THE WEEK IN REVIEW
Surprisingly, we saw very few malicious emails disguised as Cyber Monday or Black Friday sales. We expected more, as in past years. Here’s one example, and a reminder that criminals often use current consumer events, holidays and well-known U.S. culture to target us.
Another favorite trick of the gangs who target Americans online is the catch phrase “watch this shocking video.” We’ve talked about this social engineering trick over and over! You want a real shocking video? Watch the national news. But stay away from social media and email that uses this phrase and others like it, such as this one…
Read our latest feature article titled “Criminals in India Target Americans.”
Ever wonder how something legal can be such a scam? Read our latest feature article, “International Award Payment Center.”
Sample Scam Subject Lines:
Bankcard Order Confirmation
Claim Your Brave Response Holster
Fw: (DHL PARCEL Notification)
FW: shipping doc – DHL-AW20170726
Get car loan options based on your specific needs
Official Santa Letters
Re: confirm bank details
Re:Re: My Flight itinerary & Booking Accomodation
Re: wow something new
This method will make you win the lotto by Christmas
You don’t have to battle addiction alone
Your confirmation for HoldMail Service request
Sample Scam Email Addresses
ΑIG Diгeсt Inѕurance <lignosulphonate.fettucinis @ kalvnsamoebicpandowdys-DOT-world>
“Buy Natural Turmeric” <turmericsecret @ turmericsecret-DOT-com>
“Costco StoreVouchers” <costco-storevouchers @ costkowholeale-DOT-com>
“Free Auto Loan Quotes” <carloanns @ carloanns-DOT-com>
“Get Recondition Battery Secret” <secrettbatery @ secretbattery-DOT-com>
“Gifting Guide” <gifting-guide @ holidayrewar-DOT-com>
Match Seniors <from @ newsletterinfo-DOT-today>
NACHA Federal <noreply @ nachamessage28-DOT-ml>
Ray Ban <hello @ fqjww-DOT-com>
Rudolph <rudolph @ christmaslettersfromssnt-DOT-com>
Rudolph <rudolph @ saantaletters-DOT-com>
“Shark Tank Funding” <shark.tank.funding @ skinsharktank-DOT-com>
“Vision Eye Care” <contact @ eyeshealth-DOT-bid>
Phish NETS: AppleCareSystem, Apple ID, Apple Update and Your Email!
A V A L A N C H E!!! We found enough phish in last week’s sea to support weeks of phish-fry! Fortunately, it’s all pretty lame. Anyone paying attention to the from address, a mouse-over of the link, or the English language used in the emails can see through this carp. Take this email from “AppleGroup” sent from an address in Romania. (2-letter country code “.ro”) “PLEASE NOTE – THIS IS AN AUTOMATED SENT” “Thank you for are in Apple Team.. Your Account need activation of Step 3 Security” Step 1 and 2 for these idiots must be:
- Take out gun
- Shoot self in foot
That official-sounding domain AppleCareSystem-DOT-com was registered on November 22 through a service in Moscow, Russia and is also hosted in Moscow.
A visit to applecaresystem-DOT-com shows this fake login page:
This next email seems to be from Support@icloud.com but if you look closely you’ll see the real address is found between the symbols < >. The email was actually sent from a domain that doesn’t exist according to the WHOIS tools we checked: otlxouumhl-suppresupport-DOT-com. A mouse-over of the link “Go to security settings” shows that it points to a shortened link at ow.ly. We used Unshorten.it to discover that the link in this email will forward you to a blog in France. (2-letter country code = “.fr”)
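The check described above, comparing the name shown in the From line against the real address between the < > symbols, can be automated. This is an added example, not part of the original newsletter; the brand-to-domain map and the sample headers are constructed for illustration, and the substring brand match is a simple heuristic.

```python
import re
from email.utils import parseaddr

# Assumed map of brand keywords to the domain that brand really sends from.
BRAND_DOMAINS = {"apple": "apple.com", "icloud": "icloud.com", "usaa": "usaa.com"}

# An email address embedded in the display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def check_from(raw_from):
    """Return a list of findings for one From: header value."""
    display, addr = parseaddr(raw_from)
    if "@" not in addr:
        return ["unparseable-sender"]
    sender = addr.rsplit("@", 1)[1].lower()
    findings = []
    # Display name shows an address whose domain is not the real sender's.
    m = ADDR_IN_NAME.search(display)
    if m and not _under(sender, m.group(1).lower()):
        findings.append("display-address-mismatch")
    # Display name uses a brand, but the mail does not come from that brand.
    name = display.lower()
    if any(b in name and not _under(sender, d) for b, d in BRAND_DOMAINS.items()):
        findings.append("brand-domain-mismatch")
    return findings


# Constructed sample headers (sender addresses are placeholders).
SAMPLES = [
    '"Support@icloud.com" <notice@mailer.example>',
    '"AppleGroup" <info@host.example>',
    'Apple Support <noreply@email.apple.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```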
Don’t you love it when the good folks at Apple Computer address you as “Dears ,”? It makes us feel warm and fuzzy. The link for “Verify Now” points to a hacked website in Taipei, Taiwan.
Another big, fat delete!
Contributing to our phishing avalanche were many emails targeting webmail users. Take a look at web addresses revealed by mousing-over the links in these emails. Can you spot the link pointing to a server in China? Bulgaria? A wedding website in Mumbai, India?
Finally, we offer this really bogus phish pretending to be from USAA Bank…
YOUR MONEY: New Gift From Amazon, Learn Piano and Mystery Shopper Assignment
“Our system stil shows a pending reward worth over $50 from Amazon.com” says an email from amaziongiifts-DOT-com. This BS is one more good example illustrating why our Domain Name System, governed by ICANN, is so badly broken. ICANN is in need of a major change in leadership! Any idiot can see that this domain, amaziongiifts-DOT-com, is meant to look like Amazon Gifts and likely to be fraudulent. It was registered by “Cammie McPherson” again. Cammie appears to be the current queen of malicious intent and we’ve reported on “her” malicious domains for weeks.
Does this next email look legitimate to you? “Piano for All. The ingenious way to learn piano and keyboard.” While Pianoforall.com is a real website, this email will send you to a website called numerologia-DOT-us, a domain opened in January of 2017 but with no observable website. This malicious email is one of thousands that we believe are sent to Americans by a criminal gang in India. Look at the bottom of the email for the address you are asked to contact in order to unsubscribe. Then read our recently featured article “Criminals in India Target Americans.”
We have written several times about Mystery Shopper employment scams. Here is another one. What makes this one different, and most interesting to us, is the sender’s from address. The email was sent from “Secret Shopper” <nebula “@” telkomsa.net>. Telkomsa is a free email service used across most of Africa. You can read more about these scams on our website.
TOP STORY: Malware Targets CNN Readers
On November 15 we wrote about a malware redirect that we experienced during a visit to CNN.com. The redirect pretended to be about a media player we were asked to install. Since November 15 we’ve experienced three more redirect scams to malware from CNN. On November 24 malware disguised as Adobe Flash Player asked us to install it on our Mac. This happened two times on November 25. CNN has a serious problem. Most likely, the problem is with one of CNN’s many advertising affiliates but CNN needs to remove this affiliate ASAP. Equally important is that CNN doesn’t appear to be warning their readers about these malicious redirects. This is completely irresponsible of them.
Here is a screenshot of the redirected website we were sent to on November 24, just seconds after clicking a link to a CNN article:
Flash Player is an Adobe product and any recommendation to install Flash had better provide a link directly to Adobe.com. (By the way, our Flash Player is not out of date!) Notice that we’ve been redirected to a website called bestmacin-DOT-com. Whois and what is bestmacin-DOT-com? This domain was registered on November 12 through a private proxy service in Panama. A search for this domain using Google shows two very interesting things… First we notice that there is precious little information about this website. Secondly, all the links returned by Google talked about malware and how to get rid of it!
On November 25 we visited an article titled “Confusion as Trump and outgoing director pick leaders for consumer agency.” In seconds, our browser was redirected first to one website and then immediately on to another. This is what appeared in our browser window…
We had been sent to a scam site called siteserviceupgrade-DOT-bid. (updatehere is a sub-domain that appears in front of the domain name.) Virustotal.com reports four services identifying this site as malicious.
Besides the obvious responsibility of CNN to guard the safety of their site, who else was responsible for allowing this crapware trick? We looked at our browser history and found the following sequence of browser actions, all of which occurred within a second after we clicked the CNN article. (We are redacting information and modifying links to keep our readers safe!)
- LEGIT: www.cnn.com/2017/11/25/politics/trump-consumer-agency-appointment/
- LEGIT: tracking.beginads.com/nlp/index.php?pid=8&kw=buy&sid=4444444&f=click&url=REDIRECT TO SUSPICIOUS DOMAIN:feed.myadsbro-DOT-com/
- MALICIOUS: engine.spotscenered-DOT-info/Redirect.eng? MediaSegmentId =39532&dcid=( SHORTENED)
- SUSPICIOUS: trackaffpix-DOT-com/cp/baseloopredirect.php? url=s%3A%2F%2Fsrv2.admedit.me%2Faffassociates%2F%3Fadown%3D (REDIRECT to SUSPICIOUS MEDIA COMPANY “admedit-DOT-me” REGISTERED 4/18/17 IN FRANCE: http://whois.domaintools.com/admedit.me )
- MALICIOUS: updatehere.siteserviceupgradenew-DOT-bid/?pcl=(SHORTENED)
Based on our limited assessment, we would have to say that the legitimate advertising company called BeginAds.com was hacked and manipulated.
We believe that spotscenered-DOT-info is malicious because this same domain was in the path of redirected sites on November 24. And look at what shows up in Google when we conduct a search for this domain…
The facts are very straightforward. One of CNN’s advertisers was taken advantage of for at least 10 days and CNN was irresponsible by doing nothing to warn its readers. If you should ever see pop-ups or be redirected to a page asking you to install software, don’t! Immediately clear your browser’s cache completely, and then quit. For additional peace of mind, run a full virus/malware scan of your computer. Also, Adobe Flash Player in particular is constantly coming out with security updates. If you use it, you should routinely visit https://get.adobe.com/flashplayer/ for updates.
Footnote: These malware redirects continued hitting CNN articles at least through Sunday, Nov. 26th. The last one we saw sent visitors to the malicious domain brightservice2upgrade-DOT-review.
FOR YOUR SAFETY: Request for Hold Mail Service
Just prior to Thanksgiving a business informed us that they had received thousands of emails during a 24-hour period claiming to be from the U.S. Postal Service. These emails notified the business with a confirmation link that their mail would be held during the Thanksgiving break. This was a very clever social engineering trick to entice the business owner to click a link to malware.
“We have received your Hold Mail Service request for November 20, 2017. The USPS receipt containing the shipping information has been enclosed to this message. To view your Hold Mail confirmation receipt, please click here.” The confirmation for HoldMail Service was sent from the domain usapack-DOT-com. A Google search for this domain shows very little but includes a link to an analysis of malware at Malware-Traffic-Analysis.net. Mousing over “click here” reveals that it doesn’t point to the U.S. Postal Service but instead points to the domain packintee-DOT-net. Fortinet, Sophos and Kaspersky have all identified this domain as malicious.
ON THE LIGHTER SIDE: I Am Now Rich in “United State of American”
What are the odds that while Mrs. Rozella Wittmeyer was collecting her $5.5 million she happened to see our email address on the list of those who should be similarly compensated? OMG! And to think that this wonderful news comes from one of our own, a 48-year-old Texas resident, albeit via an email address in China.
From: “Mrs. Rozella Wittmeyer”<email@example.com>
Subject: CONTACT HIM NOW FOR YOUR $5.5 MILLION USD
Date: 2017-11-21 03:01AM
I am Mrs. Rozella Wittmeyer, I am a US citizen, 48 years Old. I reside here in Texas USA.My residential address is as follows, 1109 Lake Haven Drive Little Elm Texas 75068 United States,am thinking of relocating since I am now rich. I am one of those that took part in the compensation in United State of American many years ago and they refused to pay me, I had paid over $56,000 while in the US,trying to get my payment all to no avail.
So I decided to travel to Washington with all my compensation documents, And I was directed by the Federal Bureau of Investigation Director to contact Attorney James Leo, who is a representative of the Federal Bureau of Investigation and a member of the Compensation Award Committee, currently in USA and I contacted him and he explained everything to me. He said whoever is contacting us through emails are fake.
He took me to the paying bank for the claim of my compensation payment. Right now I am the most happiest woman on earth because I have received my compensation funds of $5.5 Million US Dollars,Moreover,Attorney James Leo showed me the full information of those that are yet to receive their payments and I saw your email as one of the beneficiaries on the list he showed me, that is why I decided to email you to stop dealing with those people, they are not with your fund, they are only making money out of you. I will advise you to contact Attorney James Leo. Kinldy send your personal details to him to prove your identification.
You have to contact him directly on this information below.
Compensation Award House
Name: Attorney James Leo
Email: firstname.lastname@example.org OR email@example.com
You really have to stop dealing with those people that are contacting you and telling you that your fund is with them, it is not in anyway with them, they are only taking advantage of you and they will dry you up until you have nothing. The only money I paid after I met Attorney James Leo was just $355 USD for the paper works, take note of that.
Once again stop contacting those people, I will advise you to contact Attorney James Leo so that he can help you to deliver your fund instead of dealing with those liars that will be turning you around asking for different kind of money to complete your transaction.
Thank you and be Blessed.
Mrs. Rozella Wittmeyer.
1109 Lake Haven Drive,
Little Elm Texas 75068 United States.
Until next week, surf safely!