November 25, 2015

THE WEEK IN REVIEW

Our “30,000 foot view” of scams during the past week suggests that the scammers are increasing their victimization of people with personal challenges… health, addiction, depression, arrests for DWI, vision issues, etc. Perhaps people with these types of challenges in their lives are more willing to click while looking for any possible relief or assistance from emails flooding their inboxes. Whatever the reason, the victimization of this population in particular is reprehensible. We don’t understand why more attention isn’t focused on these criminal gangs and their despicable practices.

 

Sample Scam Email Addresses:

1800number@composerjacket.download

AffordableAirlineTickets@durief.top

AlcoholRehabCenters@cupilost.top

AlcoholDetox@cupilost.top

BeverlyHillsMD@irjij.top

BloodSugarsCanKill@allion.top

CarInsuranceQuote@worthath.top

CostaRicaResorts@plaquetuff.xyz

DWIHelp@lfkup.top

LocalPlumbingRepairServices@oplfm.top

PsychicReadings@killeseminondar.download

SpinalStenosisRelief@ktwgs.top

TripstoHawaii@ridingtemplate.xyz

Sample Scam Subject Lines:

23 Second “Exercise” Flattens your Belly Fast

ARTHRITIS PAIN RELIEF- | Search — Symptoms | — Compare-Local Specialists

Avoid the Hassles of Home Repair. Save $30 Now.

Cheap electricity from thin air

Deep Discounts, For Your Next Trip

Depression During-The-Holidays Tips for-Avoiding–Your – Triggers

Great-Deals On Colorado Getaways!

Have You– Or–Someone You– Love- Been In An Accident?

Lonely Russian Girls Looking for Boyfriend

Reduce Muscle -soreness

Removes years- of -stains– so-you — can enjoy a more confident smile

Top Quality Handbags at Low Prices

You may qualify for a lump sum payment

Phish NETS: Bridgeway Finance Limited… Not!

We bring you something completely different in this week’s Phish Net column. Bridgeway Finance Limited is a legitimate financial management firm in Nottingham, UK and has been around for about 50 years as far as we can tell. Current Directors and Secretaries are listed as people with the last name Hill and Warden on CompanyCheck.co.uk and corroborated with information from Bizdb.co.uk. However, that’s not who this email came from…

This email comes from charthson@gmail.com and is signed by someone named Charles Wealthson. Don’t you absolutely love that name for someone who says he works in a finance management company?! If you read the email closely you’ll see several subtle grammar and language issues that suggest Mr. Wealthson is either not a native English speaker or dropped out of high school. It is our suspicion that “Charles” is phishing for lots of personal information from prospective clients he hopes to connect with from across the Internet. When we Google his name, all we find is a lone link to a scam directory. We would like to view the scam directory but alas, both Google and Sophos tell us the directory has been hacked and is hosting malware. Bummer. When we Google his email address we find nothing at all. Just delete, OK? “Thanks and regards.”


Your Money: Your Home Coverage is Set to Expire, Please Confirm your Wifi Connection

Were you to receive an email stating that your home coverage is expiring on the day the email was sent you’d likely be a bit suspicious, or angry for the late notice. But after opening it you think it is just a marketing ploy to protect “major systems and appliances,” right? Wrong…

This bogus email was sent from Meslissa_P@diocessful.com and contains a link back to the same domain, along with random text at the bottom of the email about the recent terror attacks in France. The text is meant to fool antispam servers. But who is diocessful.com? A simple WHOIS lookup reveals that the domain was registered through Enom.com on the very day this email was sent. And it was registered by someone named “D AMI” with the email address offers4donald@gmail.com. Diocessful.com is being hosted in the South African province of Gauteng. To our regular readers… Does this name and email sound the least bit familiar? “D AMI” was the person who registered a scam domain about cheap air flights with Enom.com that we reported on in the Your Money column just last week! By the way, occasionally these scammers demonstrate a sense of humor. According to Google Translate “D’Ami” means “friend of.” Well D Ami is no friend of ours. In fact, DomainBigData.com shows that D Ami’s email address offers4donald@gmail.com was used to register more than 100 domains through Enom.com in just the last three weeks, including another scam email in this week’s newsletter. We spot checked ten of the 100+ domains listed in D Ami’s name and found scam emails sent from seven of the ten domains. Like we said… D’Ami is no friend of ours. Delete.

Please Confirm Your Wifi Connection…
Offers, tips, advice and deals on high speed internet! Sounds great! But before you click, guess who registered the domain that the email came from, and that its link points back to? We’ll give you a hint… He’s a friend of ours. Goes by the name of… D AMI! Wow, “D” has sure been busy! The domain remikoyans.com was registered with Enom on November 18, the very day this email was received. Notice a trend?

This time we asked the Zulu URL Risk Analyzer to look at the link copied by mousing over “Search Sponsored Listings Here” and Zulu said not so bad with a score of only 34/100. “Hold on,” we thought. “What about that redirect Zulu found on the webpage and leading to destinationclass.com?” (See below.) We’ve seen that strange website before! In fact, we wrote about destinationclass.com in our newsletter of November 11, 2015. It is a very suspicious website and we strongly urge our readers to stay away from it!

Now delete!

TOP STORY: “’Tis Thy Name that is My Enemy” Says Juliet

She couldn’t be any more right! In Shakespeare’s famous play Romeo and Juliet, Juliet goes on to say “a rose by any other name would smell as sweet.” To paraphrase Juliet… “’Tis thy new global top level domains that are my enemy!” And these roses have a foul odor. All of the new global top level domains (gTLDs) we have seen for many months are only used by criminals and they reek of malicious intent! But wait, it is the east and Juliet is the sun… What is a global top level domain, you ask? The answer to this question can greatly reduce your online risks!

Our readers will recall that ICANN (Internet Corporation for Assigned Names and Numbers) is the governing body that makes rules about domain (website) names and also licenses companies (called “Registrars”) to sell domain names. These gTLDs include the original few we are familiar with, such as .com, .org and .net. The Daily Scam, for example, uses the domain “thedailyscam” and the gTLD “.com.” However, the explosive growth of domains across the Internet during the last decade has meant there are fewer and fewer name choices available to accompany the original gTLDs of com, net, and org. (Note: mil, edu and gov are all restricted to specific uses.) So in 2013 ICANN began to make available many more gTLDs like .camera, .tattoo, .support, .gift and .club. Today there are more than 750 gTLDs available to use when registering a domain for the Internet. You can view this list of gTLDs, along with their release dates, on the ICANN website.

The problem, as we see it, is that only criminal gangs appear to be using some of these new gTLDs. The criminals purchase domains with the new gTLDs by the thousands and host malicious websites or run phishing and fraud tricks against unsuspecting netizens. We wrote a detailed article about ICANN, the corrupted domain naming system and the easy way criminals misuse it in our feature article titled Taft Technologies and the Truth About Internet Lies. Check it out!

During the last few months we have seen thousands of scam emails using the following newer gTLDs (listed below with their ICANN release dates):

gTLD: ICANN release date

.bid: 3/2/2014

.date: 3/25/2015

.download: 3/25/2015

.help: 8/16/2014

.top: 8/3/2014

.win: 3/25/2015

.work: 3/23/2014

.xyz: 2/19/2014

Here are just a few recent examples of scams using these newer gTLDs in their web site names:

Reamertoll.xyz

Whisblow.bid

Willined.top

Tightrivet.xyz

Peopher.top

Nurscare.date

Collow.top

Numismatology.download

Since Registrars such as Enom.com offer netizens no protection from the registration of criminal domains and ICANN seems to be completely ineffective in its stated mission to protect us, we must become better at protecting ourselves. (Some might even argue that Enom in particular is working with the criminals by turning a “blind eye” to the misuse of their services in exchange for a very lucrative business.) We at The Daily Scam currently advise all Internet users to ignore and delete ALL communications that seem to come from any of the gTLDs newly released since 2013. This includes any links that lead back to these same gTLDs. Remember, the best way to determine where a link leads is to mouse-over it. Visit our articles about mousing-over and unshortening shortened links:

Mouse-Over Skills Explained (video)

Mouse-Over Skills  

iDevice Mouse-Over Skills

Risks of Shortened URLs (Links) 

NOTE: Have a look at ICANN’s Mission statement and look at “Core Value” [a]: “Preserve and enhance… security.”

FOR YOUR SAFETY: DHL Delivery, INTUIT Quickbooks Attention and Remittance Advice Attached

“Dear Customer, A package containing some documents has been dispatched to be delivered to you” says an email from root@hash.com. We don’t know who “root” is but Hash.com makes animation software, amongst other related services. The link to complete the “Tracking Procedure” however, has nothing to do with Hash.com or DHL. You’ll notice that a mouse-over of the link reveals that it points to a set of numbers (82.165.11.63) called an IP address. We used IPLocation.net to track the location of this address. Most of the IP location services stated that the IP address leads to a computer in Germany. (One service said Paris.) Try it yourself to see how to resolve the location of an IP. VirusTotal.com tells us that no fewer than nine online virus checkers report that this IP and associated webpage are hosting malicious software waiting to infect your computer.

Delete!
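The mouse-over check and the gTLD advice from the Top Story can also be applied mechanically. The Python below is an added example, not part of the original newsletter: it lists where each link in a message body really points and flags bare IP addresses and the eight gTLDs from the table above. The function names and the sample message are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# gTLDs taken from the table in the Top Story above.
FLAGGED_TLDS = {"bid", "top", "date", "win", "download", "work", "help", "xyz"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_findings(host):
    """Reasons a host name is suspect: bare IP address or a flagged gTLD."""
    host = (host or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return ["bare IP address instead of a domain name"]
    except ValueError:
        pass  # not an IP literal, so check its top-level domain
    tld = host.rsplit(".", 1)[-1]
    return [f"flagged gTLD .{tld}"] if tld in FLAGGED_TLDS else []

def review_email(sender, html_body):
    """Report what a mouse-over would reveal for the sender and each link."""
    findings = [f"sender: {r}" for r in host_findings(sender.rsplit("@", 1)[-1])]
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlsplit(href).hostname
        findings += [f"link '{text}' -> {host}: {r}" for r in host_findings(host)]
    return findings

# Constructed sample message (not a real email).
SAMPLE = ('<a href="http://203.0.113.7/track">Track your package</a> '
          '<a href="http://deals.example.xyz/">Save now</a> '
          '<a href="https://www.example.com/">Unsubscribe</a>')
if __name__ == "__main__":
    print("\n".join(review_email("offers@example.top", SAMPLE)))
```

A message with no findings is not thereby safe; the check only automates the two signals discussed in this issue.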

 

 

Many small companies use Intuit’s QuickBooks software so the email below may not seem suspicious to them… “As of November 5th, 2015, we will be updating the browsers we support.” But continue to read very carefully and you’ll notice instances of incorrect and awkward English in the paragraph. A mouse-over of the link “proceed the following link” reveals that it points to a strange website called nightskytechnology.com (Google that domain and you’ll see what we mean but DON’T VISIT IT!). The link itself will call for the installation of a zip file. We’re certain that this zip file contains malicious software. Just delete!


We hope our readers remember that Word documents and Excel spreadsheets can contain malicious code designed to cause computer infections. This next email sure does! “COOK Remittance Advice-ACH” was sent from an email address in Mexico. Notice the 2-letter country code .mx.


ON THE LIGHTER SIDE: Attention Owner of This Email Address

We know that any email beginning with “Attention: The Owner of this email Address” has got to be good! “Allen Bell” tells us that we’re going to receive payments of $4500 every day until we get the full $2.5m USD. That’s “m” as in millions! We’re so excited we practically pee’d in our pants! All we have to do is pay a small fee for the delivery of the funds. Sounds reasonable, right?

 

 

Until next week, surf safely!