October 3, 2018


“How to cook phish!” That’s what we ought to call this week’s Top Story, as we descale these slimy creatures. But we’ll stick with the title we used fifteen months ago when we first ran it… “Phishing Tricks to Know.” We have never felt the need to repeat a top story, until now. Last week we heard from several readers who sent us their smelly phish, including a new phish we’ve never seen before!

A reader in Florida sent us this partial screenshot of a phish that targeted someone at his company. It claims to represent PNC Bank, which operates in nineteen states across the U.S. The link LOOKS like it points to a secure (https) connection for the legitimate website pnc.com, but it actually points to a phishing website: the text displayed for a link and the address it really opens are two different things, and link spoofing is not hard to do. Read the opening paragraph and you’ll see that the language used is exceptionally phishy!

Phishers often tell their targeted victims that their accounts have been suspended or temporarily closed UNTIL they click a link to verify their information. This is just a nasty form of social engineering. As you continue reading below, we’ll go over the finer points of catching a phish.

We have recently heard from several men who were targeted with sextortion, a terribly upsetting and embarrassing scam. One man told us his first contact with the extortionist was via a website that promised to connect him to women who offered online sexual interactions. Another man sent us this screenshot of a lure to a similar website. The email address was surely spoofed to appear as though it came from Ebay.com. We tell our readers this because it pains us to see anyone targeted in this way. The domain linked to this email was moexception[.]com. It was registered in early August through a private proxy service.



Phish NETS: Spotify, Navy Federal, and Chase Bank

This first phish was unusual for several reasons, starting with the fact that we’ve never seen a phish pretending to be Spotify. The TDS reader who sent this also informed us that he actually clicked the link and it sent him to a login web page for Apple ID! However, he may have more to worry about than just being phished, based on what we learned from VirusTotal.com. (See screenshot below.)

Most important about this phish are these four points:

  1. The email did not come from Apple.com or Spotify.com. It came from the domain supports-accs-acnt-lnforms[.]com, which was registered the day before the email was sent, through a private proxy service in Canada.
  2. The links don’t point to either Apple.com or Spotify.com. They point to the domain htl.li, a link-shortening service for HootSuite Media, which means you are redirected through them to somewhere else on the Internet. In this case, the redirect sent our reader to an Apple phishing page at the domain appid-covverage-fomrs.ml (“.ml” is the 2-letter country code for Mali).
  3. Apple and Spotify are two completely different companies and their accounts are not related in any way.
  4. If you take the time to read the short text in this email, you’ll find two grammatical errors, which should ALWAYS raise your suspicions about the authenticity of an email sent from a legitimate service or business.



Another TDS reader sent us the next two poorly constructed phish. The first claims to represent Chase Bank, uses a shortened link created with the service Ow.ly, and carries the subject line “Alert Notification Online Banking.” The email may be lame, but the phishing website is not, as you can see below.


Finally, we have this last laughable phish that pretends to be an email from Navy Federal Bank. Fortunately, it is also very easy to see that it is fake: the links point to a file on the domain foofighterstourhq[.]com.




YOUR MONEY: New Costco Survey Reward

Though it feels like we may have beaten this subject to death, the most prolific Internet criminal gang continues to target Americans with emails disguised as surveys offering rewards. This one appears as a Costco wholesale shopper survey and has links sending visitors to another redirect, starting with the Microsoft servers at safelinks.protection.outlook.com and then followed by the dynamic link service at ddns.net. The email came from a domain registered on September 5, 2018 in the European Union (“.eu” = 2-letter code for European Union) as hackmicro[.]eu. Clicking “See Today’s Deals” sent us to a malicious domain we’ve identified multiple times in recent weeks… ironappworks-inc[.]com.


When we followed that link to the “ironappworks-inc” website, we were greeted with this popup informing us that this was a “special offer available today only” (September 24, 2018). We LOVED the customer reviews at the bottom, especially the one by “Kevin D.” Isn’t it just like a guy to say “I love taking these surveys!”




TOP STORY: Phishing Tricks to Know – Again!

Most phishing emails are lame and easily revealed if one simply pays attention to the “from” address, or to the address that appears in the lower left corner of your browser window when you mouse over (BUT DO NOT CLICK) the primary link in the email. Our Phish Nets column has exposed hundreds of these phishing emails during the last few years. However, we periodically see very clever phish in this criminal ocean that surpass the usual riff-raff in their craftiness. These better-than-most phish use one or more of the tricks below to make them seem, at first glance, more legitimate.

(1)  The link, revealed by a mouse-over, begins with https

The “s” in https means “secure,” as in a secure transfer of information between your computer and the website you communicate with, because your data is encrypted. This is incredibly important when sending or receiving very personal data such as financial information. Turning an http website into an httpS site requires something called an SSL certificate. It must be purchased from a legitimate and recognized SSL provider. Companies and organizations have to jump through many hoops to prove who they really are in order to get an SSL certificate and become https sites. TDS is only aware of a small handful of instances when criminals were able to secure SSL certificates for their bogus websites, but even these were quickly exposed and then taken down.

Seeing a link that begins with “https” is therefore very reassuring! This is why phishers will work hard to either hack an https site or use sites that begin with https but then forward you to their non-https site. Many URL shortening services begin with https AND are intended to forward a user somewhere else on the Internet. Take this email saying “Welcome to Amazon.” (By the way… there is such a thing as an Amazon “mechanical turk.”)

Mousing over “Confirm your account now” shows a bit.ly link that begins with https. But bit.ly is just a shortening service that has its own SSL certificate. Like all shortening services, bit.ly takes long links and makes short links out of them for people to use and share. What you should see when mousing over is www.amazon.com/. After clicking this link, a visitor is forwarded by bit.ly to a large white web page on a phishing site with this Amazon look-alike in the middle of it:

(2)  Obfuscate a link so severely that it is hard to figure out where it actually sends you

We tried using some of our regular tools to find out where this shortened bit.ly link leads in the above Amazon phish. We discovered that the domain and subdomain are soooo long that the link exceeded the display space! We were unable to see where the link pointed! That was very clever of these criminals. However, we realized that a tool like the Zulu URL Risk Analyzer will show us the full link no matter how long it is or how many subdomains it contains. Zulu showed us that the fully exposed scam link contains eleven subdomains (each separated by a period from the next and from the domain). If we counted correctly, there are 195 characters in the subdomains of this link. We’ve drawn attention below to the two subdomains at the very beginning of the link, amazonup and comi, as well as the actual domain itself. The actual domain is johniim[.]net, and a WHOIS lookup from 2017 informed us that it was registered on June 24 through a private proxy service in Australia. That was the very same day that the phishing email was sent!

(3)  Create a subdomain that makes the real domain look like the company the email is supposed to represent

Criminals create a subdomain that adds legitimacy to the phishing scam. Remember… anyone can create a subdomain to say anything at all! Notice in the full phishing link revealed above by Zulu that the first two subdomains a user will see are amazonup.comi. Not exactly amazon.com, but close. In our Phish Nets column of June 14, 2017 we wrote about a phish that uses “apple-id” as a subdomain.

(4)  Create a domain that believably appears to represent the company being phished

One of the most successful phishing efforts in the history of phishing scams, in our humble opinion, was the use of the scam domain paypai, created by phishers in 2000 and reported in this article at zdnet.com. The lower-case “i” looked a lot like an “l” in web browsers at the time and fooled lots of people. But phishers have also been known to create domains that seem legitimate. Take this phish below. “Dear Customer Your Apple ID has been suspended” says an email from apple[.]SSL[.].com! (In our April 19, 2017 Phish Nets column we exposed a phish using the subdomain apple in the domain apple[.]SSL[.].com.) The link “Verify now” in the email below points to the domain 0cloud-iverify[.]com, and it begins with https! How they managed to get an SSL certificate we’ll never know, but this is not the same as visiting apple.com! Look below and you’ll see a screenshot of the website found at 0cloud-iverify[.]com. According to a WHOIS back in 2017, the domain 0cloud-iverify.com was registered on June 21, 2017 by Carsten Hinkel from Munich, Germany and was hosted on a web server in Hong Kong.

Sound like Apple to you?
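To turn tricks (1) through (4) into something you can run against a link before anyone clicks it, here is an added example in Python. It is our own illustration, not the tooling TDS or Zulu uses, and the sample links in it are constructed to match the shapes described in this column (the Amazon phish with its pile of subdomains, the apple subdomain on a ssl.com domain, the paypai look-alike, and the bit.ly/Ow.ly shorteners from this week’s Phish Nets), not the actual links from the emails. It takes the address revealed by a mouse-over, separates the registrable domain from the subdomains (using the simplifying assumption that the registrable domain is the last two labels), counts how many subdomains and characters sit in front of the real domain, and flags a brand name that appears only in a subdomain or a registrable domain that imitates a brand with look-alike characters. One caveat worth stating: since this column first ran, domain-validated certificates have become free and automatic to obtain, so https on a link proves only that the connection is encrypted, never who is on the other end. That is why the check ignores the scheme entirely and looks at the host.

```python
"""Triage a suspicious link the way the column does by hand: pull the host
out of the URL, find the registrable domain, count the subdomains, and
flag brand names that sit in the wrong place or are spelled with
look-alike characters.

Added example; this is not The Daily Scam's tooling. Sample hosts below
are constructed to match the shapes described in the article."""

from urllib.parse import urlsplit

# Brands discussed in the column. A tuple keeps the finding order stable.
BRANDS = ("amazon", "apple", "paypal", "pnc", "chase", "spotify")

# Public URL shorteners named in the column. A shortener's own https
# certificate covers only the redirect, never the final destination.
SHORTENERS = {"bit.ly", "ow.ly"}

# Characters that pass for letters in an address bar (paypai vs paypal).
# Assumption: this small table is enough for the cases in the article;
# real confusable detection uses Unicode's confusables data.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def normalize(label: str) -> str:
    """Map look-alike characters to the letters they imitate."""
    out = label.translate(CONFUSABLES)
    for pair, letter in PAIR_CONFUSABLES:
        out = out.replace(pair, letter)
    return out


def split_host(host: str):
    """Return (subdomain labels, registrable domain).

    Assumption: the registrable domain is the last two labels. That is
    wrong for suffixes such as co.uk; production code should consult the
    Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], host.lower()
    return labels[:-2], ".".join(labels[-2:])


def triage(url: str) -> dict:
    """Return the parsed host plus a list of human-readable findings."""
    host = urlsplit(url).hostname or ""
    subs, reg = split_host(host)
    reg_label = reg.split(".")[0]          # "johniim" in johniim.net
    findings = []

    if reg in SHORTENERS:
        findings.append(f"{reg} is a URL shortener; its https only covers "
                        "the redirect, not where it forwards you")

    # Trick 3: the brand appears only in a subdomain anyone can create.
    for label in subs:
        for brand in BRANDS:
            if brand in label and brand not in reg_label:
                findings.append(f"brand '{brand}' sits in subdomain "
                                f"'{label}' but the real domain is {reg}")

    # Trick 4: the registrable domain imitates the brand.
    for brand in BRANDS:
        if reg_label == brand:
            continue
        if normalize(reg_label) == brand:
            findings.append(f"{reg} is a look-alike of {brand}")
        elif brand in reg_label:
            findings.append(f"brand '{brand}' is embedded in domain {reg}")

    # Trick 2: a host so long that mouse-over displays cannot show the end.
    sub_chars = sum(len(s) for s in subs)
    if len(subs) >= 4 or sub_chars >= 60:
        findings.append(f"{len(subs)} subdomains ({sub_chars} chars) look "
                        "designed to overflow the status bar")

    return {"host": host, "registrable_domain": reg, "subdomains": subs,
            "subdomain_count": len(subs), "subdomain_chars": sub_chars,
            "findings": findings}


# Constructed sample links following the patterns in the article.
SAMPLE_URLS = [
    "https://bit.ly/2xAmzn",
    "https://amazonup.comi.a1.b2.c3.d4.e5.f6.g7.h8.i9.johniim.net/signin",
    "http://www.paypai.com/cgi-bin/webscr",
    "https://apple.ssl.com/verify",
    "https://www.amazon.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        report = triage(url)
        print(url)
        print(f"  registrable domain: {report['registrable_domain']}, "
              f"{report['subdomain_count']} subdomains")
        for finding in report["findings"]:
            print(f"  ! {finding}")
```

Run it as a script and each sample link prints its real domain, its subdomain count, and the findings; the genuine www.amazon.com link comes out clean while the other four each trip at least one rule. The registrable-domain split is deliberately naive so the logic stays readable; swapping in the Public Suffix List is the first change to make before using anything like this on real mail.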


FOR YOUR SAFETY: “From” Hell, Again!

Last week we saw a surge of very malicious emails with links to malware that appeared to come from people whose email accounts had previously been hacked. One of the many ways that hackers can monetize a hacked email account is to collect email addresses from the account’s contact list. They then target these contacts with links to malware, hoping a click will infect the recipient’s computer or phone. (There are so many other ways to make money from stolen email accounts!) For example, one type of malware is a keylogger, which captures everything typed on your keyboard, such as the login credentials to your credit card or bank account.


Until next week, surf safely!