THE WEEK IN REVIEW

When you spend years studying the malicious texts and emails that cybercriminal gangs use to target people, you can’t help but notice patterns. One of these patterns concerns the purchase of domain names. (And we believe this criminal gang is in India, based on “bread crumbs” that point there.) We think that a cybercriminal gang purchases hundreds of domain names ending in the same single “global top level domain” (gTLD) because buying in bulk is cheaper for them. A gTLD always appears at the end of a domain name, after a period; everyone recognizes the gTLDs “.com,” “.edu” and “.org.” We’ve reported many times over the years that criminals bulk-buy domain names with the same global top level domain and use them for their malicious purposes. For example, read our May 22 Top Story “Stay Away from the Pro.” It cautioned people against clicking on any domain name that ended in “.pro,” like “mydomain.pro.” During the last few weeks we’ve found hundreds of malicious websites that use the gTLD “.info.” Here are just a handful of examples taken from the FROM address of malicious emails we’ve seen. The malicious domain is the part after the “@” symbol. ALL of these DOT-info domains were registered in Maharashtra, India on November 20, 2019:

Slimming Recipes <soupdetox@inframild[.]info>
Carbine Shooting System <selfdefense@pekintein[.]info>
Regain Lost Memories <memoryloss@hollantau[.]info>
Reduce Electricity Consumption <energysystem@curectuser[.]info>
Chord Piano <music@banksharce[.]info>
Woodworking Shop Layout <woodwork@scherstag[.]info>
Joseph Wilkinson <energydevice@nascalostr[.]info>
Natural Gout Remedies <gouttherapy@imporgate[.]info>
Instant Pain Relief <killpain@glycomisys[.]info>
Sprinkle This Spice <newsletter@bigbytery[.]info>
Neuropathy Foot Pain <nervepain@herbient[.]info>
Jake Mayers <wealthsecret@enrafilor[.]info>

And now we are seeing an uptick in malicious domains ending with “.icu.” Stay clear of them! For example…

20/20 without glasses <20/20withoutglasses@visiotwittw[.]icu> (11/20/19)
Hip Arthritis <Polyarthritis@curearthritis[.]icu> (11/20/19)

The holidays are fast approaching and you will certainly see an increase in advertisements with holiday themes. This is also a time when you can expect to see more holiday-themed malicious emails, texts and fake ads, like this clickbait with the subject line “Best gift for holidays.” And yes, it points to a DOT-icu! You can see below that the Zulu URL Risk Analyzer had no problem identifying it as malicious.
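The pattern described above, many unrelated sender domains sharing one uncommon gTLD and one registration date, can be turned into a simple triage check over the FROM headers of a mail spool. This is an added example, not code from The Daily Scam; the From headers are the ones quoted above plus one constructed benign sender, and the WHOIS creation dates are a constructed stand-in for real lookups.

```python
import re
from collections import defaultdict

# Constructed sample From headers: the newsletter's examples plus one benign sender.
SAMPLE_FROM_HEADERS = [
    "Slimming Recipes <soupdetox@inframild[.]info>",
    "Carbine Shooting System <selfdefense@pekintein[.]info>",
    "Regain Lost Memories <memoryloss@hollantau[.]info>",
    "Chord Piano <music@banksharce[.]info>",
    "Hip Arthritis <Polyarthritis@curearthritis.icu>",
    "20/20 without glasses <20/20withoutglasses@visiotwittw.icu>",
    "Newsletter <news@example.com>",
]

# Constructed WHOIS creation dates (not real lookups) mirroring the "all registered on one day" observation.
WHOIS_CREATED = {
    "inframild.info": "2019-11-20", "pekintein.info": "2019-11-20",
    "hollantau.info": "2019-11-20", "banksharce.info": "2019-11-20",
    "curearthritis.icu": "2019-11-20", "visiotwittw.icu": "2019-11-20",
    "example.com": "2001-01-01",
}

def sender_domain(header):
    """Domain after '@' in a From header, lower-cased, with '[.]' defanging undone."""
    m = re.search(r"<([^>]+)>", header)
    addr = (m.group(1) if m else header).strip().replace("[.]", ".")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def domains_by_tld(headers):
    """Map each top-level label to the set of distinct sender domains using it."""
    groups = defaultdict(set)
    for h in headers:
        dom = sender_domain(h)
        if dom and "." in dom:
            groups[dom.rsplit(".", 1)[1]].add(dom)
    return groups

def shared_creation_date(domains, created):
    dates = {created.get(d) for d in domains}  # one date and no unknowns -> bulk-registered together
    return dates.pop() if len(dates) == 1 and None not in dates else None

def suspicious_tlds(headers, created, min_domains=2, ignore=("com", "org", "net", "edu")):
    """Uncommon TLDs used by several sender domains that were all registered on the same day."""
    hits = {}
    for tld, doms in domains_by_tld(headers).items():
        date = shared_creation_date(doms, created)
        if date and len(doms) >= min_domains and tld not in ignore:
            hits[tld] = date
    return hits
```

Run against real mail, the interesting output is a TLD you have never seen from a legitimate correspondent paired with a single creation date across every domain using it.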


Phish Nets: Unsubscribe Request

Recently, one of our TDS readers opened her spam folder to discover that she had received three very strange emails asking her to confirm her request to subscribe or unsubscribe from applications, newsletters and “the start of something awesome.” She sent them to us for a look. Let’s start with “something awesome,” which came from “Ericka” via the domain lochamp[.]com, registered in He Nan, China in 2013. Oddly, the email also shows a “TO” address at another domain, itlgopk[.]uk (as in the United Kingdom), which was registered in June 2019. The woman is asked if she wishes to unsubscribe. But unsubscribe from what?

Unfortunately, the links were not working when we received the email, and we didn’t find any working ones when we dug into the under-the-hood code of this email.

About 12 hours earlier on that same day, the woman received this email from the domain imwmas57cqww[.]net, which hasn’t been registered yet, according to our WHOIS lookup. But notice that this email also seems to have been sent to an oddball address at the same domain itlgopk[.]uk! By the way, the moment we spot the phrase “This message is from a trusted sender” we assume EXACTLY THE OPPOSITE and treat it as malicious!

The recipient is asked to confirm her request (she made no such request!) to receive 13 different newsletters. (What a lucky number!) We were able to confirm that clicking EITHER “CONFIRM” or “Unsubscribe” would open an email addressed to both of the strange email addresses listed below at the domains itlgopk[.]uk and lochamp[.]com. By the way, that domain LoChamp[.]com points to a website for an animal feed business in He Nan, China. Clearly, both of these emails were sent by the same person.

Now, fast forward one week, and this same TDS reader received another email from Lochamp[.]com with the subject line “We need your confirmation to stop sending you emails !!!!” If you read this last email, you can see from several subtle mistakes that English is not likely the sender’s first language. This time, were she to click the links to unsubscribe, her email program would send an email to MULTIPLE oddball email addresses…


None of these five email addresses has a website set up on the server where its domain is registered. (Bni Salah happens to be a small town in Morocco.) So what’s going on here? The woman who sent these emails to us didn’t sign up for any of these newsletters, and she didn’t tell us that she had unsubscribed from anything recently either.

We think that these fraudulent emails may be an effort to gather information from her. It may be as simple as confirming that her email address is live and that she will open a message and click a link. That alone can greatly increase her risk of being a target. It is also possible that she would be asked for additional information to “unsubscribe,” such as confirming her address or phone number. In today’s cyber-world, that could be dangerous. Our advice is simple, and you’ve all heard it many times before.

DEEEELEEEETE!!!!
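The tell in the emails above is that the CONFIRM and Unsubscribe links are mailto: links addressed to mailboxes at domains other than the one the message came from, so a click sends the reader’s address to strangers. The check below automates that comparison; it is an added example, not code from The Daily Scam, and the HTML body and the sender address “ericka@lochamp.com” are constructed to mirror the description, not copied from the real email.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, unquote

SENDER = "ericka@lochamp.com"  # constructed sender, modelled on the email described above
# Constructed HTML body (not the real email) whose CONFIRM/Unsubscribe links are
# mailto: URLs addressed to several mailboxes at domains other than the sender's.
SAMPLE_HTML = """
<p>We need your confirmation to stop sending you emails !!!!</p>
<a href="mailto:confirm@itlgopk.uk,stop@lochamp.com?cc=list@example.net">CONFIRM</a>
<a href="mailto:unsub@itlgopk.uk?subject=Unsubscribe">Unsubscribe</a>
<a href="https://lochamp.com/preferences">Manage preferences</a>
"""

class MailtoCollector(HTMLParser):
    """Collects every anchor href that uses the mailto: scheme."""
    def __init__(self):
        super().__init__()
        self.mailtos = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("mailto:"):
            self.mailtos.append(href)

def mailto_recipients(href):
    """All recipients of a mailto: URL, including any cc= and bcc= query parameters."""
    parts = urlsplit(href)
    rcpts = unquote(parts.path).split(",")
    for key in ("cc", "bcc"):
        for value in parse_qs(parts.query).get(key, []):
            rcpts.extend(value.split(","))
    return [r.strip().lower() for r in rcpts if r.strip()]

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def foreign_unsubscribe_targets(html, sender):
    """Mailboxes an unsubscribe click would write to that are NOT at the sender's domain."""
    parser = MailtoCollector()
    parser.feed(html)
    sender_dom = domain_of(sender)
    flagged = {r for href in parser.mailtos for r in mailto_recipients(href)
               if domain_of(r) and domain_of(r) != sender_dom}
    return sorted(flagged)
```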

Your Money: Russian Cupid

Last week one of our friends opened his email inbox to find more than 20 emails from RussianCupid[.]com, along with one email from FilipinoCupid[.]com. All had been delivered in less than an hour. He is neither dating, nor interested in men, and certainly not interested in Russians.


We have heard of lots of dating websites and apps over the years but never RussianCupid (or FilipinoCupid). Given that this Russian inbox invasion appeared to be a major spam campaign, reaching far outside its circle of interested people, we wondered how real this dating service was. It took us just milliseconds to find reviews calling this site a scam filled with fake profiles…

However, we also found a single very positive review of Russian Cupid on the website RomanceScams.org.  (Read it here.)  What troubled us about this positive review is that it clearly was not written by a native English speaker and we doubted some of the claims made in the review.  Did RussianCupid simply pay to have a positive review placed on RomanceScams.org? (TheDailyScam was once contacted by a dating website and offered payment for ads on our website.  The service was sleazy and made our skin crawl! We declined.) For example, one paragraph in the review on RomanceScams.org reads “Russian Cupid is one of the legit dating websites today.  Yes, we the number of fake dating web sites, it is essential that we should all be clear on this.  Russian Cupid has millions of Russian women who are waiting for men to sweep them off their feet. In fact, this online dating has one of the best reputations, because they always provide their members with nothing but the best features and services that they offer.  But put in mind that Russian Cupid comes with membership fees.”

Though we can’t imagine anyone actually clicking on this incoming email pile of poo, it does remind us that many people use dating sites and apps to connect with others. If this applies to you or someone you know, remind them to do their homework and assess the service before signing up. Even the best services have fake profiles made by criminals who try to milk lonely people for their money. We’ve reported on some of these stories from the people who have shared them with us, or asked us for help to investigate whether a love interest is real or not. Read…

I Love You, Bail Me Out

I Love You, Send Me Money

Online Dating Scams
