November 14, 2018

THE WEEK IN REVIEW

We’re not sure what our readers are experiencing but last week we saw a 20 – 25% spike in visitors to our website.  Usually when this happens we can pinpoint a particular article that draws their attention, generally indicating an uptick in that scam.  However, this time it seems to be a much broader interest across multiple scams. We love to hear from our readers about the scams and suspicious emails, texts and social media posts they are seeing in their daily lives.  Take a screenshot and/or send us your suspicious items to spoofs@thedailyscam.com or fill out our web contact form.

When we ask people if they receive random texts from sources they do not know, the answer is usually yes.  Not all of them are scams, but the practice of sending solicitations as unsolicited texts, even legitimate ones, is HIGHLY suspicious or very questionable at best.  We do not recommend responding to these texts, such as this one received by a TDS reader last week…

The text came from the phone number 626-225-8742.  No business name was cited, nor links to any website that can be verified or evaluated.  …Just the claim to represent a college loan forgiveness program.

A search for that phone number in Google shows that it is associated with two towns in California.  However, Google finds no business or service using that number. As far as we can tell, it appears to be a private number.  Does this information lead you to believe this is a credible and reliable business?

Do you get oddball, random, or suspicious texts?  Screenshot them and send us your screenshots!


Phish NETS: Charles Schwab, Cox Online, and Wells Fargo

Here’s a twist sent to us by a TDS reader last week.  She received an email claiming to be from Charles Schwab and containing an attached Word document.  The document states “You have an important document regarding your Charles Schwab service.”  Six links in this document pointed to the real Charles Schwab website, but “Log in now” did not.  As you can see in the screenshot, that link pointed to a website called eebug[.]com.

We uploaded that Word document to VirusTotal.com to check for embedded malware, and it confirmed what we already knew… This was a phishing scam.  (One caution: files uploaded to VirusTotal are shared with its security-vendor partners, so never upload a document that contains personal or confidential information. The links inside a Word document can be inspected without uploading it anywhere.)
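The link check described above can be done offline, because a .docx file is a zip archive in which the link targets live in word/_rels/document.xml.rels and word/document.xml refers to them by relationship id. The following Python is an added example, not the newsletter's own tooling: it builds a minimal constructed document (too small for Word to open, but enough for the parser), lists every external hyperlink with its anchor text, and flags the ones whose host is not the brand's domain. The only domain reused from the newsletter is eebug.com; the Schwab URLs and anchor texts are made up for the demonstration.

```python
"""List the external hyperlinks in a .docx and flag those that leave the
brand's domain.  Added example with a constructed sample document; the
only domain reused from the newsletter is eebug.com."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = R + "/hyperlink"


def build_sample_docx() -> bytes:
    """Constructed sample: two links to the real brand, one to eebug.com."""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG}">
  <Relationship Id="rId1" Type="{HYPERLINK}" Target="https://www.schwab.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{HYPERLINK}" Target="https://client.schwab.com/help" TargetMode="External"/>
  <Relationship Id="rId3" Type="{HYPERLINK}" Target="http://eebug.com/schwab/login" TargetMode="External"/>
</Relationships>"""
    doc = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}" xmlns:r="{R}"><w:body>
  <w:p><w:r><w:t>You have an important document regarding your Charles Schwab service</w:t></w:r></w:p>
  <w:p><w:hyperlink r:id="rId1"><w:r><w:t>Schwab home</w:t></w:r></w:hyperlink></w:p>
  <w:p><w:hyperlink r:id="rId2"><w:r><w:t>Help</w:t></w:r></w:hyperlink></w:p>
  <w:p><w:hyperlink r:id="rId3"><w:r><w:t>Log in now</w:t></w:r></w:hyperlink></w:p>
</w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def docx_hyperlinks(data: bytes):
    """Return (anchor text, target URL) for every external hyperlink in the body."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        body = ET.fromstring(z.read("word/document.xml"))
    # Relationship id -> URL, external hyperlinks only.
    targets = {
        rel.get("Id"): rel.get("Target")
        for rel in rels.iter(f"{{{PKG}}}Relationship")
        if rel.get("Type") == HYPERLINK and rel.get("TargetMode") == "External"
    }
    links = []
    for link in body.iter(f"{{{W}}}hyperlink"):
        rid = link.get(f"{{{R}}}id")
        text = "".join(t.text or "" for t in link.iter(f"{{{W}}}t"))
        if rid in targets:
            links.append((text, targets[rid]))
    return links


def registrable(host: str) -> str:
    """Last two labels of a hostname; crude, but enough for .com/.net."""
    return ".".join(host.lower().split(".")[-2:])


def offbrand_links(data: bytes, brand_domain: str):
    """Links whose host is neither the brand's domain nor a subdomain of it."""
    return [(text, url) for text, url in docx_hyperlinks(data)
            if registrable(urlparse(url).hostname or "") != registrable(brand_domain)]


if __name__ == "__main__":
    for text, url in offbrand_links(build_sample_docx(), "schwab.com"):
        print(f"{text!r} -> {url}")
```

Run against the constructed document, only “Log in now” is reported, pointing at eebug.com. The parser only follows w:hyperlink elements; older field-code links (HYPERLINK in w:instrText) and links inside headers, footers or embedded objects are not covered, so treat a clean result as a first pass, not a clearance.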


However, we wanted to know how good this phish was so we had ScreenshotMachine.com visit the link and send us a picture.  It looks exactly like the real site! You know what to do when you see a bug!

Cox Communications is a cable TV and communications provider in the United States, headquartered in Atlanta.  One of the Cox account holders sent us this phishing email she received. What do you notice that is unusual about the opening line?…  “Dear Cox User, This is an Alert to help you update your cox online account.”

That first line in the email contains two capitalization errors: “Alert” should not be capitalized and “cox” should be.  These alone should make one suspicious of the email. If you continue to read the rest of the email with a critical eye you’ll be as confident as our reader was that this email is fraudulent!  Though we did not have a working copy of the email with which to check the link behind “Update my Cox billing information,” we were able to crack open the header of the email and see that it was sent from a domain in Mexico called promophone[.]com[.]mx (“.mx” is the country code for Mexico), not cox.net or cox.com.

Wells Fargo bank account holders have been targeted pretty routinely during the last few months.  Here’s another phish sent to a TDS reader from an address in Germany. It’s an important opportunity to remind our readers that ANYONE can put ANYTHING in the display name and in front of the “@” symbol of an email address, such as “Wells Fargo Online.”  Only what follows the “@” names the domain the mail claims to come from, and here it is t-online[.]de; “.de” is the 2-letter country code for Deutschland… Germany.  (Even that domain can be forged by a determined sender; the Received headers and any Authentication-Results line in the full header are what show where a message really passed through.)

Deeeleeeete!


YOUR MONEY:  Lose Weight and Pandora Sale

Wikipedia states that several studies in the mid-2000s show about 32-36% of Americans are overweight or obese.  These figures have been confirmed by other more recent studies according to StateofObesity.org.  These figures are alarming! They have also been noticed by the criminal gangs who target Americans online.  We would like to say many nasty things about these criminal gangs, but “stupid” would not be one of the adjectives.  We often find malicious emails that use weight loss as the clickbait trap for targeting Americans with malware. Take this email with the subject line “No-Diet or Exercise-And I still lost weight.”  (Seriously?? If you think you can legitimately lose weight without dieting or exercising, you’ve got a problem with your perception of reality.) Notice that this email claims to be from “ABC Shark Tank” but the address is admin “@” office521[.]com.  All links point to a website called whaleconservancy[.]net.


At first we figured that the Whale Conservancy was a legitimate website that was hacked, a sad but common occurrence.  When we did a search for this website we found nothing! We next checked to see who registered and owned whaleconservancy[.]net and were surprised to see that the domain was 1 day old and registered in India.  At least VirusTotal.com already knew that this was a dangerous website.


Criminals frequently use the graphics and sales of legitimate businesses as malicious mimics.  Here’s a clickbait mimic disguised as a Pandora sale of 70% off Fall items. The email was sent from dorothy “@” ian.gtxes[.]com. This domain (gtxes[.]com) was registered in China last June.  All links in this email point to a website at the oddball domain dcmall[.]top.  At least one anti-malware service has identified this domain as malicious.  Dcmall[.]top was registered by Nexperian Holding Limited of China last February. We’ve previously written about malicious emails from this company six times since last February, such as in our April 18 newsletter.


TOP STORY:  Plenty of Fresh Phish!

TDS readers sent us so many fresh phish that we’ve decided to draw attention to them in this week’s Top Story!  Let’s start with this email from Apple “@” apple-support.org.  This domain name sounds like it is legitimate, but it is far from it!  The domain was registered on September 2 by someone identified as “maharot” in the Philippines, and the website is being hosted in Panama. Does this sound like Apple.com?  Shame on the registrar that allowed this obvious phishing domain to be registered!


This next phishing email was sent from a domain that was registered just a few days before the email was sent.  Cobadongtembus[.]com was registered on November 3 through a private proxy service that hides the registrant’s identity.  The link “Log in to Account” points to htl.li, a link-shortening domain owned by the Ow.ly service, which hides the real destination until you click.  Zulu URL Risk Analyzer easily identified the link as 100% malicious.


And then there was this email that came from paypai[.]com rather than paypal.com.  “You sent a payment of $107.00 SGD to Singaporehost LLC”  This email was sent by the criminal gang who have been misusing Outlook.com email servers to redirect a click to malicious websites.  This Outlook link will redirect you to a domain called lihi[.]cc.  VirusTotal.com had no problem finding services that identified this website as malicious!

Bottom line…. It pays to look very carefully at:

  1. The FROM address, especially what appears after the “@” symbol!
  2. The real destination of each link.  In webmail, mousing over a link (BUT NOT CLICKING) shows the destination in the lower left corner of the browser window; desktop mail programs show it in a tooltip or status bar.  A link shortener or a redirect through another service still hides the final destination, so treat those as suspicious too.
  3. The English language used in the body of the email or text.  Look for odd capitalization, grammar, spelling, or awkward use of English.
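The first two checks above, plus the lookalike domains (paypai[.]com, apple-support.org), the link shortener and the days-old registrations from the Top Story and the Wells Fargo and Cox items, can be scripted. The Python below is an added example and not the newsletter's own tooling: it parses a constructed raw message, reads the sender domain from behind the “@” (ignoring the display name), pulls every link out of the HTML body, and reports mismatches. The message text and the WHOIS creation date are made up for the demonstration; the domain names reuse ones the newsletter reports (paypai.com, lihi.cc, htl.li). The shortener list and the 30-day “newly registered” threshold are assumptions, and the crude two-label domain comparison would need the public suffix list to handle endings like .com.mx correctly.

```python
"""Triage checks for a suspicious email: the domain behind the "@", the
real target behind each link, lookalike and brand-squatting domains,
link shorteners, and freshly registered domains.  Added example with a
constructed message; the domain names reuse ones the newsletter reports.
The shortener list and the 30-day threshold are assumptions."""
import email
from datetime import date
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"ow.ly", "htl.li", "bit.ly", "tinyurl.com"}  # assumed list
NEW_DOMAIN_DAYS = 30                                     # assumed threshold

# Constructed sample message, not a real capture.
RAW_EMAIL = """\
From: "PayPal Service" <service@paypai.com>
Subject: You sent a payment of $107.00 SGD to Singaporehost LLC
Content-Type: text/html; charset="utf-8"

<html><body><p>If you did not authorise this payment, visit
<a href="http://lihi.cc/x1">https://www.paypal.com/myaccount/activity</a>
or <a href="http://htl.li/y2">Log in to Account</a>.</p></body></html>
"""
# Made-up WHOIS creation date standing in for a real lookup.
WHOIS_CREATED = {"lihi.cc": date(2018, 11, 3)}
SEEN = date(2018, 11, 12)


def registrable(host):
    """Last two labels of a hostname; a real tool would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def label(domain):
    return registrable(domain).split(".")[0]


def same_org(host, brand):
    return registrable(host) == registrable(brand)


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, brand):
    """One typo away from the brand label: paypai.com vs paypal.com."""
    return label(domain) != label(brand) and edit_distance(label(domain), label(brand)) <= 1


def is_brand_squat(domain, brand):
    """Brand label buried in another domain: apple-support.org vs apple.com."""
    return label(brand) in label(domain) and not same_org(domain, brand)


class _Links(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]
            self.links.append(self._cur)

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._cur = None


def extract_links(html):
    parser = _Links()
    parser.feed(html)
    return [(href, text.strip()) for href, text in parser.links]


def triage(raw, brand, whois_created, seen):
    """Return the findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]          # display name is ignored here
    domain = sender.domain.lower()
    findings = []
    if not same_org(domain, brand):
        findings.append(f"sender domain {domain} is not {brand}")
        if is_lookalike(domain, brand):
            findings.append(f"{domain} is a lookalike of {brand}")
        if is_brand_squat(domain, brand):
            findings.append(f"{domain} embeds the brand name")
        if label(brand) in sender.display_name.lower():
            findings.append(f"display name {sender.display_name!r} claims the brand")
    body = msg.get_body(preferencelist=("html",))
    for href, text in extract_links(body.get_content() if body else ""):
        host = (urlparse(href).hostname or "").lower()
        reg = registrable(host)
        if reg in SHORTENERS:
            findings.append(f"link {text!r} uses shortener {host}")
        elif not same_org(host, brand):
            findings.append(f"link {text!r} goes to {host}")
        if reg in whois_created:
            age = (seen - whois_created[reg]).days
            if age <= NEW_DOMAIN_DAYS:
                findings.append(f"{reg} registered {age} days before the mail")
    return findings
```

Calling `triage(RAW_EMAIL, "paypal.com", WHOIS_CREATED, SEEN)` on the constructed message produces six findings: the sender domain is not paypal.com and is one letter away from it, the display name claims the brand, the link whose text reads like a paypal.com URL actually goes to lihi.cc, that domain was registered nine days earlier, and the second link goes through a shortener. The real-world WHOIS lookup that the dictionary stands in for is the part that cannot run offline.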


FOR YOUR SAFETY: You gotta see this! Google Photo Damaged …and You Have a Suggestion

We’ve reported many times on malicious emails that carry the names of people you know.  Criminals hack user email accounts and steal their contact lists. They then send malicious emails in the victim’s name, hoping that recipients will click malicious links because they recognize the name of the sender, even though the emails come from oddball email addresses.

Lately, the criminals are adding phrases to try to engineer a click, saying things like “you gotta see this” and “did you see this? OMG!” Don’t fall for these tricks! Here are two such emails that came through servers in Japan (“.jp” is the 2-letter country code for Japan).

Speaking of engineering your clicking behavior, check out this trick to get you to click a link to malware… “Photo has been damaged”  If you click “More information” you’ll regret it! You’ll be sent to a website hosting malware in Indonesia.

Have you enjoyed travelling all around the world yet?  Clicking the collective emails in this newsletter would have sent you to websites in Mexico, Germany, India, China, Panama and the Cocos Islands (.cc).  (A country-code ending like .de or .cc tells you which country administers the domain name, not necessarily where the server sits; the India, China and Panama stops above came from registration records and hosting lookups rather than from the domain ending.)  So why not visit Russia? Clicking “View message” in this email “You have a suggestion” will send your web browser to Russia. Enjoy your trip!


Until next week, surf safely!