THE WEEK IN REVIEW
We would love to say that many online criminals are as lame as the ones who created these two phishing scams. Sadly, our Top Story and overall theme this week is a report to our readers that the criminal gangs targeting us online are more sophisticated than just two or three years ago. This has been a trend we’ve seen coming for many months through the use of very sophisticated deceptive links as well as some deceptive domain names that they register without any fear of being denied or having further questions raised. An example of such a domain used in a phishing scam early in the summer was id-americanexpress[.]com. It was registered in May using a private proxy service and has nothing to do with the real company American Express.
Before we dig into the topic of more sophisticated threats below in both of the Your Money and Top Story columns, let’s enjoy these feeble attempts to phish your American Express and Bank of America account information. In this American Express phish, the criminals thought they were so clever to show an email that appears to come from “amex1[.]com” (which does not belong to American Express) but then entered it incorrectly by including a space. But the real gem comes in that opening sentence and the incorrect use of Capital letters. Finally, the link for the ALL CAPS line “CLICK HERE…” is missing and appeared alongside, clearing showing the reader that it leads to the website viecindore[.]com.
We also received this email from a TDS reader that seemed to come from “Bank of America Alert” (but an Outlook.com email address). “To: You” The email contained only a link, very clearly showing that it pointed to a hacked website for a Pizza shop in Peterborough, UK (United Kingdom). Banks will often offer perks to their clients but we’ve never heard of a U.S. bank offering pizzas in England! Do you think they deliver?
Read our latest feature article about two employees at a company who discovered and stopped a $12,000 scam!
They are our $12,000 Heroes!
[hr_invisible]
[hr_invisible] This Apple phishing email informs you that your Apple ID was used to make an online purchase from a device that was not related to your ID. They ask you to view details. That’s great advice! We, also, want you to view the details of this email… Like the fact that the “from” address doesn’t show “apple.com” after the @ symbol. It shows cybermesa[.]com, a telecom service in New Mexico. And the fact that mousing over the words “View Details” reveals a link pointing to synteracthcrinfo[.]com instead of apple.com. That oddball website is being hosted in Tokyo. This “Recent Order” gets a big, fat delete! Thousands of people who own or maintain websites have generic email accounts that are not part of the big free services like Gmail, Yahoo, Hotmail, and others. We believe these next two phishing scams targeting generic email account holders were created by the same criminal. The first one, with subject line “Unusual Activity Detected,” came from a website called atlasmachineryindia[.]com, a used machinery shop in Bharuch, india. A mouse-over of “Verify Now” reveals that the link points to a shortened link created at the service tinyurl.com. The second generic email phish came through a German email service (“.de” is the 2-letter country code for Deutschland = Germany). “You have (10) incoming e-mails rejected.” The link for “Verify here” also points to a shortened link created at tinyurl.com. The fact that both of these phish used the service tinyurl.com AND were sent a few hours apart, leads us to believe they were created by the same person(s). Just delete. [hr_invisible]
Phish NETS: Apple Notice About Your Recent Order and Your Email Account
As we noted in our opening paragraphs, criminals are getting more sophisticated and obscure about hiding their real criminal intentions in the links they push out to consumers. Take this pre-approved offer to connect with a variety of financial lenders. It appears to have multiple endorsements and come from the real website Guidetolenders.com. However, none of this is true. The “From” address is so obfuscated that it doesn’t seem to provide any hint as to WHO the email came from. (However, the “from” domain is vbwtnmvxld[.]net.) We have also noted many times in the last couple of months that a very sophisticated criminal gang has been misusing Microsoft server links that appear to point to safelinks.protection.outlook.com but there is NOTHING safe or protective about these links. In reality, these links contain obfuscated redirects to malicious domains. Even these redirects can sometimes be dynamic and changing because of a DDNS service (Dynamic Domain Name System) to which they connect! This link redirects from the Outlook server to a domain called ovalable[.]net. It was registered just four days before the email was sent by someone named “Anna Fraser” from “Rural Farm Supply” in Florida. However, ovalable[.]net will further redirect you to another domain, and the final destination, named autorainy[.]com. As you can see below, VirusTotal tells us that at least two online services have identified autorainy[.]com as malicious. Wouldn’t it be wonderful to find lost money left in some unclaimed account by your recluse, great-Uncle what’s-his-name, and you are the only heir? Once again, if you look carefully at this next email, you’ll find many red flags that should raise suspicions about its legitimacy, starting with the “From” address. The email came from the domain vx7uo[.]website which was registered through a proxy service in Panama on September 12, the same day the email was sent. Even the TDS reader who sent it to us commented on the bizarre characters used to create the subject line. The subject appears as “We have found your missing money.” The actual ASCII characters used to create the subject line are “We hAVE F0Und Y0UR MissIng M0neY.” (Note the use of three zeros.) We believe this is an effort to try to get the email through anti-spam filters. The entire content of the email seems credible except for that opening line… “Are You Owned Money?” The links in this email point to LinkedIn’s shortening service. The criminals who created it modified the shortening service during the course of 2 days while we were studying it. You can see below that URLEX found the link first redirected to a domain called gleekplay[.]com. But two days later the shortened link was modified to point to the dynamic domain service called doomdns[.]org. On the day we followed these breadcrumbs, the Zulu URL Risk Analyzer informed us that the doomdns[.]org link will send us to a website hosted in Italy. But we stopped at the virtual border. Before we said goodbye to this crap we grabbed a screenshot of the final destination. It looks like a website designed to phish for LOTS of personal information. After all, you’ll have to prove who you are in order to get Great Uncle Albin’s money and that is likely to mean everything from social security numbers, phone numbers, addresses and perhaps even a bank account. [hr_invisible]
[hr_invisible]
YOUR MONEY: Financial Freedom and Find Money!
One of our readers received two emails about Veterans Association benefits exactly one day apart in early September. Let’s take a look at the first one and see why it has become more challenging to identify why this is fraudulent. To a Veteran, this email appears to be very convincing. It appears to be sent from the domain veteransmortgageservices[.]com, a domain first registered in 2008. This service appears to be legitimate but it doesn’t mean that the email REALLY came from their service. It could have been spoofed. The email claims to have some time-sensitive information about the eligibility of the recipient to receive additional benefits. The email contains the recipients name, email address and home address, increasing the feeling that it is legitimate. Most importantly, look carefully at the link revealed by mousing over “Confirm Your Eligibility.” It is a secure link through a marketing service called Exact Target. Nothing appears malicious or suspicious in this link, especially since the VA service could legitimately be using a marketing company to reach out to Vets. However, that exct.net link actually redirects to a domain called streemerly[.]com. The Zulu URL Risk Analyzer shows that streemerly[.]com is being hosted in Germany. Does this name or location make sense for a website claiming to represent US Vets? Similarly, the second email also appeared to come from veteransmortgageservices[.]com and contained links that used the Exact Target marketing system. The link in this second email redirects the visitor to a domain called brrpost[.]com. Interestingly, the domain brrpost[.]com will again redirect the visitor to the domain veteransvaloans[.]com. Are we wrong about this offer? Is this just a bit of clever marketing by a firm trying to market to Vets? The domain veteransvaloans[.]com seems like it could be legitimate. However, at least two trusted sources, Kaspersky cybersecurity company (see screenshot below) and PhishTank.com, have identified this domain as a likely phishing domain. As we said at the start, it is becoming harder to peel back the many layers of deception to many fraudulent emails.
[hr_invisible]
TOP STORY: Criminals Are Getting Better
[hr]
FOR YOUR SAFETY: For Michael
Last week we reported that one of our readers, named Michael, was getting emails claiming to be from someone he knew, but not from the email address he recognized for this person. The email contained a link that led to malware. Here’s another one he received last week. Notice the casual tone in the note to Michael, AND the odd-ball link to a “.fun” domain. That domain was registered the day before Michael received that email.
Deeeeleeeeete!
[hr_invisible]
Until next week, surf safely!