
October 14, 2015

THE WEEK IN REVIEW

This is going to sound a bit strange but we think that the graphic designers working for the top criminal scammers are all on vacation. Or got fired. (Do criminal gangs fire people or kill them?) During the past week the number of scams using professional-quality graphics decreased significantly and we saw a big jump in text-based scams. You’ll notice this in many of the scams below.

Read our latest feature article… Craigslist Apartment Scams!

Two more things worth noting…

Last week we showed you a scam email disguised to look like it came from Sam’s Club. We saw another identical email scam this past week but we loved the bogus domain name the scammers created: “samsloveforyou.com.” That’s so sweet… and deadly!

1-Sams Club Thank you

In the “For Your Safety” column of our September 30 newsletter we reported on fake invitations for women to join the legitimate publication and organization called “Women of Distinction.” While these malicious invitations have continued into the fall, we have seen an increase in them in mid-October. Please alert your friends!

2-Personal invite to Women of Distinction

Sample Scam Email Subject Lines

Defeat Type 2 Diabetes Naturally with THIS…

Fall LIQUIDATION: Apple iPad-Air 2 64GB Wi-Fi, $28.83, Thru 10/10/2015

Fantasy Football for Real Money

Fwd: I saw this on ABC-News last night

Hi look at my naked photos!

Hotel Deals Coast to Coast

How Term Life Protects Your Loved Ones

Professional Women’s Magazine

Re: 45 and single? Find your match today

Re: Learn how to keep your family safe

URGENT: Start making millions from Secret-Bank-Accounts

Sample Scam Email Addresses

ADT-Authorized-Dealer@hhadz.wang

BloodPressureWarning@securitymalfunction.xyz

Block.Carbs@yedon.win

BeatsPro.Liquidation.Sale@hvber.date

FanDuel-Fantasy-Football@gookn.top

iPad-Home-Movies@hlmly.date

Marvin.EndOfSummer.Window.Deals@dkssg.wang

Mayo-Heart-Remedy@cjpfl.top

Regrow.Lost.Hair@allreplacehairlose.date

Safe.Whirlpool.Tubs@nicebathtub.top

Sears-October-Roofing@gfggl.top

SecureYourHome@crammingseason.xyz

 

 

 

 

Phish NETS: USAA Account

USAA.com is a major financial service company offering everything from checking accounts and credit cards to auto insurance and mutual funds. And this next email ain’t from USAA.com despite seeing the “from” address as noreplay@usaa.com. In fact, if you Google this email address (instead of noreply@usaa.com) you’ll find many links that have identified this “from” address as associated with phishing emails.

Fortunately a mouse-over of the link that follows “Click here” reveals that it points to the domain myresnrbeyb.com even though the text in the email reads https://www.usaa.com/. A WHOIS lookup shows that this strange domain myresnrbeyb.com was registered with Enom.com the day the scam email went out.

Also notice the minor grammatical errors in the text… “We have temporarily suspend your account…” This email is entirely fraudulent and points to a phishing page meant to capture your login credentials.

Delete!
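The mouse-over check described above can be automated for HTML mail. This is an added example, not part of the original newsletter: it flags links whose visible text shows one host while the href points to another, and links on the gTLDs seen in this issue. The sample body and the names `audit_links`, `same_site`, `shown_host` and `WATCHED_TLDS` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

WATCHED_TLDS = {"wang", "top", "date", "xyz", "win"}  # gTLDs seen in this issue (watch list)
URL_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

def shown_host(text):
    """Hostname the reader sees when the link text itself looks like a URL, else None."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None

def same_site(a, b):
    """True if the hosts are equal or one is a subdomain of the other (ignoring 'www.')."""
    a, b = (h[4:] if h.startswith("www.") else h for h in (a, b))
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        target = (urlparse(self._href).hostname or "").lower()
        seen, reasons = shown_host(text), []
        if seen and target and not same_site(seen, target):
            reasons.append("text-host-mismatch")   # the USAA case: text says one host, href another
        if target.rsplit(".", 1)[-1] in WATCHED_TLDS:
            reasons.append("watched-tld")
        if reasons:
            self.findings.append((text, target, reasons))
        self._href = None

def audit_links(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample body; only the domains and the quoted sentence come from the newsletter.
SAMPLE = ('<p>We have temporarily suspend your account. Click here: <a href="http://myresnrbeyb.com/">https://www.usaa.com/</a></p>'
          '<p><a href="http://hdype.wang/">Hotel Deals Coast to Coast</a></p>'
          '<p><a href="https://www.usaa.com/help">usaa.com</a></p>')
```

The host comparison is a simple suffix match without a public-suffix list, so treat a "text-host-mismatch" finding as a reason to look closer rather than a verdict.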

Here’s a new type of phishing email that we’ve never seen before. “The New Swiss Bank Account for Everyone is Finally Here.” “An entirely new way to bank is exploding around the world.” Imagine all of the personal information these criminals will want to collect from you to set up this bank account! Understandably, the Zulu URL Risk Analyzer scored the link newplan.bankingsystemliked.wang as 100% MALICIOUS!

Delete!

 

Your Money: CVS Voucher, Amazon Rewards, Kmart Promotional Credits and Trivago!

We saw sooooo many of these nearly identical reward scams during the past week. No pictures of smiling families. No colorful graphics. No company logos. Just plain text. Did the graphic designers all go on vacation? Are they still alive or did the crime bosses kill them off because they demanded more money? We’ll never know but we’re certain there is a story to be told behind this sudden change in design! In the end it doesn’t matter. All of these are malicious!

Delete! Delete! Delete!

5-CVS Voucher giveaway

6-Amazon Reward

7-Amazon promotional credit

8-KMart Promotional credit

There were, as expected, a few exceptions that weren’t just old re-used graphic scams like the “Exclusive Halloween Discounts” email below. One of the best and most unique was this scam email disguised as a Trivago travel ad. Notice that the mouse-over also shows that the link leads to a strange domain called hdype.wang. Hmmmm…. “Dot-wang” was the global top level domain (gTLD) also seen in the Swiss bank account scam above. Coincidence? Hmmmm….

9-Trivago

Please be on the lookout for scams disguised to be special sales, discounts and opportunities for the upcoming Halloween season such as the two below. The first is for “Exclusive Halloween Discounts” but the “2015 CYBERBLOWOUT” graphic is identical to other emails we reported on in September. We also saw many scam emails for Halloween pet costumes and loved every one of them! Even though they all contained malicious links meant to infect computers. Cute, but deadly.

Delete!

10-Halloween discounts

11-Amazing costumes for your pet

 

TOP STORY: Cargosmart Sea Waybill Notification

There is a very good reason why we chose to make this scam email our top story of the week. It is so convincing, and has such broad use, that it is extremely effective and dangerous! We’ll admit at first glance we thought it was legitimate because it was sent to an organization that periodically receives overseas deliveries.

Cargosmart is a legitimate overseas shipper and the email sender domain btc-bci.com is owned by Bloomingdale Communications, a voice, data and video provider in Michigan. Also, the various links such as “Accept” for the Waybill draft point to oocl.com, Orient Overseas Container Line. Everything about this email seems legitimate and appropriate when expecting a shipment from someone overseas. There is just one small problem… The attached zip file at the bottom of the email contains malicious software designed to infect computers.

Now let’s look more closely at the email. What are the “red flags” that should raise our suspicions? The sender’s email address name is peculiar as “sidearmwy12.” But most important is not what’s there but what’s missing… Look carefully at the email and you’ll see that there isn’t a single piece of information that identifies the recipient or what the recipient ordered. Sometimes we think that companies who are frequently targeted should create a set of conditions about emails, faxes and other electronic communications to better safeguard themselves. First and foremost, if a communication doesn’t contain any identifying information, it should automatically be treated as suspicious. Now delete!

By the way, a Google search reveals that others are talking about this type of scam across the Internet. Check out:

http://www.hoax-slayer.com/fake-cargosmart-bl-draft-malware-email.shtml

http://www.onlinethreatalerts.com/article/2015/10/6/fake-and-malicious-cargosmart-email-bl-draft-is-ready-for-review/

 

 

FOR YOUR SAFETY: Artists Required, Australian Business License, HelpDesk Migration to Exchange

We have never seen anything like this next email before. Looking for artists to join a website called AllArtistsRequiredNow.club. Isn’t it an odd sounding domain? And unlike most scam domains, it was registered back in January of 2015 as opposed to the day the email was sent. Quite frankly, we weren’t sure what to make of it until the Zulu URL Risk Analyzer gave it a malicious score of 94 out of 100 possible points.

Delete!

 


Here’s another one we haven’t seen before but it is likely targeting Ozzies from down undah. Crikey mate, that attached zip file is chockers with malware! That’s a fair dinkum scam, that is.

Finally in this week’s For Your Safety column we bring you a little message from the technology Help Desk. They are “currently Migrating your outlook account to Microsoft Exchange 2015.” If you read the rest of that email, it barely makes sense. Another indication that English is not likely the first language of these scammers. It almost makes you want to call and thank your 6th grade English teacher! By the way, ezweb123.com is a free website builder service. Check out what VirusTotal.com had to say about the full domain and subdomain offered for the link systemaccountupdate.ezweb123.com.

Then Delete!

16-Helpdesk virustotal score

ON THE LIGHTER SIDE: A Good and Honest Man

Do you know a good and honest man with serious intentions? We were so impressed with Dzhulija’s search for romance. It sounds so sincere and she sounds so lovely, doesn’t she? Please help us find her the love of her life!

I want to find a soul mate

Until next week. Surf safely!