November 8, 2017

THE WEEK IN REVIEW

Some of the best click bait we’ve seen delivers a message that triggers a knee-jerk, visceral response to respond.  This “Predator warning – Protect your family” is exactly what we mean.  Most parents would want to know if there is a sexual predator living in their area and click the link offered to them.  They would be clicking a link to the domain kidfghjklm-DOT-review, identified by the Zulu URL Risk Analyzer as 100% malicious because of malware waiting for your arrival.

It pays to look before you leap!

[hr_invisible]

We’ll be the first to admit that we’re not perfect at identifying all fraud or spam trickery.  Last week, Doug at The Daily Scam received a message from a guy named Will and sent to him from a social network called Badoo.com.   Upon clicking the link to view his message, he was asked to input information which he defiantly made up.  The message turned out to be a bogus ploy to trick people into creating accounts at Badoo.  It then took him 23 minutes to figure out the hoops to jump through to delete that account because Badoo captured his real email address even though he didn’t offer it!  That was 23 minutes of cursing and feeling duped!  If you ever get an email for anything at Badoo.com, delete it!  It’s spam!

[hr_invisible]

       

[hr_invisible]


Sample Scam Subject Lines:

Are You Tired Of Having Continuous Back Pain?

Bank Payment Confirmation

Chase Bank Software Update and Account Verification.

During Our Thanksgiving+Black Friday Sale, Buy 1 Window, Get 1 40% Off

Fed,Up With Fake Dating? – Try This. You Will Be Surprised!

Find the Perfect A/C At The Perfect Price

Hey (or hello)

Meet Singles Near You Looking for Love

No Low Fixed-rate Mortgage Rates? REFI Time!

Online Quiz – Is A Reverse Mortgage Right For You

RE: RE: outstanding invoice

Scanned image from MX-2600N

You Can Save 36% On Your Business Phone Bill

Sample Scam Email Addresses

A/C & Heating Specials <A/C&HeatingSpecials @ ljkfbvmdbc-DOT-date>

Auto Service Contract Quote <AutoServiceContractQuote @ kjresioe-DOT-review>

FHA Rate Guide Info <FHARateGuideInfo @ fhaioputrtu-DOT-date>

Home Warranty Special <HomeWarrantySpecial @ homchqazcd-DOT-review>

HVAC-Discounts <HVAC-Discounts @ hvacmjuiopl-DOT-review>

KeySmart – Key Organizer <KeySmart-KeyOrganizer @ sweioj-DOT-date>

Match Offer <MatchOffer @ thaiiiifood-DOT-win>

Renewal By Andersen Special Offers <RenewalByAndersenSpecialOffers @ ridjfrtw-DOT-review>

SeniorPeopleMeet.com Dating <SeniorPeopleMeet.comDating @ seniasdfghj-DOT-review>

Shed Plans <ShedPlans @ sheyuioplk-DOT-date>

Stealth Sunglasses <StealthSunglasses @ tactpknefbkt-DOT-date>

Total Home Protection <TotalHomeProtection @ totaqaxipmgr-DOT-review>

Vonage Business Partner <VonageBusinessPartner @ vonfghjklas-DOT-date>

WalkinBathtubQuotes <WalkinBathtubQuotes @ vfderd-DOT-review>

[hr]

[hr_invisible]

Phish NETS: Bank of America, Chase Bank, and Mail Security

This phish for Bank of America has soooo many red flags in addition to the link recipients are asked to click.  Look carefully at the from address.  …or the account number.  …or your last log in date in the “Security Checkpoint” at the middle of the email.

Then delete.

This is disturbing.  Imagine getting an email telling you that “your instant payment of $3292.80 to” someone was sent.  Click the link to get your detailed information.  This is not an email from Chase Bank and the link doesn’t point back to Chase Bank!  It points to a website in Slovakia.

Delete.

And then we found a number of emails that appeared to be phishing scams for Chase Bank but they were just virus hand-grenades lobbed in our direction.

[hr_invisible]

Finally we saw this phishing email targeting Gmail users’ web mail account via Chrome. “Someone recently used your password to try to sign in to your Account.”  “If you do not recognize this sign-in attempt, someone else might be trying to access your account: cancel the request immediately.”  Look at the link revealed by the mouse-over.  Do you think it points to Google?  If you look more closely, you’ll see that the link contains a built-in redirect to a website in India named gramrajasthan-DOT-in.  (.in = 2-letter country code for India)

[hr_invisible]

[hr_invisible]

YOUR MONEY: Detox My Mac and Burglary Happens

Apple computer owners often have the misconception that they are risk-free of viruses and malware unlike the Windows operating system.  It is not true!  What IS true is that there are millions MORE malware targeting Windows computer owners than Macs.  However, there are still thousands of malware that have successfully targeted the Apple operating systems.  It is critically important that Mac owners install protection too.  We recommend a product called Sophos (Sophos for Mac.) And it is free!  However, there are also many questionable products out there claiming to improve Mac performance and most of them are just Crapware, Adware, or worse.

Here is an email pretending to be one of these questionable Apple products… Detox My Mac.  “Clean up your Mac computer before it is too late” says an email that came from skyroad @ grandefragrance-DOT-com.  At the bottom of the email, recipients are told to “write to 3822 Gold Street, Miami, Fl” to unsubscribe.  Google cannot find any such street in Miami and the only reference we found to it are spam sent to a website.  Most importantly, the links in this crap point to the website called khamoshiyaa-DOT-com which was registered in September by someone named “raju verma” from Bhopal, India.

A BIG, FAT DELETE!

Footnote: We do not recommend installing the real “Detox My Mac” because of the many negative reviews we’ve found online, inluding this review on Youtube. A blogger named Vaughn has listed 22 programs never to install on your Apple computer.  We recognize many of these as crapware.

Did you know that “Burglary Happens?”  Fortunately, there is this offer from Vivint, or so they want you to believe.  The email came from an address at the crap domain vivnmuiopl-DOT-date, not vivint.com, which is a real home security company located in Massachusetts.  The crap domain was registered by an “Archie Jordan” and is being hosted in Germany.  This is malicious click bait!  Look below to see what the Zulu URL Risk Analyzer thought of the link  you are asked to click…

[hr_invisible]

[hr_invisible]

[hr_invisible]

TOP STORY: Health Insurance Enrollment Pain

The criminal gangs that target us are smart.  We’ve seen them use seasonal events to trick us into clicking malicious links to gain access and control of our computers, or simply hold them ransom until we pay a fee.  These bastards know that the American Health Care system holds “Open Enrollment” from November 1 through December 15 for Americans to choose or modify their health care plan for 2018. (Confirmed on the U.S. government website HealthCare.gov.) At the start of November we saw an increase in malicious emails disguised as health care and insurance company advertisements.  Let’s start with this extremely deceptive pitch on November 2 from a legitimate-sounding website called EnrollmentMarket-DOT-com.  “2018 Open Enrollment is Here! Don’t miss your chance!”  The name “InsuredYes.com” appears in the from address (but in front of the @ symbol!) and in the unsubscribe address at the bottom of the email.  InsuredYes.com is a very legtimate website that serves as a “source for finding information relating to health, life, auto & home insurance and insurance quotes.”  But what about enrollmentmarket-DOT-com?

        

We asked the Zulu URL Risk Analyzer to evaluate the link (which contained the words “laughing-granddaughter”) and Zulu stated an 80% chance that this link is malicious.  It also informed us that EnrollmentMarket-DOT-com forwards the viewer directly to InsuredYes.com.  Could Zulu have made a mistake?  A simple WHOIS look up reveals the fraud!  WHOIS tells us that EnrollmentMarket-DOT-com was registered on November 2, the day the email was sent, by someone named “Cammie Macpherson” from Florida.  And Cammie described the website as “Ford – New Cars, Trucks, SUVs, Crossovers & Hybrids | Vehicles Built Just for You‎ | Ford.com.”  A screenshot of the website on November 2 is also available.  It shows the website’s name as “MyDealz” and is written in German.  The top paragraph, translated from German, begins with “At mydealz you’ll find the hottest deals, bargains and deals from your favorite brands and dealers.”

We don’t know exactly what their game is.  Could your computer pick up an infecting piece of malware on the way to InsuredYes.com?  Quite likely.  We notified NameCheap.com, the registrar used by “Cammie Macpherson,” on November 3 that we think this site is fraudulent.  To their credit, NameCheap informed us two and one-half hours later that they had confirmed the fraud and taken the site down!  Kudos to NameCheap!  Other Registrars, such as GoDaddy, have taken a week to respond to our emails.

Here is another pitch for you, the consumer, to find affordable health insurance.  As professionally designed and loaded with information as this email is, the fraud is immediately obvious!  Just look at either the from address or the link revealed by a mouse-over (bottom left corner of the email).  This email came from the domain planwertynm-DOT-date.   Besides the fact that Google cannot find any such domain, a WHOIS lookup tells us that the domain was registered by someone named “Sarah Moyer” on November 3, the day the email was sent.  No business name is listed. No website screenshot can be found as is typical.  Not even a description of this business is listed.  But “Sarah” left us one little bread crumb as to who may be behind this nasty click-bait targeting Americans.   Sarah’s email is listed as sarah.moyer “@” yandex.com.  Yandex is a very popular Russian company offering Internet services, including free email in Russia, Ukraine, Belarus and Kazakhstan.  Along with the similarity in design and pattern to hundreds of other malicious emails we’ve seen, we believe that this hand-grenade targeting Americans was delivered by the most active criminal Internet gang located somewhere in Russia or Eastern Europe.

NOTE: EVERY domain name that ends in DOT-date or DOT-review is fraudulent! (We pointed this out in our last newsletter’s Top Story.)

        

Below are more of these malicious emails created by the same criminal gang and meant to fool Americans during this open enrollment period for health care.  Notice that they all end with the paragraph saying “You received a Mail from TedMed Inc.  This is an Ad Agency Located in USA.”    There is no TedMed ad agency.  TedMed.com is the independent health and medicine edition of the world-famous TED conference.  In fact, there is no “Washington, Maryland” or zip code 2008.  Washington is a county of Maryland using the following two zip codes: ‎20744, 20749.

Someone call the Internet police.

[hr_invisible]

[hr_invisible]

[hr]

FOR YOUR SAFETY: Hi Friend and Scan

Imagine getting this random email from “antin declan” from India (“.in” = 2-letter country code for India) saying “Hi friend! I’ve never seen something similar to that before, it’s fantastic!  You must take a look website”    Mousing over the link for “website” shows an Indian travel company website.  But don’t be so quick to click that link!  Look below what Google says about this travel website.  There is very likely a land mine waiting for you at the other end of that link.

[hr_invisible]

We don’t know Leland.  We don’t know royallepageteam-DOT-ca (“.ca” = 2-letter country code for Canada).  And we don’t know what that noname attached file is but we’re certain it isn’t good for us!  By the way, Royal Lepage Team is a realtor in Canada with a different website domain.  Just step away from this booby-trap.

 

[hr_invisible]


ON THE LIGHTER SIDE: 

Poor Theresia!  Our heart bleeds for her!  But we are impressed that Mrs. Andres is a Muslim who wants to support a Christian organization.  Perhaps we can all follow her lead to reach out to those different than ourselves and offer help!

From: THERESIA ANDRES <hanahamza1975@gmail.com>
Subject: from your sister Theresia
Date: November 2, 2017 at 12:12:46 AM EDT
To: undisclosed-recipients:;
Reply-To: theresiaandres1975@gmail.com

Most Respected friend

May you be prosperous, and how are you doing? My intention of contacting you is to solicit your assistance for a project, which will be mutually beneficial.Though I know my decision to contact you is a large extent unconventional, the prevailing circumstances necessitated my action. I am from Theresia Andries from Indonesia. I am married to Late Arthur Andries of blessed memory was an oil explorer in Libya and Kuwait for twelve years before he died in the year 2010. We were married for twelve years without a child.He died after a brief illness that lasted for only four days. Before his death we were both devoted to charity workers. When my late Husband was alive he made a huge deposit in millions of US dollars with a deposit company in oversea. (I will tell you the Amount as we proceed).

Recently, my doctor told me that I have only six months to live due to cancer problem. Though it’s my sickness. Having known my condition I decided to donate this fund to YOU / Christian organization or devoted individual that will utilize this money the way I am going to instruct here. I want this organization or individual to use this money in all sincerity to fund orphanages, widows, I took this decision because I do not have any child that will inherit this money I know that after death I will be with the most beneficent The most merciful. .As soon as I receive your reply on Email: ( zhotel03@gmail.com )

I will give you the contact information of the deposit company in the oversea where the money was deposited. My happiness is that I lived a true devoted Muslim worthy of emulation. Whoever that wants to serve ALLAH will serve him in truth and in fairness. Please always be prayerful for all your life. Any delay in your reply will give you room for sourcing for another organization or a devoted individual for this same purpose.Until I hear from you by email, my dreams will be squarely on your shoulders.

May Almighty bless you as you consider me to help me.

Theresia Andries

from your sister Theresia


Until next week, safe surfing!