November 30, 2019

Dec 1, 2019

The Week in Review

When you spend years studying the malicious texts and emails that cybercriminal gangs use to target people, you can’t help but notice patterns.  One of these patterns concerns the purchase of domain names. (And we believe this criminal gang is in India, based on “bread crumbs” that point there.)  We think that a cybercriminal gang purchases hundreds of domain names ending in the same single “global top level domain” (gTLD) because buying in bulk is cheaper for them.  A gTLD always appears at the end of a domain name, after a period. Everyone recognizes the gTLDs “.com” “.edu” and “.org.” We’ve reported many times over the years that criminals bulk buy domain names with the same global top level domain and use them for their malicious purposes.  For example, read our May 22 Top Story “Stay Away from the Pro.”  It cautioned people against clicking on any domain name that ended in “.pro” like “mydomain.pro.”


During the last few weeks we’ve found hundreds of malicious websites that use the gTLD “.info.”  Here are just a handful of examples taken from the FROM address of malicious emails we’ve seen.  The malicious domain can be found after the “@” symbol.  ALL of these DOT-info domains were registered in Maharashtra, India on November 20, 2019:

   Slimming Recipes <soupdetox@inframild[.]info>

   Carbine Shooting System <selfdefense@pekintein[.]info>

   Regain Lost Memories <memoryloss@hollantau[.]info>

   Reduce Electricity Consumption <energysystem@curectuser[.]info>

   Chord Piano <music@banksharce[.]info>

   Woodworking Shop Layout <woodwork@scherstag[.]info>

   Joseph Wilkinson <energydevice@nascalostr[.]info>

   Natural Gout Remedies <gouttherapy@imporgate[.]info>

   Instant Pain Relief <killpain@glycomisys[.]info>

   Sprinkle This Spice <newsletter@bigbytery[.]info>

   Neuropathy Foot Pain <nervepain@herbient[.]info>

   Jake Mayers <wealthsecret@enrafilor[.]info>

And now we are seeing an uptick in malicious domains ending with “.icu.”  Stay clear of them!  For example…

   20/20 without glasses <20/20withoutglasses@visiotwittw[.]icu> (11/20/19)

   Hip Arthritis <Polyarthritis@curearthritis[.]icu> (11/20/19)

The holidays are fast approaching and you will certainly see an increase in advertisements with holiday themes.  This is also a time when you can expect to see more holiday-themed malicious emails, texts and fake ads, like this clickbait with the subject line “Best gift for holidays.”  And yes, it points to a DOT-icu! You can see below that the Zulu URL Risk Analyzer had no problem identifying it as malicious.

We’ve recently learned of a very interesting marketing ploy which feels soooo scammy, and some are saying is a scam because of the quality of merchandise sold.  Women across the U.S. are getting congratulatory notices on their pregnancy from someone named Jenny B! But they aren’t pregnant and they don’t know anyone named Jenny B!  Read about this on TheLily.com.


To all of our American and Canadian readers… we wish you a very warm, safe, and wonderful Thanksgiving holiday with friends and family.

Doug and David

Phish Nets: Unsubscribe Request

Recently, one of our TDS readers opened her spam folder to discover that she had received three very strange emails asking her to confirm her request to subscribe or unsubscribe from applications, newsletters and “the start of something awesome.”  She sent them to us for a look. Let’s start with “something awesome” that came from “Ericka” via the domain lochamp[.]com, which was registered in He Nan, China in 2013.  Oddly, the email also shows a “TO” address to another email at the domain itlgopk[.]uk (as in the United Kingdom) which was registered in June, 2019.  The woman is asked if she wishes to unsubscribe.  But unsubscribe from what?  

Unfortunately, the links were not working when we received the email and we didn’t find any when we dug into the under-the-hood code of this email.

About 12 hours earlier on that same day, the woman received this email from the domain imwmas57cqww[.]net which hasn’t been registered yet, according to our WHOIS lookup.  But notice that this email also seems to have been sent to an oddball address at the same domain itlgopk[.]uk!  By the way, the moment we spotted the phrase “This message is from a trusted sender” we think EXACTLY THE OPPOSITE and treat it as malicious!

The recipient is asked to confirm her request (She made no such request!) to receive 13 different newsletters. (What a lucky number!)  We were able to confirm that clicking EITHER “CONFIRM” or “Unsubscribe” would open an email to be sent to both of the strange email addresses listed below at the domain itlgopk[.]uk and the domain lochamp[.]com.  By the way, that domain LoChamp[.]com points to a website for an Animal Feed business in He Nan, China.  Clearly, both of these emails were sent by the same person.

Now, fast forward a week later and this same TDS reader received another email from Lochamp[.]com with the subject line “We need your confirmation to stop sending you emails !!!!”  If you read this last email, you can see that English is not likely the sender’s first language due to several subtle mistakes.  This time, were she to click the links to unsubscribe, her email program would send an email to MULTIPLE oddball email addresses…

Each of these five email addresses has no website set up on the server on which it is registered.  (Bni Salah happens to be a small town in Morocco.) So what’s going on here? The woman who sent these emails to us didn’t sign up for any of these newsletters, and she didn’t tell us that she had unsubscribed from anything recently either.

We think that these fraudulent emails may be an effort to gather information from her.  It may be as simple as confirming her email address, and that she will open and click a link.  This alone can greatly increase her risk of being a target. It is also possible that she may be asked for additional information to “unsubscribe” such as confirming her address or phone number.  In today’s cyber-world, that could be dangerous. Our advice is simple and you’ve all heard many times before.

DEEEELEEEETE!!!!

Your Money: Russian Cupid

Last week one of our friends opened his email inbox to find more than 20 emails from RussianCupid[.]com, along with one email from FilipinoCupid[.]com.  All had been delivered in less than an hour. He is neither dating, nor interested in men, and certainly not interested in Russians.

We have heard of lots of dating websites and apps over the years but never Russiancupid (or FilipinoCupid).  Given the fact that this Russian inbox invasion appeared to be a major spam campaign, reaching far outside of its circle of interested people, we wondered how real this dating service was.  It took us just milliseconds to find reviews calling this site a scam filled with fake profiles…

However, we also found a single very positive review of Russian Cupid on the website RomanceScams.org.  (Read it here.)  What troubled us about this positive review is that it clearly was not written by a native English speaker and we doubted some of the claims made in the review.  Did RussianCupid simply pay to have a positive review placed on RomanceScams.org? (TheDailyScam was once contacted by a dating website and offered payment for ads on our website.  The service was sleazy and made our skin crawl! We declined.) For example, one paragraph in the review on RomanceScams.org reads “Russian Cupid is one of the legit dating websites today.  Yes, we the number of fake dating web sites, it is essential that we should all be clear on this.  Russian Cupid has millions of Russian women who are waiting for men to sweep them off their feet. In fact, this online dating has one of the best reputations, because they always provide their members with nothing but the best features and services that they offer.  But put in mind that Russian Cupid comes with membership fees.”

Though we can’t imagine anyone actually clicking on this incoming email pile of poo, it does remind us that many people use dating sites and apps to connect with others.  If this applies to you or someone you know, remind them to do their homework and assess the service before signing up. Even the best services have fake profiles made by criminals who try to milk lonely people for their money.  We’ve reported on some of these stories from the people who have shared them with us, or asked us for help to investigate whether a love interest is real or not. Read…

I Love You, Bail Me Out

I Love You, Send Me Money

Online Dating Scams

Top Story: Attacking the Faithful

For many people around the world, nothing is more fundamental than their faith in God.  Faith is a powerful motivator, often directing our choices and daily decisions and pointing us toward a “greater good” beyond ourselves.  And it is exactly those qualities that cybercriminals rely on when they target the faithful. They are hoping that people with a strong belief in God will be trusting of email content that aligns with their beliefs.  And since cybercriminals target email accounts at random, by the millions of emails, they choose the predominant religion of the region or country to target… Christianity in the United States. And so we frequently see emails like this clickbait below with the subject line “A Prayer That Delivers A Bouquet of Miracles.” (Notice that it was sent from, and has links pointing to, a DOT-info!)  If you read this email, you’ll see it is a shameless pitch to trick the faithful into clicking a perceived link to prayers from Archangel Michael, when in fact the links only lead to malware followed by many distracting popups so you don’t even know you were hit with malware. Ultimately, the person clicking will be redirected to a real prayer website.

We believe that Internet hand grenades like these say a great deal about the people who target others for their own financial gain.  They are horrible human beings without empathy. Have they ever watched a loved one — a daughter, father, spouse — suffer financial loss or pain of exposure of personal information?  Once, while talking to a man in India who tried to pull a scam on us, we broke out of the script and asked him point blank… “Don’t you realize that what you are doing is hurting people?  How does it make you feel knowing that you are causing people pain in order to make money?” We fully expected to hear a sudden click indicating he had hung up, or perhaps an expletive hurled at us before hanging up (which many of them do).  But what surprised us is that he quietly and calmly told us that he has no choice. He said this was the only work available to him and that he has a family to take care of. To which our response was “then imagine that it was your wife or daughter who was scammed out of hundreds of dollars!”  He hung up.

Enjoy another one of these malicious emails disguised as a blessing.  The links point back to a domain registered in India just 2 days before we got this landmine.

It’s not just cybercriminals in India who target believers in God.  Nigerian “419 scammers” are notorious for this as well. Take this “Urgent Massage” sent from a “Mrs. Joyce Samuels” of the United Kingdom.  (After raking leaves all day, we could use an urgent massage too.) Though her email came through a Gmail account, your reply will be sent to a different email account via a Yahoo server in Japan.  (419 scams are notorious for being delivered from one email address while your reply goes to another email address, and they often use Yahoo servers in Japan.) Mrs. Samuels says that she is a born-again Christian, childless, widowed, and doesn’t have long to live.  But she has a lot of money and wants YOU to have it! Read her heartfelt pitch to appeal to your faith in God.

And then delete!
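Two of the tells described in this issue are mechanical enough to check automatically: the 419 trick of a Reply-To that lands at a different domain than the From, and the “unsubscribe” emails whose CONFIRM/Unsubscribe links are really mailto: links that hand your address to several strangers. The script below is an added example written for this page, not a tool from TheDailyScam; the sample messages are constructed (the local parts and the Yahoo Japan/Gmail addresses are made up), the domain names are the ones quoted above, and the list of risky TLDs is simply the three this issue mentions.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote
# TLDs this newsletter has seen used for bulk-registered malicious domains.
RISKY_TLDS = {"info", "icu", "pro"}

def _addr(value):
    """Lower-cased address from a header value, '' if the header is absent."""
    return parseaddr(str(value or ""))[1].lower()

def _domain(address):
    return address.rsplit("@", 1)[-1] if "@" in address else ""

class _MailtoCollector(HTMLParser):
    """Collect every recipient named in a mailto: link of an HTML body."""
    def __init__(self):
        super().__init__()
        self.addresses = []

    def handle_starttag(self, tag, attrs):
        href = (dict(attrs).get("href") or "") if tag == "a" else ""
        if href.lower().startswith("mailto:"):
            targets = unquote(href[7:]).split("?", 1)[0]  # drop any ?subject=... part
            self.addresses += [t.strip().lower() for t in targets.split(",") if t.strip()]

def analyze(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender, reply_to = _addr(msg["From"]), _addr(msg["Reply-To"])
    findings = []
    if reply_to and _domain(reply_to) != _domain(sender):  # the 419 delivery pattern
        findings.append(f"reply-to mismatch: {_domain(sender)} -> {_domain(reply_to)}")
    if _domain(sender).rsplit(".", 1)[-1] in RISKY_TLDS:
        findings.append(f"sender in bulk-abused TLD: {_domain(sender)}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        col = _MailtoCollector()
        col.feed(body.get_content())
        targets = sorted({a for a in col.addresses if a != sender})
        if targets:  # a click would hand a live, attentive address to these parties
            findings.append("links mail third parties: " + ", ".join(targets))
    return findings

# Constructed samples modelled on the emails described above (not real captures).
SAMPLE_419 = ('From: "Mrs. Joyce Samuels" <samuels.example@gmail.com>\n'
              "Reply-To: <reply.example@yahoo.co.jp>\nSubject: Urgent Massage\n\nHello\n")
SAMPLE_UNSUB = ("From: Ericka <ericka@lochamp.com>\nContent-Type: text/html\n\n"
                '<a href="mailto:a@itlgopk.uk,b@lochamp.com?subject=CONFIRM">CONFIRM</a>'
                '<a href="mailto:c@itlgopk.uk">Unsubscribe</a>\n')
```

Run `analyze()` over the raw source of a suspicious message (most mail clients offer “show original” or “view source”) and treat any finding as a reason to delete rather than click.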

For Your Safety: Amazon Customer Support

We saw this landmine a few weeks ago pointing to the same website in Denmark.  It’s back again. This is not a phishing scam to an Amazon account. It is a redirected link to malware. A BIG DELETE!

Until next week, surf safely!