September 25, 2019

THE WEEK IN REVIEW

It’s hard not to notice an increase in the numbers and types of employment scams that have targeted people in 2019 when compared to 2018, and especially compared to 2017.  Below is an email that came into one of our honeypot accounts. It’s important to note that we don’t have an account on CareerBuilder.com. The position we’re asked to apply for is “Package Manager” but no business name is given and the email came from a Yahoo account in Japan. We’ve written in greater depth about these “package reshipping” scam jobs here.

 

 

Another nasty scam that keeps turning up in our inboxes is the “I’ve installed malware on your computer and recorded you masturbating. Pay me money” scam! We’ve received at least six similar emails in the last year.  They rely on scare tactics to trick someone into believing that they are true, when in fact they are lies. There is no malware installed on your computer, and no recording of you.

Big fat delete!

 

 

Finally, if you live in the U.S. and had a Yahoo account between 2012 and 2016, you may be entitled to free credit monitoring, a $100 settlement, or more if your circumstances warrant it.  You can read about the recently announced settlement in this article from Digital Trends, and visit the claims website at www.YahooDataBreachSettlement.com


Phish NETS: Fully Registered Loan Agency

We didn’t capture any phish in last week’s sea, nor did we get any phish from our readers.  Instead we’ll use this week’s column to point out some things about some very likely phishing lures.  These are emails from services that claim to offer low interest loans. We get them all the time, in our work, personal and honeypot email accounts.  We can’t be alone in this regard. Take a look at this email from “Tony Fisher” who claims to represent the company called International Finance Corporation LTD.  

It takes just a few minutes to poke many holes in the credibility of his email and demonstrate that it is fraudulent.

  • Google shows that the domain of the company he claims to represent is intfico.com, but that’s not the domain Tony used in his email.  He’s given us 3 email addresses to use for contacting him.  One is a Gmail address, another is an email server in Romania (.ro = country code for Romania) and the 3rd is an email server that is often associated with scams (such as a dozen emails listed on 419scam.org.)
  • We used the “site” command to search the real company’s website (intfico.com) for both Tony Fisher and the telephone number he offered and found nothing at all.
  • The address listed in Tony’s email does not match the address listed in London on the website for International Finance Corporation LTD.

 

 

So what’s likely going on in this scam from “Tony Fisher?”  Our best guess is that it is a scammer phishing for lots of personal information.  Just imagine what kind of detailed information you’ll be asked to provide when applying for this loan!


YOUR MONEY: Save on Printer Ink and Big Red Buttons – Costco and Netflix Surveys

This next email is nothing new.  It claims to represent the ink service called 1ink.com, and offers a super sale on ink and toner cartridges.  But the email came from the scary domain called “poep.monster” and links in this email point back to this domain as well.  That devilish domain was registered on September 15, the day before we got this email.

Step away from this scary fellow!

 

 

 

We couldn’t help but notice how similar these next two emails were, starting with the big red button asking you to “Start your survey here.”  The Costco survey request offers a gift card valued at $250 while the Netflix survey request offers a free full year of Netflix. And neither email came from the businesses they claim to represent.  One came from the domain jobsinyourarea[.]com and the other came from resourcesinyourarea[.]com, five days later.  Both list the same address in Chicago, an office building found on West Lake Street.

ScamAdvisor.com tells us that the “trust rating” of both websites, jobsinyourarea[.]com and resourcesinyourarea[.]com is ZERO and advises CAUTION!  That confirmation is all we needed to lunge for the delete key! (Reminder: Don’t click the unsubscribe buttons in emails like this!)

 

 

 

 


TOP STORY: How the Best Can Be the Worst!

People are very used to seeing website domain names that end in “.com” “.org” and “.edu.”  These endings are called Global Top Level Domains or gTLDs.  In the earliest years of the Internet, from the mid-1980s to the 1990s, there were effectively only six gTLDs: com, org, net, edu, mil, and gov.  Each of them had certain rules about how it could be used. For example, “.gov” is still ONLY used for websites that represent the United States Government and “.mil” ONLY for websites representing the United States military, while “.edu” used to represent any educational institution but since the early 2000s can only be used by colleges and universities. (Wikipedia has a list of the earliest registered domains, organized by type of gTLD. For a brief history of Top Level Domains, visit this article at InstantDomainSearch.com.) Several years into the massive growth of the Internet, more gTLDs were added such as “.info” “.tv” and “.biz” but the number of gTLDs available for use in 2001 was still only about twenty.

During the last few months of 2013, ICANN released dozens of new global top level domains for the public to use. (ICANN, the Internet Corporation for Assigned Names and Numbers, is solely responsible for making gTLDs available for use.)  By 2015, more than 500 new gTLDs were released and by 2017 the number was more than 1000. In August, 2014, The Daily Scam launched our blog. In less than a year we noticed that cybercriminal gangs seemed to be the only purchasers of many of these new gTLDs and legitimate businesses simply had little interest in them. For example, we found hundreds of malicious domains that ended in “.top” “.work” “.website” and “.click.” The Top Story of our March 11, 2015 newsletter was about the serious misuse of the gTLD “.science” and our recommendation to readers was to delete any emails that came from a “.science” domain.  These less-used gTLDs are generally cheaper to purchase than a “.com” or “.org” so we believe that cybercriminal gangs are simply trying to spend less money in their effort to target netizens.  We raise this point again because we’ve noticed another increase in malicious emails that are using an obscure global top level domain first released by ICANN in February, 2014. It is “.best.” Clicking any of these “best” gTLDs can lead to the worst problems as a result of a malware infection! Check out these three examples, two about health topics and one about a “do-it-yourself” project.

 

 

 

 

 

Each of these 3 domains was registered as a “.best” gTLD less than a day before the email was sent.

  • Osteore[.]best was registered in India on 9/16/19
  • Culaunex[.]best was registered in India on 9/19/19
  • Motorin[.]best was registered in India on 9/17/19

Of course, the implication is that a cybergang in India is responsible for these threats. Each of these websites seems to operate in a similar way.  We believe that when you click the link, you’ll pay a brief visit to the “BEST” domain where you’ll be infected with malware and then you will be redirected to another website related to the topic presented in the email.  For example, the email from culaunex[.]best claims to be about a method to burn fat and boost metabolism.  It was found to redirect visitors to a domain called “fat burning fingerprint DOT-com.”  The Zulu URL Risk Analyzer also rated it as having an 80% chance of being malicious.

 

 

The same rating was given to motorin[.]best which was also found to redirect visitors to a do-it-yourself website called DIY Magic Machine DOT-com.

 

And so our advice, once again, is to stay away from these “best” websites!  We think they are the worst sites for you!
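The warning signs described in this story and in the ink-cartridge email above (an obscure gTLD, a domain registered only a day or so before the email arrived, and a sender domain that differs from the brand named in the email) can be checked mechanically. The following Python sketch is an added example, not part of the original newsletter; the watch list, the 7-day threshold, the function names, the received dates for the “.best” emails and the example.com row are assumptions, and in practice the registration date would come from a WHOIS lookup.

```python
from datetime import date

# Watch list built from the gTLDs this newsletter reports as abused
# (a local policy choice, i.e. an assumption).
WATCHED_TLDS = {"best", "monster", "science", "top", "work", "website", "click"}
MAX_AGE_DAYS = 7  # assumed cut-off for "freshly registered"

def normalize(domain):
    """Lower-case a domain and undo the [.] defanging used in reports."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def same_org(sender, claimed):
    """True if sender is the claimed domain or one of its subdomains."""
    return sender == claimed or sender.endswith("." + claimed)

def triage(sender, received, registered, claimed_brand=None):
    """Return the list of warning signs for one message."""
    sender = normalize(sender)
    reasons = []
    if sender.rsplit(".", 1)[-1] in WATCHED_TLDS:
        reasons.append("watched-tld")
    age = (received - registered).days
    if 0 <= age <= MAX_AGE_DAYS:
        reasons.append(f"new-domain({age}d)")
    if claimed_brand and not same_org(sender, normalize(claimed_brand)):
        reasons.append("brand-mismatch")
    return reasons

# Registration dates are the ones quoted in this newsletter. The received
# dates for the .best domains and the whole example.com row are constructed.
SAMPLES = [
    ("poep[.]monster", date(2019, 9, 16), date(2019, 9, 15), "1ink.com"),
    ("osteore[.]best", date(2019, 9, 17), date(2019, 9, 16), None),
    ("culaunex[.]best", date(2019, 9, 20), date(2019, 9, 19), None),
    ("motorin[.]best", date(2019, 9, 18), date(2019, 9, 17), None),
    ("mail.example.com", date(2019, 9, 18), date(1995, 8, 14), "example.com"),
]

def report():
    """Map each sample sender domain to its warning signs."""
    return {row[0]: triage(*row) for row in SAMPLES}

if __name__ == "__main__":
    for domain, reasons in report().items():
        status = ", ".join(reasons) or "no flags"
        print(f"{domain:20} {status}")
```

A message that trips two or more of these checks is a good candidate for the delete key or for quarantine by a mail filter.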


FOR YOUR SAFETY: You Might Appreciate This

A social media trick that has been targeting people for many months recently hit one of our spouses through Facebook Instant Messenger.  Fortunately, she was savvy enough not to click the link and instead asked us what we thought of this message that came to her from a friend.  “OMG Are you in this video?” A simple enough question but in this case it is an effective social engineering trick leading to her account becoming compromised and infected.  Even the Better Business Bureau has a web page warning about this scam:

    BBB.org warns of social media scam “Is this you?”

 

 

Until next week, surf safely!