THE WEEK IN REVIEW
During the last couple of months we’ve noticed a change in the tactics used by criminal gangs responsible for the bulk of malicious emails. It’s as if they now use online fake word generators to create their scam domain names. We’ve seen many domain names that seem as though they might be words but are not. This isn’t as strange as it sounds. For example, Wordoid.com is a website that is designed specifically for this purpose. And there are several other fake word generators online such as WordGenerator.net.
Recently we were contacted by a woman who asked for our opinion about a “work from home” job that she was considering until she realized it was a scam. Her conversation with the scammer is priceless, especially how she got him to reveal his true nature. You can read it here.. “Work at Home with WebMD Corporation.” Hearing from her reminded us that many people seriously consider, or even depend on “work from home” jobs and they need to be especially careful. Every “work from home” job we’ve seen is a scam, such as the one below. Our advice is simple…. If a “work from home” job contacts you first (via email, text or social media), then the odds are extremely high that it is a scam! And if a “work from home” job offers many hundreds of dollars per week or more, then you can bet that it’s a scam. And finally, any legitimate “work from home” job will have a business address and number to call. If your only communication is via email, it’s a scam, like this one…
[hr_invisible]
Sample Scam Subject Lines: (1) Security Message Incoming voicemessage 2:17PM Latest FREE Report – Your medicine is killing you… Major Scandal Takes The Renewable Energy World By Storm Message for you New voice message – 7:48 PM No more embarrassing senior moments Shocking Video: The Cause of Memory Loss! Simple Tip Gives You 6 Pack Abs Spring Auto Insurance Savings | Get a complimentary quote World Business Registration 2017/2018 [REF:NPE-23575] You can stream ALL your favorites ALL-DAY without having to pay! You reached first place
Sample Scam Email Addresses chevrolet @ anoxic.info eject @ drugrex.date Off-GridSystem @ virtualgamss.us pianopractice @ piansdobd.party uranus @ pschic.info dollar @ sassnew.info publisher @ zondcal.info guoedbv @ 00.com (Zero-Zero-dot-com) excitement @ gabyear.info oippole @ betshopitalia.com superinformation @ silkbud.info hemochrome @ thudbot.info protomorph @ hootel.info
[hr]
[hr_invisible] This smelly phish came from firstsunmallorca @ d793.dinaserver.com and has the subject line “Validat your account !” (Notice the spelling error and extra space before the !) It is so very important to read carefully! Typos, poor grammar and capitalization errors are the best way to reveal fraud, along with the from address and mousing-over a link. “If you are seeing the messages this means that your account has been visited from an unusual place given below :” And don’t be fooled by that https revealed by mousing over the link. It doesn’t point to PayPal but points to a hacked engineering website in India (Dharti Argo). [hr_invisible] USAA Bank is often targeted by phishers. The from address and mouse-over easily reveal this scam. Take a look yourself. Can you figure out what country hosts the hacked website that is used for the link? The 2-letter country code “br” stands for…. [hr_invisible] …Brazil! We know that this next phish was sent from an address in Australia (2-letter country code = .au) and meant to capture your login to an email account, but what account? The criminals who created this sent it out without a link back to their phishing site! We couldn’t find a single link in it! But we did count at least three errors in the email! Can you find them? [hr_invisible] Finally, we’ve reported on phony Facebook friend requests many times in the past few months. Many of them pointed to fake drug sites in Russia. Some were phishing scams and we thought this was a phishing scam too. However, when we used software to view the site linked to this email, we found a ridiculous weight loss secrets page titled “Gwen Stefani Shares Blake Shelton’s Secret to Rapid Weight Loss.” It may not be a phish but we know it can’t be good for you! (We use software to peek ahead rather than visit the site directly because we don’t want to risk a malware infection.) [hr_invisible]
Phish NETS: PayPal, USAA Bank, and Email Whatever
“Ray Ban Sunglasses, $9.9 Stock UP SALE” You read that correctly… $9.9 Sale. Everything about this ad is suspicious, including the from domain erdaerersan.top to the four errors in the email content itself. The link points to a website at rbmyr-DOT-com. If you use a WHOIS to look up this website and take a screenshot, it seems to show many sunglasses for sale along with this description… “Ray-Ban Official Discounted Site – From USA, Stand the chance to win a unique Never Hide Sessions at your home with some of the iconic Ray-Ban artists. Discover the contest!” But we don’t believe this is a legitimate discount site for sunglasses. We asked the Zulu URL Risk Analyzer to review this site and the results are strong enough for us to avoid it like the plague! (See below.) [hr_invisible] Best New Product (Shark Tank) “Turn Your Smartphone into a Digital SLR Camera!” We’ve seen these scams before. While the Pro Shot HDX is indeed a real product, this email is phony baloney. For a laugh, read the spam text at the bottom of the email which the criminals forgot to turn white so you wouldn’t easily see it. The odd-ball domain tjjqjmzar.info used in this scam was registered just hours before the email was sent. Call us overly cautious but anytime we see an email that begins “Dear Patriot” our defensive radar goes off. We had no idea what a firekable was and had to look it up to see that there actually is such a thing. But that isn’t the point, is it. This email was sent from an address at the odd domain tswnber.us and the links point back to it. A WHOIS lookup shows that the domain was registered to Ashok Parihar from Damoh, India on the day the email was sent. None of this inspires confidence to buy this product from this site. Delete. [hr_invisible] [hr_invisible]
[hr_invisible]
YOUR MONEY: Ray Ban Sunglasses, Best New Product, and Dear Patriot
We had planned a completely different Top Story this week and in the eleventh hour of writing we unexpectedly received something very interesting. Blackboard Learn is an online learning management system used by many universities and some high schools. One of our friends received this short email containing a pdf file. It appeared to be from Blackboard Learn, and at first glance we thought it might be legitimate since the recipient was a teacher. [hr_invisible] However, as we have said repeatedly, it pays to read carefully. Though the subject says “NEW PDF MESSAGE FROM BLACKBOARD LEARN” the attached pdf was lablelled “FORM BLACKBOARD LEARN.” And, of course, the email wasn’t sent from any school or Blackboard.com but from socks.com. So we decided to download the pdf file, being very careful not to open it. Downloading it did not trigger any of our antivirus/antimalware software but we weren’t 100% confident in that assessment. Pdf files can carry malicious code. So we visited TotalVirus.com and uploaded the file for review by multiple AV services. Again, no threat so we opened the pdf… [hr_invisible] “Dear Member, Kindly Check the Important Document Faculty Uploaded for You.” Where this suddenly became interesting is when we tried to mouse-over the embedded link “View Your Documents” in the pdf. Apparently, we couldn’t see where the link leads to before clicking! Nor could we find any method within our pdf viewer to reveal the link before we actually clicked it, and quite possibly, sending ourselves to a computer threat waiting for us. Hmmm… what to do? The solution is actually simple and we’re sure many of our readers have thought of this. We disconnected from the Internet (by turning off the computer’s wifi) and then clicked the link. Immediately, our web browser opened up and tried to send us to the following link: (We have purposely made this link dysfunctional.) h t t p s : / / www.cyrrobackup.com / ns7 / index .php What? A secure server (https) for a backup service? Could this be a legitimate link for a backed up file meant for our teacher? Cyrrobackup.com seems to be a legitimate backup service that offers cloud back up and also recovery services. Could we have been wrong all this time? To a hammer, all the world looks like a nail. Might we be the hammer, and think we see a cyberthreat behind every message that arrives in an inbox? And yet, this seemingly legitimate service somehow felt…. Odd. We Googled the website domain name and many links came back referring to their various services offered but we also saw the country name “Uganda” (without a capital U and without proper spacing) provided by the Meta tag for Google to display. Rather than ease our suspicions, this seemed odd and only raised our concerns. We asked ScreenshotMachine.com to visit the full link provided in the pdf and peek at what was waiting for us. It only confirmed that a Blackboard Learn login site was waiting for us… [hr_invisible] Finally, we turned to the Zulu URL Risk Analyzer, asking it to review the entire link provided in the pdf. And Zulu did not disappoint us at all! Bam! 100% malicious… It turns out that the file on the Cyrro back up server contains code sending the visitor to a phishing site on a server identified as 365tsln-DOT-com. A WHOIS lookup of this domain reveals all. It was registered on February 18 to someone listed as “Karthik P” from the organization “24 / 7 Travel Solution” in “Bngalore, India.” At least he could have spelled Bangalore correctly! [hr_invisible]
[hr_invisible]
TOP STORY: Digging Through Layers of Deceipt
[hr]
FOR YOUR SAFETY: Package Delivery Notification
A reminder to our readers that malicious emails are continually disguised as notifications about package delivery problems like this one. The attached zip file doesn’t contain a Fed Ex label. It contains malware.
Ouch!
[hr_invisible]
ON THE LIGHTER SIDE: I Didn’t Dare Write to You
Oh dear. Rosana is sending us mixed messages. “I didn’t dare write to you” but “I decided to write you.” Apparently she’s hoping we live alone (free of women?) because she’s alone in Serbia and looking for companionship…. A real man, as she puts it. Bummer. Only fake men here. (Wonder why she sent her email through a server in Germany? (.de = Deutschland = Germany)
[hr_invisible]
—
Until next week, surf safely!