May 24, 2017

THE WEEK IN REVIEW

The vanity scams we wrote about last week have continued to appear in different email designs all week.  One example is this email with the subject line “You have been Selected from thousands of others” and the opening words “Dear Distinguished Professional.”  It claims to represent the 2017 Edition of Who’s Who among Executives and Professionals.  In our humble opinion, every one of these “Who’s Who” publications is a scam, but this one is special.  It’s another social engineering trick to infect your computer with malware.  Check out the Zulu URL Risk Analyzer score!

Do people really fall for these “survey shopper” emails offering to pay someone to shop?  Look this one over and ask yourself if it inspires confidence as a legitimate job…


Sample Scam Subject Lines:

9 Reasons to ALWAYS Eat Coconut Oil (#3 is golden)

Apple Vinegar burns Calories!

Drink 2 a day to Shred 20lb Of Nasty Fat Shark Tank

Improve Your Home’s Roof with Memorial Day Specials

Invitation to Professional Business Network

Message for you

Must-Have iPhone Accessory, Professional Clip-on Lenses – Spring Discount

New device slashes power costs

Printer Ink – Save up to 85% off

Re 65145  [And many other sets of numbers]

Sex offenders in your area?

Teach Yourself Piano

This movement damages your spine

Sample Scam Email Addresses

1-ink @ oneinkjcjhs.pro

easyfurnitureplans @ tedoorking.party

caringforaparentcom @ cariparnt.pro

healthyliving @ bloodgf.party

Heart-Attack.Fighter @ famous.edaeh.us

only.the.best-[YOUR EMAIL] @ relationshipsisbusiness.com

pianopractice @ pianodjfjd.party

professional.business.network-[YOUR EMAIL] @ bizmaiwho.com

reform @ wwwstockx.com

ricoh @ childburn.org

Search_For_Offenders_Kids_Live_Safe @ twist.draky.us

Ted @ wwwstockx.com

Wine.of.the.Month @ notion.gainl.us

Phish NETS:  PayPal Security Alert, Amazon Account Closing, Apple Account Suspension, and Standard Chartered Bank Credit Card Application

Wow! The diversity of phishing scams this past week has been fascinating!  Let’s start with this PayPal Security Alert sent from dffd @ stabletransit.com, not Paypal.com.  “Dear Client, we have noticed some data from your account information seems inaccurate or unverified.  You have to check your information in order to continue using our service smoothly…”  Smoothly?  (Created by a native English speaker?)  The link points back to a hacked website that commemorates “Guy Fawkes” day in England. (An interesting piece of UK history – check it out!)  We’ve notified them of the hack.

This next phishing scam wants you to think it came from Amazon.com but anyone who reads carefully will see through it pretty quickly.  It came from the domain Amazingjos-DOT-biz.  “We need your help” followed by an Amazon purchase number.  “We take you to note that your account has been closed for protection…” Read the rest of the email and you’ll see that the creator’s first language is, once again, not English.  A mouse-over of the link “Confirm your account now” reveals a secure https link because it points to a shortened link at bit.ly.  We used URLex.org to unshorten it and discovered the L O N G E S T use of subdomains we have ever seen!  This trick was meant to make it harder for anyone to see that the link points back to the domain amazingjos-DOT-com (not .biz).

The domain amazingjos-DOT-com has 11 subdomains in front of it in this link, beginning with “amazonupi” followed by “comi.”  These two sub-domains have the effect of appearing to the victim as amazonupi.comi.  Slick.

Now delete.
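The two tells in the PayPal and Amazon items above (a From: address whose domain is not the brand’s, and a link whose real domain is buried behind a pile of subdomains) can be checked mechanically.  The script below is an added example, not code from The Daily Scam: it parses a From: header and flags a brand/domain mismatch, and it splits a link’s host so the registrable domain stands out from however many subdomains precede it.  The display name on the From: line, the BRAND_DOMAINS table and the eleven-subdomain sample URL are constructed for the demo, since the issue does not print the real bit.ly target.

```python
# Added example (not from The Daily Scam): two checks an analyst script or mail
# filter might run on the PayPal and Amazon phishes described in this issue.
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed brand -> legitimate sending domains.  A real deployment would build this
# table from the brand's published SPF/DMARC records; these entries are illustrative.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header ('' if none)."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def sender_mismatch(from_header: str, claimed_brand: str) -> bool:
    """True when a message claims a brand but its From: domain is not one of that
    brand's domains (or a subdomain of one).  dffd@stabletransit.com claiming to be
    PayPal is the case from the PayPal item above."""
    dom = sender_domain(from_header)
    allowed = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    return not any(dom == a or dom.endswith("." + a) for a in allowed)


def analyze_link(url: str) -> dict:
    """Split a link's host into its subdomains and its registrable domain.

    Simplification: the registrable domain is taken as the last two labels.  Production
    code should consult the Public Suffix List so hosts like example.co.uk are handled."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []
    registrable = ".".join(labels[-2:])
    subdomains = labels[:-2]
    return {
        "host": host,
        "https": parts.scheme == "https",      # a padlock says nothing about who owns the host
        "registrable_domain": registrable,     # what the browser actually connects to
        "subdomain_count": len(subdomains),
        "leading_labels": ".".join(subdomains[:2]),  # what the victim's eye lands on first
    }


def brand_only_in_subdomains(url: str, brand: str) -> bool:
    """True when the brand name appears in the subdomain labels but not in the
    registrable domain: the amazonupi.comi.<...>.amazingjos.com pattern above."""
    info = analyze_link(url)
    brand = brand.lower()
    in_subs = any(brand in label for label in info["host"].split(".")[:-2])
    return in_subs and brand not in info["registrable_domain"]


# Constructed samples.  The address is the one quoted in the PayPal item; the display
# name is assumed.  The URL is a made-up stand-in with eleven subdomains in the shape
# the Amazon phish used.
SAMPLE_FROM = "PayPal Security <dffd@stabletransit.com>"
SAMPLE_URL = "https://amazonupi.comi.x1.x2.x3.x4.x5.x6.x7.x8.x9.amazingjos.com/confirm"

if __name__ == "__main__":
    print("From: domain mismatch:", sender_mismatch(SAMPLE_FROM, "paypal"))
    for key, value in analyze_link(SAMPLE_URL).items():
        print(f"{key}: {value}")
    print("brand only in subdomains:", brand_only_in_subdomains(SAMPLE_URL, "amazon"))
```

Run it and the report shows the registrable domain amazingjos.com sitting behind 11 subdomains whose first two labels read amazonupi.comi, while the From: check fails because stabletransit.com is not a PayPal domain.  The https flag is reported separately on purpose: as the Amazon item notes, a padlock only means the link is encrypted, not that it goes where the brand name suggests.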


Who does this Apple phish think it’s fooling?  It came from an address in Spain (.es = España = Spain) and begins with the hilarious opening “Reversed Customer.”  The rest of the email is just as silly.  The link for “Click here to activate the account” points back to a webserver belonging to Gigas Hosting service in Madrid, Spain.

Deeeeleeeeete!


A TDS reader sent us this email he received from Standard Chartered Bank of India, but it actually came from hello @ mailerassist.com.  The email is a phony pitch for a credit card.  Hidden in the link revealed by mousing over “APPLY NOW” is a redirect to the domain icubeswire-DOT-com. (A legitimate, but hacked, website.)  This phish is meant to capture very personal information.  We followed it to its home and took a screenshot of just a little of what it asks victims to provide.  Have a look below.  It is nearly impossible to tell this apart from a legitimate credit card application!


YOUR MONEY:  This Old House Shed Plans, Tricks to Reactivate Dead Batteries, and Wine Club

Do you know someone who likes to build with their own hands?  We do, and it is exactly this type of do-it-yourselfer that is likely to fall for this malicious email. The email claims to represent “This Old House” and offers thousands of plans to build your own shed.  However, the email is riddled with punctuation and other subtle English errors.  The unsubscribe notice is for an address we’ve been seeing often during the last few weeks…  “Kinzer Ave, Danville, VA.”  The domain mtysheds-DOT-pro was registered the day the email was sent and is being hosted in the Czech Republic.

Delete.


Our home do-it-yourselfers are being targeted again!  How about this “Easy Trick to Reactivate Dead-Batteries” from dilly @ prodimplan.com.  The domain prodimplan.com was registered on April 21 by someone named “Naomi Nevius” from an organization called “Dubrow” using a registrar in Australia.  The domain is being hosted in Montreal, Canada.  Notice the random text at the bottom of the email in powder blue?  When we search for the unsubscribe address offered at the bottom of the email, we can’t find any such street in Saint Cloud, MN, but we do find a link to a fake email on email-fake.com.

The criminal gangs who target us sometimes do their homework well.  They find legitimate businesses or products and then create wolves in sheep’s clothing to mimic these legitimate groups.   Case in point… Winc Wines.  This next mimic wants you to believe it represents Winc Wine Club but notice that it came from help.safep.us.  The links are malicious and point back to safep.us.  Just delete and raise your glass to toast that you didn’t fall for this scam!


TOP STORY: Photo Keeper or Contact Creeper?

Imagine sitting down for an hour with an investigator and giving him or her complete access to your smart phone.  What would your phone reveal about you, your life and habits? Your family and finances? Your friends and personal communication?  If you are like most people, by the end of that hour your PI would know a lot more about you, your family and friends than you might be comfortable with!  And if this PI were unscrupulous, could he or she find a way to make money from your information?  The answer would undoubtedly be yes.  Which brings us to this week’s Top Story…

A TDS reader sent us this email that appears to come from an app called “Photo Keeper.”  “Hi, you just got photos!” “Contacts in your network added their photos. View them on Photo Keeper.”  Our savvy TDS reader had never heard of Photo Keeper, had no friends she knew of using this service AND recognized the street address listed at the bottom of the email as a misused address we have written about many times!  Have a look…


The address Photo Keeper uses is a mail drop in Grandville, Michigan. (Read our apology to Grandville!) A mouse-over of the link to “View Photos” shows that it leads to the secure domain photokeeper-emaily.com.  Google cannot find any website by this domain and ServiceHostNet.com reports that the domain was created and is hosted through Amazon services.  We used Screenshot Machine to peek at this domain’s top web page and it shows us what appears to be a service and/or app for your phone, identical to the website of Photokeeper.com.


Are you interested in signing up for this particular service?  Installing it on your smartphone?  It’s free after all, so why not?  But try a Google search for either Photo Keeper email spam or the domain photokeeper-emaily.com and you’ll see lots of complaints about this app/service being a scam and misusing people’s contact lists.  This Fox News article from January 18 claims that Photo Keeper is a sophisticated trick to steal usernames and passwords.  The app self-propagates by sending an email invite to everyone in your contact list.  Some users on Reddit.com also reported in January that this scam came from the email address notify @ photokeeper-emailg.com.  We can’t help but notice that emailY.com, seen a few days ago, is alphabetically after emailG.com, reported in January.  Could these scammers simply be adding one letter after another as they continue to create bogus domains?  We randomly looked up photokeeper-emailT.com and photokeeper-emailM.com and found both had been registered through a proxy privacy service, like the others we mentioned.  Apparently, there is a method to this madness.

Read this blog post from Zyzmog about Photo Keeper.

So what’s our point?  Besides the obvious one that this app/service appears to be misusing your personal data?  Over the years there have been many examples of apps and services, even “legitimate” ones, that have gathered and misused people’s personal data.  Below are a few articles about this.  As always, caveat emptor… Let the buyer beware.  If it is free then you are not the user! You are likely the product being sold and marketed to others in one way or another.  And even well-meaning and legitimate apps can be hacked and misused.  We ask people to always think carefully about the information and content they put online or provide through an app.  No one can guarantee 100% control and safety of your information.

12 Most Abused Android App Permissions [from TrendMicro.com]

Beware Downloading Some Apps or Risk “Being Spied On” [from CBS News]

Careful: Some Free Apps Can Steal Your Data [from USA Today]

Marble Security’s PrivacyHawk Identifies Risky Android Apps That Steal Personal Data and Take Over Smartphones [from GlobeNewsWire.com]

Some Popular iPhone Apps Might Be Secretly Leaking Your Information [from BGR.com]


FOR YOUR SAFETY:  WhatsApp Voicemail, Docusign Legal Document, UPS Delivery Notification, and Useful Docs

We’ve spotted several emails that look like notices from WhatsApp about new voice messages.  None of them come from WhatsApp, and the links are all malicious.  This one below points to malware hosted on a hacked website, but that website file leads you to believe that you can purchase erectile dysfunction drugs like Viagra (see screenshot below).  Any man stupid enough to think that this is a good place to buy meds for his ED is beyond our ability to help.

Delete.

Read the “From” email address very carefully in this next email!  Do you spot the typo?  This was very clever, and at first we thought it was a phishing scam to capture people’s Docusign login credentials.  However, after a bit more research we learned that this is a very sophisticated effort to trick people into installing malware through infected Word files.  Read this article from TechHelpList.com, which exposes this attack very clearly.

Emails claiming to be undeliverable packages from UPS, FedEx and other services including the U.S. mail are a constant threat in the criminal arsenal.  Here’s another one of many we see, week after week.  The attached Zip file contains malware.

Ouch!


Know Nicholas?  He seems to know you, friend.  “Remember you were looking for these docs?  I’ve found them on…”  The link is malicious.  Enough said.

Delete.

ON THE LIGHTER SIDE:  Looking For People Who Can Speak English!

We are always willing to help exterior employees!  In fact, it’s what we do best.  So we’ve signed up to be a correspondence corrector for Aaron Todd (Or is it Mike Bike? Or is it Robert Gav Lovskiy?  We can’t quite tell, can you?)

From: Aaron Todd <mikebike@suddenlink.net>
Date: Mon, May 15, 2017 at 4:57 AM
Subject: Vacancies available for you

Hello,

Our rapidly growing company starts a  position of a business correspondence corrector for the people who can speak  English perfectly to help in dealing with our exterior employees. Your job responsibilities will include looking through our business text files and editing spelling and grammar lapses that we could make. Your professional responsibilities will be looking through our business documents and eliminating spelling and grammar  inexactness that we could make

The work takes about 1-2 hours  daily. You may do this on your spare time; Payment tariffs for the work done: Each 1 Kilobyte (1024 symbols) of text content is compensated by $5

This letter to you is about 1 Kb of size. Altogether, it will increase your income up to about $2500 per month

Country of residence: this position is only for US residents

If you wish to work with us,

please contact us via email: Gav.lovskiyRobert@gmail.com , add your First + last name and your house location!

Until next week, surf safely!