
October 28, 2015

THE WEEK IN REVIEW

Readers may recall from last week that we wondered what happened to all the graphic artists used by the criminal gangs to create the majority of their malicious emails. No need to wonder any more… They are back and doing a great job! We hope they had a nice week off. Check out these two lovely scam examples of their graphic work. Affordable pet insurance and juicy steaks available by online order…

1-Affordable pet health insurance

2-Order delicious juicy steaks online

Sample Scam Email Subject Lines

2 Days –Left… Only $5!!!!

Affordable Pet Health Insurance

Cut your; Electric bill in half!!!!

Design a Professional Website, For a Business

Fight-Hair Loss

Important Information about Your Card Membership Details

Jailed For Discovering Hearing Loss Remedy

Learn More, About Lower Car-Payments

ORDER SHIPMENT CONFIRMATION

Personalized Christmas Letter from Santa to Your Child

Priest discovers free electricity Secret

Send A Fax, From Your Email

Watch – Your Childs & confidence Rise..

Sample Scam Email Addresses

Alliance-security-(YOUR EMAIL)@zentorva.com

BloodPressureCure@whertotruth.download

GPSNavigationSale@zeissf.download

Green.Energy@com-pdckf.win

Halloween-Decorations@com-ikeo.win

Letters-From-Santa@com-hekgo.win

LG-Fall-Overstock@com-tipaw.win

MobilePay@cityleading.download

ReverseMortgageSupport@uvh.download

SamsClub@com-offyz.win

UsedCarDeals@com-dlfax.win

VacationtoHawaii@flashtoggle.xyz

VHALoadLenders@archichally.download


Phish NETS: Actually Paypol & Paeyipal and Bank of America!

PayPal has been a major phishing target for criminals since the online bank was created. One of the first and most successful scam phishing domains set up by criminals in 2002 was the domain paypai.com. It was such a simple and brilliant trick because it was difficult to tell the difference between an i and an l in early web browsers. Many recipients thought they were clicking paypal.com. We saw two similar Paypal phishing scams this week. Mousing over the links revealed that they both led to shortened URLs created at Bit.ly. (A URL is simply a link. If you don’t understand what shortened URLs are and why they are risky, read our article Risks of Shortened URLs.) The first email came from service@paypol.com while the second came from an address in Indonesia (country code .id). If you read each carefully you’ll notice odd grammar and capitalization, an indication that these were not created by native English speakers.
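The i-for-l trick above is easy to check for mechanically. As an added example (not code from The Daily Scam), this Python check folds visually confusable characters onto one form and compares the sender's domain to a short list of protected brands; the brand list, the 0.75 threshold, the local parts of the sample addresses and the helper names are assumptions made for the example.

```python
from difflib import SequenceMatcher

# Brands to protect (constructed list for this example; a real filter would load its own).
PROTECTED_DOMAINS = ["paypal.com", "bankofamerica.com"]

def normalize(label: str) -> str:
    """Fold characters that render alike onto one form (paypai -> paypal, rn -> m)."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("i1l0o5s", "lllooss"))

def registrable_label(domain: str) -> str:
    """Crude 'paypol.com' -> 'paypol'; assumes a single-label TLD (assumption)."""
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_score(sender_domain: str, brand_domain: str) -> float:
    """Similarity in [0, 1] between the normalized registrable labels."""
    a = normalize(registrable_label(sender_domain))
    b = normalize(registrable_label(brand_domain))
    return SequenceMatcher(None, a, b).ratio()

def classify_sender(address: str, threshold: float = 0.75):
    """Return (verdict, matched_brand) where verdict is 'exact', 'lookalike' or 'unrelated'.

    'exact' only means the domain string matches. The From header can still be spoofed
    (as in the Bank of America sample), so SPF/DKIM results must be checked separately.
    """
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in PROTECTED_DOMAINS:
        return "exact", domain
    best = max(PROTECTED_DOMAINS, key=lambda b: lookalike_score(domain, b))
    if lookalike_score(domain, best) >= threshold:
        return "lookalike", best
    return "unrelated", None

if __name__ == "__main__":
    # Sender domains from this week's samples plus the 2002 paypai.com domain;
    # the local parts other than service@ are constructed.
    for addr in ["service@paypol.com", "support@paeyipal.com", "help@paypai.com",
                 "alert@bankofamerica.com", "BloodPressureCure@whertotruth.download"]:
        print(addr, "->", classify_sender(addr))
```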

3-Paypol phish

4-Paeyipal phish 1

Criminals typically use URL shortening services to hide where a link points to. Unless you know how to unshorten it, it’s impossible to know where you land across the Internet until it happens. And that might be too late if malware is waiting for you. We used LongURL.org to see where these links would lead us and you can see below that it isn’t Paypal! (Another good tool to lengthen shortened URLs is URLex.org) We discovered that Bit.ly/payponz directs the user to a website called daylightfmb.com, while bit.ly/1Mlopmt sends the visitor to paeyipal.com.

5-Paypol url unshortened

6-Paeyipal url unshortened

Daylightfmb.com is the website for Daylight Microfinance Bank in Lagos, Nigeria. Their website has been hacked and is being used to host the Paypal phishing scam. Paeyipal.com was registered on October 10 through the registrar Enom.com and the website title given to Enom was “Send Money, Pay Online or Set Up a Merchant Account – PayPaI.” Enom is either completely incompetent or they simply don’t care if we get scammed. Either way, Enom makes money too. The Daily Scam has often found scam domains registered through Enom.

After making sure that malware was not waiting to infect our computer, we visited the link in the first email stating “unfortunately, your online access has been blocked.” Here is the phishing site we were sent to at the daylightmfb.com server. Looks legit but is a complete scam.

Just delete!

7-Paypol phish site

This past week we also saw this Bank of America phishing attack with the subject line “Irregular account activity !” Notice that the “from” email address was spoofed to look like alert@bankofamerica.com. In this case, the email came with an attached web file (html file) that opens your web browser and makes it look like you are logging into Bank of America. This form simply sends all your personal login details to the criminals.
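An HTML attachment like the one described above can be screened before anyone opens it: the login form has to post its fields somewhere, and that destination is in the file. As an added example (not code from The Daily Scam), this Python scan lists password forms whose action does not point at the brand the page claims to be; the attachment body, the placeholder collection host and the helper names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class CredentialFormFinder(HTMLParser):
    """Record every <form>'s action URL and whether it carries a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def offsite_credential_forms(html: str, claimed_domain: str):
    """Return the action URLs of password forms that do not post to claimed_domain.

    An empty or relative action is flagged too: opened from disk, such a form cannot
    be talking to the real bank either.
    """
    parser = CredentialFormFinder()
    parser.feed(html)
    parser.close()
    claimed = claimed_domain.lower()
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        host = (urlsplit(form["action"]).hostname or "").lower()
        if host != claimed and not host.endswith("." + claimed):
            flagged.append(form["action"])
    return flagged

# Constructed attachment: a look-alike login page whose form posts to a placeholder host.
ATTACHMENT = """<html><body><h1>Bank of America - Irregular account activity</h1>
<form method="post" action="http://phish-host-placeholder.invalid/collect.php">
Online ID <input name="id"> Passcode <input type="password" name="pass">
<input type="submit" value="Sign in"></form>
<form action="https://www.bankofamerica.com/search"><input name="q"></form>
</body></html>"""
```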

Just delete!

8-Bank of America irregular activity detected

Home Solar Panels, Hybrid Cars & Sears Window Installation

Though these three emails all look like great deals for environmentally conscious, “green minded” individuals, they are all lies meant to trick the recipient into clicking a malicious link.

The email pushing home solar panels came from a domain called leepdrain.xyz which was registered less than a week before this scam was delivered. According to a WHOIS lookup, the website was registered to a “Manny Ramirez” in Boston and is being hosted on a webserver in Hovedstaden, Denmark. (Also, notice the random text at the bottom of the email meant to fool antispam servers.)

9-Home Solar Panels

“Drive farther on less fuel with a hybrid.” So says the email from ShopHybrids@outepeckling.download. Sounds great to us! Except that it is also a lie. The domain outepeckling.download was registered on October 23, the day the email was sent and Google cannot find any website at this domain. We found more than 12 inches of orange blank space underneath the “unsubscribe” box at the bottom of the graphic. We dragged our cursor through it and discovered hundreds of orange words/phrases/sentences meant to fool antispam servers.
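The orange-on-orange filler described above is a common way to sneak extra words past content filters, and it can be found the same way we found it: by comparing each run of text's colour with the background it sits on. As an added example (not code from The Daily Scam), this Python parser walks an HTML body, inherits inline and `bgcolor` colours down the element tree and separates hidden runs from visible ones; the sample body, the default page colours and the helper names are constructed for the example, and it only understands hex colours and inline styles, not external stylesheets.

```python
import re
from html.parser import HTMLParser
VOID = {"br", "img", "hr", "meta", "input", "link"}  # elements that never close
COLOR_RE = re.compile(r"(?:^|;)\s*(background(?:-color)?|color)\s*:\s*([^;]+)", re.I)

def norm_color(value):  # lower-case and expand #f60 -> #ff6600 so shorthand and long hex compare equal
    value = value.strip().lower()
    return "#" + "".join(c * 2 for c in value[1:]) if re.fullmatch(r"#[0-9a-f]{3}", value) else value

def parse_style(style):  # pull color / background(-color) out of an inline style attribute
    found = {}
    for prop, value in COLOR_RE.findall(style or ""):
        found["background" if prop.lower().startswith("background") else "color"] = norm_color(value)
    return found

class HiddenTextFinder(HTMLParser):
    """Collect text whose foreground color equals the inherited background color."""
    def __init__(self):
        super().__init__()
        self.stack = [{"color": "#000000", "background": "#ffffff"}]  # assumed page defaults
        self.hidden, self.visible = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        attrs, ctx = dict(attrs), dict(self.stack[-1])  # ctx inherits from the enclosing element
        ctx.update(parse_style(attrs.get("style")))
        if attrs.get("bgcolor"):
            ctx["background"] = norm_color(attrs["bgcolor"])
        if tag == "font" and attrs.get("color"):
            ctx["color"] = norm_color(attrs["color"])
        self.stack.append(ctx)
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        text, ctx = data.strip(), self.stack[-1]
        if text:
            (self.hidden if ctx["color"] == ctx["background"] else self.visible).append(text)

def find_hidden_text(html):  # returns (hidden, visible) text runs for an HTML email body
    parser = HiddenTextFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden, parser.visible

# Constructed body modelled on the hybrid-car email: orange filler words on an orange footer.
SAMPLE = """<html><body><p>Drive farther on less fuel with a hybrid.</p>
<table bgcolor="#ff6600"><tr><td><a href="#">unsubscribe</a>
<p style="color:#f60">ambient sunrise violin ledger</p>
<font color="#FF6600">cascade marble tuesday</font></td></tr></table></body></html>"""
```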

Just delete.

10-Fuel efficient hybrid car


This last bogus email wants you to believe that you’ve scheduled a discounted window installation through Sears Home Services. However, the email is a scam and, according to a WHOIS lookup, the domain webanalyticsclicknow.com was registered by someone named “Rioplatense Rioplatense” from Baltimore, MD but the website (which doesn’t exist) is being hosted in Panama. We found the person’s name so interesting that we Googled it and learned that rioplatense is actually a dialect of Spanish spoken in certain regions of Argentina and Uruguay. And it appears that Mr. or Ms. Rioplatense has at least 4,538 other domains registered in his/her name. Can you guess who the Registrar service is? Yup. Enom again. We’re beginning to wonder if Enom registers any legitimate domains at all.

Delete!

11-Sears special window installation


TOP STORY: FanBox Account Alert

This week’s top story begins with an extremely unusual email because the email legitimately comes from FanBox.com and contains links that lead to FanBox.com. The $64,000 question is what is FanBox.com and why should our readers be concerned? FanBox was launched in 2007 and is a subsidiary of a company called SMS.ac that has been around since 2002. The “dot-ac” indicates that the domain was registered in the Ascension Islands. Wikipedia gives a nice explanation of SMS.ac and FanBox, citing multiple instances of very shady business practices, some of which led to hefty fines against the company. Check out this short 2009 video from Channel 6 News in San Diego about FanBox and read some of the comments below the video.

12-Fanbox - protect your account


If you do a Google search of FanBox you’ll find many complaints against them. They have very questionable business practices and seem to put out spam like the email above to entice new users. The Better Business Bureau, which had previously given FanBox an “F” rating, now rates it “A”, which seems rather strange. You can read both glowing and vitriolic comments about FanBox on the BBB website. However, if you click the complaints tab at the BBB, you’ll see there are 157 complaints against the company, the most recent from October 20. The Rip Off Report also has many complaints filed against FanBox. Check out the number of articles Google found in the last month alone claiming that FanBox is a scam.

With certainty we can only say that the recipient of the email above did not have a FanBox account and certainly never earned $1,862.39. This company’s business practices seem so shady, and there are so many people complaining about them, that we are calling FanBox a scam.

Best to stay away.

13-Fanbox spam scam


FOR YOUR SAFETY: Your iPhone Has Shipped, Attached Purchase Order & FedEx Shipment

Imagine getting an email from Rogers.com, a legitimate Canadian online electronics retailer, telling you that your new iPhone 6 has shipped. All links in the email lead back to Rogers.com and it appears to have been sent from Rogers.com. However, it’s all a lie. Look carefully at the line in the email below that states “For complete shipment details, please open and review the attached document.” GOTCHA! The attached Word document has a malware script embedded in it that will be the beginning of a major headache for unsuspecting victims.

Now delete.

14-Apple iPhone has shipped from Rogers


Like the Rogers.com iPhone shipment scam above, this email asking you to “Please see attached purchase order” is just another scam to engineer your behavior to open an infected Word file. Both email addresses in these emails are expertly spoofed to look like they have come from the real companies but they did not.

Delete!

15-Please see attached purchase order


Finally, “your package has arrived!” You remember, don’t you? It was… Uh. It was that… Uh. What package? See the attached Word document? Need we say more? Now what are the odds that all three of these very different scam emails came from the same criminal gang? We’re taking bets they did.

Delete!

16-Shipment completed for FedEx parcel

ON THE LIGHTER SIDE: Nike Job Offer

We like to think of ourselves as smaht and hahd-working Bostonians deserving of a good job that pays a good wage. So we were really happy to see this offer from Rodney Glen to do marketing research for Nike. We are so excited we’re even gonna wear the Nike gear while doing the work!

17-Nike looking to hire

That’s how dedicated we are!

Until then, surf safely!