
March 4, 2015

THE WEEK IN REVIEW

Wow what a week! We don’t mean scams, we mean snow! Your TDS team lives in the Boston area and we’re looking at four feet of snow, not counting the drifts. Thank goodness the scammers have kept us distracted from shoveling. Here are just some of the subject lines we saw during the past week…

[Image: email list of usernames]

Scammers will often run variations of usernames for some variety, such as these recent ones:

HomelandSecuritySpecialization@unted.net

HomelandSecuritySchool@unted.net

HomelandSecurityDegree@unted.net

HomelandSecurityTraining@unted.net

 

Readers can also avoid a lot of scams by looking carefully at the subject lines of emails AND the sender’s email address with a very healthy dose of skepticism! We’re certain that most of you would just hit the delete key upon seeing most of these emails in your inbox, or would you?

[Images: email list 2 and email list 3]

Phish NETS: Apple Users Get Targeted Again!

Once again, Apple account holders got hammered last week by a significant phishing scampaign to capture users’ account information. Along with the login credentials, the scammers trick victims into revealing lots of personal information and giving access to the credit card that is on file in their Apple account. We’ve mentioned this many times before. What we want our readers to notice in these nearly identical phishing scams (no doubt put out by the same criminal gang) is both the sender’s email address and the domain name that is revealed by mousing over the link to update your ID.

[Images: three “Update Apple ID” phishing emails]

Between these three emails the scammers have registered five domains meant to trick recipients into thinking they are legitimate Apple Computer related businesses. But they are not!

 

In this recent scampaign over a two day period, TDS found hundreds of bogus emails that were sent from email addresses sounding like Apple Computer:

bounce@applenotification.com

bounce@applenotification.co.uk

bounce@apple-emails.eu

bounce@apple-maintenance.co.uk

 

But none of these come from the domain Apple.com! However, scammers can spoof email addresses too. All of these emails contained links that led to phishing domains meant to sound like Apple. But they are still not Apple.com!

authorizeapple.info

authorizeapple.uk

approvedappleip.com

apple-authorize.info

apple-authorize.eu

If the sender’s email address or link in the email does not exactly match the business it claims to represent, don’t click! If you have any doubts or suspicions, Google the domain name that appears in the link and see what Google returns.

By the way… the fact that legitimate registering companies, like Enom.com, allow people to register domain names without investigating the obvious fraud demonstrates that our safety is really not their concern. It’s a wild, wild west out there.

YOUR MONEY:

Nowadays it isn’t uncommon for many of us to have a PayPal account. PayPal was one of the first “digital wallets” established in 1998. It has also been one of the oldest online banks targeted by scammers. The scam below is a perfect example. At first glance the email appears reasonably well designed as PayPal, but upon closer inspection things don’t seem so legit. Can you spot all the things that identify this as a scam?

Just delete.

  1. The sender’s email address is not PayPal.com. It is email.wpengine.com, a web-hosting service.
  2. The recipient is asked to update his or her account information but is not identified by name or account number. Simply… “Hello PayPal user.”
  3. The grammar and English in the email are full of mistakes and peculiarities, such as the very first line of the opening paragraph.
  4. When we moused over every single link in the email, such as Learn more, See Merchants, Help and Security, they all pointed to legitimate web pages at PayPal.com. There were seven correct legitimate links. But a mouse-over of the blue button called “Login” shows that it points to a website called PinkCityIntranet.in, not PayPal.com. That unusual domain contains a 2-letter country code “.in” which means that the website is hosted in India.

And as if these identifiers weren’t enough, read the “P.S.” that appears after the “Sincerely, PayPal” in the email. We had a good laugh about that one too. “Don’t login from the official PayPal website!”

Addendum: We asked the Zulu URL Risk Analyzer to pay a visit to PinkCityIntranet.in to give us an assessment.  It found six suspicious javascripts running on the top page of the site when visitors arrive and rated the entire site as “suspicious.”

Want to see more gift card scams? Check out this article on our website!

TOP STORY:

For some people there is nothing more enticing than a company giving away money in the form of gift cards for loyalty or for input to an online survey. Companies often run these types of programs. This fact explains why scammers often mimic them in order to target potential victims. In the world of animals, this behavior is a type of mimicry called Batesian Mimicry, but in reverse. Batesian mimicry occurs when an edible animal is protected by its resemblance to a noxious one that is avoided by predators. However, in this reversal it is the malicious emails that mimic the email gimmicks that are attractive to consumers!

Let’s first look at a classic retail malicious mimic…. Walgreens gift card.

This gift card claims to come from, and link to, a domain named oilcouponsnow.com.  A search for this domain on Google shows nothing. No website, no business. Zero. However, a WHOIS lookup shows that the domain is hosted in London, England and the owner is hiding behind a proxy service called WHOISGUARD that is located in Panama. If you look up in Google the “OPT-OUT” address that is written at the bottom of the email, you get a menagerie of links to websites in various languages that seem to use that address for opting-out, including a couple of scam emails posted to the web. This doesn’t inspire confidence.


This next scam asking you to take a survey for a $100 gift card makes no effort at sophistication or legitimacy. Notice the awful grammar and spelling in the email, as well as the random text at the bottom to try to fool anti-spam servers.

 

A search for the website getthebestnewflight-rewards.us turns up nothing in Google and a WHOIS lookup shows that the website was registered in Houston, Texas and is being hosted in Coquitlam, British Columbia (Canada). The registrant is listed as a company called “DestinationWeb Hosting” but a search for this company in Texas turns up nothing.

Just delete!


FOR YOUR SAFETY:

Believe it or not, the next two simple emails are just the kind of emails to initiate a click by a curious recipient. Don’t fall for this! Do you notice the 2-letter country code in the sender’s address? “.uk” is United Kingdom. The attached zip file in the first email contains malware causing a serious computer infection.

 

The second email about an eFax report contains a link that also leads to a drive-by download of malicious software. The link contains a 2-letter country code showing that the link leads to a website in Chile (.cl). Just delete!

ON THE LIGHTER SIDE:

Finally, we’re thrilled to report that we are being inducted into the 2015 World Edition of Who’s Who! We know we’re deserving and it’s about time someone else recognized how amazing we are!

[Image: “You have been accepted by Who’s Who” email]

Until next time….

Surf safely!