June 5, 2019


When you see thousands of malicious emails disguised as consumer products, and designed to trick you into clicking landmines, it is easy to see commonly re-used themes.  For example, criminal gangs like to use emails disguised as popular or discounted consumer products, Shark Tank episodes & their products, dating services (and sex, in general), offers to pay you for taking online surveys, insurance coverage deals, credit card promotions, loans, health issues, and breaking news (usually “shocking”), just to name a few common themes.  But in the last six months, a theme used by cybercriminals that has grown significantly in popularity has been the purchase of CBD oil from the cannabis plant. A flood of ads like the two below have been hitting our honeypot accounts and we believe all are malicious.




Both of these emails were sent through the real marketing service called CleverReach.com.  On April 3, 2019 we wrote about the misuse of this service by spammers and criminals in our “Your Money” column.  We are now convinced that all these emails are malicious clickbait, not just spam.  The first email above was sent from the domain prodesigncourse[.]com.  This domain was registered through a private proxy service just 2 days before we received the email and its website is being hosted in France.  The second email, asking you to claim your bottle of CBD oil, came from the domain homeland-towers[.]com.  Though this domain has been in use on the Internet for more than a decade, it changed hands a month before this email was sent.  Now, homeland-towers[.]com is registered to a company in India called “SwainPharma.”  However, there appears to be no website at homeland-towers[.]com AND we can’t find any website for Swain Pharma.  In fact, the only references Google can find for Swain Pharmacy are VERY questionable links to a few crap domains, such as “mp3racha[.]top.”  If you are truly interested in CBD oil, our advice is to get it locally where it is legal, or from verifiable dispensaries in the United States.



Phish NETS: Bank of America and Scheduled Bank Payment

“We noticed an invalid login attempt to your Bank of America online account from an unknown IP address, we have temporarily suspended your account.”  If you continue reading this phishing scam, you’ll notice only a couple of spelling or grammatical errors. However, the most important thing to notice is that this email didn’t come from bankofamerica.com.  It came from “transport “@” pramo[.]local.” Pramo[.]local isn’t even a legitimate domain according to our WHOIS lookup. Equally important is the fact that the links in this email may say they point to bankofamerica.com but actually are coded to point to a misused Google service at googleapis.com.  In fact, this Google service has been misused so much by cybercriminals that you can find many anti-malware services posting information on how to get rid of malware infections that happen by visiting these infected Google links! Here are two of these helpful posts: MalwareFixes.com and PCRisk.com.



This next phish is as generic as they come! The subject line says “Advice of Debit – Bank Confidential.”  Apparently, “you scheduled a payment fo $5,950.30 from your account ending in Regular Personal Checking-7312.”  But there is no mention of a bank or your name. This email slipped through the security controls of an international listserv used by schools.  The link in the email actually points to the domain warriorllc[.]com which was clearly identified as a phishing domain.






YOUR MONEY:  Never Pay for TV Again, Top Weight Loss Plans, and Shark Tank

We often use the phrase “crap domain” to refer to malicious domain names that have two common characteristics… Firstly, the global top level domain (e.g. DOT-com and DOT-org) is one that is rarely used by anyone but cybercriminals.  Secondly, the name selected to represent the domain is often gibberish or doesn’t make any sense. This next email claims to be for an “UltraHD Antenna” and has links that point to the domain goosejh[.]world.  This CRAP domain was registered on May 26, 2019 in India just two days before this email was received.  The claim in this email to “get over 60+ Hdtv channels without paying a dime” sounds like a con job to us!  Add to this the fact that Google cannot find any website at this domain.

Step away from this landmine….



Weight loss is on a lot of people’s minds.  That’s why cybercriminals use this topic so often to engineer a click with the hope of producing a computer infection.  In this next email they doubled their efforts by using “before” and “after” photos of people to entice you to find out how they were able to lose their weight!  We especially loved the pictures of the woman in red clothing on the top row because they photoshopped her “after” photo so badly that it appears to have given her a severe case of scoliosis known as lordosis. (Look at her lower back!)  Do you think the photos of the man in the upper left (before and after) or the woman in the lower left (before and after) are the same people in the before and after photos? It doesn’t matter. This email is malicious clickbait to a website called “acuityscheduling[.]com” even though the email appears to have come from Target.com!


Here is another malicious clickbait email that appears to have come from VictoriasSecret.com about a “diet sensation” that appeared on Shark Tank.  It’s total malarkey, of course. And the links in this email also point back to “acuityscheduling[.]com.”

Just delete!



TOP STORY: Scams of the Week

Last week we heard from many TDS readers about a wide variety of scams.  Most of these scams targeted people through phone calls. The mix of scams was eclectic and worth a look. Let’s begin with a phone call claiming to be about your federal student loans. A woman called, claiming to be “Barbara Davis” and said… “yes, this is Barbara Davis. I’m calling in reference to your federal student loan. I need to discuss your repayment options with some new changes that have taken effect recently, so… if you could please be sure to give me a call back.  My number is 866-253-8228.  And I’m going to go and give you a reference number. If you would just have this handy when you call back, it makes things a lot easier.  Your reference number is 011105. Thank you.” Of course the person who received this call didn’t have any student loans…



We did a Google search of that phone number, 866-253-8228, and discovered that the Internet has been blowing up with complaints in the previous 48 hours about this scam call.  Most people said that they had no student loans. Others pointed out that no company was represented by the caller and that the call came from one phone number but they were asked to call back through a different number.  One caller who reported this as fraud on CallerCenter.com said that he called the number back and a computer message answered the phone saying that if you do not have student loans you can be taken off of their call list permanently by pressing 9.  After pressing 9, the message that followed said the caller would never be able to qualify for any of their programs in the future. You can read more from people posting this as a scam by visiting CallerCenter.com and 800notes.com.

Another TDS reader contacted us to say that she received a voice message on her home phone claiming to be from Amazon Prime.  The message said that she had been charged $299.99 for renewing her Amazon Prime membership. If this wasn’t correct, there was a number she should call to cancel her renewal.  Yeah, right. We know how that one goes! Give us your credit card information to credit your account and instead we’ll charge your account! Of course Amazon Prime doesn’t cost that much money and Amazon will NEVER call you to tell you they have charged you for renewal.

And then, just a few hours later, another woman contacted us to say she received an order confirmation via email from Amazon for “Amazon order #069063-68336.”  The email contained a link to cancel the order. (She had deleted the email and therefore we don’t have a copy to show you.)  We confirmed this as fraudulent because:

  1. She didn’t order anything from Amazon.
  2. That Amazon order number does not follow the pattern that Amazon uses for their order number system.
  3. The email didn’t identify her by name or account.

Perhaps the most interesting scam we heard about last week was one that we’ve known about but have only been contacted once in five years by someone targeted by this scam.  Via online emails, a website interface and/or texting, a person is hired and paid to receive and re-ship packages. The person who is hired actually gets paid! However, the packages that are sent to them are usually stolen goods which they are asked to re-package and ship elsewhere, often outside the country.  This fraud puts the hired person at risk because what they are doing is illegal!

In this email below from “Johanna Hawkins” notice that the name in front of the “@” symbol is different… Abbey May. This is a common technique used by fraudsters.  And what does that subject line mean? Did the sender mean to say “Heaven sent?” Johanna begins by saying a “well-known US based Internet business” but doesn’t name the business.  There are also a few anomalies in this email that suggest the sender’s first language is not English. For example…

  1. Most US employers would say “a monthly salary of $3500.”  They certainly wouldn’t say “USD” because that would be the standard currency in the US.
  2. Awkward English such as “ability to full-time employment” and “ability to move products weighting 20 pounds…” and “Should you are interested”



As for the domain that “Johanna” used in her email, it is also very suspicious.  Her email came from the domain uwclub[.]net.  That domain was registered via a private proxy service more than 14 years ago in Great Britain and is being hosted in Ireland.  The website title, according to a WHOIS lookup, is “Welcome to the Utility Warehouse.” But Google is unable to find any legitimate business at that web address.  However, Zulu URL Risk Analyzer and Sucuri.net both show that a visit to uwclub[.]net will redirect you to the website “utilitywarehouse[.]co[.]uk.” This second domain seems to be registered and hosted by the same people who registered uwclub[.]net.

We had no problem finding several YouTube videos, including this one, of a man with an accent, describing (in English) how to set up email accounts using the uwclub[.]net domain.  There were also several other VERY odd YouTube videos about UWClub.net and the Utility Warehouse including this robot-like description saying that the Utility Warehouse Club site is a scam.  It is titled “Utility Warehouse Clubhouse aka UWCLUB Review from YOUGOV UK on Utility Warehouse.”  Does any of this sound the least bit legitimate to you? It is HIGHLY likely that this is a shipping scam as described on the Indeed.com website in their community forum:


Though you may actually get paid by these people to re-ship packages, you’ll be acting like a mule to move illegal goods.  About a year ago we heard from a young man in California who had been doing this but stopped after a couple of weeks because, according to him, it became immensely clear that the whole thing was sleazy and likely illegal. He was concerned that the police would show up at his door to arrest him for moving stolen goods.


Finally, we leave you with this remarkably obvious scam email saying that you’ve won the “Free Lotto Award” to the tune of 150 million British pounds!  What made us smile most at this was the email source country. The email came from Zimbabwe! (“.zw” = 2-letter country code for Zimbabwe.) Just delete.  Nice to see that Zimbabwe is hosting a multi-million dollar lottery!



FOR YOUR SAFETY: Links from Hell

We are seeing a resurgence of short emails containing what we call “links from hell.”  These are emails that come from people who have had their email accounts hacked and their contact lists stolen.  Over years, the criminals send out emails containing very malicious links to people who were on those stolen contact lists.  The names will always be from the person you know, but the email addresses used by the criminals keep changing. This one came from a server in Japan.  Notice that the criminals sending these hand grenades were only sending it to the people whose accounts started with the letter “d.” No doubt, there were bombs that went out to addresses that began with all letters of the alphabet.  Good afternoon indeed!

Until next week, surf safely!