

November 4, 2015

THE WEEK IN REVIEW

As expected, during the final days of October we saw an uptick in the number of scams and malicious emails disguised as Halloween special deals. They were special all right, but not in the way we want! Now we’re seeing a big blast of email coupons, rewards and vouchers for CVS, Kmart, Sam’s Club, Amazon, Walgreens and other businesses. Nearly all are for the same amount… $50. What’s so magical about $50 as opposed to $75, $45 or some other dollar amount? We would love to ask the criminals who push this junk out.

Visit our latest feature article “Apple Tech Support Scams.”

Also, Doug Fodeman of TheDailyScam was featured as one of 27 security experts at DigitalGuardian.com speaking about social engineering tricks and phishing scams. Check it out here!

Sample Scam Email Addresses

AffordableContactLenses@lenseschangespace.space

Amazon.Bonus.Points@flecw.pw (.pw is the country code for Palau)

Amazon_Customer_Appreciation@bcmmh.accountant

FanDuel.Fantasy.NBA@qoucd.bid

Kohls.Reward@qddwy.bid

Macintosh-October-Clearance@jhyxq.top

MichaelKors.Black.Friday.Overstock@itac.space

Military-Survival-Gear@zydmm.date

Reverse_Your_Mortgage@mmnev.bid

Sams_Club@egsro.pw

TechCrunch_Mac_Gadget@leasv.date

VisitCostaRica@mantables.xyz

Sample Scam Email Subject Lines

Accident Injury? Search Legal Help

Forbes Report: Think like a Millionaire with this New “Genius Pill”

Heavy-duty universal wrench for any job, Free 40-piece set today

Home Warranty Protection for your Family. $30 Savings. Limited time.

Lasik Surgery for Both Eyes

Make a Difference – Become a Teacher

New Documentary—Goes-Viral (watch here). –Harvard—and Cornell Disclose Fascinating News.

Protect Yourself in an Emergency , 75% off expires Saturday, October 31, 2015

Re: Are you being cheated on? Prepare for the unexpected.

Re: Claim your $50 Groupon reward

Re: Kmart wants to give you a $50 voucher, No. 2993876

Search SUVs, To Match Your Lifestyle

Slash Your Gas Bill By 80%


Phish NETS: Straight2Bank and American Express

Finally, something other than PayPal! “Straight2Bank” is a service run by Standard Chartered Bank as an online international banking exchange with offices in Jordan, London, Hong Kong and dozens of other locations. Apparently their customers suffer phishing attacks along with the rest of us. Check out this scam sent from weeklyhp9@roos-freizeitanlagen.com (By the way “freizeitanlagen” is German for “leisure facilities.” Weird.) “We detected irregular activity on your Straight2Bank Account.” …

If you search Google for the domain revealed by the mouse-over — s2bstandardch-arteredsso.com – you’ll see many links to PhishTank.com showing that people reported phishing pages on this domain on the very day we received this email, October 28th. A WHOIS lookup shows that the domain is registered through a privacy-proxy service in China, while the site itself is hosted in Russia, and that it was registered on October 27th, the day before the email went out to thousands of us in the United States. How multinational of them. Just delete!

And while you’re at it, delete this American Express email with its attached phishing .html file. (An attached .html page is the phishing form itself; it opens in your browser, and mousing over links in the email tells you nothing about where that form submits your login.) We’ve all seen it dozens of times before. But we want you to notice that the “from” address is actually the American Stock Exchange (amex.com), not American Express. Also, do you notice anything important missing besides your name? In the right navbar under “For your security” you would expect to see the last 4 digits of your card. Would you notice the omission?

Your Money: Letter from Santa, Learn to Cook and Get Tax Relief

We had barely made it through Halloween when we started seeing these scams masquerading as “letters from Santa” that parents can sign up for on behalf of their child. Except they are just malicious links meant to install malware on your computer. Does this mean we’ve all been bad and this is a message from Santa? Don’t believe us? Check out what the Zulu URL Risk Analyzer says about the link in the email… 100% Malicious! Ya betta watch out, ya betta not shout…

Want to learn to cook? Thinking about a career in the Culinary Arts? Well, this next email has nothing to do with that… Just another social engineering trick to get you to click a malicious link and infect your computer. By the way, a WHOIS lookup of the domain widerstood.download shows that it was registered the day this email was sent. Big surprise.


Finally, would you like a little tax relief? You won’t find it here. This next scam was also registered on the same day the email was sent. According to a WHOIS lookup it was registered to a company called Futurebright Solutions in Grandville, MI. Google can’t find any website for this domain or the company Futurebright Solutions in Michigan, or anywhere else on the planet. The only reference we found to a company with this name was for a phone number in India on a shady website. Tax relief? We don’t think so…


TOP STORY: When Bad Things Happen to the Email of Good People

Normally we make an effort to protect the identities of innocent people who are victimized by the criminals intent on doing us all harm. This time we’re going to make an exception because it is our hope that many people will learn better from this experience. CoastTec.com is a good company and I (Doug) have used their services for at least ten years to refurbish used backup devices called SmartUPS. (I highly recommend them, and refurbishing a SmartUPS is cheaper than buying a new one!) I know my sales rep and we typically talk by phone/email a few times every year. On October 29 I received the following email from the sales rep, Bow, whom I’ve known for so many years. All of the contact information for Bow is correct and the same as in every email he sends me. Imagine that you were to receive such an email from a business associate, client, or friend you’ve known for many years. How many things can you see in this email that might make you suspicious of its source? Start counting…


I immediately knew that Bow’s email had been hacked and he had a big problem on his hands. Here’s what tipped me off…

  1. The subject line “Hi There” not only uses incorrect capitalization but is not a message I would expect Bow to send.
  2. The email was sent to me BCC (blind carbon copy) so that I could not see the other recipients of this email and they could not see that I received it. There is no reason whatsoever to send it BCC unless someone is trying to hide something.
  3. Bow has known me for a long time. He wouldn’t say “Hi,” it would be “Hi Doug.”
  4. It is extremely suspicious in an email when someone capitalizes words like “HERE” and “IMPORTANT.” These capitalizations are usually tricks used by criminals, not business associates.
  5. If this email was so terribly important, why didn’t Bow offer some explanation why?
  6. The “coup de grâce” was the link revealed by the mouse-over. It pointed to a suspicious domain named verybestforu-fastdailytipss.rhcloud.com.

It is important to point out that the link is a “secure” link beginning with https. Many people believe that https means the link can be trusted. It does not. All it means is that the connection to the server is encrypted; it says nothing about who runs the server or what it serves. In this case the criminals simply signed up for an account with rhcloud.com (Red Hat’s OpenShift hosting platform), and every application hosted there is reachable over https under the platform’s own certificate. The padlock belongs to the hosting provider, not to the people who put the malicious content there.
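The six tells above are mechanical enough to check automatically. The script below is an added example written for this page, not code from TheDailyScam or CoastTec. It uses Python’s standard email parser on a constructed message modelled on the one described (the addresses, subject and wording are placeholders; only the link host is the one the mouse-over revealed), reports which tells fire, and deliberately gives no credit for https, for the reason just explained. The generic-subject list, the shared-hosting suffixes other than rhcloud.com, and the numeric thresholds are assumptions for the demo.

```python
import html
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for the demo: subjects that carry no topic, and hosting
# platforms where anyone can get an https subdomain. rhcloud.com is the
# one named in the article; the other suffixes are added as examples.
GENERIC_SUBJECTS = {"hi", "hi there", "hello", "important", "fyi", "urgent"}
SHARED_HOSTING_SUFFIXES = ("rhcloud.com", "herokuapp.com", "github.io")

# Constructed stand-in for the message described above (placeholder
# addresses; the link host is the one the mouse-over revealed).
SAMPLE_EML = """\
From: Bow <bow@example-vendor.test>
To: undisclosed-recipients:;
Subject: Hi There
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi,</p>
<p>Please read this IMPORTANT document
<a href="https://verybestforu-fastdailytipss.rhcloud.com/doc">HERE</a>.</p>
</body></html>
"""

# Constructed benign message from the same sender, for comparison.
BENIGN_EML = """\
From: Bow <bow@example-vendor.test>
To: Doug <doug@example-recipient.test>
Subject: Quote for the two refurbished Smart-UPS units
Content-Type: text/plain; charset="utf-8"

Hi Doug,

Here is the quote we discussed on the phone. Both units ship in two
weeks; let me know if you want the extended warranty added.

Bow
"""


def _body_text_and_html(msg):
    """Return (visible text, raw html) for the preferred body part."""
    part = msg.get_body(preferencelist=("html", "plain"))
    if part is None:
        return "", ""
    content = part.get_content()
    if part.get_content_type() == "text/html":
        text = html.unescape(re.sub(r"<[^>]+>", " ", content))
        return re.sub(r"\s+", " ", text).strip(), content
    return content.strip(), ""


def score_message(raw_eml, my_address):
    """Check one message for the tells listed in the article.

    Returns a dict of tell -> bool. The https scheme is deliberately not a
    tell in either direction: the padlock belongs to the hosting platform,
    not to whoever put the page there.
    """
    msg = message_from_string(raw_eml, policy=policy.default)
    text, raw_html = _body_text_and_html(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    visible_to = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    links = (re.findall(r'href\s*=\s*"([^"]+)"', raw_html, flags=re.I)
             or re.findall(r"https?://\S+", text))
    link_hosts = [(urlparse(u).hostname or "").lower() for u in links]
    return {
        # 1. a subject with no topic ("Hi There")
        "generic_subject": msg.get("Subject", "").strip().lower() in GENERIC_SUBJECTS,
        # 2. I am not in To/Cc, so I was reached by Bcc
        "hidden_recipient": my_address.lower() not in visible_to,
        # 3. greeting with no name ("Hi," rather than "Hi Doug,")
        "no_name_in_greeting": bool(re.match(r"(hi|hello|dear|greetings)( there| all)?\s*[,!.]", text, re.I)),
        # 4. SHOUTED words; the threshold of two is an assumption
        "shouting_caps": len(re.findall(r"\b[A-Z]{4,}\b", text)) >= 2,
        # 5. a link with no explanation of why it matters; 25 words is an assumption
        "link_without_explanation": bool(links) and len(text.split()) < 25,
        # 6. the link does not go to the sender's own domain...
        "link_host_not_sender": any(h and not h.endswith(sender_domain) for h in link_hosts),
        # ...and lands on a platform where anyone can host anything over https
        "link_on_shared_hosting": any(h.endswith(SHARED_HOSTING_SUFFIXES) for h in link_hosts),
    }


def suspicion_score(raw_eml, my_address):
    """Number of tells that fire; more than one deserves a phone call to the sender."""
    return sum(score_message(raw_eml, my_address).values())


if __name__ == "__main__":
    for name, eml in (("suspicious", SAMPLE_EML), ("benign", BENIGN_EML)):
        tells = score_message(eml, "doug@example-recipient.test")
        print(name, sum(tells.values()), [k for k, v in tells.items() if v])
```

Run as a script it prints seven tells for the constructed phish and none for the benign quote. The point of the scoring rather than a single rule is the same one the article makes: no single tell is proof, but several together from a sender you know is exactly the pattern of a hijacked account.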

I copied and pasted the link into VirusTotal.com three times. Within 5 minutes of receiving Bow’s email, VirusTotal.com showed me that 1 online service had already identified the link as malicious. About an hour later there were 3 services stating that fact. One day later 8 online services identified the link as malicious.


I feel bad for Bow and CoastTec. Like so many others before him, his computer was infected by malware that enabled criminals to send out malicious emails in his name. We like the services and pricing his company has offered and will continue to use it. However, the broader issue here is that many of us continue to be fooled when we get an email, text, post or comment from someone we know and therefore trust the links or documents they send. We shouldn’t. It is too easy to deceive online and through a smartphone. Everyone should be trained to be skeptical online and learn how to recognize the telltale signs of fraud. Our safety and security depend on it.

FOR YOUR SAFETY: Email From Grandpa, Your Mailbox is Almost Full

A 13-year-old student recently contacted me because she received an email from her grandfather that made her suspicious. (She’s more astute about Internet fraud than most adults!) The link following “This is it” even contained her grandfather’s name as the name of the document.

We looked up the link for the domain puresophisticates.com using the Zulu URL Risk Analyzer and Zulu told us the link was harmless…


Not so fast, we say! We noticed that Zulu shows there is a redirect waiting at the website to send the visitor to another web site we’ve seen before. So we asked Zulu to check out the redirected link and BAM! 100% Malicious.

Delete, young lady, delete.
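Zulu’s first answer was wrong only because it stopped at the first hop. The following added example (not TheDailyScam’s tooling, and not the real sites) stands up a constructed redirect chain on a loopback HTTP server, walks it one 30x response at a time without letting the client auto-follow, and then scores every hop rather than just the one in the email. The paths, the decoy server and the “known bad” list are all invented for the demo; a real check would feed each hop to a reputation service such as Zulu or VirusTotal.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse

# Constructed redirect chain standing in for the real sites. The path the
# email links to answers with a redirect, which is why a scanner that
# inspects only that first URL sees nothing wrong.
REDIRECT_MAP = {
    "/grandpas-document": "/step2",
    "/step2": "/final-landing",
}

# Constructed reputation list standing in for Zulu or VirusTotal: in the
# demo only the final landing page is known bad.
KNOWN_BAD_PATHS = {"/final-landing"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class _DecoyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        target = REDIRECT_MAP.get(self.path)
        if target is not None:
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html><body>landing page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_decoy_server():
    """Serve the constructed chain on a random loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _DecoyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def resolve_redirect_chain(url, max_hops=10):
    """Follow HTTP redirects one hop at a time, returning every URL visited.

    The client is not allowed to auto-follow, so intermediate hops are
    recorded rather than silently skipped.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlparse(chain[-1])
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=5)
        try:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0"})
            resp = conn.getresponse()
            resp.read()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_STATUSES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"gave up after {max_hops} redirects; probably a loop")


def verdict(urls):
    """Score a list of URLs; a link is only as safe as its worst hop."""
    return "malicious" if any(urlparse(u).path in KNOWN_BAD_PATHS for u in urls) else "harmless"


def check_link(url):
    """Return (chain, verdict over every hop, verdict over the first URL only)."""
    chain = resolve_redirect_chain(url)
    return chain, verdict(chain), verdict(chain[:1])


def run_demo():
    """Start the decoy, check the emailed link, return (hop paths, full verdict, first-hop verdict)."""
    server = start_decoy_server()
    try:
        chain, full, first_only = check_link(f"http://127.0.0.1:{server.server_port}/grandpas-document")
    finally:
        server.shutdown()
        server.server_close()
    return [urlparse(u).path for u in chain], full, first_only


if __name__ == "__main__":
    hops, full, first_only = run_demo()
    print("first URL only:", first_only)
    print("whole chain   :", full, hops)
```

The first-hop verdict comes back “harmless” and the whole-chain verdict “malicious”, which is exactly the pair of answers Zulu gave. Real chains also use meta-refresh and JavaScript redirects that a plain HTTP client will not see, so a sandboxed browser is the better second opinion; the principle is the same either way: judge the place you end up, not the place you start.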


Don’t you hate it when your mailbox fills up? We do too. But that’s not what’s going on here. The fact that this email came from martha.dumas@vote.alabama.gov is very strange. We can’t find a Martha Dumas associated with the Alabama government website but we did find a complaint online that “Martha” was asking someone to launder $500,000 USD. Her email was sent from somewhere off the coast of northern West Africa.

Did you notice the donate-usf.org website revealed by mousing over “Click here”? VirusTotal.com tells us that Fortinet has identified it as a phishing site.

Now delete.


ON THE LIGHTER SIDE: Pretty Wives Looking to Have An Affair

We love our wives and have no intention of straying from the path of blissful matrimony, but emails from beautiful, lonely housewives who are waiting for us don’t make it any easier. Maybe we’ll just peek at their profiles…

Until next week, surf safely!