom @ gymnocarpic.us Reda.Salama @ bue.edu.eg samsclubrewards-[YOUR EMAIL] @ samsfreebiesnow.com sams-club-[YOUR EMAIL] @ giftcouponzyou.com secure @ apple.ssl.com serial @ jetmylogin.us
[hr]
[hr_invisible] WOW! What a difference a week makes! We went from not finding any phish two weeks ago to finding lots of phish this past week! This included some very clever phish that deserve special attention as this week’s Top Story! Phishers are using “Amazon cancelled order” notifications to both phish your Amazon account information and drop malware on your computer. How sweet of them. Here are two phony email notices about Amazon orders that were “successfully canceled.” Both have links that point to different malicious websites abroad. We used the Zulu URL Risk Analyzer to show you below that the link in the first email points to a domain hosted in China. Zulu detected malware waiting for you on this site. Ouch! [hr_invisible] [hr_invisible] This next email from mailservice-DOT-org asks you to “Update Your Account Information Now” for PayPal. The spelling used in this phish is so poor. Hopefully no one will fall for it….. except perhaps really bad spellers. Here are two very different phishing emails meant to capture your login credentials for your AppleID. This first one was sent to us by a TDS reader and appears to be from “AppleID” but if you look closely you’ll see that it was sent from the domain mexi-DOT-com. “Your account has been locked for security reasons” A mouse-over of the link “SIGN IN” easily reveals the fraud. [hr_invisible] This second Apple phish is also easily revealed by looking at the from address and mousing-over the link “Click here.” The phish was hidden on a hacked website for a law firm. Oops! We’ve notified them of the breach. Now delete.
Phish NETS: Amazon Order Cancelled, PayPal Update, and Your AppleID Account
We often find malicious emails disguised as deals to search for lower-cost items such as cars and insurance. Such as this one. “Protect your car and your wallet” says an email from the domain newsandviews-DOT-press. The email pretends to represent PowerAutoWarranty-DOT-com but we don’t believe the email-senders are affiliated. (We’re also not so confident about the legitimacy of PowerAutoWarranty) A visit to newsandviews-DOT-press shows a generic Apache webserver page as if someone put a server online but never set up a website. That alone makes this domain extremely suspicious. Our usual toolkit can’t find any threat on that link in the email but we don’t recommend visiting the site. [hr_invisible] “Activate your $50 voucher from Macy’s” informs an email from macyrewardx-DOT-com. This domain was registered by “Darrell Lemley” on the day the email was sent. We’ve seen other scam domains registered to dear Darrell. D for delete! Do you know how Britney Spears lost 20 pounds? Do you even care how Britney Spears lost 20 pounds? No, of course not. But some people must because this kind of crap comes out all the time and we just roll our eyes and move on. (Acutually, it’s a bit confusing because the subject line reports 20 lbs but the email contains a line referring to 30 lbs…. and a shocking video! Of course.) No longer able to ignore this crap, we decided to show you one of these social engineering weight loss click tricks. This email uses a photo taken from Britney’s Instagram account just last week (and talked about in this Cosmopolitan article about her $16 bathing suit). However, the link for “See List of Ingredients” points to a file on the webserver slimmerever-DOT-com. We bet you can guess who registered this domain just hours before this email was released? “D” as in delete! Our new buddy Darrell Lemley! Apparently, Darrell has registered at least 787 domains as of June 21. You know what to do. [hr_invisible]
[hr_invisible]
YOUR MONEY: Auto Warranty Quotes, Macys Voucher, and How Britney Lost 20 Pounds
Most phishing emails are lame and easily revealed if one simply pays attention to the from address or the address that appears in the lower left corner of your browser window when you mouse-over (BUT DO NOT CLICK) the primary link provided in the email. Our Phish Nets column has exposed hundreds of these phishing emails during the last few years. However, we periodically see very clever phish in this criminal ocean that surpass the usual riff-raff in their craftiness. These better-than-most phish use one or more of the tricks below to make them seem, at first glance, more legitimate. (1) The link, revealed by a mouse-over, begins with https The “s” in https means “secure” as in a secure transfer of information between your computer and the website you communicate with because your data is encrypted. This is incredibly important when sending/receiving very personal data such as financial information. Turning an http website into httpS site requires something called an SSL certificate. It must be purchased from a legitimate and recognized SSL provider. Companies and organizations have to jump through many hoops to prove who they really are in order to get an SSL certificate and become https sites. TDS is only aware of a small handful of instances when criminals were able to secure SSL certificates for their bogus web sites, but even these were quickly exposed and then taken down. Seeing a link that begins as “https” is therefore very reassuring! This is why phishers will work hard to either hack an https site or use sites that begin with https to forward you to their non-https site. Many URL shortening services begin with https AND are intended to forward a user somewhere else on the Internet. Take this email saying “Welcome to Amazon” that we recently found. (By the way… there is such a thing as an Amazon “mechanical turk.”) [hr_invisible] Mousing-over “Confirm your account now” shows a bit.ly link that begins with https. But bit.ly is just a shortening service that has its own SSL certificate. Like all shortening services, bit.ly takes long links and makes short links out of them for people to use and share. What you should see when mousing over is www.amazon.com/. After clicking this link, a visitor is forwarded by bit.ly to a large white web page on a phishing site with this Amazon-look alike in the middle of it: [hr_invisible] (2) Obfuscate a link so severely so that it is hard to figure out where it actually sends you We tried using some of our regular tools to find out where this shortened bit.ly link leads to in the above Amazon phish. We discovered that the domain and subdomain are soooo long that the link exceeded the display space! We were unable see where the link pointed! That was very clever of Mr. Vladmir Mudak Criminal. However, we realized that a tool like the Zulu URL Risk Analyzer will show us the full link no matter how long or how many subdomains it contained. Zulu showed us that the fully exposed scam link contains eleven subdomains (each is separated by a period from each other and from the domain.) If we counted correctly, there are 195 characters in the subdomains of this link. We’ve drawn attention below to the two subdomains at the very beginning of the link, amazonup and comi, as well as the actual domain itself. The actual domain is johniim-DOT-net and a WHOIS lookup tells us that it was registered on June 24 through a private proxy service in Australia. [hr_invisible] (3) Create a subdomain that makes the real domain look like the company the email is supposed to represent Criminals create a subdomain that adds legitimacy to the phishing scam. Remember…Anyone can create a subdomain to say anything at all! Notice in the full phishing link revealed above by Zulu… the first 2 subdomains a user will see are amazonup.comi. Not exactly amazon.com but close. In our Phish Nets column of June 14, we wrote about a phish that uses “apple-id” as a subdomain. (4) Create a domain that is believable to represent the company being phished. One of the most successful phishing efforts in the history of phishing scams, in our humble opinion, was the use of the scam domain paypai created by phishers in 2000 and reported on in this article at zdnet.com. The lower case “i” looked a lot like an l in web browsers at the time and fooled lots of people. But phishers have also been known to create domains that seem legitimate. Take this recent phish below. “Dear Customer Your Apple ID has been suspended” says an email from apple-DOT-SSL-DOT.com! (In our April 19 Phish Nets column we exposed a phish using the subdomain apple in the domain apple-DOT-ssl-DOT-com.) The link “Verify now” in the email below points to the domain 0cloud-iverify-DOT-com and it begins with https! How they managed to get an SSL certificate we’ll never know but this is not the same as visiting apple.com! Look below and you’ll see a screenshot of the website found at 0cloud-iverify-DOT-com. According to a WHOIS, the domain 0cloud-iverify.com was registered on June 21 by Carsten Hinkel from Munich, Germany and is being hosted in Hong Kong. Sound like Apple to you? [hr_invisible]
[hr_invisible]
TOP STORY: Phishing Tricks to Know!
[hr]
FOR YOUR SAFETY: You Have Private Message and Auto Stock Trade App
We’ve seen these fake “you have private message” notifications many times in the past but most led to malicious sites in Russia, some some of which tried to sell fake meds. However, according to the Zulu URL Risk Analyzer, this link will send you to a site in Indonesia that is 100% malicious
This next email encourages you to install an app that we strongly suspect is malware. “Hello! My close friend Trudy told me to inform you about launch of his trading app. It’s called CopyBinary… and as its name says, its generating profits of 50,000 dollars every week for its users.” Well, first of all its name doesn’t say that! The link points to a hacked web site registered to someone from Dhaka, Bangladesh. None of this sounds safe.
[hr_invisible]
ON THE LIGHTER SIDE:
Next of Kin Beneficiary for $9 Million
Once again we are amazed at the volume of people around the world who insist that we have money coming to us. Barrister Philip Mark tells us that one of our relatives has died, though we can’t imagine who that is. Apparently, our relative left us $9 million dollars! Wow! If we had known he or she was that rich when alive, maybe we would have been nicer to him or her.
From: philmark@one.org
Time: 2017-06-21 12:48:28
Subject: Notification
Good Day.
We wish to notify you again that you were listed as beneficiary to the total sum US$9 of Million only in the intent of the deceased. On my first email I mentioned about my late client whose relatives I cannot get in touch with. But both of you have the same last name so it will be very easy to front you as his official next of kin. I am compelled to do this because I would not want the finance house to push my clients funds into their treasury as unclaimed inheritance.
We contacted you because you bear the Last name with our Late Client and therefore can present you as the Beneficiary to the inheritance since there is no written WILL or Bequest. O u r legal services aim to provide our private clients with a complete service. We are happy to set-up all modalities and administer Trusts,carry out the administration of estates. All the papers will be processed in your acceptance of this Transaction.
Note that you are to furnishing me with the requested information’s below immediately;
(1)Full names.
(2)Contact address.
(3)Telephone and fax numbers.
(4)Location.
If you are interested do let me know so that I can give you Comprehensive details on what we are to do. Waiting for your response.
Yours faithfully,
Barr. Philip Mark
—
Until next week, surf safely!