September 13, 2017

THE WEEK IN REVIEW

Our honeypot servers were hammered this past week with three types of emails carrying viruses.  We saw hundreds of them!  The subject lines were “Emailed Invoice (followed by different numbers)”, “Microsoft Store E-invoice for your order (followed by different numbers)” and “New Voice Message.”  We reported on the “New Voice Message” emails in our August 30th newsletter. Here are a couple screenshots that make our point: 

 

A reminder to our readers that criminals often align their malicious emails with our seasonal celebrations and activities.  Check out this click bait claiming to offer huge back-to-school savings on items your children need.  The email appears to come from the domain “backtoschool.com” but links lead back to the poorly spelled criminal domain backtoskool-DOT-bid.

Readers know that we recently reported on fake Amazon customer support phone numbers being spread across the Internet, including Amazon’s own community forum!  Yesterday we added 8 new phony scam phone numbers being used by criminals in the last week.  Visit: Amazon Customer Support…NOT!

 

[hr_invisible]

Sample Scam Subject Lines:

#1 Rated Overall For Tax Debt Relief

Confirmed

Get your fifty dollar CVS rewards card.

Is this you in the video?

Meet New Friends, Join the Fun!

Never Pay For Covered Repairs Again In 2017!

See what your Walgreens Rewards Card value is.

Tired Of All The Fake Dating Sites?? Try This.

Truly Disgusting…This scandalous video will make your blood boil

U.S. Department of State

Voice Message from 017206530072 – name unavailable

Why Over-Preparedness Can Kill In A Crisis

YOU-WIN!!( claimaagentdraw@aim.com )

Sample Scam Email Addresses

“Blood Health” <BloodHealth @ baselor-DOT-stream>

Family Physician News <family.physician.news @ dreshmaza-DOT-com>

“Fidelity Life Ins” <FidelityLifeIns @ pyrailroad-DOT-stream>

“From Western Union …”<monitor @ asobimo-DOT-com>

“GRANT COMPENSATION PAYMENT”<us.realpayment.instant @ us-citizen-DOT-com>

Home Warranty Special <HomeWarrantySpecial @ popstaer-DOT-host>

“IntlWomanOnline” <IntlWomanOnline @ oceanutes-DOT-stream>

“New Cars Online” <NewCarsOnline @ acessage-DOT-stream>

“Reward Coupon” <RewardCoupon @ quantitan-DOT-stream>

“Survival Super Food” <ultimatesurvivefood @ survivalfood-DOT-com>

Unlock Amazon Rewards <unlock.amazon.rewards @ kabookta-DOT-com>

“WESTERN UNION INTERNATIONAL”<b.lets82 @ oasis.ocn.ne-DOT-jp>

Whats App <dantram-bremsped @ proctors-DOT-org>

“Yoga-Burn” <Yoga_Burn @ bigbast-DOT-us>

 

 

 

[hr]

[hr_invisible]

Phish NETS:  Capital One Bank, Apple ID, DCU Credit Union, PayPal, and DiscordApp

The big jump in phish targeting U.S. citizens continues.  Starting with this email from mobile “@” mansoft-DOT-com, not Capital One if you look closely.  “Account Restriction Notification”  “We’re restricting your Capital One account(s) until we can verify your recent activity.”  A mouse-over of the link “VERIFY YOUR ACCOUNT” reveals that it points to the crap domain drucuqw-DOT-xyz, not capitalone.com.

Delete!

[hr_invisible]

It is so easy to distinguish real from fraud if one looks carefully at this junk.  Here’s another example that tries to fool you into thinking it came from Apple ID but the email came from nyweightloss.org.  “Account Info Change”  “Hello  The following information for your Apple ID was updated on….”  We found dozens of these phish.  This one says your Phone number was changed.  Others say your Street Address was changed.  None of them point to Apple.com.  This one pointed to a hacked website for vacation cottages in South Carolina.  Even Google informed us that their website had been hacked.  We’ve notified the site owner and hosting service.

Now delete.

 

Do you recognize the from email address used in this next phishing scam?  It is the same as the Captial One phish above.  Seems likely to us that the same criminal group pushing out the Capital One scam is targeting many institutions, like this phish against Digital Federal Credit Union (DCU) of Massachusetts and New Hampshire.  “ACCOUNT SUSPENDED”  “Our security team prevented suspicious sign in attempts on your online account.”  Mousing-over “REACTIVATE NOW” shows that it points to another DOT-xyz crap domain.

[hr_invisible]

This next phish that seems to be from PayPal Support is a bit more clever.  The email was sent from a generic-looking domain ppl3-DOT-net.  But that domain is no longer in use, according to a WHOIS lookup.  Instead of a link, this email comes with a very dangerous html web document identified as CompleteThisForm.  When we attempted to download and crack open this form, our virus protection software stopped us saying that it contained a trojan malware called Phish-AHB. (This malware is described here at Sophos.com)

Ouch!

[hr_invisible]

And lastly, we found dozens of these very odd phish in our Internet sea.  They seem to be phishing the login credentials for an app associated with gaming accounts called DiscordApp.   “Expired Password”  “Please update your information.”  We’re not quite sure how they can make money from this phish or what games are being targeted but… whatever.

[hr_invisible]

[hr_invisible]

YOUR MONEY:   Target Promotion, Find TV, Internet & Phone Package

If you look carefully at the from address you’ll notice that “Rewards For Surveys” actually comes from another crap domain called squation-DOT-stream.  By the way, we have ICANN to thank for authorizing hundreds of crap domains in the last few years.  Honestly…. We believe that ICANN, the governing body of Internet names, dramatically increased crap domains (which are used almost exclusively by criminal gangs) so they can earn more money from the purchase of these domains.  Even though they likely know that these domains are overwhelming used as bullets to shoot at netizens around the world.  We have often protested loudly against ICANN, including our feature article How to Make the Internet Safer For Everyone. But we digress…  “Get A $50 Target Gift-Card, Participation Required.”  Just another survey click-bait to a computer infection.

Move on folks…

[hr_invisible]

We live in the northeast and the two biggest providers of TV, phone and Internet are Comcast and Verizon.  Both have notoriously bad customer service and other issues that consumers often complain about.  So this next email certainly got our attention….  “Find TV, Internet And Phone-Packages”  But our hopes were quickly dashed after seeing where it came from… Another crap domain!  Fontember-DOT-stream. This domain was registered at the end of April of this year by an organization identified as Monolith One Holdings, LLC in Saint Kitts & Nevis (Caribbean).  This company doesn’t seem to exist on the Internet though BigDomainData.com tells us that it has a post office box in Nevis and is associated with someone named Larry Dawes.  Larry owns 17 other domains, including palacialpromos-DOT-info.  Monolith One Holdings also owns the crap domain used in the Target email above.  Sound trustworthy to you?

 

[hr_invisible]

[hr_invisible]

TOP STORY:  DHL Tracking – Another Rabbit Hole

We have shown readers many times that emails disguised as package delivery services are often used to target them.  They are used most frequently to deliver malware directly as attached files (usually zip files) or by containing links to malware, situated like landmines on web servers around the world.  This DHL-wannabe email is different than any we’ve seen before.

“Dear [email address],  Your shipment arrived our regional Office on Wednesday, 06 September 2017, However the details provided for dispatch are incomplete / incorrect.  Kindly Download Shipment Receipt, Track on our webpage link www.dhl.com/dl/tracking and also correct address to enable us proceed with Dispatch.”

[hr_invisible]

Obviously, English is not the sender’s first language and the scammer doesn’t live in the United States.  We say this with confidence because scammers often reveal a “tell” (Wikipedia “poker tell”)   in their scams.  The “tell” in this email is listing the date as “06 September.”  Though common around the world, this is a very uncommon in the U.S.  We wrote about a “tell” frequently revealed by African scammers in the Top Story of our August 16 newsletter titled “Dearest One.” 

Let’s break down the red flags in this cleverly crafted email…

  1. Though the from address begins with DHL WORLDWIDE INTL you can see that the sending domain name is bringtree-DOT-cn. “.cn” is the 2-letter country code for China.  A Google search for this Chinese domain only finds this same bogus email listed on the website TrashCanMail.com.
  2. A mouse-over of the blue link dhl.com/dl/tracking shows that it points to the web site dailyexpresslogistics-DOT-com. This domain sounds official but it isn’t dhl.com!  Google can’t find any business at this domain.  This official sounding domain was registered through GoDaddy.com on June 2, 2017 to someone named “majemu temituro” from Mexico City, Mexico with an email address majezie1 “@” gmail.com.
  3. Finally, we asked Screenshot Machine to follow the link in this email to its destination and show us what waited for us there. We found a login screen containing the email address that was targeted by the scammers in the DHL email.  This doesn’t even look like DHL.

[hr_invisible]

Bottom line: In the world of online deception, a critical eye is increasingly important.  If something feels wrong or “off” about an email, ad post, social media message, text….you name it…. Then do some investigation.  If things don’t add up, don’t click.

 

[hr_invisible]

[hr]

FOR YOUR SAFETY:   What Do You Think?  I’m So Excited and Welcome to Our New Website

Look at this clever click bait from Sylvia Gonzalez (sent from corebt.com)  The subject reads “what do you think about this stuff?”  However, the email contains a copy of a message that was supposedly first sent to Sylvia.  This reply is presumed to be a response!  But the recipient never sent the message quoted at the bottom of the email.  Also, the hot-looking, smiling couple with great bodies are just a click-bait distraction.  A mouse-over of “OPEN LINK” points to a server in Spain (“.es” = 2-letter country code for España = Spain!)  We asked the Zulu URL Risk Analyzer to evaluate the link and it said that the link was safe.  BUT it also told us that a redirect was waiting on the website in Spain to send us to another website located in Belarus which we found to be malicious.  Sylvia’s email is layer upon layer of malicious intent.

A Big Fat Delete!

[hr_invisible]

[hr_invisible]

Speaking of click-bait, we also found this simple email with the subject “I’m so excited” that seemed to come from the hacked email account of a Comcast user.  It contained a link to a website in Iran (“.ir” = 2-letter country code for Iran)  Zulu had no problem identifying this link as malicious!

From: “leafernb” <REDACTED@comcast.net>
Subject: I’m sö excited
Date: 2017-09-08 03:55AM

I’m sö excited tö tell yöu the latest media, sömething excellent has töök place) Please read aböut it here htp://arvingas-DOT-ir/shake.[LINK REMOVED]

leafernb

[hr_invisible]

We’ve reported in past weeks about random emails inviting the recipient to visit a “new website.”  They have continued, such as this one from a “Margaret Deaton.”  “We’re excited to announce that our new and refreshed website is live.”   The link points to a website in Russia.  Need we say anything more?

[hr_invisible]

ON THE LIGHTER SIDE:  Compensation to You For Being Scammed

We have had more than our fair share of scams!  Finally, someone is offering to compensate us for our losses and grievances!  Miss, Francisca Obiora at the United Bank For Africa is offering us $$ from a compensation fund.  It’s about time!

 

From: Miss. Francisca <usaa@freeway.com>
Subject: Notification from United Bank For Africa (UBA)
Date: 2017-09-09 02:08AM

 

United Bank For Africa Nigeria Plc,
UBA House, 57 Marina, P.O. Box 2406,
Lagos, Lagos State, Nigeria.
Working Hours (Weekdays)
(Saturday) Closed
(Sunday) Closed

 

Notification from United Bank For Africa (UBA)

 

I’m writing to inform you that the Federal Government of Nigeria is keen and very determined to pay your overdue scam victim compensation fund, I would not want you to loose this fund out of ignorance, The Federal Government of Nigeria has deposit your Compensation fund US$1.5 Million United State Dollars with United Bank For Africa Nigeria. The government had a clear mandate to open an online account in your name with the bank and set up an online account that you will use to transfer your fund to any bank account of your choice worldwide.

 

However, the government deposited your compensation funds to United Bank For Africa Nigeria Plc. This bank has finally opened an online account in your name and your compensation fund US$1.5 Million USD has been transferred to the online account that our bank open in your favor, We want you to reconfirm your particulars/Information with this humble bank for further confirmation and verification of these fund in our possession so that you will have access to your online account with United Bank For Africa Nigeria.

Closure/Transfer of Escrow/Sundry Account #: 3079965739

I Mr/Mrs………….. write to apply to your Esteemed bank for the Closure of Escrow Sundry Account #: 3079965739 and Transfer of its proceeds US$1.5 Million USD.

Present contact address as follows:

Full name:
Address:
Country:
Date of Birth:
Age
Occupation:
Direct no.
Email:
Post Code:

 

We need your cooperation as we would not be held liable for the confiscation of your funds if you do not follow the directives of an immediate remittance on before the deadline as stated above.

 

When we acknowledge your application, We will send your online account details, You will login to your online account and proceed with your fund transfer to any bank account of your choice worldwide.

Thank you and remain bless.

Regards,
Miss, Francisca Obiora
Foreign Operation Manager &
Fund Transfer Director.
United Bank For Africa.

Until next week, safe surfing!