May 31, 2017

[hr_invisible]

Phish NETS:  PayPal, USAA Bank, and Email Whatever

This smelly phish came from firstsunmallorca @ d793.dinaserver.com and has the subject line “Validat your account !” (Notice the spelling error and extra space before the !)  It is so very important to read carefully!  Typos, poor grammar and capitalization errors are the best way to reveal fraud, along with the from address and mousing-over a link.  “If you are seeing the messages this means that your account has been visited from an unusual place given below :”

And don’t be fooled by that https revealed by mousing over the link.  It doesn’t point to PayPal but points to a hacked engineering website in India (Dharti Argo).

[hr_invisible]

USAA Bank is often targeted by phishers.  The from address and mouse-over easily reveal this scam.  Take a look yourself.  Can you figure out what country hosts the hacked website that is used for the link?  The 2-letter country code “br” stands for….

[hr_invisible]

…Brazil!

We know that this next phish was sent from an address in Australia (2-letter country code = .au) and meant to capture your login to an email account, but what account?  The criminals who created this sent it out without a link back to their phishing site!  We couldn’t find a single link in it!  But we did count at least three errors in the email!  Can you find them?

[hr_invisible]

Finally, we’ve reported on phony Facebook friend requests many times in the past few months.  Many of them pointed to fake drug sites in Russia.  Some were phishing scams and we thought this was a phishing scam too.  However, when we used software to view the site linked to this email, we found a ridiculous weight loss secrets page titled “Gwen Stefani Shares Blake Shelton’s Secret to Rapid Weight Loss.”  It may not be a phish but we know it can’t be good for you! (We use software to peek ahead rather than visit the site directly because we don’t want to risk a malware infection.)

[hr_invisible]

[hr_invisible]

[hr_invisible]

YOUR MONEY:  Ray Ban Sunglasses, Best New Product, and Dear Patriot

“Ray Ban Sunglasses, $9.9 Stock UP SALE”  You read that correctly… $9.9 Sale.  Everything about this ad is suspicious, including the from domain erdaerersan.top to the four errors in the email content itself.  The link points to a website at rbmyr-DOT-com.   If you use a WHOIS to look up this website and take a screenshot, it seems to show many sunglasses for sale along with this description… “Ray-Ban Official Discounted Site – From USA, Stand the chance to win a unique Never Hide Sessions at your home with some of the iconic Ray-Ban artists. Discover the contest!”  But we don’t believe this is a legitimate discount site for sunglasses.  We asked the Zulu URL Risk Analyzer to review this site and the results are strong enough for us to avoid it like the plague! (See below.)

[hr_invisible]

[hr_invisible]

Best New Product (Shark Tank) “Turn Your Smartphone into a Digital SLR Camera!”  We’ve seen these scams before.  While the Pro Shot HDX is indeed a real product, this email is phony baloney.  For a laugh, read the spam text at the bottom of the email which the criminals forgot to turn white so you wouldn’t easily see it.  The odd-ball domain tjjqjmzar.info used in this scam was registered just hours before the email was sent.

[hr_invisible]

Call us overly cautious but anytime we see an email that begins “Dear Patriot” our defensive radar goes off.  We had no idea what a firekable was and had to look it up to see that there actually is such a thing.  But that isn’t the point, is it.  This email was sent from an address at the odd domain tswnber.us and the links point back to it.  A WHOIS lookup shows that the domain was registered to Ashok Parihar from Damoh, India on the day the email was sent.  None of this inspires confidence to buy this product from this site.

Delete.

[hr_invisible]

[hr_invisible]

[hr_invisible]

TOP STORY: Digging Through Layers of Deceipt

We had planned a completely different Top Story this week and in the eleventh hour of writing we unexpectedly received something very interesting.  Blackboard Learn is an online learning management system used by many universities and some high schools.  One of our friends received this short email containing a pdf file.  It appeared to be from Blackboard Learn, and at first glance we thought it might be legitimate since the recipient was a teacher.

[hr_invisible]

However, as we have said repeatedly, it pays to read carefully.  Though the subject says “NEW PDF MESSAGE FROM BLACKBOARD LEARN” the attached pdf was lablelled “FORM BLACKBOARD LEARN.”  And, of course, the email wasn’t sent from any school or Blackboard.com but from socks.com.  So we decided to download the pdf file, being very careful not to open it.  Downloading it did not trigger any of our antivirus/antimalware software but we weren’t 100% confident in that assessment.  Pdf files can carry malicious code.  So we visited TotalVirus.com and uploaded the file for review by multiple AV services.  Again, no threat so we opened the pdf…

[hr_invisible]

“Dear Member, Kindly Check the Important Document Faculty Uploaded for You.”  Where this suddenly became interesting is when we tried to mouse-over the embedded link “View Your Documents” in the pdf.  Apparently, we couldn’t see where the link leads to before clicking!  Nor could we find any method within our pdf viewer to reveal the link before we actually clicked it, and quite possibly, sending ourselves to a computer threat waiting for us.  Hmmm… what to do?  The solution is actually simple and we’re sure many of our readers have thought of this.  We disconnected from the Internet (by turning off the computer’s wifi) and then clicked the link.  Immediately, our web browser opened up and tried to send us to the following link: (We have purposely made this link dysfunctional.)

            h t t p s : / / www.cyrrobackup.com / ns7 / index .php

What? A secure server (https) for a backup service?  Could this be a legitimate link for a backed up file meant for our teacher?  Cyrrobackup.com seems to be a legitimate backup service that offers cloud back up and also recovery services.  Could we have been wrong all this time?  To a hammer, all the world looks like a nail.  Might we be the hammer, and think we see a cyberthreat behind every message that arrives in an inbox?  And yet, this seemingly legitimate service somehow felt…. Odd.  We Googled the website domain name and many links came back referring to their various services offered but we also saw the country name “Uganda” (without a capital U and without proper spacing) provided by the Meta tag for Google to display.  Rather than ease our suspicions, this seemed odd and only raised our concerns.

[hr_invisible]

We asked ScreenshotMachine.com to visit the full link provided in the pdf and peek at what was waiting for us.  It only confirmed that a Blackboard Learn login site was waiting for us…

[hr_invisible]

Finally, we turned to the Zulu URL Risk Analyzer, asking it to review the entire link provided in the pdf.  And Zulu did not disappoint us at all!  Bam! 100% malicious…

It turns out that the file on the Cyrro back up server contains code sending the visitor to a phishing site on a server identified as 365tsln-DOT-com.  A WHOIS lookup of this domain reveals all.  It was registered on February 18 to someone listed as “Karthik P” from the organization “24 / 7 Travel Solution” in “Bngalore, India.”  At least he could have spelled Bangalore correctly!

[hr_invisible]