November 21, 2018

THE WEEK IN REVIEW

We don’t often hear from our readers about malware or PUPs (Potentially Unwanted Programs), but last week we heard from two Apple computer owners about them.  Though we’re missing details about their experiences, we know that one is called Mac Auto Fixer.  It claims to fix Apple computer issues but doesn’t do anything other than trick you into paying for something you don’t need.  This is a popup that appeared on our reader’s computer. It’s all a lie…

Here are several links about this malware and how to get rid of it…

https://www.2-spyware.com/remove-mac-auto-fixer.html

https://www.youtube.com/watch?v=7mGVaIMS0ZU  (Also read some of the comments below the video e.g. using Malwarebytes to get rid of it)

https://macsecurity.net/view/195-remove-mac-auto-fixer-virus

Another TDS reader told us that she had found the Atwola tracking cookie in her browser, though she didn’t know how it got there.  Apparently, she knew something was up because of the pop-ups and ads that were appearing.  Links about Atwola removal are:

https://www.2-spyware.com/ask/what-is-atwola-cookie-and-why-its-in-my-browser

https://www.2-spyware.com/remove-atwola.html


In the last two newsletters we’ve written about very malicious emails targeting people by using the names of friends and family whose email accounts had been hacked.  Some of these hacks were from many years ago but criminals continue to use the stolen Contact Lists to trick you into clicking the link using clever phrases. Here are some of the phrases we’ve seen in the last week from emails that contain no subject line:

That’s a good one
It’s my favorite one
Can you imagine it?
That’s exactly what I wanted!
Just the thing! I can highly recommend it!
This is absolutely incredible!
I’ve been searching for it for ages!
This is my favorite one
I’m over the moon because I finally found it!
You can’t miss it!
It never occurred to me that it really works

Every one of these malicious emails has come from the “Open Computer Network” in Japan, an Internet service provider that seems not to care at all about this misuse.  ALL of these emails end in “@SUBDOMAIN.ocn.ne.jp” where SUBDOMAIN is an endless variety of words such as tune, samba, proof, smile, woody, ninus and view.  According to many sources, this misuse of the Japanese provider has been going on for many years.  If you get these, expect to continue getting them for as long as you keep your email account!


Phish NETS: Chase Bank, HSBC, and Wells Fargo

Same old smelly phish we’ve reported on for several weeks now…. An email claiming to be from Chase Bank that comes with little content but with an attached Word Document requesting that you log into your account.  The link provided leads to a URL shortening service such as this one to x.co (which is owned by GoDaddy.com).

A TDS reader sent us this screenshot of a phish pretending to represent HSBC Bank.  If you have any doubt whatsoever that this is a phishing scam, take a look at how the sender spelled “bank.”  We’re pretty certain that HSBC knows how to spell it correctly!


Once again, Wells Fargo Bank users are getting hammered with this “important tax document” phishing scam.  Frankly, we’re sick and tired of reporting it! The link for “Tax Documents” also points to a shortening service (tiny.cc).   You’ll then be forwarded to the hacked website of an Israeli singer named Ayala Sherov, and to a web page that looks very convincingly like the Wells Fargo bank login page…



YOUR MONEY:  Fake Vivint Smarthome Security and Get a Year of Amazon Prime

This email claiming to represent Vivint Home Security is just another piece of malicious clickbait using stolen graphics from the real Vivint company website.  You can easily see that the email actually came from the domain hostedclasses[.]org and the links all point to the domain idecorpoint[.]com rather than Vivint.com.  The domain idecorpoint[.]com was registered back in 2015 to someone from Pune, Maharashtra, India whereas Vivint.com was registered by VIVINT in Utah back in 2005 where the company headquarters are based.

“Get a year of Amazon Prime” says an email from sendysn.net.  Any replies to this email appear to be sent to an address at an oddball and nonexistent domain in France. (qqqorjgb[.]fr)  However, clicking the link on the green bar will direct your web browser to a website called kolndersx[.]club.


Kolndersx[.]club was registered through a Panamanian proxy service last March and is being hosted on a web server in Holland.  We took a screenshot of the top page of this deal and see that there is a lot of fine print about what is required for this so-called Amazon Prime deal…

For this deal…

  1. We will have to provide a lot of valid personal information
  2. Complete several sponsor offers, including some that require us to purchase items
  3. And activate the card by making a purchase, transferring a balance from another one of our credit cards or taking a cash advance

And where, in fact, are we on the Internet?  Apparently, that website kolndersx[.]club redirected us to another website called “Retail Rewards Club” retailrewardsclub[.]net located in ROMANIA!

By the way, see that “unsubscribe” address in the original email listed for 2360 Corporate Circle, Suite 400 in Henderson, Nevada? According to Bloomberg.com, that address is occupied by a gold mining company called Aviara Mining.  Does any of this inspire confidence to hand over your personal information or credit card details in order to get a year of Amazon Prime?



TOP STORY:  Criminals Disguised as Tech Newsletter?

What if the information we receive on how to protect us from attack is actually an attack on our computer?  The email below appears to be a newsletter from a company called Broad Technologies. The leading article is titled “Here Are The 10 Most Famous And Malicious Computer Viruses.”  Other articles linked in this newsletter are “Here Are 8 Awesome Tricks Your Android Phone Can Do” and “The 10 Smart Gadgets That Are Just Very Stupid.” However, before you consider clicking these interesting articles, look more closely at the source and the links revealed by a mouse-over!  The email came FROM the domain bestbroadtech[.]info, NOT from Broadtechs[.]com. (See note below about the real Broadtechs[.]com)  And all links point back to bestbroadtech[.]info.

We believe that this newsletter is a fake, made from stolen online content, and the links in it are malicious.  Here’s why we believe this, even though we cannot confirm that the destination website is hosting malicious software…

  1. The links in this email contain the exact same type of redirect code through Outlook servers as hundreds of other malicious emails we have seen in recent months.
  2. The website you’ll be redirected to in this email is “bestbroadtech[.]info.” It was registered via a Panamanian proxy service just 4 days before this email was sent, and this look-alike domain is being hosted on a server in Holland.
  3. A Google search for the business called “BroadTechs” and these article titles returns links to a business at “broadtechs.com” but NOT bestbroadtech[.]info.  In fact, a Google search for bestbroadtech[.]info doesn’t turn up anything at all!

FOOTNOTE:  TDS does not recommend visiting the website BroadTechs[.]com that hosts these and other articles.  The reason is because their website lacks multiple credible pieces of information and features that we would expect from technology services.  For example….

  1. No authors are cited for any article we looked at.  In fact, we couldn’t find a single name listed anywhere on the website. When we clicked the “Contact us” links on several of their web pages, they all produced errors stating that the page didn’t exist.  Their “About Us” page speaks in such generic terms that it could be about lots of different companies or organizations.
  2. There is no company address, executive names, or phone number listed for this business on their website.
  3. A WHOIS lookup for broadtechs[.]com shows that it was also registered through a Panamanian Proxy Service a few weeks ago on October 2, 2018.  That means that the business or person who owns this domain has chosen to hide their identity and location.
  4. One would think that a company that writes articles about computer viruses and technology would be pretty darn good at protecting itself.  And yet Sucuri, a website security company, tells us that broadtechs[.]com is a high security risk due to outdated website software and because the site does not use HTTPS.

We sent an email to contact “@” broadtechs[.]com after locating it in several places online and inquired about their business and the authors of their articles.  Unfortunately, the email was returned to us as undeliverable.
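The same three red flags keep coming up in this issue: the subject-less lure emails from ocn.ne.jp subdomains, links that run through a URL shortener (x.co, tiny.cc) in the Phish NETS section, and sender or link domains that don’t belong to the brand the email claims (hostedclasses[.]org and idecorpoint[.]com instead of Vivint.com; bestbroadtech[.]info instead of broadtechs[.]com). The script below is an added example, not a TDS tool; the two sample messages are constructed, and the lure phrases, shortener names and domains are the ones reported above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure phrases this newsletter quotes from the subject-less ocn.ne.jp emails
LURE_PHRASES = (
    "that's a good one", "it's my favorite one", "can you imagine it",
    "just the thing", "you can't miss it", "i've been searching for it for ages",
)
# URL shortening services named in the Phish NETS section
SHORTENERS = {"x.co", "tiny.cc"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Constructed sample messages (not real captures) mirroring this issue's reports
LURE_MAIL = ("From: friend@samba.ocn.ne.jp\nTo: you@example.org\n\n"
             "That's a good one\nhttp://tiny.cc/CONSTRUCTED\n")
VIVINT_MAIL = ('From: "Vivint Smart Home" <offers@hostedclasses.org>\n'
               "Subject: Protect your home\n\nhttp://idecorpoint.com/offer\n")

def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def link_hosts(text):
    # Hostnames of every http(s) link found in the message text
    hosts = (urlparse(u).hostname for u in URL_RE.findall(text))
    return {h.lower() for h in hosts if h}

def triage(raw, claimed_brand=None):
    """Return the red flags found in a raw RFC 5322 message (claimed_brand is
    the domain the email pretends to represent, e.g. 'vivint.com')."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().replace("\u2019", "'") if body else ""
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = link_hosts(text)
    flags = []
    # 1. blank subject + ocn.ne.jp subdomain + one of the known lure phrases
    if (not msg.get("Subject", "").strip() and sender.endswith(".ocn.ne.jp")
            and any(p in text.lower() for p in LURE_PHRASES)):
        flags.append("subject-less lure from an ocn.ne.jp subdomain")
    # 2. a shortener link hides the real destination (mouse-over tells you nothing)
    flags += [f"link via URL shortener {h}" for h in sorted(hosts & SHORTENERS)]
    # 3. sender and link domains should belong to the brand the email claims
    if claimed_brand:
        brand = claimed_brand.lower()
        if not under_domain(sender, brand):
            flags.append(f"sender domain {sender} is not {brand}")
        flags += [f"link to {h} instead of {brand}" for h in sorted(hosts)
                  if not under_domain(h, brand) and h not in SHORTENERS]
    return flags
```

Run `triage(LURE_MAIL)` and `triage(VIVINT_MAIL, "vivint.com")` to see the flags each constructed message raises; a message whose sender and links all sit under the claimed brand comes back empty.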


FOR YOUR SAFETY: Blocked Incoming Messages, Confirm Your Subscription, and Confirm Your Ebay Giveaway 2019

One of our longtime readers sent us this email she received at her company.  She found it funny because it asked her if she wanted to release “blocked incoming messages” that were sent on December 2… nearly a month in the future!  This was just nasty clickbait!


Another reader sent us this email saying “Congratulations you have been confirmed” with a button for “Subscribe me!”  We challenge you to figure out what on earth you are subscribing to! However, it is crystal clear to us where this email was sent from…. Someone in Brazil, via a server in Russia!

And finally, we leave you with this lovely email from Ebay asking you to confirm your giveaway!  “Duo to the end of 2018, we are giving away gifts to our loyal customers” Oh yeah? And we have seats on the first tourist flight to Mars and invite you to join us!  This email also came from Brazil, via Russia. And your reply will go to email addresses in Germany and the UK. Safe travels!



Until next week, surf safely!