May 24, 2017

[hr_invisible]

Phish NETS:  PayPal Security Alert, Amazon Account Closing, Apple Account Suspension, and Standard Chartered Bank Credit Card Application

Wow! The diversity of phishing scams this past week has been fascinating!  Let’s start with this PayPal Security Alert sent from dffd @ stabletransit.com, not Paypal.com.  “Dear Client, we have noticed some data from your account information seems inaccurate or unverified.  You have to check your information in order to continue using our service smoothly…”  Smoothly?  (Created by a native English speaker?)  Link points back to a hacked website that commemorates “Guy Fawkes” day in England. (An interesting piece of UK history –check it out!)  We’ve notified them of the hack.

[hr_invisible]

This next phishing scam wants you to think it came from Amazon.com but anyone who reads carefully will see through it pretty quickly.  It came from the domain Amazingjos-DOT-biz.  “We need your help” followed by an Amazon purchase number.  “We take you to note that your account has been closed for protection…” Read the rest of the email and you’ll see that the creator’s first language is, once again, not English.  A mouse-over of the link “Confirm your account now” reveals a secure https link because it points to a shortened link at bit.ly.  We used URLex.org to unshorten it and discovered the L O N G E S T use of subdomains we have ever seen!  This trick was meant to make it harder for anyone to see that the link points back to the domain amazingjos-DOT-com (not .biz).

The domain amazingjos-DOT-com has 11 subdomains in front of it in this link, beginning with “amazonupi” followed by “comi.”  These two sub-domains have the effect of appearing to the victim as amazonupi.comi.  Slick.

Now delete.

[hr_invisible]

Who does this Apple phish think it’s fooling?  It came from an address in Spain (.es = España = Spain) and begins with the hilarious opening “Reversed Customer.”  The rest of the email reads equally silly.  The link for “Click here to activate the account” points back to a webserver belonging to Gigas Hosting service in Madrid, Spain.

Deeeeleeeeete!

[hr_invisible]

A TDS reader sent us this email he received from Standard Chartered Bank of India but it actually came from hello @ mailerassist.com.  The email is a phony pitch for a credit card.  Hidden in the link revealed by mousing-over “APPLY NOW” is a redirect to the domain icubeswire-DOT-com. (A legitimate, but hacked website.)  This phish is meant to capture very personal information.  We followed it to it’s home and screenshot just a little bit of what it asks victims to provide.  Have a look below.  It is nearly impossible to tell this apart from a legitimate credit card application!

[hr_invisible]

[hr_invisible]

[hr_invisible]

YOUR MONEY:  This Old House Shed Plans, Tricks to Reactivate Dead Batteries, and Wine Club

Do you know someone who likes to build with their own hands?  We do, and it is exactly this type of do-it-yourselfer that is likely to fall for this malicious email. The email claims to represent “This Old House” and offers thousands of plans to build your own shed.  However, the email is riddled with punctuation and other subtle English errors.  The unsubscribe notice is for an address we’ve been seeing often during the last few weeks…  “Kinzer Ave, Danville, VA.”  The domain mtysheds-DOT-pro was registered the day the email was sent and is being hosted in the Czech Republic.

Delete.

[hr_invisible]

Our home do-it-yourselfers are being targeted again!  How about this “Easy Trick to Reactivate Dead-Batteries” from dilly @ prodimplan.com.    The domain prodimplan.com was registered on April 21 by someone named “Naomi Nevius” from an organization called “Dubrow” using a registrar in Australia.  The domain is being hosted in Montreal, Canada.  Notice the random text at the bottom of the email in powder blue?  When we search for the unsubscribe address offered at the bottom of the email, we can’t find any such street in Saint Cloud, MN but we do find a link to fake email on email-fake.com.

[hr_invisible]

The criminal gangs who target us sometimes do their homework well.  They find legitimate businesses or products and then create wolves in sheep’s clothing to mimic these legitimate groups.   Case in point… Winc Wines.  This next mimic wants you to believe it represents Winc Wine Club but notice that it came from help.safep.us.  The links are malicious and point back to safep.us.  Just delete and raise your glass to toast that you didn’t fall for this scam!

[hr_invisible]

[hr_invisible]

[hr_invisible]

TOP STORY: Photo Keeper or Contact Creeper?

Imagine sitting down for an hour with an investigator and giving him or her complete access to your smart phone.  What would your phone reveal about you, your life and habits? Your family and finances? Your friends and personal communication?  If you are like most people, by the end of that hour your PI would know a lot more about you, your family and friends than you might be comfortable with!  And if this PI were unscrupulous, could he or she find a way to make money from your information?  The answer would undoubtedly be yes.  Which brings us to this week’s Top Story…

A TDS reader sent us this email that appears to come from an app called “Photo Keeper.”  “Hi, you just got photos!” “Contacts in your network added their photos. View them on Photo Keeper.”  Our savvy TDS reader had never heard of Photo Keeper, had no friends she knew of using this service AND recognized the street address listed at the bottom of the email as a misused address we have written about many times!  Have a look…

[hr_invisible]

The address Photo Keeper uses is a mail drop in Grandville, Michigan. (Read our apology to Grandville!) A mouse-over of the link to “View Photos” shows that it leads to the secure domain photokeeper-emaily.com.  Google cannot find any website by this domain and ServiceHostNet.com reports that the domain was created and is hosted through Amazon services.  We used Screenshot Machine to peek at this domain’s top web page and it shows us what appears to be a service and/or app for your phone, identical to the website of Photokeeper.com.

[hr_invisible]

Are you interested to sign up for this particular service?  Install it onto your smartphone?  It’s free afterall, so why not?  But try conducting a Google search for either Photo Keeper email spam or the domain photokeeper-emaily.com and you’ll see lots of complaints about this app/service being a scam and misusing people’s contact lists.  This Fox News article from January 18 claims that Photo Keeper is a sophisticated trick to steal usernames and passwords.  The app self-propagates by sending an email invite to everyone in your contact list.   Some user’s on Reddit.com also reported in January that this scam came from the email address notify @ photokeeper-emailg.com We can’t help but notice that emailY.com, seen a few days ago, is alphabetically after emailG.com, reported in January.  Could these scammers simply be adding one letter after another as they continue to create bogus domains? We randomly looked up photokeeper-emailT.com and photokeeper-emailM.com and found both had been registered through a proxy privacy service, like the others we mentioned.  Apparently, there is a method to this madness.

Read this blog post about Photo Keeper from Zyzmog about Photo Keeper.

So what’s our point?  Besides the obvious one that this app/service appears to be misusing your personal data?  Over the years there have been many examples of apps and services, even “legitimate” ones, that have gathered and misused people’s personal data.  Below are a few articles about this.  As always, caveat emptor… Let the buyer beware.  If it is free then you are not the user! You are likely the product being sold and marketed to others in one way or another.  And even well-meaning and legitimate apps can be hacked and misused.  We ask people to always think carefully about the information and content they put online or provide through an app.  No one can guarantee 100% control and safety of your information.

12 Most Abused Android App Permissions [from TrendMicro.com]

Beware Downloading Some Apps or Risk “Being Spied On” [from CBS News]

Careful: Some Free Apps Can Steal Your Data [from USA Today]

Marble Security’s PrivacyHawk Identifies Risky Android Apps That Steal Personal Data and Take Over Smartphones [from GlobeNewsWire.com]

Some Popular iPhone Apps Might Be Secretly Leaking Your Information [from BGR.com]

[hr_invisible]