November 7, 2018

[hr_invisible]

Phish NETS: Apple Store and Wells Fargo Bank

“There was a problem account information!” says an email from  sosro1[.]com. Sosro.com is an Indonesian beverage company.  However, sosro1 doesn’t seem to exist.  The link for “Log In to Account” points to a web page on the free service HootSuite.  At least one service reported to VirusTotal.com that the link is malicious!

We’ve seen similar emails like this targeting Wells Fargo users.  This one clearly didn’t come from WellsFargo.com. The link for “Tax Documents” pointed to the link shortening service tiny.cc and that link points to a well documented phishing site!

[hr_invisible]

[hr_invisible]

YOUR MONEY:  Beware Christmas Season and Concealed Carry Permit

We’re shocked that we have to raise awareness about malicious emails disguised as Christmas promotions already!  But two things happened reminding us that traditions of the past no longer apply to the present. We are of an age that we remember when marketers held off until the day after Thanksgiving to begin promoting Christmas products.  That “tradition” changed many years ago. However, on November 2 while watching television, we saw an ad for a sale on artificial Christmas trees (OK, we’ll fess up and say that LifeTime network probably has really low advertising standards to accompany their cheesy movies but where else can you turn to for a decent feel-good movie nowadays?)  Also, a TDS reader sent us this email with broken graphics and the subject line “Bring.the.magic.of.Christmas.to.your.home” and FROM “Letters.From.Santa.”

All links pointed to Google Ad Services in this malicious Grinch in sheep’s clothing.  We’ve seen the misuse of Google Ad Services in the past, so this isn’t unusual. The link will then forward you to a hacked website for a youth sports service called teamsnap[.]com.  “Do something this holiday your child will never forget”… infect your computer!

Sometimes the criminals who try to harm us via the Internet have a sense of humor.  In this divisive political season, we think we found just such an instance. Take a close look at this email that appears to have been sent by Democrats.org to invite recipients to “get qualified now for free.”  That is to say “get qualified to receive the new concealed carry permit!”  Does anyone REALLY believe a concealed handgun permit promotion is something that would come from Democrats.org, the official website of the Democratic National Committee?  Just to be sure, we used Google’s “site” command to search their entire website to see if they had any information about this permit.   We got bubkas! Nothing at all.  Also, notice that the FROM address has “USCO” in front of it, which stands for the US Concealed Online website.  Except that their website is usconcealedonline[.]com and has nothing to do with the DNC.  And that unsubscribe address in Costa Mesa, CA has nothing to do with either organization. (Also, there is no town called Garner, VA as shown in the fake permit, but we expected that information to be fake.) This email is malicious clickbait made to look like it came from the DNC.  It probably came from Russia, but that’s just a wild guess! 😉

[hr_invisible]

[hr_invisible]

TOP STORY:  Trump’s Medicare Plan

Now this is a true oxymoron!  When has Donald Trump ever spoken about an improved medicare plan, whether his name is associated with it or not? According to Wikipedia, Donald Trump has made a total of 62 “thank you” tours, post inauguration rallies and midterm election rallies since being elected in 2016 and through November 5, 2018.  All of them are documented on the Wikipedia site.   While we cannot claim to have watched his speeches at all of these, we have read and seen summaries of the issues he addresses at many of these rallies.  Promoting a “Trump Medicare Plan” is not one of these issues. In fact, according to PolitiFact.com, the recent billion dollar Republican tax cut will mean that Medicare (and social security) will run out of money sooner rather than later.  Also, Trump’s top Medicare official, Ms. Seema Verma, slammed the idea of “Medicare for all” in the summer of 2018, according to Boston.com.  (To his credit, Trump has said multiple times that he wants to reduce the cost of pharmaceutical drugs.) So what’s going on with this promotional email that wants you to believe it came from the website Trump-Medicare-Plans[.]com?  That’s the point.  It didn’t come from that website, even though the graphics in the email and the website it points to look like the same graphics found on Trump-Medicare-Plans[.]com.  All links point to the website medicare-rtm[.]us.

This other website was registered to someone identified as “marion stivers” from Maryland on October 17, 2018.  It has already been taken down but we found that it contained a redirect to another website called Compsabid002[.]com.  We have twice reported on this malicious website in the last nine weeks. (September 5, 2018 newsletter and August 29, 2018)  Compsabid002[.]com is a VERY malicious website and was registered on July 30. It is being hosted in Holland.

If you visit that redirected link, here’s what greets you from Holland.  It appears identical to the real website Trump-Medicare-Plans[.]com but it is a malicious mimic!  Once again, a healthy dose of skepticism can go a long way to ensure your safety.