October 25, 2017


Every week we see many short and simple emails or texts meant to engineer a click or response from the recipient.  These seemingly personal manipulative texts and emails are designed to make you curious enough to engage with the sender.  In the past week we saw an explosion of them, like this one sent from someone’s hacked AOL account.  (The link leads to malware.)  And so we are devoting both our Top Story and For Your Safety columns to these nasty short notes since we have so many!

These little bullets take much less time, skill, and effort to create than the fancy malicious emails pretending to be ads in our “Your Money” column, but they are just as deadly.

By the way, we’ve written so many times about “mystery shopper” scams that it begs the question… are any of them legitimate?  Here’s one of the mystery shopper scams that keeps reappearing this fall.  This bogus email for an employment offer leads to a bogus web page on a hacked webserver.  It claims to represent the Mystery Shopping Providers Association looking for a “secret evaluator.”


Here are a few links to some of our previous feature articles about fake job scams:



Sample Scam Subject Lines:



Emailed Invoice – 843556

Heated over your electric bill? Cool it down by switching to solar!

How to build a beautifully designed home using shipping containers.

How to save my marriage free help?

Important fix for your website


Re omg wow!


Scanned document

Scanned image from MX-2600N

Seriously… What if this company went tenfold by tomorrow?


Sample Scam Email Addresses

“Cure For Kidney” <disease @ disease-DOT-com>

“Diabetes Busting Research” <Shocking-research @ eccevt-DOT-bid>

“Ear-health” <tinnitus @ tinnitus-DOT-com>

Everett Credit Union <yourlocalcompanynow @ gmail.com>


“Ez-Wood-Project-Designer” <Ez_Wood_Project_Designer @ volnews-DOT-bid>

PhotoBank <eridani @ free.fr>

Renewal By Andersen Windows <RenewalByAndersenWindows @ reneuyiopt-DOT-date>

“Stunning trick for burning belly fat” <contact @ flatsbellyfast-DOT-bid>

“The Mayo Clinic Diet Online” <mayodiet @ mayodiet-DOT-com>

“Toenail is falling off” <Toenail is falling off @ nailfungusremovalguide-DOT-online>

UGG <Booot @ winter-sale-boot-DOT-top>

“Voice Message Server” <server@5160055424.[YOURSERVER].com>




Phish NETS: PayPal Account, USAA Banking, and DropBox

Any time you receive a notice from a financial account that begins with “Dear Customer” you ought to be on your guard.  It doesn’t mean these are all phishing scams but if these notices are telling you that there is a problem with your account and advise you to log in or activate something, then lunge for the delete key!  Like this email that seems to come from PayPal.  But look closely and you’ll see that it comes from oaypal @ service-DOT-info.  The link for “Confirm Your Account” points to a hacked webserver in South Africa (.za = 2-letter country code for South Africa).



Your USAA Online Banking has been locked!  And blocked! “For your protection,we have blocked access to your online banking account because there were attempts to change your account information from an unauthorized party.”  That’s startling!  But look in the upper right corner of the email…. USAA # ending in XXXX.    XXXX?  Seriously?  And the from email address is meant to sound official but is as phony as a $3 bill.  And so is the website you’ll be sent to if you click the link for “Initiate the verification process.” – 123sportsbetting.com.

Now deeeeleeete!

We’ll be upfront and honest here… We’re not entirely sure if this next scam is a phishing scam or just click-bait to a malicious website.  We tried to locate the page on the webserver to find out but were not successful.  In any case, this can’t be good for you.  “Drop Box: You have a new file”  But the email came from dpbox-DOT-co.  “.co” as in Colombia.  And the link doesn’t point to Dropbox.com, but drotbox-DOT-co.  You know what to do.





YOUR MONEY: UGG Sale, Cheap Flights, and Make Money From Woodworking

We’ve seen bogus ads for designer products offered at unbelievable sale prices.  They make great click-bait because everyone loves a good deal.  Here’s another one, this time for UGG boots.  Up to 80% off!  But if you look closely at this ad you’ll see that English is not the author’s strength. “Order One Boots Get One Gloves Free”   The email came from the domain gggg-boot-sale-DOT-top and links point back to the malicious domain qzbndv-DOT-loan.  Time to give this email the boot!


Want to learn about “the hidden airline loophole that let’s you book $1000 flights for $20 or less?”  All you need to do is click the link to watch their video!  When people do this, they are often told that they need to install or update some software to see the video.  Can you guess what’s in that software?  Yup.  Maaaalwaaaare!  Bad software.

Just delete now.


This next piece of click-bait is meant to entice someone with good wood-craft skills to click it and infect his or her computer with malicious software.  “Make money with your woodworking skills”  We liked their subject line…. “open this NOW”  It could just as easily have said “infect your computer NOW.”  The links in this email point to a domain, wprofitfr-DOT-bid, that was registered using a private proxy company in Panama on the day the email was sent.  Delete.





Just about everyone we speak to reports that they receive random texts and emails from people they either do not know or can’t identify.  Some of these are downright creepy.  Even if these messages don’t carry a malicious attachment or contain a malicious link, they are meant to trigger a response.  Our advice in each of these possibilities is to resist.  Don’t download, don’t click, and as you’ll see from these three recent messages sent to us by one of our TDS readers… Don’t reply!

The reader first received this message from an unknown source…  “ATTN [name] We Have an IMPORTANT Message for You” “Click Here”  That’s the worst thing you can do!  And see the two links at the bottom of this message… “If you wish to unsubscribe, please click below link” and “If you’d Like to unsubscribe or have received this message in error please click here…”  Those are equally dangerous click bait!


And then about a week and a half later our reader gets this rather strange message from “Jessica” saying “I saw you last day, I knew it…” and “Hi, We Need To Talk”  No, you don’t need to talk!  Do not engage with “Jessica.”  We don’t know what “her” game is but we are certain of two things…


  1. “Her” name is not Jessica. In fact, it is more likely that you are being contacted by a male criminal whose first language is not English. (We make this claim because the majority of scams that target Americans originate with criminal groups overseas made up mostly of men.)
  2. Engaging in a conversation with “Jessica” will somehow end in a financial loss for you if you’re not careful.

And then, another two weeks later, our reader received this ominous message from “hey”…   “surpriiiiise!!  I swear you didn’t expect i can reach you by email…”  If that isn’t creepy, we don’t know what is!  Again, this message is meant to garner a response…  Who is this?  What do you want?  Do I know you?  But RESIST!  It will only confirm for these bastards that they can get your attention.

Do Not Reply!


No doubt, our long-time readers are thinking “no way would I reply” because they know better.  But what about your kids?  Or your elderly parents?  Or your friends who aren’t too savvy using their smartphones?  Can you imagine any of them replying to these messages?  If you can, show them these messages and ask them what they think.  Ask them if they want to receive our newsletter!



FOR YOUR SAFETY: Social Engineering at its Worst

Criminals are flooding the Internet with many different types of malicious click bait.  There are so many varieties.  And when we say flooding we’re not kidding.  Look at this screenshot of emails hitting one of our honeypot servers in a matter of seconds…


These emails all looked like this one below: Your document receipt is ready for signature.  “Review Document”  None of the links pointed to Docusign.com.  The link in this one points to a website that seems benign, celebration-learning-DOT-com.  But this website was registered by someone from Canada and is being hosted in Kuala Lumpur.  Google cannot find any such website or information about it.  And it is not Docusign.com!
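The test applied to the Docusign email here, and to the PayPal, USAA and Dropbox emails in the Phish NETS column, is the same each time: does the sender's domain, and the host behind the link, really belong to the brand the message names?  The Python below automates that check as an added example (it is not part of the original newsletter); the `BRANDS` table, the function names and the two-edit look-alike threshold are assumptions, and the inputs are the defanged values quoted in this issue plus one constructed legitimate case.

```python
from urllib.parse import urlparse

# Assumed table of the real domains for the brands named in the newsletter.
BRANDS = {"paypal": "paypal.com", "usaa": "usaa.com",
          "dropbox": "dropbox.com", "docusign": "docusign.com"}

def refang(text):
    """Undo the newsletter's defanged notation ('x @ y-DOT-com')."""
    return text.replace("-DOT-", ".").replace(" @ ", "@").strip().lower()

def host_of(value):
    """Hostname of a URL, an e-mail address or a bare domain."""
    value = refang(value)
    if "://" in value:
        return urlparse(value).hostname or ""
    if "@" in value:
        return value.rsplit("@", 1)[1]
    return urlparse("//" + value).hostname or ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-letter look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(brand, *observed):
    """Map each off-brand host to the tokens in it that imitate the brand name."""
    legit = BRANDS[brand]
    name = legit.split(".")[0]
    findings = {}
    for value in observed:
        host = host_of(value)
        if host == legit or host.endswith("." + legit):
            continue  # sender or link really belongs to the brand
        addr = refang(value)
        tokens = host.split(".")
        if "@" in addr and "://" not in addr:
            tokens.append(addr.split("@")[0])  # mailbox name, e.g. 'oaypal'
        findings[host] = [t for t in tokens if edit_distance(t, name) <= 2]
    return findings

if __name__ == "__main__":
    print(check("paypal", "oaypal @ service-DOT-info"))
    print(check("dropbox", "dpbox-DOT-co", "drotbox-DOT-co"))
    print(check("usaa", "123sportsbetting.com"))
    print(check("docusign", "celebration-learning-DOT-com"))
    # Constructed legitimate case: nothing is flagged.
    print(check("paypal", "service@paypal.com", "https://www.paypal.com/signin"))
```

An empty list next to a host means it is simply unrelated to the brand; a non-empty list means the host or mailbox name was also crafted to resemble it.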


In no particular order, here are several other small, targeted malicious emails meant to result in a malware infection of your computer…




In this “Revised final invoice” you are led to believe there is an attached Excel document.  However, that icon is just an image linked to malware on a hacked webserver.


ON THE LIGHTER SIDE:   I Am Steven Mnuchin

We hear from the best people, bigley guys who tell us that they have money to give us, believe me.  Like this email from Steve Mnuchin, our current United States Secretary of the Treasury.  Aren’t you impressed that Secretary Mnuchin would trust us with his phone number and personal Gmail address?  This is huge! We certainly plan to “reply him back.”

from: “TREASURY DEPARTMENT”<info@treas.com>
Date: 2017-10-16 12:05PM

Dear Beneficiary,

I am Steven T. Mnuchin, Secretary of the Treasury under the U.S. Department of the Treasury. You can get more details about me here;


At the recently concluded meeting with the World Bank and the International Monetary Fund(IMF), an agreement was reached between both parties for us to settle all outstanding payments accrued to individuals/corporations with respect to local and overseas contract payment, debt re-scheduling and outstanding compensation and Inheritance payment. Fortunately, you have been selected alongside a few other beneficiaries to receive your own payment of $3.5million (Three Million Five Hundred Thousand United States Dollars only).

We have been notified that you are yet to receive your fund valued at $3.5million. This money will now be transferred to your nominated bank account,make sure you avoid dealings with anyone who claim to have your funds because your money right now is in possession of the FEDERAL RESERVE BANK and they will allow you go on their online banking to make transfer of your funds yourself.A user ID and password will be given to you to access your funds online for payment transfer.Stop all dealings with anyone who claim they have your funds,this is for your own good.

You are advised to kindly reply this email with the below details enclosed to help us process your payment;Reply me back on: steventreasuryoffice@gmail.com

(1) Full Names:
(2) Residential Address:
(3) Country of Residence:
(4) Age
(5) Phone/Cell Number:
(6) Occupation:

Feel Free to contact me below is my telephone number;

+1 315-895-1847 (please i prefer text messages if I did not pick may be busy with meetings).

Looking forward to hearing from you and God Bless America.Reply me on: steventreasuryoffice@gmail.com

Yours faithfully,
Steven T. Mnuchin
Secretary of the Treasury
(U.S. Department of the Treasury)
send your reply to: steventreasuryoffice@gmail.com

Note: The information contained in this e-mail is private & confidential and may also be legally privileged. If you are not the intended recipient, please notify us, preferably by e-mail, and do not read, copy or disclose the contents of this message to anyone.

Until next week, safe surfing!