November 29, 2017

[hr_invisible]

Phish NETS: AppleCareSystem, Apple ID, Apple Update and Your Email!

A V A L A N C H E!!!  We found enough phish in last week’s sea to support weeks of phish-fry! Fortunately, it’s all pretty lame.  Anyone paying attention to the from address, a mouse-over of the link, or the English language used in the emails can see through this carp.  Take this email from “AppleGroup” sent from an address in Romania. (2-letter country code “.ro”)  “PLEASE NOTE – THIS IS AN AUTOMATED SENT”  “Thank you for are in Apple Team.. Your Account need activation of Step 3 Security”  Step 1 and 2 for these idiots must be:

1. Take out gun
2. Shoot self in foot

That offical-sounding domain AppleCareSystem-DOT-com was registered on November 22 through a service in Moscow, Russia and is also hosted in Moscow.

A visit to applecaresystem-DOT-com shows this fake login page:

[hr_invisible]

This next email seems to be from Support@icloud.com but if you look closely you’ll see the real address is found between the symbols < >.   The email was actually sent from a domain that doesn’t exist according to the WHOIS tools we checked: otlxouumhl-suppresupport-DOT-com.  A mouse-over of the link “Go to security settings” shows that it points to a shortened link at ow.ly.  We used Unshorten.it to discover that the link in this email will forward you to a blog in France. (2-letter country code = “.fr”)

Delete!

[hr_invisible]

Don’t you love it when the good folks at Apple Computer address you as “Dears ,”  It makes us feel warm and fuzzy.  The link for “Verify Now” points to a hacked website in Taipei, Taiwan.

Another big, fat delete!

[hr_invisible]

[hr_invisible]

Contributing to our phishing avalanche were many emails targeting webmail users.  Take a look at web addresses revealed by mousing-over the links in these emails.  Can you spot the link pointing to a server in China?  Bulgaria?  A wedding website in Mumbai, India?

[hr_invisible]

[hr_invisible]

Finally, we offer this really bogus phish pretending to be from USAA Bank…

[hr_invisible]

[hr_invisible]

[hr_invisible]

YOUR MONEY: New Gift From Amazon, Learn Piano and Mystery Shopper Assignment

“Our system stil shows a pending reward worth over $50 from Amazon.com” says an email from amaziongiifts-DOT-com.  This BS is one more good example illustrating why our Domain Name System, governed by ICANN, is so badly broken.  ICANN is in need of a major change in leadership!  Any idiot can see that this domain, amaziongiifts-DOT-com, is meant to look like Amazon Gifts and likely to be fraudulent.  It was registered by “Cammie McPherson” again.  Cammie appears to be the current queen of malicious intent and we’ve reported on “her” malicious domains for weeks.

Delete!

Does this next email look legitimate to you?  “Piano for All.  The ingenious way to learn piano and keyboard.”  While Pianoforall.com is a real website, this email will send you to a website called numerologia-DOT-us, a domain opened in January of 2017 but with no observable website.  This malicious email is one of thousands that we believe are sent to Americans by a criminal gang in India.  Look at the bottom of the email for the address you are asked to contact in order to unsubscribe.  Then read our recently featured article “Criminals in India Target Americans.”

We have written several times about Mystery Shopper employment scams.  Here is another one.  What makes this one different, and most interesting to us, is the sender’s from address.  The email was sent from “Secret Shopper” <nebula “@” telkomsa.net.  Telkomsa is a free email service used across most of Africa.  You can read more about these scams on our website.

[hr_invisible]

[hr_invisible]

TOP STORY: Malware Targets CNN Readers

On November 15 we wrote about a malware redirect that we experienced during a visit to CNN.com.  The redirect pretended to be about a media player we were asked to install.  Since November 15 we’ve experienced three more redirect scams to malware from CNN.  On November 24 malware disguised as Adobe flash player asked us to install it on our Mac. This happened two times on November 25.  CNN has a serious problem.  Most likely, the problem is with one of CNN’s many advertising affiliates but CNN needs to remove this affiliate ASAP.  Equally important is that CNN doesn’t appear to be warning their readers about these malicious redirects.  This is completely irresponsible of them.

Here is a screenshot of the redirected website we were sent to on November 24, just seconds after clicking a link to a CNN article

Flash Player is an Adobe product and any recommendation to install Flash had better provide a link directly to Adobe.com.  (By the way, our Flash Player is not out of date!)  Notice that we’ve been redirected to a website called bestmacin-DOT-com.  Whois and what is bestmacin-DOT-com?  This domain was registered on November 12 through a private proxy service in Panama.  A search for this domain using Google shows two very interesting things… First we notice that there is precious little information about this website.  Secondly,  all the links returned by Google talked about malware and how to get rid of it!

On November 25 we visited an article titled “Confusion as Trump and outgoing director pick leaders for consumer agency.”  In seconds, our browser was redirected first to one website and then immediately on to another.  This is what appeared in our browser window…

We had been sent to a scam site called siteserviceupgrade-DOT-bid.  (updatehere is a sub-domain that appears in front of the domain name.)  Virustotal.com reports four services identifying this site as malicious.

Besides the obvious responsibility of CNN to guard the safety of their site, who else was responsible for allowing this crapware trick?  We looked at our browser history and found this sequence of events:

Here is the sequence of browser actions that occurred in a second after we clicked the CNN article.  (We are redacting information and modifying links to keep our readers safe!)

1. LEGIT: www.cnn.com/2017/11/25/politics/trump-consumer-agency-appointment/
2. LEGIT: tracking.beginads.com/nlp/index.php?pid=8&kw=buy&sid=4444444&f=click&url=REDIRECT TO SUSPICIOUS DOMAIN:feed.myadsbro-DOT-com/
3. MALICIOUS: engine.spotscenered-DOT-info/Redirect.eng? MediaSegmentId =39532&dcid=( SHORTENED)
4. SUSPICIOUS: trackaffpix-DOT-com/cp/baseloopredirect.php? url=s%3A%2F%2Fsrv2.admedit.me%2Faffassociates%2F%3Fadown%3D (REDIRECT to SUSPICIOUS MEDIA COMPANY “admedit-DOT-me” REGISTERED 4/18/17 IN FRANCE: http://whois.domaintools.com/admedit.me )
5. MALICIOUS: updatehere.siteserviceupgradenew-DOT-bid/?pcl=(SHORTENED)

Based on our limited assessment, we would have to say that the legitimate advertising company called BeginAds.com was hacked and manipulated.

We believe that spotscenered-DOT-info is malicious because this same domain was in the path of redirected sites on November 24 and look at what shows up in Google when we conduct a search for this domain…

[hr_invisible]

[hr_invisible]

The facts are very straight forward.  One of CNN’s advertiser’s was taken advantage of for at least 10 days and CNN was irresponsible by doing nothing to warn it’s readers.  If you should ever see pop-ups or be redirected to a page asking you to install software, don’t!  Immediately clear your browser’s cache completely, and then quit.  For additional piece of mind, run a full virus/malware scan of your computer.  Also, Adobe Flash Player in particular is constantly coming out with security updates.  If you use it, you should routinely visit https://get.adobe.com/flashplayer/ for updates.

Footnote: These malware redirects continued hitting CNN articles at least through Sunday, Nov. 26th.  The last one we saw sent visitors to the malicious domain brightservice2upgrade-DOT-review.