November 8, 2017

[hr_invisible]

Phish NETS: Bank of America, Chase Bank, and Mail Security

This phish for Bank of America has soooo many red flags in addition to the link recipients are asked to click.  Look carefully at the from address.  …or the account number.  …or your last log in date in the “Security Checkpoint” at the middle of the email.

Then delete.

This is disturbing.  Imagine getting an email telling you that “your instant payment of $3292.80 to” someone was sent.  Click the link to get your detailed information.  This is not an email from Chase Bank and the link doesn’t point back to Chase Bank!  It points to a website in Slovakia.

Delete.

And then we found a number of emails that appeared to be phishing scams for Chase Bank but they were just virus hand-grenades lobbed in our direction.

[hr_invisible]

Finally we saw this phishing email targeting Gmail users’ web mail account via Chrome. “Someone recently used your password to try to sign in to your Account.”  “If you do not recognize this sign-in attempt, someone else might be trying to access your account: cancel the request immediately.”  Look at the link revealed by the mouse-over.  Do you think it points to Google?  If you look more closely, you’ll see that the link contains a built-in redirect to a website in India named gramrajasthan-DOT-in.  (.in = 2-letter country code for India)

[hr_invisible]

[hr_invisible]

YOUR MONEY: Detox My Mac and Burglary Happens

Apple computer owners often have the misconception that they are risk-free of viruses and malware unlike the Windows operating system.  It is not true!  What IS true is that there are millions MORE malware targeting Windows computer owners than Macs.  However, there are still thousands of malware that have successfully targeted the Apple operating systems.  It is critically important that Mac owners install protection too.  We recommend a product called Sophos (Sophos for Mac.) And it is free!  However, there are also many questionable products out there claiming to improve Mac performance and most of them are just Crapware, Adware, or worse.

Here is an email pretending to be one of these questionable Apple products… Detox My Mac.  “Clean up your Mac computer before it is too late” says an email that came from skyroad @ grandefragrance-DOT-com.  At the bottom of the email, recipients are told to “write to 3822 Gold Street, Miami, Fl” to unsubscribe.  Google cannot find any such street in Miami and the only reference we found to it are spam sent to a website.  Most importantly, the links in this crap point to the website called khamoshiyaa-DOT-com which was registered in September by someone named “raju verma” from Bhopal, India.

A BIG, FAT DELETE!

Footnote: We do not recommend installing the real “Detox My Mac” because of the many negative reviews we’ve found online, inluding this review on Youtube. A blogger named Vaughn has listed 22 programs never to install on your Apple computer.  We recognize many of these as crapware.

Did you know that “Burglary Happens?”  Fortunately, there is this offer from Vivint, or so they want you to believe.  The email came from an address at the crap domain vivnmuiopl-DOT-date, not vivint.com, which is a real home security company located in Massachusetts.  The crap domain was registered by an “Archie Jordan” and is being hosted in Germany.  This is malicious click bait!  Look below to see what the Zulu URL Risk Analyzer thought of the link  you are asked to click…

[hr_invisible]

[hr_invisible]

[hr_invisible]

TOP STORY: Health Insurance Enrollment Pain

The criminal gangs that target us are smart.  We’ve seen them use seasonal events to trick us into clicking malicious links to gain access and control of our computers, or simply hold them ransom until we pay a fee.  These bastards know that the American Health Care system holds “Open Enrollment” from November 1 through December 15 for Americans to choose or modify their health care plan for 2018. (Confirmed on the U.S. government website HealthCare.gov.) At the start of November we saw an increase in malicious emails disguised as health care and insurance company advertisements.  Let’s start with this extremely deceptive pitch on November 2 from a legitimate-sounding website called EnrollmentMarket-DOT-com.  “2018 Open Enrollment is Here! Don’t miss your chance!”  The name “InsuredYes.com” appears in the from address (but in front of the @ symbol!) and in the unsubscribe address at the bottom of the email.  InsuredYes.com is a very legtimate website that serves as a “source for finding information relating to health, life, auto & home insurance and insurance quotes.”  But what about enrollmentmarket-DOT-com?

We asked the Zulu URL Risk Analyzer to evaluate the link (which contained the words “laughing-granddaughter”) and Zulu stated an 80% chance that this link is malicious.  It also informed us that EnrollmentMarket-DOT-com forwards the viewer directly to InsuredYes.com.  Could Zulu have made a mistake?  A simple WHOIS look up reveals the fraud!  WHOIS tells us that EnrollmentMarket-DOT-com was registered on November 2, the day the email was sent, by someone named “Cammie Macpherson” from Florida.  And Cammie described the website as “Ford – New Cars, Trucks, SUVs, Crossovers & Hybrids | Vehicles Built Just for You‎ | Ford.com.”  A screenshot of the website on November 2 is also available.  It shows the website’s name as “MyDealz” and is written in German.  The top paragraph, translated from German, begins with “At mydealz you’ll find the hottest deals, bargains and deals from your favorite brands and dealers.”

We don’t know exactly what their game is.  Could your computer pick up an infecting piece of malware on the way to InsuredYes.com?  Quite likely.  We notified NameCheap.com, the registrar used by “Cammie Macpherson,” on November 3 that we think this site is fraudulent.  To their credit, NameCheap informed us two and one-half hours later that they had confirmed the fraud and taken the site down!  Kudos to NameCheap!  Other Registrars, such as GoDaddy, have taken a week to respond to our emails.

Here is another pitch for you, the consumer, to find affordable health insurance.  As professionally designed and loaded with information as this email is, the fraud is immediately obvious!  Just look at either the from address or the link revealed by a mouse-over (bottom left corner of the email).  This email came from the domain planwertynm-DOT-date.   Besides the fact that Google cannot find any such domain, a WHOIS lookup tells us that the domain was registered by someone named “Sarah Moyer” on November 3, the day the email was sent.  No business name is listed. No website screenshot can be found as is typical.  Not even a description of this business is listed.  But “Sarah” left us one little bread crumb as to who may be behind this nasty click-bait targeting Americans.   Sarah’s email is listed as sarah.moyer “@” yandex.com.  Yandex is a very popular Russian company offering Internet services, including free email in Russia, Ukraine, Belarus and Kazakhstan.  Along with the similarity in design and pattern to hundreds of other malicious emails we’ve seen, we believe that this hand-grenade targeting Americans was delivered by the most active criminal Internet gang located somewhere in Russia or Eastern Europe.

NOTE: EVERY domain name that ends in DOT-date or DOT-review is fraudulent! (We pointed this out in our last newsletter’s Top Story.)

Below are more of these malicious emails created by the same criminal gang and meant to fool Americans during this open enrollment period for health care.  Notice that they all end with the paragraph saying “You received a Mail from TedMed Inc.  This is an Ad Agency Located in USA.”    There is no TedMed ad agency.  TedMed.com is the independent health and medicine edition of the world-famous TED conference.  In fact, there is no “Washington, Maryland” or zip code 2008.  Washington is a county of Maryland using the following two zip codes: ‎20744, 20749.

Someone call the Internet police.

[hr_invisible]

[hr_invisible]