THE WEEK IN REVIEW
My gosh, criminal gangs must think that America is obsessed with losing weight! We have been seeing LOTS and LOTS of malicious emails disguised as methods and tricks to lose weight, follow amazing diet plans, gobble weight loss pills, or try alternative ways to be healthy. Though these emails come from a wide variety of email addresses and point to an equally wide variety of malicious domains, they are all very similar in design. Also, every email we opened also contains a web beacon to inform the criminal sender that we’ve opened it, when and how many times. Oops. Web beacons can often be seen embedded at the end of an email as a tiny square or rectangle. We’ve pointed one out in the first of these samples but you’ll see them in the other samples as well.
[hr_invisible]
[hr_invisible]
[hr_invisible]
Also, “shocking” and unbelievable lies continue to be the staple of criminal social engineering tricks such as this email saying that “Ellen resigns during her show Monday” …or was fired, depending on the part of the email you read.
[hr_invisible]
Speaking of social engineering… What mother wouldn’t open this email about a possible sex offender registered in her child’s neighborhood? Don’t be tricked by this scam…
[hr_invisible]
Sample Scam Subject Lines: Apple Vinegar Burns Calories! Confirm your address for your package #5497F3901 Controversial Bottle Info Gluttony is a deadly sin, learn how you can stop being a sinner and lose extra weight Hey Dude – check this out It might be too late…(open now) Lock in rate as low as2.99% (3.12% APR*) today Melts Your Belly Quicker Then Running 6 miles a Day READY: Try Nike Samples on Us! Secret 2 Minute Mind Control Trick This Economist Has News About The US Dollar We found the perfect home for you Your Home_Security_Confirmation:
Sample Scam Email Addresses 1inkcom @ oneinkjhg.top ABCNews_Feature @ qualify.dcurled.us ABCNewsLifestyle @ maximum.steotly.us Boostmycredit @ boostme.party Dogwhisperer @ braininggs.top Fitnessprogram @ flaellyeht.top Floaterseyes @ eyeoateore.party Fox-Exclusive @ blind.jblance.us Healthnews @ memres.pro Iodine @ toesfungusremoved4.com Job @ lsup.net Michelle @ marknetwork.com property-manager-[YOUR EMAIL] @ before1stay.top
[hr]
[hr_invisible] Anyone paying close attention will know this is a scam. The email comes from GoogleNotify but the email address reported is from the domain screwupmovies-DOT-com. A simple mouse-over of the link for View messages or Learn More shows that it points to a phishing page on a hacked website for teachjim.com. We’ve informed the webhosting service of this website because we can’t find any way to contact “Jim” or know if he really exists. [hr_invisible] “Great news, we’ve shipped your order” Is this from iTunes or Netflix? Or both? Of course the answer is neither. The email came from noreply5 @ charter.com. Most importantly, both VirusTotal.com and the Zulu URL Risk Analyzer show that the link points to a Russian website that is seriously malicious and meant to phish your login credentials. Ouch! [hr_invisible] [hr_invisible] [hr_invisible]
Phish NETS: Google’s Gmail, iTunes or Netflix?
“What will you buy with your $50 Costco Easter Giftcard?” says this email from CostcoCustomerRelations @ drown.spokern.top. This is the perfect opportunity to remind our readers that anyone can create an email address that says anything in front of the “@” symbol! But that doesn’t make it true. A lookup using our favorite tool, WHOIS, shows that spokern.top (“drown” is a subdomain because it is separated from the domain spokern by a period.) was registered using Alpnames by somone listed as “Teodor Lames” from Zurich, Switzerland on the day this email was sent. Sound legitimate to you? And that “click to unsubscribe” address in Reno at the bottom of the email is a malicious red herring sending you to the same site as clicking the main link. A big fat delete. “We found the perfect home for you” “Search in your area for rent to own homes.” Hold on! Anyone notice the spammy light yellow text at the bottom of this email? We’ve highlighted it. It begins with “Hundreds of pot smokers unabashedly gathered outside the Knesset on Thursday…” Great choice of words, don’t you think? It was taken from one of many news sites posting an article on April 20 about Israeli pot smokers, such as this one at CNN. The domain government4cross.top was registered using Alpnames by someone named “Joshua Johnson” from the organization “pal ink” located in Bangor, Maine. And if you believe that, then we have land to sell you in Atlantis. Alpnames, once again! That registrar service needs to have it’s hand slapped pretty badly because they seem to make a LOT OF MONEY by allowing malicious domains to be registered with them by the thousands. Where’s the Internet police when you need them? Oh yeah, there are no Internet police. Delete!
[hr_invisible]
YOUR MONEY: Costco Easter Gift, The Perfect Home for You
[hr_invisible]
[hr_invisible]
On the afternoon of Wednesday, May 3, 2017 the Internet blew up with activity after criminals successfully manipulated Google to send out hundreds of thousands of malicious emails to Google account holders. This trick hit schools, universities, and other non-profits especially hard as they are big users of G-Suite (formerly known as Google Apps for Education.) Apparently, clicking the link in this fake email sends you to a permissions screen where you are asked to give permission to “Google Docs” but it isn’t the real Google Docs app. It’s a wolf in sheep’s clothing. This phony-balony “Google Docs” app scours your email content and also steals email addresses too. It will self-propagate by sending the same scam to everyone in your inbox and address book. So others get this scam email from someone they know making you particularly vulnerable. Have a look…. [hr_invisible] Imagine getting this from someone you know. Seems pretty simple and innocuous, right? Let’s do what we’ve always taught our readers…. Mouse-over the link “Open in Docs” and see what it reveals: [hr_invisible] According to the beginning of the link “Open in Docs” it points to the very legitimate accounts.google.com using secure protocol identified by https. But that’s only part of this brilliantly crafted scam. Hidden in that link is a redirect to a fake domain called gdocs-DOT-pro. If you go back to the email above and look carefully through all the text displayed by mousing over the link, you’ll eventually see the word redirect followed by the scam domain. The Daily Scam knows of at least nine fake domains that were used in this well planned, coordinated attack that was weeks in the making. Each of these scam domains begins with the subdomain “googledocs.” Anyone can create a subdomain to say anything they want! Every one of these scam domains was registered on April 22 through a proxy privacy service in Panama using the registrar called NameCheap. The fully qualified domain follows the subdomain googledocs… googledocs.g-cloud-DOT-pro
googledocs.g-docs-DOT-pro
googledocs.gdocs-DOT-pro
googledocs.docscloud-DOT-download
googledocs.g-cloud-DOT-win
googledocs.docscloud-DOT-win
googledocs.gdocs-DOT-win
googledocs.gdocs-DOT-download
googledocs.docscloud-DOT-info This attack and misuse of a Google vulnerability was pure genius. Though Google was able to stop the attacks after a couple of hours and repair the vulnerability that enabled it, this raises a simple question for all Internet users… Can I reasonably expect the companies whose services I use on the Internet, like Google, to protect me from possible harm or attack? The answer is overwhelming, and historically, “no!” No one should be surprised by this answer. Every single major Internet service company has been hacked and manipulated. (Case in point…. In 2013, a Lithuanian man stole more than 100 million dollars from Google and Facebook through simple social engineering tricks. Read more.) Ultimately this means you and your data have been hacked, stolen, sold, monetized, etc. This speaks to the most important question for users who fell prey to this scam…. What information do I have in my Gmail or Google Documents that can be used by a criminal for financial gain? Do you keep password and account data, sensitive health information, tax records in your Google account? If so, you should immediately do what is necessary to minimize your risk. For example, change passwords (including to your Google/Gmail account), put a credit-freeze on your name, purchase a credit-monitoring service or similar service that can monitor accounts/services opened in your name, notify your health care providers, etc. You have to assume that the criminals have copies of all your email and documents. What you do depends entirely on the type of personal information that was available in your account. You’ll have to assess your own risks but doing nothing is never a good option. Score 1 for the bad guys. To read more about the recent Google attack, read… https://motherboard.vice.com/en_us/article/massive-gmail-google-doc-phishing-email http://bgr.com/2017/05/03/google-docs-phishing-hack-attack-how-to-delete/ [hr_invisible]
[hr_invisible]
TOP STORY: Google Failed Us. Why Are We Surprised?
[hr]
FOR YOUR SAFETY: Voicethread Notification and Shipping Information Needed
Voicethread is a small multi-media collaborative service. We were surprised to find that it was being used to target people and trick them into visiting a malicious website, but it is. Look at this notificaion which did not come from Voicethread. A mouse-over of the link “Go to Waner Sajbel’s comment” points to a very malicious website called gunerimetal-DOT-com located in Turkey. So says Virustotal.com and the Zulu URL Risk Analyzer. Double ouch!
[hr_invisible]
[hr_invisible]
[hr_invisible]
“URGENT: Shipping information needed for shipment” Inside you’ll find a printable shipping label with tracking bar code. “We are looking for product testers and you have been selected to receive products to test from fortune 500 companies.” **roll eyes** Why anyone today believes this crap we’ll never know, but people do. The link points to another malicious website at kill9game-DOT-bid. Delete and be grateful you dodged a bullet.
[hr_invisible]
ON THE LIGHTER SIDE: Cash Payment Scheduled. (We just can’t figure out how much.)
Somebody wants to give us money but we can’t tell who or how much. Is it $74,642.24 or $18,500.00? (The same exact email appeared on email-fake.com but we can’t show it to you. It contains live links.)
[hr_invisible]
[hr_invisible]
The link in this email is to a shortening service. We followed the bread crumbs and arrived at the Binary Brain Trust Website in the nick of time! There are only 21 memberships remaining for the opportunity of making a minimum of $5000 per day! Wow, we’re excited! Nevermind that the Zulu URL Risk Analyzer says there is a 91% chance that this website is malicious, we’re all in! $5000/day means $35,000/week or $1,820,000 per year.
Sign us up!
[hr_invisible]
[hr_invisible]
—
Until next week, surf safely!