THE WEEK IN REVIEW
We don’t often hear from our readers about malware or PUPs (Potentially Unwanted Programs) but last week we heard from two Apple computer owners about them. Though we’re missing details about their experiences we know that one is called Mac Auto Fixer. It claims to fix Apple computer issues but doesn’t do anything other than trick you into paying for something you don’t need. This is a popup that appeared on our reader’s computer. It’s all a lie…
Here are several links about this malware and how to get rid of it…
https://www.2-spyware.com/remove-mac-auto-fixer.html
https://www.youtube.com/watch?v=7mGVaIMS0ZU (Also read some of the comments below the video e.g. using Malwarebytes to get rid of it)
https://macsecurity.net/view/195-remove-mac-auto-fixer-virus
Another TDS reader told us that she had found the Atwola tracking cookie in her browser, though she didn’t know how it got there. Apparently, she knew something was up because of the pop-ups and ads that were appearing. Links about Atwola removal are:
https://www.2-spyware.com/ask/what-is-atwola-cookie-and-why-its-in-my-browser
https://www.2-spyware.com/remove-atwola.html
In the last two newsletters we’ve written about very malicious emails targeting people by using the names of friends and family whose email accounts had been hacked. Some of these hacks were from many years ago but criminals continue to use the stolen Contact Lists to trick you into clicking the link using clever phrases. Here are some of the phrases we’ve seen in the last week from emails that contain no subject line:
That’s a good one
It’s my favorite one
Can you imagine it?
That’s exactly what I wanted!
Just the thing! I can highly recommend it!
This is absolutely incredible!
I’ve been searching for it for ages!
This is my favorite one
I’m over the moon because I finally found it!
You can’t miss it!
It never occurred to me that it really works
Every one of these malicious emails has come from the “Open Computer Network” in Japan, an Internet service provider that seems not to care at all about this misuse. ALL of these emails end in “@SUBDOMAIN.ocn.ne.jp” where SUBDOMAIN is an endless variety of words such as tune, samba, proof, smile, woody, ninus and view. According to many sources, this misuse of the Japanese provider has been going on for many years. If you get these, expect to continue getting them for as long as you keep your email account!
Phish NETS: Chase Bank, HSBC, and Wells Fargo
Same old smelly phish we’ve reported on for several weeks now… An email claiming to be from Chase Bank that comes with little content but with an attached Word document requesting that you log into your account. The link provided leads to a URL shortening service such as this one to x.co (which is owned by GoDaddy.com). A TDS reader sent us this screenshot of a phish pretending to represent HSBC Bank. If you have any doubt whatsoever that this is a phishing scam, take a look at how the sender spelled “bank.” We’re pretty certain that HSBC knows how to spell it correctly! Once again, Wells Fargo Bank users are getting hammered with this “important tax document” phishing scam. Frankly, we’re sick and tired of reporting it! The link for “Tax Documents” also points to a shortening service (tiny.cc). You’ll then be forwarded to the hacked website of an Israeli singer named Ayala Sherov, and to a web page that looks very convincingly like the Wells Fargo bank login page…
YOUR MONEY: Fake Vivint Smarthome Security and Get a Year of Amazon Prime
This email claiming to represent Vivint Home Security is just another piece of malicious clickbait using stolen graphics from the real Vivint company website. You can easily see that the email actually came from the domain hostedclasses[.]org and the links all point to the domain idecorpoint[.]com rather than Vivint.com. The domain idecorpoint[.]com was registered back in 2015 to someone from Pune, Maharashtra, India, whereas Vivint.com was registered by VIVINT in Utah back in 2005, where the company headquarters are based. “Get a year of Amazon Prime” says an email from sendysn.net. Any replies to this email appear to be sent to an address at an oddball and nonexistent domain in France (qqqorjgb[.]fr). However, clicking the link on the green bar will direct your web browser to a website called kolndersx[.]club. Kolndersx[.]club was registered through a Panamanian proxy service last March and is being hosted on a web server in Holland. We took a screenshot of the top page of this deal and see that there is a lot of fine print about what is required for this so-called Amazon Prime deal… And where, in fact, are we on the Internet? Apparently, that website kolndersx[.]club redirected us to another website called “Retail Rewards Club” retailrewardsclub[.]net located in ROMANIA! By the way, see that “unsubscribe” address in the original email listed for 2360 Corporate Circle, Suite 400 in Henderson, Nevada? According to Bloomberg.com, that address is occupied by a gold mining company called Aviara Mining. Does any of this inspire confidence to hand over your personal information or credit card details in order to get a year of Amazon Prime?
TOP STORY: Criminals Disguised as Tech Newsletter?
What if the information we receive on how to protect us from attack is actually an attack on our computer? The email below appears to be a newsletter from a company called Broad Technologies. The leading article is titled “Here Are The 10 Most Famous And Malicious Computer Viruses.” Other articles linked in this newsletter are “Here Are 8 Awesome Tricks Your Android Phone Can Do” and “The 10 Smart Gadgets That Are Just Very Stupid.” However, before you consider clicking these interesting articles, look more closely at the source and the links revealed by a mouse-over! The email came FROM the domain bestbroadtech[.]info, NOT from Broadtechs[.]com. (See note below about the real Broadtechs[.]com.) And all links point back to bestbroadtech[.]info. We believe that this newsletter is a fake, made from stolen online content, and the links in it are malicious. Here’s why we believe this, even though we cannot confirm that the destination website is hosting malicious software… FOOTNOTE: TDS does not recommend visiting the website BroadTechs[.]com that hosts these and other articles. The reason is that their website lacks multiple credible pieces of information and features that we would expect from technology services. For example… We sent an email to contact “@” broadtechs[.]com after locating it in several places online and inquired about their business and the authors of their articles. Unfortunately, the email was returned to us as undeliverable.
FOR YOUR SAFETY:
Blocked Incoming Messages, Confirm Your Subscription, and Confirm Your Ebay Giveaway 2019
One of our longtime readers sent us this email she received at her company. She found it funny because it asked her if she wanted to release “blocked incoming messages” that were sent on December 2… nearly a month in the future! This was just nasty clickbait!
Another reader sent us this email saying “Congratulations you have been confirmed” with a button for “Subscribe me!” We challenge you to figure out what on earth you are subscribing to! However, it is crystal clear to us where this email was sent from… someone in Brazil, via a server in Russia!
And finally, we leave you with this lovely email from Ebay asking you to confirm your giveaway! “Duo to the end of 2018, we are giving away gifts to our loyal customers” Oh yeah? And we have seats on the first tourist flight to Mars and invite you to join us! This email also came from Brazil, via Russia. And your reply will go to email addresses in Germany and the UK. Safe travels!
Until next week, surf safely!