THE WEEK IN REVIEW
A funny thing happened during the last week in scamland. Some criminal mastermind from one of the major scam gangs came up with a new idea and liked it so much that he used it in the subject lines of thousands of scams we saw. This mastermind has decided that he wants to give us choices! Look at this week’s subject lines below, lifted from sample scam emails seen during the last week, to see what we mean. It was funny to see so many of these.
Also, just a reminder that it is still tax season and we continue to see a lot of tax scam emails, such as this one with the subject line “Online Tax Preparation.” The text in the email is very slick and well written. The bogus U.S. Treasury and IRS phone calls are still very popular as well, since they target Americans. We found this article on ABCNews.com about a smartphone app capable of identifying incoming calls from known tax scam phone numbers and blocking them immediately. We have no idea how effective it is, but it sure seems like a great idea! Check it out.
Sample Scam Subject Lines:
- Check out Top 10 Listings for Identity Theft Today
- Compare Top 12 options for Francise Business
- Compare Top 13 Listings for Wireless Internet Today
- Compare Top 14 Options in Substance Abuse
- Compare upto Top 18 Options for Dui Lawyers
- Explore Top 10 Options in Remodel Kitchen
- Explore Up-To Top 19 Cosmetic Dentistry Listings
- Search Top 15 Options in Thyroid Treatment
- Search Top 16 Personal Injury lawyers Listings
- Search top 19 Listings for Alaska Cruises Today
- Search Up-To Top 11 Cholesterol Management Listings
- View Top 16 Options in Vision Correction
- View Top 19 Options in Retirement Planning
Sample Scam Email Addresses:
Phish NETS: Apple Phish Hiding Ransomware Link?
Have you heard of ransomware? It is a particularly nasty piece of malware that, once initiated, quickly encrypts all your personal files so they cannot be opened unless you have the encryption key. The criminals who trick you into installing ransomware on either Apple or Windows computers are happy to sell you the encryption key. Prices range from as low as $300 to as much as $2000 and are most often paid through the untraceable Internet currency called bitcoins, which brings us to this week’s phishing scam. We found yet another phishing scam pretending to be an Apple GSX email “notification alert.” But rather than a malicious link, this email contained a very dangerous attached shtml file.
We have written about the risks of opening web files such as html or htm files. (Check out our article called Filenames Will Set You Free!) However, the shtml file is even more dangerous because this type of file allows for “server side includes.” In other words, an shtml file carries instructions for a server to process information even as you are viewing the file. Coming from the hands of a criminal, an shtml file is capable of doing serious harm to a person’s local computer by employing the processing power of a server to inflict damage. At first we thought this email was just another plain old phishing scam. However, we cracked open the file and, when we looked at the code, we found this precious snippet…
The personal data being collected by the shtml file is posted to a website in Palau (2-letter country code = .pw) called ebitcoin.pw. Palau is an archipelago of more than 500 islands, part of the Micronesia region in the western Pacific Ocean. We found this particularly interesting because of the recent popular association between bitcoins and ransomware. (Check out this article on the Bitcoin News Service titled What Came First, Bitcoin or Ransomware? – March 25, 2016.) We wondered if this shtml file, with directives issued by a server and a link to a site named for bitcoins, was in fact a malicious initiation of encryption if opened on a personal computer. Of course we didn’t want to risk viewing the shtml file in real time, so we can’t be certain. Also, the domain ebitcoin.pw was registered on March 17 by Dumitru Bogdan through Namecheap.com. What makes this even more curious is that legitimate bitcoin sites can be found at bitcoin.org and bitcoin.com, not ebitcoin.pw. Delete fast.
Your Money: Affordable Movers, Bathroom Renovation, and Travel to Alaska
This next email was sent from Movers@clickonthis.pro. “Affordable Movers at Your Service.” The domain “clickonthis.pro” was registered on March 16 using Alpnames to a company called Digital Technical. Our loyal readers will recognize this bogus company because we’ve written about it in several past newsletters… February 24 (http://www.thedailyscam.com/february-24-2016/), March 2 (http://www.thedailyscam.com/march-2-2016/), and March 9 (http://www.thedailyscam.com/march-9-2016/). Just delete!
Thinking about renovating a bathroom and interested in some bathroom renovation resources? Need some ideas for stylish and affordable bathroom renovations? This email will hurt a lot more than it will help. This email’s style looks like so many of the scam emails we report on. There are many ways to investigate this one, but all you need to do is look at the unsubscribe link after the graphic… Look familiar? “Lemon Juice” in Houston, TX? The scammers use this bogus company a lot. When we searched Google for this company along with its address, we got 140 links to scam/spam messages from around the Internet. Check out Google’s returns.
Is your family thinking about travel plans? How about Alaska? According to this email you can “find amazing Alaska cruises” through their link to alaskatrip.pro. And of course it’s another scam from the same criminal gang who sent the other two emails described above. Look at the address in the “unsubscribe here” link under the graphic. Our longtime readers should also recognize the company listed at the bottom of the email. Futurebright Solutions from Grandville, Michigan is another bogus company often used by these criminals to legitimize their scams. We’ve reported on Futurebright Solutions many times, most recently in our newsletter from January 27.
TOP STORY: Shared a PDF on Google Drive
This week’s top story is about another dangerous example of social engineering. What makes this so dangerous is that the email came from a user’s hacked account and was sent to everyone in their contact list. Would you have clicked the link if you had received this email from a friend’s account you recognize?
“So-and-so shared the following PDF: Docup8date1370515.pdf”
Supposedly this pdf file is shared with you on Google Drive. Except it’s a lie. A mouse-over of both the “Open” button and the pdf link shows that they point to a file on the webserver compuvellsadecv.com.
Compuvellsadecv.com? This is certainly not Google, but is it safe to check out? We asked both Virustotal.com and the Zulu URL Risk Analyzer to check this link. Their responses were crystal clear…
In fact, Zulu found 7 malicious links waiting for you at the website compuvellsadecv.com. This is a definite delete! We say it over and over! Mousing over a link to see where it leads BEFORE clicking is one of the most important skills people need to stay safe. We have many links on TheDailyScam.com that teach folks how to mouse-over.
FOR YOUR SAFETY: Image PDF, Fax Transmission, and Invoice Statement
Is it a pdf? Or an image? Or a pdf file of an image? But these emails all come with an attached zip file. Of course the file is malicious. Here’s a sample and below you’ll see a screenshot showing many such emails targeting one email server. We’ve obscured the “from” addresses as well as the “to” addresses because the emails were spoofed so that they appeared to be sent from the same person who received the email. This trick is a well-practiced form of social engineering meant to engage your curiosity. Why does this email come from me? What is this? CLICK.
Expecting a fax? “Please find attached to this email a facsimile transmission we have just received on your behalf.” Yeah, right.
Delete!
“Please find attached the statement (S#516105) that matches back to your invoices. Can you please sign and return.” Except that the zip file is malicious. And we all say….deeeleete!
What do these next 3 scams have in common? Look closely… And then check out what the Zulu URL Risk Analyzer has to say about what they all have in common!
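The two tricks described above and in the top story, a link whose visible text claims a Google Drive share but resolves elsewhere on mouse-over, and a “from” address spoofed to match the recipient, can both be checked mechanically before anyone clicks. The Python below is an added example written for this newsletter, not code from TheDailyScam; the sample message is constructed for illustration, reusing only the webserver name and pdf filename quoted in the top story, and the `.zip` attachment stands in for the malicious zip files described in this section.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

RISKY_EXT = (".zip", ".shtml", ".html", ".htm")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def check_message(raw, claimed="google drive", real_host="google.com"):
    """Findings for one raw message: a From header spoofed to equal To, risky
    attachment types, and links in a body that invokes `claimed` (a Google
    Drive share here) but resolve outside `real_host`, as a mouse-over shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender, rcpt = str(msg["From"] or "").lower(), str(msg["To"] or "").lower()
    if sender and sender == rcpt:
        findings.append("from-equals-to")  # the "why did I email myself?" trick
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("risky-attachment:" + name)
        if part.get_content_type() == "text/html":
            html = part.get_content()
            if claimed not in html.lower():
                continue
            for href, text in LINK_RE.findall(html):
                host = (urlparse(href).hostname or "").lower()
                if host != real_host and not host.endswith("." + real_host):
                    findings.append(f"link-mismatch:{text.strip()}->{host}")
    return findings

# Constructed sample combining the lures above; not a real captured message.
SAMPLE = """\
From: me@example.com
To: me@example.com
Subject: So-and-so shared the following PDF
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>So-and-so shared the following PDF on Google Drive:</p>
<a href="http://compuvellsadecv.com/Docup8date1370515.pdf">Docup8date1370515.pdf</a>
<a href="http://compuvellsadecv.com/view">Open</a>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Image_PDF.zip"

--b1--
"""
```

Running `check_message(SAMPLE)` reports the self-addressed From header, both mismatched links, and the zip attachment; a genuine share whose links stay under google.com produces no findings.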
ON THE LIGHTER SIDE: Excessive Sweating
Imagine having to do a presentation for your boss and a whole group of executives. Can you feel the pressure? Are you starting to sweat? Thank goodness for this product. It’s certainly original!
Until next week, surf safely!