October 4, 2017

THE WEEK IN REVIEW

Let’s be honest.  Many of us make horrible password choices because we don’t think we can remember anything challenging enough to be considered strong.  I’m not saying any of our readers use the word “password” or “drowssap,” but parents, in particular, are known for making awful password choices by using their children’s names and birthdays in passwords.  Yet most people are completely unaware of the many tools hackers have available for cracking passwords on websites.  Coupled with the exposure of millions of pieces of personal information in the Equifax breach (see our Top Story below), it is just a matter of time before criminals start breaking into our accounts.

Computing power alone makes passwords under ten characters in length easy pickings.  Test your own password to see how long today’s computers would take to crack it.  Yes, this is a safe site to test it on.  Visit: https://howsecureismypassword.net/

And then visit our tip sheet “How to Create Strong Passwords”

We have often stated how criminals effectively use emails disguised as delivery notices to install malware on your computer.  Lately we have seen many similar emails disguised as DHL services.  This sample email was spoofed to appear as though it actually came from DHL.com, but it didn’t.  “DHL Arrival Notice” states that “your package has been arrived” and you are asked to print the receipt.  Even though the receipt appears to be a jpg photo file, VirusTotal.com informed us that it contained a Windows Trojan.  When in doubt, check it out!  Send your questionable files to VirusTotal.com.

Sample Scam Subject Lines:

***Attn: Your BMW Prize Winning Update***

Drive your pup bonkers with the newest treats, toys, and gadgets

FBI LETTER[CODE:210]t

Give your dog the joy of a million belly scratches

Get Your Timeshare Market Analysis before you Sell or Rent

Invoice

Oh my god – you NEED to see this

Ready to solve your pest problem

Secure $500K Term Life Coverage For Just $14.19 Per Month!

Startling Secrets About Cruise Ship Shopping Programs

U.S. Department of State

Use This Trick TONIGHT To Reverse High Blood Pressure.

wow great adventure

Sample Scam Email Addresses

AIG Direct <AIGDirect @ yatcherds-DOT-review>

Bank of america <service.inc @ support.com>

“Fatty Liver Disease Solution” <fattyliver @ fattyliver-DOT-com>

“Fidelity Life Insurance Co” <FidelityLifeInsuranceCo @ ultration-DOT-stream>

“Fidelity Term Life Quote” <FidelityTermLifeQuote @ acrositive-DOT-stream>

“ForeignBeauties” <ForeignBeauties @ contrabow-DOT-stream>

“Free Electrcity” <barkbox @ barkbox.com>

FREE trial membership for eBooks!

NBC Daily News <nbc.daily.news @ labradorretrieverpuppiesblog-DOT-com>

“New Car Deals” <NewCarDeals @ recordine-DOT-stream>

Prime Rewards <prime.rewards @ linedrivetournaments-DOT-com>

Replace Your Appliances <replace.your.appliances @ titlebooksonline-DOT-com>

service <service @ buy-now-great-DOT-top>

[hr]

Phish NETS:   Facebook Promotional Payment and Instagram Support Service

We cannot tell a lie.  The two scams in this week’s Phish Nets are technically not phishing scams.  We thought they were, but after investigating them we learned that the links lead directly to malware intended to infect your computer.

Either Michael at PreventBlindness.org had his email hacked or, more likely, the email was simply spoofed.  Either way, this notice of a “promotion payment” certainly didn’t come from Facebook.  A mouse-over of the link for “View notifications” shows that it points to a hacked website for a Florida air-conditioning company.  If you look up the domain GreatCooling-DOT-com in Google (DO NOT visit this site!) you’ll see that even Google thinks the site has been hacked.  Both Avira and Fortinet have identified malware waiting for you at the end of this link.
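The “mouse-over the link” check above (and the spoofed DHL sender earlier in this issue) can be automated.  This is an added example, not The Daily Scam’s code: it parses a constructed message, compares the domain of every link against the domain the From header claims, and flags link shorteners such as ow.ly that hide the real destination.  All domains in the sample are placeholders.

```python
# Automate the "mouse-over the link" check: does the claimed sender's domain
# match where each link really goes?  Added example, not The Daily Scam's code;
# the message and every domain below are constructed placeholders.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"ow.ly", "bit.ly", "tinyurl.com", "t.co"}  # hide the real target

SAMPLE_EMAIL = """\
From: BigBrand Notifications <notification@bigbrand.example>
Content-Type: text/html

<html><body>
<a href="https://bigbrand.example/help">Help</a>
<a href="http://hacked-aircon.example/notify">View notifications</a>
<a href="http://ow.ly/constructed">Crack the egg</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    # Gather every href in the HTML body, as a mouse-over would reveal it.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def org_domain(host):
    # Crude registrable part of a host name: its last two labels.
    return ".".join((host or "").lower().split(".")[-2:])

def analyze(raw):
    """Return the warnings a reader should see before clicking anything."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = org_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for link in collector.links:
        host = (urlparse(link).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides its destination: {link}")
        elif org_domain(host) != claimed:
            findings.append(f"link goes to {host}, not {claimed}: {link}")
    return findings
```

Running `analyze(SAMPLE_EMAIL)` reports the air-conditioning link and the ow.ly link and stays silent about the one link that really goes to the claimed sender.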

This is the first time we’ve ever seen a scam target Instagram, but this one is so amateurish that it is laughable!  The email came from the domain animail.net, which, according to what we learned online, seems to be used a fair amount for sending spam.  “Instagram New Messages Support Service Maria Wallace.”  “Hi Dear Mr/Mrs You will receive your first e-mail as soon as you have confirmed your e-mail address by clicking the link below.”  Of course the link points to another hacked and misused web server hosting malware.  Like the bogus Facebook message above, this is a landmine waiting to be stepped on.  Both BitDefender and Fortinet have identified malware waiting for you at the end of that link.

YOUR MONEY:   Pandora Factory Outlet, Amazon – Crack the Egg, and Sam’s Club or Costco?

Last week we talked about fashion giants Ray-Ban, Michael Kors and Oakley.  This week we begin with a bogus email offering deep discounts on Pandora jewelry.  But if you look closely enough at this offer you’ll realize it is donkey-poo.  The email didn’t come from Pandora.com and the links don’t lead back to it.  They lead to a hacked webserver for a school in Jeddah, Saudi Arabia.

Just delete and visit your local Pandora.

We’ve seen these clever “crack the egg” promotions before, especially around Easter.  How cute.  Crack the egg to find a reward inside.  But the only reward you’ll get is a nasty computer infection.  Notice that the link in the email points to the shortening service ow.ly.  We unshortened that link using urlex.org and discovered that you will be sent to a website called sweeterfaster-DOT-com in Latvia.  We previously reported on this dangerous website in our September 7, 2016 newsletter (For Your Safety). But you won’t stay at sweeterfaster-DOT-com for long!  There is a forwarding script on sweeterfaster that will send you to another malicious website called powervip-DOT-xyz.

Deeeeleeeete!

We think criminal gangs continuously rework many of the same old scam layouts and designs by substituting new content.  These poor, tired, overworked souls occasionally make mistakes.  Take this email with the subject line “You Could Get A $50 Costco Gift Card, Participation Required.”  Yet when you open the email you’ll discover that it is listed as a promotion for Sam’s Club, not Costco.  Oops!  Is someone going to get fired for this mistake?  We sure hope so.  All links lead to a malicious domain called franding-DOT-stream, which was registered on May 11 to a non-existent company we’ve written about several times called Monolith Holdings, LLC.

Just delete.

TOP STORY:  Equifax and the Scam Fallout

By now, most everyone has heard about the seriously egregious breach of security at Equifax, which happened because Equifax didn’t patch a vulnerability in a server’s software.  As a result, more than 140 million Americans had very sensitive data stolen, including social security numbers and detailed credit information.  The fallout from this continues, including the “early retirement” of the Equifax CEO Richard Smith. (Don’t feel too badly for Mr. Smith.  He’s leaving with a payout of $90 million, or about 60 cents for every American citizen whose data was stolen.)  Also, our Congressional leaders are considering new rules for the credit reporting industry.  Let’s hope they can, at least, get this done!

Though we could go on and on about the Equifax fiasco and how badly it will hurt people as their data hits the dark web, this week’s Top Story is actually about scams that are preying upon our fears and concerns over this breach.  …Such as this email from Emily Hampton at Endevorhouse-DOT-com.  “Protect Your Accounts” “Equifax has been breached. You are risk for credit and identity theft.”  But endevorhouse-DOT-com can’t be found on the Internet, though the domain name is being hosted in Bucharest, Romania.

That got our attention!

We asked the Zulu URL Risk Analyzer to have a look at this link to endevorhouse-DOT-com and it told us that it is A-OK.  But wait!  It also said that endevorhouse-DOT-com contained a forwarding script and will automatically send us to another website called anersonmidder-DOT-com in Hungary.  We asked Zulu to review anersonmidder-DOT-com and BANG!  100% Malicious!
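The “forwarding script” pattern shows up twice in this issue: sweeterfaster-DOT-com handing visitors to powervip-DOT-xyz, and endevorhouse-DOT-com handing them to anersonmidder-DOT-com.  The following is an added example, not the Zulu analyzer and not The Daily Scam’s code: it statically scans a saved page (a constructed sample, placeholder hosts) for the two most common automatic forwards, a meta refresh tag and a JavaScript location change, without ever loading the destination.

```python
# Statically spot a "forwarding script": a page that, without the visitor doing
# anything, sends the browser on to a second site.  Added example, not the Zulu
# analyzer or The Daily Scam's code; the HTML and hosts below are constructed.
import re
from html.parser import HTMLParser

# window.location = "..."; location.href = "..."; location.replace("...")
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.replace\(\s*['"]([^'"]+)['"]""", re.IGNORECASE)

class ForwardFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []       # (mechanism, destination) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://..." -- keep what follows "url="
            _, sep, url = a.get("content", "").partition("=")
            if sep:
                self.targets.append(("meta-refresh", url.strip().strip("'\"")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(("javascript", m.group(1) or m.group(2)))

def find_forwards(html):
    """Return every automatic forwarding destination found in the page."""
    finder = ForwardFinder()
    finder.feed(html)
    return finder.targets

SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://second-hop.example/landing">
<script>
  setTimeout(function () { window.location.href = "http://third-hop.example/?id=1"; }, 500);
</script></head><body>Loading...</body></html>"""
```

A clean verdict on the first hop means little when `find_forwards` shows the page immediately sends you somewhere else; each destination deserves its own check.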

Next was this email from forumsiran-DOT-com with the subject line “Criminals want your identity.”  “You are a target!  Get real-time social security number monitoring, instant suspicious activity alerts, and a $1,000,000 identity protection policy.”  Sounds good, right?!  But it is just malicious click-bait once again!

The Zulu URL Risk Analyzer followed that link to a malicious webserver in Romania…

We could do this all day, people.  Here are a few more links about scams designed to take advantage of the anxiety created by the Equifax data breach…

https://www.experian.com/blogs/ask-experian/after-the-equifax-breach-watch-out-for-phishing-scams/

https://www.washingtonpost.com/news/the-switch/wp/2017/09/28/online-thieves-may-be-exploiting-the-equifax-panic-researchers-say/?utm_term=.72f1bea24357

http://nypost.com/2017/09/24/this-equifax-e-mail-is-likely-a-scam/

http://www.app.com/story/money/business/consumer/press-on-your-side/2017/09/22/equifax-scams-security/690910001/

Our personal recommendation?  It’s not an easy pill to swallow.  We recommend that you lock/freeze your credit reporting with each of the three main credit reporting companies – Equifax, Transunion, and Experian.

[hr]

FOR YOUR SAFETY:  Pay This Sh**, Confirm Your Bank Details, We Found Broken Files, and Mac Media Player

Our honeypot server is pounded by thousands of invoice payment requests.  Most are carrying malware, but some have links pointing to malware on far-away websites.  We especially liked the tack taken by this email….  “Pay this sh*t already, or we will take legal action.”  Of course it wasn’t really sent from Quecheeinn.com, but it does point to a webserver in China.

How about this one to “confirm your bank details.”  The cute graphic leads you to believe it is an attached pdf file but it is actually a link to a website registered to someone named Nasser Hassan from Beirut, Lebanon.

This next little gem is equally malicious.  “We found broken files”  That’s nice.

Delete.

Finally in this week’s For Your Safety column is this email that wants to be all things media to all Apple computer users but is nothing but a wolf in sheep’s clothing.  The email, sent to us by a TDS reader, came from radiomartil-DOT-com and contains links that point back to a website in France called 4sat.eu.

Just delete and be thankful you dodged a bullet.

ON THE LIGHTER SIDE:   Scam Compensation Fund

Once again, we are grateful that someone from Africa acknowledges the many scams we’ve suffered at the hands of scammers on that continent and is offering us compensation.  They have already opened the bank account in our name and are ready to transfer the funds to our account here in the US!  Oh Joy!

From: “Miss, Francisca Obiora.” <wwwswk@ican.net>
To: Undisclosed recipients:;
Subject: Notification from United Bank For Africa (UBA)
Date: 2017-09-29 01:48AM

United Bank For Africa Nigeria Plc,
UBA House, 57 Marina, P.O. Box 2406,
Lagos, Lagos State, Nigeria.
Working Hours (Weekdays)
(Saturday) Closed
(Sunday) Closed

Notification from United Bank For Africa (UBA)

I’m writing to inform you that the Federal Government of Nigeria is keen and very determined to pay your overdue scam victim compensation fund, I would not want you to loose this fund out of ignorance, The Federal Government of Nigeria has deposit your Compensation fund US$1.5 Million United State Dollars with United Bank For Africa Nigeria. The government had a clear mandate to open an online account in your name with the bank and set up an online account that you will use to transfer your fund to any bank account of your choice worldwide.

However, the government deposited your compensation funds to United Bank For Africa Nigeria Plc. This bank has finally opened an online account in your name and your compensation fund US$1.5 Million USD has been transferred to the online account that our bank open in your favor, We want you to reconfirm your particulars/Information with this humble bank for further confirmation and verification of these fund in our possession so that you will have access to your online account with United Bank For Africa Nigeria.

Closure/Transfer of Escrow/Sundry Account #: 3079965739

I Mr/Mrs………….. write to apply to your Esteemed bank for the Closure of Escrow Sundry Account #: 3079965739 and Transfer of its proceeds US$1.5 Million USD.

Present contact address as follows:

Full name:
Address:
Country:
Date of Birth:
Age
Occupation:
Direct no.
Email:
Post Code:

We need your cooperation as we would not be held liable for the confiscation of your funds if you do not follow the directives of an immediate remittance on before the deadline as stated above.

When we acknowledge your application, We will send your online account details, You will login to your online account and proceed with your fund transfer to any bank account of your choice worldwide.

Thank you and remain bless.

Regards,
Miss, Francisca Obiora.
Foreign Operation Manager &
Fund Transfer Director.
United Bank For Africa

Until next week, safe surfing!