May 30, 2018

[hr_invisible]

Phish NETS: Unusual Sign-In Activity to SBC Global

“Unusual sign-in activity”  This smelly phish targeted SBC Global email customers. (Southwestern Bell Communications)  SBC Global was acquired by AT&T back in 2015, which can explain why you see AT&T referred to in the header..  The email claims to be from “ATTCustomerCare” but came from a subdomain of a prodigy.net account. A mouse-over of the link “replying” or “Please reply us” shows that it points to several oddball email addresses including support “@” puffexcaliber[.]net..  The date “24/05/2018” is written in the European/Asian format of day first rather than month first, as we do in the U.S. Sooooo many red flags to this junk.

Just delete!

[hr_invisible]

[hr_invisible]

YOUR MONEY: Amazon Prime Reward and Borrow from a Trusted Resource

We’ve seen this next social engineering trick before, often around Easter time.  “Your Order Has Arrived!!” says an email that seems to be from Amazon Prime, but actually came from the domain kabayaweb[.]com.  Though this domain was registered in 2016, there is some evidence online at a ransomware tracking site in Chile that says the domain was used to host ransomware at one point.   In 2017 this domain appears to have been moved to a hosting service in Aruba and was registered from Tangier, Morocco without a registrant name.  The link for your “Amazon reward” points to a shortened link using the shortening service ow.ly….

We unshortened that ow.ly link to discover that it points to a website called draphterpine[.]com.  Though we are unable to prove that draphterpine[.]com is malicious, it has the hair on the back of our neck standing on end.  We took screenshots of this link twice, several days apart, and got two different pages of websites claiming to offer free online movie streaming.  One was for Book Bugg and the other was for Phasicfun. On the Book Bugg screenshot visitors are informed they can call 1-877-000-0000 for assistance.  (see below) Does any of this sound the least bit like a reward from Amazon?

Deeeeelete!

Screenshots taken of draphterpine[.]com:

This next email was sent to us from a TDS reader.  “Hi, We are excited to let you know that you are now eligible to request funds for bill payment, car repair, or unexpected expenses.”  Excited, they are?  “Login to your account”  What account?  The email came from an account named “WiliamsSonoma@…” with a domain name so long that it doesn’t make sense and we’re unable to trace it.  However, the email content claims to be sent from “Fast Lends” and the link provided to login points to a secure website offered through Googleapis.  According to Wikipedia, “Google APIs is a set of application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration to other services.”  However, don’t assume this means that link is safe! Look below at the VirusTotal.com evaluation of that link!

A screenshot of that link’s destination appears to be for a lending service called “Fast Lends” but that is not true!  After visiting the real Fast Lends website, we see that these criminals simply stole content from the real site. This is phony baloney and we can only imagine the amount of very personal information they will ask visitors to provide as they apply for a loan.  Unless, of course, they just don’t care about your personal information and hit you with malware.

[hr_invisible]

[hr_invisible]

TOP STORY: Chinese Knockoffs or Something Else?

Over the years, we have sometimes exposed name brand knock-off sites associated with Chinese companies that either appear to be very sketchy or down-right scammy.  During the last couple of months we have seen a significant uptick in these email promotions, which usually begin with a lure of 80% or 90% off retail price. Just recently we received three of these in a few days, all claiming to sell different designer brands.  We believe that they are extremely risky to purchase through and wanted readers to know how to recognize them and understand why we don’t recommend them.

Let’s start with this email from COACH <katrina “@” geneva.kjmeb[.]com with the subject line Don’t Miss It! FINAL DAY Online Only Sale.   Obviously this email was not sent from Coach.com, Ray-Ban.com or any other recognizable retail center.  What marketing or retail firm trying to sell Ray-Ban sunglasses would use COACH or Katrina in the from email address?  The email came from the domain kjmeb[.]com (“geneva” is a subdomain and not important.)   Finally, the links in this email point back to a domain called rwshop[.]top. (with a subdomain called uo8g6)

A WHOIS lookup of the domain kjmeb[.]com shows that it was registered in China on April 17, 2018 by someone named ChenChang Wen from Beijing, China.  And a WHOIS lookup of the domain rwshop[.]top shows that it was registered on December 27, 2017 by someone named Gong Ying Hong, representing the company Nexperian Holding Limited located in Hangzhou, China.  It’s worth noting that a recent screenshot found on the WHOIS on May 25 shows that the rwshop[.]top is a website selling bluetooth speakers.

The fact that the email comes from a different domain than the links point to, and that these domains are newly registered is suspicious.  Also, we’ve written about Nexperian Holding Limited several times before.  In the Your Money column of our February 7 newsletter, we wrote about other “crap” domains registered to this company and provided a link to a trade disagreement brought against them by the World International Property Organization. Though we have found many crap domains registered to Nexperian Holding, we can’t find a website for the company itself.

Here’s another one of these recent name brand deals for Coach products.  “W-O-W. Jump right in to 80% off!” states an email from cynthia “@” gloria.nchhg[.]com. This domain was registered by a WHOIS privacy service located in Shanghai, China on December 25, 2017.  The links in this email point to the domain eerr[.]top.  And eerr[.]top was registered by someone named Gong Ying Hong from Hangzhou, China on September 22, 2017 for Nexperian Holding Company.

Why should Nexperian Holding Company use so many different and recently registered domains to sell their products if they were legitimate?  Why can’t we find a website or other information representing this company as a legitimate retailer?  It’s as if they are trying to hide something.

And just to make the point, below is yet another email our honeypot account received recently for 90% off Oakley sunglasses.   You can clearly see the pattern repeated. The email was sent from one crap domain, vmnym[.]com (Registered through a WHOIS agent in China on December 15, 2017) and contains links to another crap domain mzbuy[.]top (Registered on January 19, 2018 to Ye Xiao Jing from Nexperian Holding Company.)  And so we ask our readers… Would you trust this company enough to give them your credit card information and expect to receive genuine products?

We don’t.