THE WEEK IN REVIEW
A privacy concern recently came to our attention and we wanted to raise our readers' awareness of it. Most people truly have no idea how much their digital and "real life" behavior is being tracked, monitored, marketed and then used to target or manipulate them in various ways. That includes criminals who may have stolen data about you. We last wrote about the unexpected ways our privacy is invaded in the Top Story of our January 18, 2017 newsletter. We mention it now because BleepingComputer.com published an article at the end of September titled "Users Forcibly Being Logged Into Chrome When Signing Into a Google Service." This may mean little to you, but if you use Gmail, for example, it means that signing into your mail now also signs the Chrome browser itself into your Google account, at a time when you think all you are doing in Chrome (a web browser) is checking email. Being signed into the browser does not by itself switch on Chrome Sync (which uploads your history and bookmarks to Google), but it ties everything that browser does to your identity, and you get no say in this monitoring game!
Here's a scam that is only going to be of interest to a tiny population of people in America. If you are not Chinese, a visitor from China (legally or illegally), or know someone who is, just skip this paragraph.... If you ARE Chinese or know someone who is, please be aware that scam callers are contacting people through their phones and claiming to represent the Chinese consulate. We received such a call, as did someone else we know. Fortunately, we know someone who was able to translate the recorded message for us. It said: "Hello! This is a notification from the Chinese Consulate. There is an important document here for you. If you have any questions, please dial 0. The Mandarin department will check the information for you." The call came from 212-268-1268, but that number was spoofed: according to the New Jersey Business Directory Online Library, it belongs to Foster Consulting, an engineering firm.
This scam targeting Chinese citizens in the U.S. has been well documented and described in these articles from the FTC, Chinese Embassy, and First Orion.
Phish NETS: Apple Support, American Express, Bank of America

Readers have been sending us LOTS of phishing scam emails! Many more than usual. Here are a few, starting with this very clever trick about a purchase made to your Apple account. It is a brilliant piece of behavioral engineering to send an email about "your recent purchase," because most people instinctively think "I didn't order this! What is it?" ...and then click the link to find out. In this particular case, the attached files you were meant to open were scrubbed from our email account because our protective software detected malware in them. Notice that the email says it comes from "Apple Support," but look carefully AFTER the "@" symbol for the domain of the sender. It isn't apple.com. It is appmailpurchaseaccount90[.]com. Delete!

American Express card holders are often targeted by phishers. Here are two more examples sent to us by TDS readers. The first uses the subject line "Account Locked – Urgent Action Required," a common trick. The email comes from the domain ua1e[.]com, not americanexpress.com. (Remember to look for the domain name AFTER the "@" symbol of an email address! Anyone can write anything they want in front of the "@" symbol, and in the display name in front of the address, but that doesn't make it real!) The second smelly phish came from the domain ro[.]com and has the subject line "Urgent Action Required For Your Account." Do you see a common theme in the subject lines these criminals use?! (The domain ro[.]com was registered in China back in 1996.) If you mouse over the clickable text link "UPDATE AND RESTORE ACCOUNT ACCESS" you'll see in the lower left hand corner of your mail program that it points to the hacked website Technoworldgroup[.]com. The web page at the end of this phishing link is very professionally crafted to look like the real American Express site. (See below.)

Finally, TDS readers sent us two different smelly phish claiming to be from Bank of America. This first one uses a look-alike trick whereby the criminals pick a domain name that resembles the legitimate domain you expect to see. The domain shown is secmail-bankofamerica[.]com, but in reality there is no such domain, and it certainly isn't Bank of America's. The criminals attached a file called SecureMessageAtt[.]html that is a complete web page in itself: it opens in your browser straight from the attachment, so there is no link for a URL filter to catch. The link shown in the email was also cleverly scripted to look like it points to a secure (httpS) website, which tells you nothing about where it really goes. A big, fat DELETE! Maggie from Taiwan sent this email with the subject "Action Required." You all know what action is required! DELETION!
YOUR MONEY: You Can't Trust Safelinks.Protection.Outlook.Com

We are amazed and appalled that Microsoft has not been able to stop the malicious misuse of link forwarding from their Outlook mail servers. For months we've documented misuse of their service. The links carry the host name safelinks.protection.outlook.com, which Microsoft's "Safe Links" feature attaches when it rewrites URLs in mail handled by its Office 365 service, and recipients are tricked into believing that anything bearing that name must be safe. This couldn't be farther from the truth: the wrapper only means Microsoft scanned the link at some point, and these links lead to malware threats! Below are three recent examples, some of which have stolen graphics and content from legitimate businesses. A critical eye is needed to see through their charade. Look carefully at both the FROM address and, more importantly, at the link revealed at the bottom of your mail program when you mouse over a link in the email. Each of these Outlook.com links contains a redirect to an unsafe website.

The first email pretends to be from the real company Choice Home Warranty. However, you'll see from looking after the "@" symbol that the email was sent from a domain registered in the European Union on September 5 called rudebest[.]eu. In the revealed link at the bottom, look for "http%3A%2F%2F" followed by vivahard[.]com. "http%3A%2F%2F" is simply "http://" written in percent-encoding, the way one URL gets packed inside another URL's query string. In other words, the part after "url=" is where Outlook.com will send you: this other website. The domain vivahard[.]com was registered on August 14, 2018 by someone named "Alexandria Joseph" and is hosted in Seoul, South Korea.

Next we have an email pretending to be from ADT, the security monitoring service. It also came from a domain in the European Union (swissfair[.]eu). The redirect in that Outlook link will send you to the domain sixthapps[.]net, which was registered the day before the email was sent by someone named "Normal Neal" from Iron Auction Services. And finally, we have this Kmart Survey request that offers free trials worth $50 as well as the possibility of earning a $1000 gift card, for taking a 30 second survey. The Outlook link will redirect you to a website called myeffect[.]net. This is yet another legitimate dynamic DNS service, which means the criminals can keep moving their malicious files from host to host and the name will keep pointing at them. That makes the malicious sources harder to shut down across the Internet. WHY IS THIS ALLOWED?? Oh yeah, because there are no Internet police and ICANN doesn't care enough about the world's users to make sensible rules that better protect netizens. **sigh**
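The three checks described in the Phish NETS and YOUR MONEY sections above (look at the domain after the "@", unwrap the safelinks.protection.outlook.com redirect to see the real destination, and compare a link's visible text with where it actually points) can be done in a few lines of Python rather than by eye. This is an added example, not code from The Daily Scam; the sample From header, wrapped URL and HTML body are constructed for illustration (only the domain names come from the newsletter), the query parameters on the sample Safe Links URL are placeholders, and nothing here touches the network.

```python
"""Three checks this newsletter tells readers to do by eye, done in code:
the domain after the "@" in a From header, the real destination hidden
inside a safelinks.protection.outlook.com wrapper, and link text that
does not match where the link really goes.  Added example, not code from
The Daily Scam.  The sample header, wrapped URL and HTML below are
constructed for illustration; only the domain names come from the
newsletter, and nothing here touches the network."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
# Visible link text that looks like a URL or a bare host name.
_URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


def sender_domain(from_header: str) -> str:
    """Domain after the '@' of a From header.  The display name in front
    of the address is attacker-chosen, so it is ignored entirely."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_expected_sender(from_header: str, expected_domain: str) -> bool:
    """True only if the sender domain is expected_domain itself or a
    subdomain of it; look-alikes such as secmail-bankofamerica.com fail."""
    dom, exp = sender_domain(from_header), expected_domain.lower()
    return dom == exp or dom.endswith("." + exp)


def unwrap_safelink(url: str) -> str:
    """Return the destination carried in the 'url' query parameter of an
    Outlook Safe Links wrapper; any other URL is returned unchanged.
    parse_qs already percent-decodes, so http%3A%2F%2F becomes http://
    exactly once (decoding twice would let %25-encoded tricks through)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(SAFELINKS_SUFFIX):
        return url
    inner = parse_qs(parts.query).get("url")
    return inner[0] if inner else url


def final_host(url: str) -> str:
    """Host name the reader actually lands on, after unwrapping."""
    return (urlsplit(unwrap_safelink(url)).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """The mouse-over check: links whose visible text names one host (often
    an https:// address of the real company) while the href, once any
    Safe Links wrapper is removed, goes to another.
    Returns [(visible_text, real_host), ...]."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        shown = _URLISH.match(text)
        real = final_host(href)
        if shown and real and shown.group(1).lower() != real:
            found.append((text, real))
    return found


# Constructed samples (domains from the newsletter, everything else made up).
SAMPLE_FROM = "Apple Support <support@appmailpurchaseaccount90.com>"
SAMPLE_SAFELINK = ("https://nam01.safelinks.protection.outlook.com/?url="
                   "http%3A%2F%2Fvivahard.com%2Foffer&data=placeholder&reserved=0")
SAMPLE_HTML = ('<p>Your secure message is waiting.</p>'
               '<a href="http://technoworldgroup.com/">'
               'https://www.americanexpress.com/secure</a> '
               '<a href="https://example.org/">https://example.org/</a>')

if __name__ == "__main__":
    print("sender domain:", sender_domain(SAMPLE_FROM))
    print("really apple.com?", is_expected_sender(SAMPLE_FROM, "apple.com"))
    print("safelink goes to:", final_host(SAMPLE_SAFELINK))
    print("text/href mismatches:", mismatched_links(SAMPLE_HTML))
```

Run it as a script and it reports the Apple phish's real sending domain, that the Safe Links wrapper resolves to vivahard.com, and that the "American Express" link text actually leads to technoworldgroup.com. The subdomain test in is_expected_sender deliberately demands a dot before the expected domain, which is exactly why secmail-bankofamerica.com does not pass as bankofamerica.com.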
TOP STORY: One Ring to Rule Them All

Anyone familiar with J.R.R. Tolkien's "Lord of the Rings" trilogy knows the central plot element meant by "one ring to rule them all." We would like to apply that phrase as a metaphor for our digital lives. More appropriately for our story, the phrase should be "one account to rule them all." And what is the one account that rules all the other digital accounts in our lives? Email! People don't often realize how critically important our primary email accounts are. (Many people have more than one email account.) How many times are we asked to provide an email address so the services we use or subscribe to can contact us, including when we lose or forget our password to those other services? Forget your banking password? No problem! Click "forgot my password" and a reset link will be sent to your EMAIL account. Forgot your credit card password? Same thing! By our modest accounting, here is a modest list of digital services used by most adults that will happily send a reset email to your EMAIL account, should you lose or forget your password:

We're sure our readers can add to the list above, but you get the point. Forget your password? No problem! Every one of these accounts will happily send a reset email to the email account on file. It truly is your "one account to rule them all."

So now imagine the unthinkable.... Your email account is hacked. This can happen for several different reasons, like...

If your email account is compromised, it means that someone else can be there to receive ALL THOSE RESET and CONFIRMATION EMAILS! It's important to point out that every single type of account from our bulleted list above can be monetized by criminals. Not just the obvious financial accounts, but the non-financial accounts as well, such as social media and telecommunications accounts. Criminals can make money from your information by targeting your friends, relatives and other contacts. They can use your Verizon or Sprint account to purchase phones and have them shipped to mailbox addresses. See how important the digital keys to your email account are?!

One way to help protect all your accounts, especially email, is to turn on 2-factor authentication. It is a VERY SMART digital safety practice that requires anyone logging into your account to have BOTH the password AND your phone. After entering your password, you'll be texted a numerical code that you must also enter in order to get in. No phone, no access. This is a good thing! (One caveat: a text-message code can be intercepted by a criminal who talks your carrier into moving your number onto their SIM card, so where a service offers a code-generating app or a security key instead of texts, pick that.) Unfortunately, not all services provide 2-factor authentication. Not even all financial services! And they should. If you have a Gmail account and want to turn on 2-step verification, log into your Gmail and then visit this link to Security. Next, scroll down and click the link for 2-step verification.

If you employ a few simple tricks, it is easy to create strong sets of passwords for all your accounts, especially a strong email password. Visit our article titled Creating Strong Passwords. So hopefully we've convinced you to improve your password choices for your email and other accounts, and to turn on 2-factor authentication if it is offered by the services you use. But there is also another consideration. Think very carefully about the kind of very personal information that may be sitting inside your personal email account, e.g. tax documents, lists of passwords to other accounts, financial statements, etc. We don't recommend keeping emails around that contain very personal information, especially financial and tax information. Finally, here are two more articles we've written that may be helpful: How to Deal with a Hacked Email Account, and Why Yahoo Is the Worst Email Service on the Planet.
FOR YOUR SAFETY: Bon jour, Good News, and More Information
We are going to make a broad, blanket statement that may sound shocking…
It is NEVER in your best interest to respond to emails you receive from strangers who are asking for help, assistance or a partnership, no matter how sincere or how much money you stand to make.
(We happily invite you to disagree with us. It is sometimes tiring to look at the world through our jade-colored glasses.) Here are just three of hundreds of examples we see every year. (We don’t often publish them because we feel that 99% of our readers would never reply to emails like these… we hope.)
Bonjour! We used Google Translate to learn that Mr. Mile Tagro was saying "Hello, I need your help." We don't speak French, and apparently neither does the Government of Malaysia, according to a Google search we conducted. Mr. Tagro's email address was from a Malaysian government account. Malaysia's official language is Malay, and English, Chinese dialects and Tamil are widely spoken there. French isn't on the list.
Mrs. J.C. Alwin thinks we're her "long time friend" but we don't know her. Her email came through a server in Japan but she wants us to respond to a Gmail address. No matter, she wants to give us some gifts, including "gold jewelries, iPads and laptops." Oh, and "before she forgets," there's $250,000 hidden inside those laptops. (We don't make this stuff up, people! Really!)
Ms. Heidi Meier also emailed us from an address in Japan. This is also interesting since Ms. Heidi Meier (or Dr. Meier Heidi, depending on whether you look at the FROM address or the way she signed her name at the end of the email) claims to be an investment broker with Taikang Finance and Loan Limited, one of the largest insurance and financial services institutions in CHINA. Oddly enough, she asked us to contact her through her email address in Russia (".ru" is the 2-letter country code for Russia).
Until next week, surf safely!