May 30, 2018

THE WEEK IN REVIEW

It’s important to remind our readers of a couple of critically important tips to use when evaluating the legitimacy of emails you receive.  Internet-based criminals routinely pretend to be someone they are not, as is the case in this email pretending to be from InjuryPartner.com.    However, if you look closely at the from address, you’ll see the most important information is what follows the “@” symbol.  In this case, the email was sent from manners[.]review.  A WHOIS lookup of this domain shows that it was registered on May 27, the same day the email was sent.   An email from a domain that has no history whatsoever is never good! Also, the WHOIS shows absolutely no information for the person or business who registered that domain other than the fact that it was registered from India!  We don’t even know how this is possible to register a domain without any Registrant information. On the other hand, a WHOIS lookup of the real domain injurypartner.com shows that it was registered in 2014 to someone named Kye Duncan from a firm called Leadrival.  Both Kye and Leadrival can easily be verified with an internet search

Also, we noticed a lot of blank white space at the bottom of the email.  When we dragged our cursor through it we discovered lots of hidden random white text against that white background.   This demonstrates tactics that spammers like to use to try to fool anti-spam servers, though it rarely ever works. The text is extremely random but we had no problem finding exactly those random-word paragraphs all over the internet.  Together, these facts reveal that this is click-bait, email meant to trick you into clicking it and likely resulting in a computer infection or trick you into revealing personal information. Just delete! Here’s another example of this BS… “Christian Healthcare is on the rise.  See if you qualify…”

[hr_invisible]


[hr_invisible]

Phish NETS: Unusual Sign-In Activity to SBC Global

“Unusual sign-in activity”  This smelly phish targeted SBC Global email customers. (Southwestern Bell Communications)  SBC Global was acquired by AT&T back in 2015, which can explain why you see AT&T referred to in the header..  The email claims to be from “ATTCustomerCare” but came from a subdomain of a prodigy.net account. A mouse-over of the link “replying” or “Please reply us” shows that it points to several oddball email addresses including support “@” puffexcaliber[.]net..  The date “24/05/2018” is written in the European/Asian format of day first rather than month first, as we do in the U.S. Sooooo many red flags to this junk.

Just delete!

 

[hr_invisible]

[hr_invisible]

YOUR MONEY: Amazon Prime Reward and Borrow from a Trusted Resource

We’ve seen this next social engineering trick before, often around Easter time.  “Your Order Has Arrived!!” says an email that seems to be from Amazon Prime, but actually came from the domain kabayaweb[.]com.  Though this domain was registered in 2016, there is some evidence online at a ransomware tracking site in Chile that says the domain was used to host ransomware at one point.   In 2017 this domain appears to have been moved to a hosting service in Aruba and was registered from Tangier, Morocco without a registrant name.  The link for your “Amazon reward” points to a shortened link using the shortening service ow.ly….

We unshortened that ow.ly link to discover that it points to a website called draphterpine[.]com.  Though we are unable to prove that draphterpine[.]com is malicious, it has the hair on the back of our neck standing on end.  We took screenshots of this link twice, several days apart, and got two different pages of websites claiming to offer free online movie streaming.  One was for Book Bugg and the other was for Phasicfun. On the Book Bugg screenshot visitors are informed they can call 1-877-000-0000 for assistance.  (see below) Does any of this sound the least bit like a reward from Amazon?

Deeeeelete!

Screenshots taken of draphterpine[.]com:

  

This next email was sent to us from a TDS reader.  “Hi, We are excited to let you know that you are now eligible to request funds for bill payment, car repair, or unexpected expenses.”  Excited, they are?  “Login to your account”  What account?  The email came from an account named “WiliamsSonoma@…” with a domain name so long that it doesn’t make sense and we’re unable to trace it.  However, the email content claims to be sent from “Fast Lends” and the link provided to login points to a secure website offered through Googleapis.  According to Wikipedia, “Google APIs is a set of application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration to other services.”  However, don’t assume this means that link is safe! Look below at the VirusTotal.com evaluation of that link!

A screenshot of that link’s destination appears to be for a lending service called “Fast Lends” but that is not true!  After visiting the real Fast Lends website, we see that these criminals simply stole content from the real site. This is phony baloney and we can only imagine the amount of very personal information they will ask visitors to provide as they apply for a loan.  Unless, of course, they just don’t care about your personal information and hit you with malware.

[hr_invisible]

[hr_invisible]

TOP STORY: Chinese Knockoffs or Something Else?

Over the years, we have sometimes exposed name brand knock-off sites associated with Chinese companies that either appear to be very sketchy or down-right scammy.  During the last couple of months we have seen a significant uptick in these email promotions, which usually begin with a lure of 80% or 90% off retail price. Just recently we received three of these in a few days, all claiming to sell different designer brands.  We believe that they are extremely risky to purchase through and wanted readers to know how to recognize them and understand why we don’t recommend them.

Let’s start with this email from COACH <katrina “@” geneva.kjmeb[.]com with the subject line Don’t Miss It! FINAL DAY Online Only Sale.   Obviously this email was not sent from Coach.com, Ray-Ban.com or any other recognizable retail center.  What marketing or retail firm trying to sell Ray-Ban sunglasses would use COACH or Katrina in the from email address?  The email came from the domain kjmeb[.]com (“geneva” is a subdomain and not important.)   Finally, the links in this email point back to a domain called rwshop[.]top. (with a subdomain called uo8g6)

 

A WHOIS lookup of the domain kjmeb[.]com shows that it was registered in China on April 17, 2018 by someone named ChenChang Wen from Beijing, China.  And a WHOIS lookup of the domain rwshop[.]top shows that it was registered on December 27, 2017 by someone named Gong Ying Hong, representing the company Nexperian Holding Limited located in Hangzhou, China.  It’s worth noting that a recent screenshot found on the WHOIS on May 25 shows that the rwshop[.]top is a website selling bluetooth speakers.

The fact that the email comes from a different domain than the links point to, and that these domains are newly registered is suspicious.  Also, we’ve written about Nexperian Holding Limited several times before.  In the Your Money column of our February 7 newsletter, we wrote about other “crap” domains registered to this company and provided a link to a trade disagreement brought against them by the World International Property Organization. Though we have found many crap domains registered to Nexperian Holding, we can’t find a website for the company itself.

Here’s another one of these recent name brand deals for Coach products.  “W-O-W. Jump right in to 80% off!” states an email from cynthia “@” gloria.nchhg[.]com. This domain was registered by a WHOIS privacy service located in Shanghai, China on December 25, 2017.  The links in this email point to the domain eerr[.]top.  And eerr[.]top was registered by someone named Gong Ying Hong from Hangzhou, China on September 22, 2017 for Nexperian Holding Company.

Why should Nexperian Holding Company use so many different and recently registered domains to sell their products if they were legitimate?  Why can’t we find a website or other information representing this company as a legitimate retailer?  It’s as if they are trying to hide something.

And just to make the point, below is yet another email our honeypot account received recently for 90% off Oakley sunglasses.   You can clearly see the pattern repeated. The email was sent from one crap domain, vmnym[.]com (Registered through a WHOIS agent in China on December 15, 2017) and contains links to another crap domain mzbuy[.]top (Registered on January 19, 2018 to Ye Xiao Jing from Nexperian Holding Company.)  And so we ask our readers… Would you trust this company enough to give them your credit card information and expect to receive genuine products?

We don’t.

[hr]

FOR YOUR SAFETY

This week we thought it might be interesting to share with you a little about the threats to our own safety we experience at TDS.  As you might guess, The Daily Scam is probed and attacked every week by criminals who want to shut us down. Since our birth in 2014, we’ve weathered all kinds of attacks including several DDOS (Distributed Denial of Service) attacks, an implied threat from a criminal group here in the US, and hackers from all over the world including Russia and China who have tried to knock us offline by corrupting our website.   In the nearly four years we’ve been operating, we were successfully shut down by hackers three times and knocked offline by two DDOS attacks. But in each case we were back online and operational within 12 hours or less.  Last week, our security software blocked attacks from more than 900 IP addresses in Singapore, in addition to the usual 80 – 120 weekly attacks from 8-10 other countries we routinely get. For example, on May 25 our website blocked 347 attacks to it in just a ten minute period.

In 2014 (updated in 2015) we published an article called Why it hurts to be right, about the attacks that tried to knock our website offline during our first few months of operation.  We want you to know that we are resilient and are here for you! As long as we can, we’ll keep informing our readers about the criminals around the world who try to steal your money, personal information and resources.

[hr_invisible]


Until next week, surf safely!