May 23, 2018

[hr_invisible]

Phish NETS: Chase Bank, Netflix, and USAA Bank

This week’s phish were all caught recently by TDS readers.  As one woman pointed out to us, the awful grammar and typos made it pretty easy to spot.  Not to mention that these emails didn’t come from the sources they claim to represent. This first one didn’t come from chase.com for example.  The presentation is not professional, grammar is not great, and the tense of a verb doesn’t fit.  The recipient isn’t identified by name or account number. And, by the way, Wells Fargo and Chase are two completely different companies!

This next email claims to be from Netflix but the email address that follows is service404 “@” noreply.net.  Not even close!  They are trying to capture your login credentials, but more importantly, trick you into revealing your credit card information including security code.

A BIG fat delete!

USAA Bank has been targeted pretty heavily by phishing scams.  However, a keen eye can spot many things wrong with this email, starting with the from address!  Also, look in the USAA Security Zone grey box in the upper right corner.  Do you see your account number there? And there may be “new document(s) for you” but they don’t even identify YOU!  The link “View Your Documents” points to a hacked website in South Africa. The country code in the link is “.za”. This may seem an odd country code for South Africa but it comes from the Dutch words for the country… Zuid-Afrika.

[hr_invisible]

[hr_invisible]

YOUR MONEY: International Wire Transfer Payment and Computer Purchase on Ebay

Though this next scam is not meant to target individual consumers, it has been targeting schools and non-profit organizations during the last few months.  We heard from the CPA at a school who told us she received a very short email made to look like it came from the School Principal with a simple message… “Are you in?” and signed by the Principal.  The CPA was savvy enough to recognize that the actual email address that followed the Principal’s name was not the real email address for the principal.

From: School Principal <jackdbrown “@” lycos.com>

And then five minutes later, the CPA received another email with instructions:

The School CPA simply deleted the emails after sending us copies.  The next day, she was contacted again but from a slightly different email address: myprivte-e “@” lycos.com

Lycos offers a free email service that was used by these criminals to target the school’s business office.  Though we can easily find a registered Hong Kong business called the “Lida Import and Export Trade Co Limited” listed on this website of Hong Kong businesses, the business itself has no website, no address and no other information about it.

These fraudsters were easy to spot.  However, real professionals can completely spoof the Principal’s email address so that it appears to be the real one, or they can code the email so that it only displays the Principal’s name as a link to the email address (and thus harder to spot unless you mouse-over the name.)  Or the Principal’s real email account could have been hacked and an email sent in his or her name. This happened to a Massachusetts independent school in April, that nearly resulted in the transfer of more than $10,000 to overseas criminals.  In our research about this fraud, we’ve heard from other schools who have also had their business offices targeted by phishing emails disguised as Heads of Schools as well as private school board members.

We also recently learned about a scam from a Reddit user named t_for_top  targeting eBay visitors.  He found a Samsung Galaxy Note 8 phone for sale very inexpensively on eBay. It was about half the normal retail price.  However, the seller wanted the buyer to purchase it by using eBay gift cards. Here’s the final message from the seller…

“I got the confirmation from eBay, that they’ve sent you the invoice for the transaction. Let me know if you’ve got it and you understand the terms of the transaction. It’s a very simple and quick process. You need to confirm $400 to eBay with the eBay cards. They`ll need to verify the code from the eBay cards…they just need to verify if you have the cash, the money stays on the eBay cards. As soon as you receive and inspect the phone you’ll have to hand over the cards to the delivery agent so the money can be transferred to me. Keep me posted, please.”

As one Reddit respondent put it…”when buying on eBay, pay through eBay.”  The criminal was trying to fool the buyer into “verifying” his intentions and means to pay by showing the seller the code on the gift cards.  That would be akin to giving the money to the seller! eBay gift cards have nothing to do with paying through eBay and, like a moneygram or Green Dot money card, giving someone the code on the card is the same as handing them the value of that card.  It takes just seconds to cash it in. Caveat emptor!

[hr_invisible]

[hr_invisible]

TOP STORY: Bogus Phone Texts, Popups & Calls

If you have a smartphone, you’ve probably been getting random messages and calls from unidentified or spoofed sources.  Even four or five years ago this was considered an oddity and unusual. Unfortunately, today we expect it and no one seems exempt.  (If you have elderly parents or younger children with smartphones, it’s important to have a conversation with them about this fact so they know not to respond and to let you know how they may be targeted by criminals.)  Below are several examples of what we mean. These two texts came to the same phone a day apart and are about losing weight.  The first came from (219) 333-4273 and appears to be an invitation to try a weight loss supplement by paying only shipping and handling.  The link points to a domain identified as Sanscram[.]com.  Even IF you were naive enough to consider this, you should know that the domain sanscram[.]com was registered on the same day this text was sent.  And that’s never a good sign!  A WHOIS lookup shows that it was registered to someone named “Ben Williams” from the company Clear Box Solutions, located in Palm Beach Gardens, Florida.  Except that the only company called Clear Box Solutions that Google can find is an engineering firm in the UK. Also, waiting for you on that website is a redirect to another website called bizarreluckynews[.]com, registered on April 2nd.

And the next day came this text to the same recipient from (240) 221-6227.  It is also about weight loss and clearly matches the previous text. Spokeo.com, a people search engine, traced the first phone number to a mobile phone in Crown Point, Indiana.   It then tracked this second one to a mobile phone in Kensington, Maryland. And this second domain, Sankelp[.]com was also registered by Ben Williams on the day the text was sent.  And a day later the WHOIS record was modified and Ben’s name was removed, along with other registrant information.  Does any of this sound the least bit trustworthy?

How about this screenshot sent to us by a young teen who does not have a Facebook account but does have  the good sense not to believe it… “Congratulations! You have been randomly selected to spin and get (1) unclaimed reward.  Click OK to start!” We can’t trace any more details about this phone popup.

Would you trust it?

A TDS reader contacted us just a few days ago to say that she received five calls in just two days claiming to be from Apple computer.  The automated message said there was a problem with her “Apple device” and to press a number to be directed to the Apple Support Advisor.  She hung up but sent us two of the recordings as a video file (see below). She looked up the phone number displayed by Caller ID only to discover that it was for an Apple store in another part of the country.  She called it and got a recorded message saying that the store’s phone number was being spoofed by criminals who were trying to get personal information from Apple Customers.