November 22, 2017

THE WEEK IN REVIEW

Internet criminal gangs continue to target Apple computer owners.  One of our TDS readers sent us this email that was sent from “Mac OS” but the full from address reveals the lie.  And, of course, the link doesn’t point to Apple or Adobe.  The “Download now” button for Adobe Flash for Mac points to a hacked Arabic market website in France hosting malware.

We wanted to offer readers both a truthful and fraudulent example of a Google notification.  Can you tell which is real and which is malicious?  It’s pretty easy if you look at both the from address and the link revealed by a mouse-over.  And, to our many new members, if you don’t know what is meant by a “mouse-over” now is the time to learn this extremely valuable skill for staying safe online and recognizing online fraud and deceit.  Visit our links below…


Use mouse-over skills to evaluate links before clicking on them:
Mouse-Over Skills: http://thedailyscam.com/articles/mouse-over-skill/
Mouse-Over Skills Video: http://thedailyscam.com/mouse-over-skills/
Mouse-Over Skills on iDevices: http://www.thedailyscam.com/mouse-over-skills-on-i-devices/
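The from-address and mouse-over checks described above, as an added Python example (not code from The Daily Scam). It runs over a constructed message modelled on the “Mac OS” Flash lure; the sender address, link hosts and the BRAND_DOMAINS table are assumptions made for the example.

```python
"""Added example, not The Daily Scam's code: the two by-eye checks the newsletter
recommends, done in code. It compares the From display name with the real sender
domain, and each link's true host (what a mouse-over reveals) with the brands the
mail invokes."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "Mac OS" / Adobe Flash lure described above;
# the addresses and hosts are invented (.example is a reserved TLD).
SAMPLE_EMAIL = """From: "Mac OS" <updates@promo-mailer.example>
Subject: Adobe Flash Player update for your Mac
Content-Type: text/html

<p>Your Flash Player is out of date.</p>
<a href="http://souk-paris.example/dl/flash_update.dmg">Download now</a>
<a href="https://www.apple.com/support/">Apple Support</a>
"""
# Brands the lure trades on, and the domains that actually belong to them (assumed table)
BRAND_DOMAINS = {"mac os": "apple.com", "apple": "apple.com", "adobe": "adobe.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Last two DNS labels: a good-enough 'registrable domain' for .com-style names."""
    return ".".join(host.lower().split(".")[-2:])


def links(html):
    """(visible text, href) for every anchor, i.e. what a mouse-over would reveal."""
    return [(re.sub(r"<[^>]+>", "", text).strip(), href) for href, text in ANCHOR.findall(html)]


def analyze(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    in_name = {b: d for b, d in BRAND_DOMAINS.items() if b in name.lower()}
    findings = [f"From name '{name}' invokes {b} but sender domain is {sender}"
                for b, d in in_name.items() if d != sender]
    mentions = (name + " " + msg.get("Subject", "")).lower()       # brands the mail invokes
    allowed = {d for b, d in BRAND_DOMAINS.items() if b in mentions}
    body = msg.get_payload(decode=True).decode(errors="replace")
    for text, href in links(body):
        host = registrable(urlparse(href).hostname or "")
        if host not in allowed:                                    # the mouse-over check
            findings.append(f"Link '{text}' points to {host}, not to a claimed brand")
    return findings
```

A legitimate Apple mail (sender at apple.com, links to apple.com or adobe.com) produces an empty list, while the lure produces one finding for the sender and one for the “Download now” link.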


Sample Scam Subject Lines:

CNN Video: Shocking study shows how bad blood pressure medicine are

Get this exclusive offer before we stock out

IRS Announces New Programs for Taxes Owed

Largest investment in Shark Tank History – Try this miracle cream

Piano practice can be fun too!

Re:Re: My Flight itinerary & Booking Accomodation

SamsClub Your Gift No has Arrived!!

Tips on How to Choose Back Pain Relief

UPS Ship Notification, Tracking Number 1Y69889164488369

Why this grandma took everything off on ABC last night?

wow! I’ve found some great stuff

You have received a fax message

Your account is entitle to a reward worth over $50

Sample Scam Email Addresses:

“Amazon Voucher” <amazon_voucher @ giift4amzn-DOT-com>

“Costco USA” <costco-usa @ costcowholesaleus-DOT-com>

“Costco Wholesale” <costco_wholesale @ costkreward-DOT-com>

“Forward-Head-Posture-Fix” <Ace_Kerr @ trejckr-DOT-bid>

“Heart Attack Savior” <heartattackkiller @ hertattk-DOT-com>

“Home Safety ” <pipe @ tublightbin-DOT-com>

“Home Safety ” <sparks @ welcomewin-DOT-com>

“Regrow Your Hair” <contact @ losehairs-DOT-bid>

SamsClub_CONFIRMATION REQUEST ! <from @ masterdellin-DOT-today>

“Tesla Energy” <teslaenergy @ energygenrator-DOT-com>

Thank_You <from @ bitcoinshop-DOT-today>

“The Interprovincial Lottery Corporation.”<webmaster @ kht-DOT-ru>

“Vision-Without-Glasses” <Vision Without Glasses @ hippogr-DOT-bid>


Phish NETS: Docusign and Email Server Notification

We’re finding more and more phishing (and malware-connected) emails disguised as Docusign emails, such as this one that actually seems to be from sign.com, rather than Docusign.com.  You might think that the link points to a hacked website for a concrete company in Appalachia, U.S. but you would be wrong.  That domain for appalachianpavingconcrete-DOT-com is registered to someone from Russia and hosted on a server in Dubna, Russia.

This next Docusign phish is a bit confusing if you look at the from address.  Are you meant to think it has to do with documents from Bank of America?  According to Google, there is no such domain as sendmoneytoyouhsjc-DOT-com.   The link for “View Your Document Here” points to a hacked WordPress site for online classified ads.  Look below and you’ll see a screenshot showing that the link points to a webpage looking like a Docusign login window.


“Due to recent upgrade on our server on, you are required to validate your account on our server urgently”  Seriously? Who talks like this?  Often, one of the best reasons to be suspicious of an email, text, or social media post is poor or awkward English skills.  This is because a very high percentage of the scams that target Americans are produced by criminal gangs in other countries who don’t have the best command of the English language.  This email is trying to appear “official” by coming from a domain called secureserver-DOT-org.

Donkey-poo!


YOUR MONEY: Get a $5 BarkBox, Activate Amazon Rewards, and CVS Promotion

“Give your dog the joy of a million belly scratches with BarkBox.” BarkBox.com is a real website that sells products for your dog and “Cyber MuttDay” is one of their promotions, but what you see below is not from the real BarkBox.com!  Look very carefully at the from address.  This email was sent from barkboxX.com.  This incorrectly spelled domain was registered on September 1, 2017 while the original, real domain for BarkBox was registered in 2009.  More importantly, all the links in this email point to the malicious domain dantalcare-DOT-bid.  It was registered the day after the misspelled BarkBoxX.com domain.  Best to run away from this offer with your tail between your legs.

You think you’ve received a “new voucher with a value over $50 from Amazon.com” sent from the email amazongifts “@” foryoureward-DOT-com.    This misleading domain was registered by our newest arch-nemesis “Cammie McPherson.”  We’ve found many malicious domains registered in her name in the last few weeks.  So don’t believe this pitch when it says “our system still shows that you have a pending reward in your Amazon.com account.”

CVS promotion?  Hardly!  Here’s another phony promotion that can’t make up its mind… Are they offering you $50 or $100?  It doesn’t matter of course.  The only thing waiting for you at the end of that link to lgnextgen-DOT-today is a computer infection!

Deeeleeete!


TOP STORY: Malicious Comment Spam

It seems that this is a topic we return to each year.  Anyone who runs their own website, allowing visitors to post comments, is aware of “comment spam.”  These are comments left by spam bots that try to drive traffic to other websites, sell products/services, or worse.  It can be annoying, forcing website owners to install add-ons to try to recognize and filter out the noise.  However, there is another type of comment spam that is both deceitful and dangerous: malicious comment spam.

Take this comment from someone identified as “Gabriel Torres” and posted to a blog for fiction writers recently.  She says “I think your website needs some fresh articles” and goes on to describe a useful tool that can help along with a link to a well-known, free web-hosting site called wix.com.  Sounds innocent enough, right?  Let’s break it down…


“Gabriel” offers the link to the Wix page called Susannah02 at wix.com.  We asked one of our favorite tools, the Zulu URL Risk Analyzer, to check out the Wix page and it informed us quite clearly that there is 0% chance that the Wix page is malicious.  But there is more to this analysis that deserves another look.  Check out what Zulu told us…

No “risk assessment” tool is perfect, not even Zulu.  Though Zulu tells us that the user’s Wix page is harmless, it also identified another external element linked to the page.  It’s a website called browsehappy-DOT-com.  This feels like a dentist saying “it won’t hurt” when you sit down to have 2 cavities filled.  VirusTotal.com says that the “happy” website has been identified as a phishing site by one AV service and their community page shows four people identifying the happy site as unsafe (as of November 19).

BrowseHappy-DOT-com actually has a long history that can be reviewed on Wikipedia, but that doesn’t mean it can’t be abused by hackers.  Given the suspicions of others, its identification as a phishing site, and the oddball way it came to our attention from a comment post, we wouldn’t trust it as far as we can throw it.


If you want to read our previous articles about Comment Spam, check out these links on our site:

Comment Spam Targets Teachers (April, 2016)

April 8, 2015 Top Story  (April, 2015)


FOR YOUR SAFETY: View New Fax, New Purchase Order and Emails from Friends

You have a “new fax from 418-437-6447” says an email from ringc-DOT-com.   Ringc is not Ringcentral and the link to see your fax points to malware on a hacked website for Precision Roof Washing in New Jersey.

Delete!

Hey Business Owners, “Hatim Carbon” has sent you a new purchase order “due to our last email conversation toward my new order.”  Do you really think that the attached file is a pdf file?  Look more carefully.  It is a “.jar” file.  That is a very dangerous file to open!  A .jar file is a zip-style archive of Java programs, meaning that it can contain coded instructions that you won’t learn about until you open it.  And that will be too late for you!
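The “is that really a PDF?” check from the paragraph above, as an added Python example (not from The Daily Scam). The purchase-order message, sender address, filename, attachment bytes and the MAGIC/DANGEROUS tables are all constructed for the example.

```python
"""Added example, not The Daily Scam's code: the attachment check behind the
"is that really a PDF?" advice above. It looks past the filename to the file's
magic bytes, flags doubled extensions like .pdf.jar, and treats JAR (a ZIP
container of Java code) and other executable types as dangerous to open."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: a fake purchase order whose "PDF" is really a JAR. The
# sender and filename are invented, and the payload is only the ZIP local-file
# header that every JAR starts with, not a working archive.
def build_sample():
    msg = EmailMessage()
    msg["From"] = "orders@example.net"
    msg["Subject"] = "New purchase order"
    msg.set_content("Please see the attached purchase order.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="pdf", filename="PurchaseOrder.pdf.jar")
    return msg.as_bytes()

# Leading bytes that identify the real container, whatever the name says (assumed table)
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/jar/office", b"MZ": "windows exe"}
DANGEROUS = {"jar", "exe", "js", "vbs", "scr", "bat", "cmd", "ps1", "hta"}

def sniff(data):
    """Name the container type from the first bytes, or 'unknown'."""
    return next((kind for sig, kind in MAGIC.items() if data.startswith(sig)), "unknown")

def check_attachments(raw):
    """Return one finding per problem with the message's attachments."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]          # all extensions, e.g. ['pdf', 'jar']
        real = sniff(part.get_payload(decode=True) or b"")
        if exts and exts[-1] in DANGEROUS:           # the last extension is what runs
            findings.append(f"{name}: '.{exts[-1]}' is an executable type")
        if len(exts) > 1:
            findings.append(f"{name}: doubled extension hides the real type")
        if "pdf" in exts and real != "pdf":          # name says PDF, bytes say otherwise
            findings.append(f"{name}: claims PDF but content looks like {real}")
    return findings
```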

We hate it when we get emails from the hacked mail accounts of people we know.  **sigh**  It’s the pain that keeps on giving for years!  Like this email to Doug at The Daily Scam from an acquaintance.  “Hi Doug” along with a bit.ly link.  We unshortened that link and followed the breadcrumbs.  Zulu got it right this time…  100% malicious.  Have a look yourself.  And don’t open emails from friends that contain little more than a link.



ON THE LIGHTER SIDE: We’ve Noticed Some Unusual Sign-In Activities on your Apple ID

Many thanks to the Reddit member who posted this recently.  An Apple ID scam targeted his iPhone but as he so succinctly pointed out…  “Fam this is an android. You done f-d up.”

*Special Thanks to Reddit Member GiffKeplen for posting this scam text



Until next week, surf safely!