November 14, 2018

[hr_invisible]

Phish NETS: Charles Schwab, Cox Online, and Wells Fargo

Here’s a twist sent to us by a TDS reader last week.  She received an email claiming to be from Charles Schwab and containing an attached Word document.  The document states “You have an important document regarding your Charles Schwab service” Six links in this document pointed to the real Charles Schwab website, except for “Log in now.”  As you can see in the screenshot, this link pointed to a website called eebug[.]com.

We uploaded that Word document to Virustotal.com to check for embedded malware and confirmed what we already knew… This was a phishing scam.

However, we wanted to know how good this phish was so we had ScreenshotMachine.com visit the link and send us a picture.  It looks exactly like the real site! You know what to do when you see a bug!

Cox Communications is a digital cable tv and communications service in the United States, headquartered in Atlanta.  One of the Cox account holders sent us this phishing email she received. What do you notice that is unusual about the opening line?…  “Dear Cox User, This is an Alert to help you update your cox online account.”

That first line in the email contained two capitalization errors.  These should make one suspicious of the email. If you continue to read the rest of the email with a critical eye you’ll be as confident as our reader was that this email is fraudulent!  Though we did not have a functional email to check the link associated with “Update my Cox billing information” we were able to crack open the header of the email to see that it was sent from a domain in Mexico called promophone[.]com[.]mx,  not cox.net or cox.com.

Wells Fargo bank account holders have been targeted pretty routinely during the last few months.  Here’s another phish sent to a TDS reader from an address in Germany. It’s an important opportunity to remind our readers that ANYONE can say ANYTHING in front of the “@” symbol of an email address, such as “Wells Fargo Online.”  After the “@” symbol this email shows that it came from t-online[.]de and “.de” is the 2-letter country code for Deutschland… Germany.

Deeeleeeete!

[hr_invisible]

[hr_invisible]

YOUR MONEY:  Lose Weight and Pandora Sale

Wikipedia states that several studies in the mid-2000’s show about 32-36% of Americans are overweight or obese.  These figures have been confirmed by other more recent studies according to StateofObesity.org.  These figures are alarming! They have also been noticed by criminal gangs who target Americans online.  We would like to say many nasty things about these criminal gangs but “stupid” would not be one of the adjectives.  We often find malicious emails that use weight loss as the clickbait trap for targeting Americans with malware. Take this email with the subject line “No-Diet or Exercise-And I still lost weight.”  (Seriously?? If you think you can legitimately lose weight without dieting or exercising, you’ve got a problem with your perception of reality.) Notice that this email claims to be from “ABC Shark Tank” but the address is admin “@” office521[.]com.  All links point to a website called whaleconservancy[.]net.

At first we figured that the Whale Conservancy was a legitimate website that was hacked, a sad but common occurrence.  When we did a search for this website we found nothing! We next checked to see who registered and owned whaleconservancy[.]net and were surprised to see that the domain was 1 day old and registered in India.  At least VirusTotal.com already knew that this was a dangerous website.

Criminals frequently use the graphics and sales of legitimate businesses as malicious mimics.  Here’s a clickbait mimic disguised as a Pandora sale of 70% off Fall items. The email was sent from dorothy “@” ian.gtxes[.]com. This domain (gtxes[.]com) was registered in China last June.  All links in this email point to a website at the oddball domain dcmall[.]top.  At least one anti-malware service has identified this domain as malicious.  Dcmall[.]top was registered by Nexperian Holding Limited of China last February. We’ve previously written about malicious emails from this company six times since last February, such as in our April 18 newsletter.

[hr_invisible]

[hr_invisible]

TOP STORY:  Plenty of Fresh Phish!

TDS readers sent us so many fresh phish that we’ve decided to draw attention to them in this week’s Top Story!  Let’s start with this email from Apple “@” apple-support.org.  This domain name sounds like it is legitimate but it is far from it!  The domain was registered on September 2 from someone identified as “maharot” in the Philippines.  And that website is being hosted in Panama. Does this sound like Apple.com?  Shame on the Registry service that allowed this obvious phishing scam to be registered!

This next phishing email was sent from a domain that was registered just a few days before the email was sent.  Cobadongtembus[.]com was registered on November 3 through a private proxy service.  The link “Log in to Account” points to a link-shortening service owned by Ow.ly but at htl.li.  Zulu URL Risk Analyzer easily identified the link as 100% malicious.

And then there was this email that came from paypai[.]com rather than paypal.com.  “You sent a payment of $107.00 SGD to Singaporehost LLC”  This email was sent by the criminal gang who have been misusing Outlook.com email servers to redirect a click to malicious websites.  This Outlook link will redirect you to a domain called lihi[.]cc.  VirusTotal.com had no problem finding services that identified this website as malicious!

Bottom line…. It pays to look very carefully at:

1. The FROM address, especially what appears after the “@” symbol!
2. The link that shows up in the lower left corner of your browser window when you mouse over the clickable link in an email (BUT DO NOT CLICK!)
3. The English language used in the body of the email or text.  Look for odd capitalization, grammar, spelling, or awkward use of English.