
October 30, 2019

THE WEEK IN REVIEW

Not everything we write about is technically a scam.  However, if it isn’t then it is deceptive and so manipulative as to rise to a level that warrants attention.  Here is a perfect example that arrived in a TDS reader’s inbox. The only reason, we’re told, the person opened the email was because the subject line wasn’t true! He wanted to see why Amazon thought he had just spent $21.12.  Had his account been hacked and used by someone else? As it turned out, the subject was just manipulative marketing to trick him into opening the email to read an advertisement.  

We’re not sure how you feel about this type of manipulation, but through our lens this is offensive.  Lies used to engineer your behavior are still lies.

 

Many years ago we posted a short article on our website titled “Typos Hurt. Never Goggle!”  It refers to a website named goggle-DOT-com that is notorious for using malware to target those who mistype Google and visit the Goggle website accidentally. We checked it a few days ago to see if it had been cleaned up or taken down and nothing has changed!  So be careful what you type online as it may have unintended consequences! See screenshots from October 24:

 

 

 

We urge all our readers to read this excellent article posted on October 27 on CNN.com about how to recognize and avoid this very clever bank phishing scam that has been used to steal nearly $50 million from Americans.


Phish NETS: Re-Validate Your Email Account

This next email, sent from an address in Germany (“.de” = Deutschland = Germany), is such an obvious and poor phishing scam, thank goodness!  The links point back to a free website service that is used to create online forms. We LOVED how these criminals spelled “administrator!”

YOUR MONEY: Protect Your Home and Take Your IRA to the Next Level

Just as we have with hundreds of malicious websites ending in “.best,” we have also brought attention to malicious websites ending in “.monster.”  In honor of Halloween, we would like to conjure up a couple more nasty monsters intended to poison your computer by installing scary malware.  Let’s start with this oxymoron email advertising that it wants to “protect your home.” This email claims to represent ProtectYourHome.com, a website promoting ADT home security products and services.  However, look carefully at the FROM address. The email address may begin with “defend_your_home” but it was sent from the domain defendrect[.]monster. This domain was registered on the same day the email was sent and not by anyone connected to Defender, Protect Your Home, or ADT.

Additionally, the first directory in which these malicious files sit on their web server is called “paste-censurer,” so this malicious email was very likely created, via automated software, by the same criminal gang that often uses two random hyphenated words in its directory structure.

And how about this other scary monster using the subject line “Take your IRA to the next level by investing in Gold.”  The domain goldtrust[.]monster was also registered on October 25, the same day this email was sent.  Once again, check out the random two-word directory we found in the link… counterfeiting-banquets!

Happy Halloween!
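The three checks described in this section (sender domain versus the brand it claims, domain registered the same day the email was sent, and a two-word hyphenated first directory in the link) can be scripted. The following is an added example, not part of the original newsletter; the sample message, the 7-day cutoff, and the function names are assumptions, and the registration date is passed in by hand as you would read it from a WHOIS record.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample: only the sender domain, the "defend_your_home" local part
# and the "paste-censurer" directory come from the article; the rest is made up.
SAMPLE = '''From: "Protect Your Home" <defend_your_home@defendrect[.]monster>
Date: Fri, 25 Oct 2019 09:14:00 -0400
Subject: Protect your home

Details: http://defendrect[.]monster/paste-censurer/
'''

TWO_WORD_DIR = re.compile(r"[a-z]+-[a-z]+")  # e.g. "counterfeiting-banquets"
MAX_AGE_DAYS = 7  # assumed cutoff for "registered just before sending"

def refang(text):
    """Undo the [.] defanging so the standard parsers can read the domains."""
    return text.replace("[.]", ".")

def red_flags(raw, brand_domains, registered_on):
    """Return the red flags found in one message.

    brand_domains: domains the claimed sender really uses (supplied by the caller).
    registered_on: creation date read from the sender domain's WHOIS record.
    """
    msg = message_from_string(refang(raw))
    _display, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if not any(domain == d or domain.endswith("." + d) for d in brand_domains):
        flags.append("sender-domain-mismatch")
    sent = parsedate_to_datetime(msg["Date"]).date()
    if 0 <= (sent - registered_on).days <= MAX_AGE_DAYS:
        flags.append("newly-registered-domain")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        first_dir = urlparse(url).path.strip("/").split("/")[0]
        # Weak signal on its own: ordinary sites use hyphenated slugs too.
        if TWO_WORD_DIR.fullmatch(first_dir):
            flags.append("two-word-directory")
            break
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE, {"protectyourhome.com"}, date(2019, 10, 25)))
```

The directory check means little by itself; it is the combination with a mismatched, freshly registered sender domain that makes the message suspicious.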

TOP STORY: How Many Red Flags Can You Spot?

We talk about “red flags” as suspicious oddities in an email, text, advertisement or post that raise questions about the authenticity of the content and/or sender.  Sometimes we are able to dodge Internet hand grenades because of our ability to spot red flags and thereby avoid clicking a malicious link or downloading an attachment containing malware.  This next email is a perfect example of a communication that contains several very important red flags of varying severity! It was sent to us by a TDS reader who is both the Safety Director at her company and the person who registered the company domain with GoDaddy.com.  We’ll call her Marie. Marie asked us for our opinion on whether this email was legitimate and our reply was “absolutely not!” We spotted eight red flags (of varying degrees of concern) that raised the hair on the back of our collective necks enough to advise Marie NOT to click the “Account Verification” link.

We know that many of our readers are savvy enough to spot these red flags!  So how good are you? Look over this email very carefully to see how many red flags you spot that lead you to believe this email is not what it appears to be.  Our red flag list is below.

Here is our list of red flags.  If you see others that we have not included, please let us know by email: [email protected]!

  1. The email says it came from “GoDaddy” but the actual email address that follows this is a person’s name using a German media company that offers a free webmail service.  Their domain is “t-online.de.” In other words, this email didn’t come from the domain godaddy.com or any domain owned by them.
  2. The layout of this email is very unprofessionally crafted.  Several empty gray boxes, varying text sizes, and the space between “Verification” and the exclamation mark are examples of what we mean.
  3. The grammar and punctuation in the first paragraph are awful and awkward.  We believe that the person who crafted this email does not speak English as his or her first language.
  4. The recipient is told that her account AND domain will be instantly suspended if she doesn’t log in to re-validate the account.  Services simply do not send such demands to their clients.
  5. The footer contains the remark “*Expiration date is subject to change.”  What expiration date? No expiration date is noted in the email. Expiration of what? (We checked the WHOIS record for this company’s domain and found that it doesn’t expire for months.)
  6. GoDaddy is an Internet Registrar, Name Server provider, domain reseller, and web-hosting service.  Why would they put out a link to validate an account that points first to an email service at emailsrvr.com, a service provided by Rackspace.com?
  7. There is not a single place anywhere in this email that GoDaddy refers to the client by name or domain name.  However, four times the email lists the recipient’s email address as the only way to identify the recipient. Wouldn’t GoDaddy know its clients’ domain name or the contact name of the person who registered that name?
  8. The email lists GoDaddy’s support number as 1-877-GoDaddy.  This translates to the phone number 877-463-2339. We conducted a general Google search, as well as a site-specific search (site:godaddy.com 877-463-2339) for that phone number and it doesn’t show up as any phone number associated with GoDaddy at all!

A critically important way to evaluate the authenticity of an email is to use a WHOIS tool to look up registration information about a domain.  There are many, but we especially like the one at Domain Tools.  Here’s an opportunity for you to use this tool to evaluate the authenticity of an email.  Check out this email that appears to come from the website “We buy homes 4 cash.” However, the email came from, and links point back to, the domain NewsNowToday[.]info.  Visit the WHOIS tool at Domain Tools and enter that full domain name, WITHOUT brackets around the period, into the search field.  This email was sent on October 22. Two important questions about authenticity are… When was that domain name registered?  And where is it being hosted? What do you learn? (Answers below.)

When we looked up this News Now Today domain, we saw the following…. (It helps to look up 2-letter Internet country codes.)

FOR YOUR SAFETY: No Subject from Friends

We love getting interesting links to articles, funny memes and other Internet delights in the emails we get from friends.  Who doesn’t? However, when we get emails like this one from Michelle, ALARM BELLS ring loudly! This is not Michelle’s email address, though her full name preceded the email address.  This email came from a server in Germany representing the European Union and that link is just another malicious landmine. Step away from this trip wire!

Until next week, surf safely!