
March 13, 2019

THE WEEK IN REVIEW

Last week we opened with a story from a woman who was terribly upset to be targeted by a real estate scam.  We mentioned that we often hear about the emotional and financial pain felt by victims of scams.  Just recently, while visiting Reddit, we came across this sad story from user the_dough_also_rises titled Grandpa was spear-phished and then hit with the “relative in custody” scam.  The grandson detailed his concern for his grandfather’s losses and vulnerability.  We thought, once again, here is an example of how scammers often target the most vulnerable people in our communities.  This is just one of the many reasons why we are so committed to our readers and to maintaining our blog.  We hate these scumbag leeches just as much as last week’s young pregnant woman and the Reddit grandson writing about his grandfather do.

Also, last week our Top Story was about the avalanche of spam and scam calls that flood our phones.  No sooner did we publish that story when Doug, sitting at his computer with recording software at the ready, got a call from 978-927-4240, a man claiming to represent “Credit Card Services.”  The sales representative at the other end of that line had an Indian accent.  He claimed that his service represented more than 9 credit cards and could lower our interest rate on any of these cards!  Can you guess what happened when Doug informed the representative that he couldn’t find any website representing his business?

Phish NETS: Facebook and Apple Account

Both of this week’s phish come to us via Reddit users because we didn’t find any phishing scams in our honeypot accounts, nor did we receive any from TDS readers.  A rare occurrence!  But check out this text phish posted by Reddit account Invest-Business-Help pretending to be from Facebook and saying “We have just issued a notification for your Facebook account.”  The link LOOKS LIKE it is Facebook.com, but if you look closely, you’ll see that the domain in the link is actually benizy[.]com.

Reddit account OHFLIP7099 posted this phish claiming to represent Apple and saying your account is locked due to an attempt to purchase Spotify Premium service from Morocco.  We counted 3 grammatical errors and 2 capitalization errors. How many can you find?

YOUR MONEY:  NOT Liberty Mutual Insurance and Home Warranty Protection Plan

Were we to list the top 20 subjects that might motivate someone to click a link in an unsolicited ad that arrived in his or her inbox, insurance and warranty protection plans would not be amongst them.  But, hey… what do we know?  Criminal gangs who target Americans with millions of malicious emails each year clearly think differently, because they OFTEN send this type of clickbait.

This email claims to be from Liberty Mutual Insurance and lists that business name eight times to make sure you think so!  But, alas, it is all a lie, easily exposed if you just look carefully at the FROM address… “atsy5r1 @ leftyse[.]com”.  This crap domain, leftyse[.]com, was registered by the “Global Internet Exchange LLC” at 8 The Green Street in Dover, DE 19901.  The name interested us, so we dug a little deeper and discovered that there is a “Registered Agent” at this location who sells “virtual offices” to anyone who wants to front a business at this address and remain anonymous.  Does any of this sound even remotely like Liberty Mutual?  However, MOST IMPORTANTLY, the reason you should never click on any of those links is that they point to the crap domain “detwopcsto[.]top”, which was registered on the same day the email was sent!  That’s a sure signal of a malware infection waiting to happen.

Do home warranty plans really pay?  We don’t know but we’re certain that THIS ONE will only bring pain!  “Never pay for covered home repairs again” says an email from lowsoapy[.]com.  Lowsoapy?  Seriously? You can’t even find a business name or phone number in this email.  It certainly isn’t the “Vintage Car Club” in the UNSUBSCRIBE information. But they sure want you to “click here” and “click here now.”

We’ve seen the misuse of Outlook email services before, and this email contains another one.  The links in this email contain a redirect to the equally oddball domain “doublyhuge[.]com.”  This “huge” domain was registered two months earlier by “Juan Newkirk,” who claimed to represent a company called “Symphony Editors” in Orlando, Florida.  We find it equally odd that Google has no information about “Symphony Editors” and that the domain “doublyhuge[.]com” is being hosted in Tehran, Iran at the Iranian Research Center for Science and Technology.  RUN, don’t just walk away from this clickbait!

TOP STORY: A Very Dangerous US!

We will always point out to our readers when we spot websites that are being hosted outside the U.S. or emails that come from, or lead to email servers in countries outside the U.S.  Often, this knowledge can help us identify something as fraudulent or, at least, highly suspicious. This identification is done by recognizing the 2-letter country codes that may appear at the end of a domain name.  Here are six real examples from around the world:

www.independent.co.uk “.uk” United Kingdom (Independent news website in the UK)

NOTE: the “co” in front of the uk, in this case, refers to “company,” just like DOT-com does, because it doesn’t come last in the name.  If it were last, as in “independent.co,” it would mean the domain is from Colombia!

www.beijingimpression.cn “.cn” China (Travel agency called Beijing Impression in China)

www.mnw.art.pl “.pl” Poland (National Art Museum in Warsaw, Poland)

[email protected]  “.sg” Singapore (Email for Singapore Government Customs Office)

[email protected] “.ae” United Arab Emirates (Email for media inquiries at Etihad Airlines)

[email protected] “.br” Brazil (Email to contact a Brazilian restaurant)

The United States also has a 2-letter country code, which is obviously “.us”.  However, the use of “.us” was never required for domains hosted in the United States because the Internet was first developed in the US.  In the early days of the Internet, it was simply never needed or required.  That practice was grandfathered in as Internet naming rules developed and the Internet spread around the world.  But it is possible for anyone, anywhere in the world, to purchase a domain that ends in “.us”, including those who want to do us harm.  We have very recently seen a spike in DOT-us domains that do just that… harm us.
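The two checks this newsletter keeps coming back to, reading the country code at the very end of a domain (with the “co.uk” versus “.co” trap above) and comparing the FROM address and link domains against the brand an email claims to be from (as with the NOT Liberty Mutual email), can be done by a short script.  This is an added example written for this page, not code from The Daily Scam; the country table only covers the codes named on this page, and the “[.]” defanging convention it undoes is the one used in the text.

```python
import re

# Country codes named on this page; extend as needed. ".com", ".top" etc. are not countries.
COUNTRY_CODES = {
    "uk": "United Kingdom", "cn": "China", "pl": "Poland", "sg": "Singapore",
    "ae": "United Arab Emirates", "br": "Brazil", "us": "United States",
    "co": "Colombia",
}


def refang(text: str) -> str:
    """Undo the newsletter's defanging: 'atsy5r1 @ leftyse[.]com' -> 'atsy5r1@leftyse.com'."""
    return text.replace("[.]", ".").replace(" @ ", "@").strip()


def host_of(indicator: str) -> str:
    """Lowercase hostname of a URL, an e-mail address or a bare domain."""
    s = refang(indicator).lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # strip any scheme such as https://
    s = s.split("/")[0]                           # drop any path
    if "@" in s:
        s = s.rsplit("@", 1)[1]                   # e-mail address: keep the domain part
    return s.split(":")[0]                        # drop any port


def country_of(indicator: str):
    """(code, country) when the LAST label is a two-letter country code, else (None, None).
    'independent.co.uk' -> uk; 'independent.co' -> co (Colombia); 'leftyse.com' -> none."""
    last = host_of(indicator).split(".")[-1]
    if len(last) == 2 and last in COUNTRY_CODES:
        return last, COUNTRY_CODES[last]
    return None, None


def brand_mismatch(claimed_domain: str, indicators):
    """Hosts among the FROM address and links that are neither the claimed brand's
    domain nor a subdomain of it. Anything returned is the 'look at the FROM address' red flag."""
    brand = host_of(claimed_domain)
    flagged = []
    for indicator in indicators:
        host = host_of(indicator)
        if host != brand and not host.endswith("." + brand):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    # Sender and link domain from the NOT Liberty Mutual email described on this page.
    print(brand_mismatch("libertymutual.com",
                         ["atsy5r1 @ leftyse[.]com", "http://detwopcsto[.]top/"]))
```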

Below are three malicious emails that are all wolves in sheep’s clothing.  The first pretends to be from a smart home security provider but the email came from, and links point back to the domain vaguerou[.]us.  The second pretends to represent a Mastercard credit card service but the domain used is learnlo[.]us.  And the third appears to be a pitch by Andersen for window replacements but this is also a lie.  The email came from, and has links that point to the domain drinkye[.]us.

Sucuri.net’s Site Check informed us that all 3 domains were blacklisted by the anti-virus security service McAfee.  Moreover, all three destinations were found to contain redirects to the same exact website called elliornic[.]com.  Here are two of the three reports from Sucuri.net:

What do we know about elliornic[.]com?  A WHOIS tells us that it was registered in June, 2018 through a proxy service to hide the owner’s identity and the website is being hosted on a server in Copenhagen.  But we also know through VirusTotal.com that it is hosting malware, waiting like a landmine to infect your computer.

These three were just a drop in the bucket of malicious DOT-us websites.  We’ll leave you with one more email pretending to be about walk-in tubs designed for seniors.  The domain landmine used in this clickbait is spellth[.]us and just like the others, your visit will be redirected to the very malicious elliornic[.]com.

FOR YOUR SAFETY: Malicious Attachments… Again

“Hi there, I have attached tax billing records for current period” says “Mandy Brown.”  The email claims to be from ADP Tax Services but notice that Mandy’s email address at the bottom of the email is adp.com.  This email, however, was sent from adpnote[.]com, a domain not owned by ADP.  The attached Excel spreadsheet contained a Trojan virus that was immediately dispatched by our anti-virus protection and saved the day!

Two days later, we received this “company complaint” from Dun & Bradstreet AGAINST US at The Daily Scam.  How quaint! But like the email above, it didn’t come from the real website dnb.com, but from dnbcomplaint[.]com.  Nine different services recognized the Trojan virus hidden in that attached Word document!

OUCH!

Until next week, surf safely!