
October 23, 2019

THE WEEK IN REVIEW

For several weeks now we’ve been warning readers about website names ending with the global top level domain “best.”  You would see these as “any-domain-name.best”  These have all proven to be malicious and we continue to see hundreds of them targeting netizens with clickbait content of all types.  Recent content has included:

Tinnitus relief method (Veteran almost commits suicide)
Bruce Lee’s Assassin Speaks For The First Time
STOP your diet, do this instead (takes 7 seconds flat)
Elon Musk released the patents of the technology behind electricity storage
Bizarre cure safely destroys toe and nail fungus
Special Forces “dirty trick” makes YOU dangerous in a fight

To confirm our suspicions that cybercriminals have been registering an overwhelming number of malicious domains through the gTLD DOT-best, we visited nTLDstats.com to see what it could tell us.  Unsurprisingly, nTLDstats.com showed us that there has been a significant increase in the purchase of DOT-best gTLD domains since early July.  You can learn more about these statistics here.  Stay away from any website ending in “DOT-best!”

One of our readers sent us this lovely voice message about the suspension of her social security number!  What is so funny is that the caller is a woman speaking with a British accent. The audio is difficult to hear so read along with the text below…

“Communication… The reason for this call is to inform you our department has decided to suspend your social security number and its benefits and file a lawsuit against you. As we have received suspicious complaints and activity on your social security number, your social security number is getting _____ for money laundering and fake loans.  If this is not getting done by you please press 1 now. To speak with our officer to resolve this, present your social security number to suspension or call on ____ 888-675-6247. Thank you.”

Lots of folks online are reporting this scam call:

https://800notes.com/Phone.aspx/1-888-675-6247

https://lookup.robokiller.com/p/888-675-6247

For more than two years we’ve been writing about a phone scam that began with “Todd” informing you that you had won $25,000 or an SUV because your name was picked from a contest you had entered some time during the last six to eighteen months.  Todd morphed into Alex into David into Ryan into Brett, and also included calls from a woman who identified herself as Jenna, Katie and Melissa. This scam is still going strong and people have reported hearing from “David” again last week. They told us that they had won $25,000 in the “Hot Cash Giveaway.”  They were told to call David back at 877-220-2051 extension 620. Lots of people online have complained about receiving this scam call:

https://800notes.com/Phone.aspx/1-877-220-2051

https://findwhocallsyou.com/8772202051?CallerInfo

https://www.reportedcalls.com/8772202051

To read more about this scam and hear “David” identify himself by all his names, visit our article about this scam! We would LOVE to hear from anyone who actually called “David” back to learn how this scam played out! 


Phish NETS: Navy Federal Credit Union

Foreign criminals love targeting Americans, especially when those Americans are service men and women, or Veterans.  And so they have often created phishing scams targeting account holders of Navy Federal Credit Union, a bank for current and former service members.  The FROM address of this email contained the email address of the TDS reader who received it. That is the first sign that something is wrong with the credibility of this email.  Mousing over the blue link for navyfederal.org shows that the link really points to guidedg[.]com, a website registered in China years ago but NOT to be confused with GuideDog dot com.  This misguided website redirects you to another website in China. Look below at the top page you’ll see when you finally land on shandongheguojituan[.]com.  This second Chinese website has as its title “Happy Zodiac Official Website” but the page we landed on sure looks like the Navy Federal Bank site.  Our Zodiac fortune doesn’t see any good outcome in these stars.

Just delete!

YOUR MONEY: Get Over 60 HDTV Channels Without Paying a Dime and You Are a Victim of Identity Theft

Montenegro is a country in Southeast Europe on the Adriatic Sea, across from the western coast of Italy. It is surrounded by Bosnia and Herzegovina to the northwest; Serbia and Kosovo to the east, and Albania to the south.  And it is also the country you’ll visit when you click the links in this next email. Someone registered the domain Hesslankotwall[.]me, which uses the 2-letter country code for Montenegro (“.me”), for this scam.  We are led to believe that a website hosted in Montenegro is offering information to Americans on how to get more than “60+ HDTV Channels Without Paying a Dime.”  “Get all your TV channels in HD for free” says this email received by one of our TDS readers from the domain negligenceunanimous[.]com. Nice website name, right?  And if you think about unsubscribing from this clickbait you’ll discover that the link is just yet another clickbait to infect your computer.  According to Google, the address listed at the bottom of this email is a UPS store in Middletown, DE and there is no “Suite 1325.”

Lunge for the DEEELEEETE key!

Imagine getting this VERY lame attempt to convince you that you had been a victim of identity theft and were entitled to a refund, according to the “Internal Revenue Agency.”  However, in order to get your refund you have to log into your account and request an approval. The email came from a hacked website called hanatoyo[.]com, which is actually a Japanese Funeral Home located in the Ibaraki Prefecture of Japan.  Adding to the humor of this email is that the link for “request approval” points to a website called playwithmeabc[.]com.  But that isn’t where your journey for a refund will end.  Playwithmeabc contains a redirect that will send you on to another hacked website registered in the UK that supports African Development called adsglobal.co[.]uk.

TOP STORY: Spear Phishing a Rotary Club

This week’s Top Story is a spear phishing tale that targeted a small town’s Business Rotary Club members.  Spear phishing is a very targeted form of phishing fraud. It requires the criminals to conduct online research to learn about a company, non-profit or organization.  With enough information, cybercriminals then pretend to be key people of the organization in their effort to trick others who control the flow of money into transferring funds to accounts controlled by the criminals.  The Rotary Club has given us permission to tell their tale but we’ve taken steps to remove their email addresses and full names to protect their identities. Gail is the President of the Rotary Club. This story began with a short email from Gail to Carl at 10:09 am on a Monday…

To which Carl simply responded with a “no.”

Except, that “Gail” was not contacting Carl through her regular email account.  The email, sent in her name, came from “presidentceo098” @ protonmail.com. Proton Mail is a free, encrypted email service in Switzerland.  But now that “Gail” had Carl’s attention, “she” followed up a few hours later to ask that he transfer some funds to pay for administrative expenses.

Understandably, Carl was a bit suspicious about the request and the “administrative expense” and hence he asked for some clarity.  “Gail” responded by saying it was for “a community development program in the area” which might make sense since the Rotary Club is well known for their community development.  However, the “area” to which Gail was asking payment be made was nowhere near their area!

The scammer, pretending to be Gail, asked for a wire transfer to a person identified as Deborah Tillery, from 97 summit Avenue, Newark NJ 07712.  Furthermore, Carl’s suspicions were enough that he contacted the Board of Directors to ask about this payment request.  It was then obvious to everyone that “Gail’s” email address was not legitimate and they ended communication with the scammer.  So what did this cybercriminal do after realizing that his plot failed? He contacted at least one other member of this Rotary Club the next day!  This time he used a Gmail address while pretending to be the Club President!

Fortunately, the Board had notified its members and the local police about the attempted fraud.  It turns out that this cybercriminal sent several emails from suddenlink.net, protonmail.com, and gmail.com.  The lessons here are very clear….

  1. Look carefully at the email addresses of the sender.
  2. Never move money to anyone, anywhere on just the say-so of an email.  Double-check over the phone or in person with the individual who is authorized to make the request.

As the former President of this Rotary Club has described this fraud… “This is, unfortunately, a very classic pattern of a wire transfer scam that has been making its rounds. The scam artists use the organization information that is publicly available on an organization’s website to then spoof an email from the president to the treasurer (or to the accounting manager in case of a commercial entity) to issue an urgent wire transfer.”  

Lesson learned!

FOR YOUR SAFETY: Amazon Confirmation!

This email begins with the address “billing @ amazon.com” after FROM, but that text was only placed in the display-name field and is deceiving.  The real address follows the “@” symbol found within the angle brackets < > as cs-awsservice87692[.]com.  This domain was registered in Japan to someone called Bujong Inam in March 2019.  The link “Update Now” looks like it points to a “safelinks.protection.outlook.com” server but the link itself contains a redirect to a website in Denmark called ah-modegarn[.]dk.  Normally, we would simply assume this was another Amazon phishing scam. However, it turns out to be worse.  The Danish website is armed with malware waiting to explode upon arrival. Run for cover!
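The three header tricks in this issue (a display name that is itself an email address, as in the Amazon email; a FROM that equals the recipient's own address, as in the Navy Federal phish; and a known officer's name on a free webmail address, as in the Rotary Club spear phish) can all be checked mechanically. The following is an added example written for this page, not code from The Daily Scam; the officer directory and its "rotary-example.org" domain are constructed placeholders, and the safelinks unwrapper simply reads the `url=` parameter that Outlook's wrapper carries.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Free/ISP mail domains named in the Rotary story; extend as needed.
FREE_MAIL = {"gmail.com", "protonmail.com", "suddenlink.net"}

# Hypothetical officer directory: first name -> domain that person really uses.
# "rotary-example.org" is a constructed placeholder, not the club's real domain.
KNOWN_SENDERS = {"gail": "rotary-example.org"}


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_from(from_hdr: str, recipient: str, known=KNOWN_SENDERS) -> list:
    """Return a list of warnings for a From: header, given the recipient's own address."""
    name, addr = parseaddr(from_hdr)          # splits display name from <real address>
    real_dom = domain_of(addr)
    warnings = []
    # Amazon case: the display name is itself an e-mail address at another domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != real_dom:
        warnings.append(f"display name shows {m.group(0)} but real sender is {addr}")
    # Navy Federal case: From is the recipient's own address.
    if addr.lower() == recipient.lower():
        warnings.append("From address is the recipient's own address")
    # Rotary case: a known officer's first name on a free webmail domain.
    first = name.split()[0].lower() if name else ""
    expected = known.get(first)
    if expected and real_dom != expected and real_dom in FREE_MAIL:
        warnings.append(f"'{name}' normally sends from {expected}, not {real_dom}")
    return warnings


def unwrap_safelinks(url: str) -> str:
    """Return the destination hidden behind an Outlook safelinks wrapper, else the URL itself."""
    p = urlparse(url)
    if (p.hostname or "").endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(p.query).get("url", [""])[0]   # wrapper stores the target in url=
        if inner:
            return inner
    return url


if __name__ == "__main__":
    # Constructed header modelled on the Amazon e-mail described above.
    print(check_from('"billing@amazon.com" <cs@cs-awsservice87692.com>', "reader@example.com"))
    print(unwrap_safelinks("https://na01.safelinks.protection.outlook.com/"
                           "?url=https%3A%2F%2Fah-modegarn.dk%2Fupdate&data=x"))
```

Run the same checks over every inbound From: header and unwrap every link before comparing its host to the one the link text claims; a mismatch on any of these is the signal the article tells readers to look for.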

Until next week, surf safely!