September 5, 2018

THE WEEK IN REVIEW

We are always grateful to hear from our readers, and often surprised by the scam texts, emails and stories they share with us.  In last week’s Top Story we described a deceitful marketing campaign that some marketer is using to promote their clients’ websites.  In that story we “outed” a fake Library called Sutter Library and a fake librarian and mother named “Henlee Phillips” who sends email requests on behalf of her son, Elliot.  After that story ran, we received an email from a school who received a similar email request from “Henlee Phillips” on behalf of Elliot. This time “mother and son” were working on math skills and wanted the school to post a link to a math guide found on the website of a small university in Missouri.  More deceitful marketing BS…

It is important to remind readers that criminal gangs will use subjects and language that is designed to generate an emotional response from their targets to generate a click.  Resist the urge to click! Be skeptical about the content that is sent to your devices! Here’s a perfect example. This recent email landed in a school employee’s inbox with the headline “Child Predator Risk Warning.”  We don’t believe this was a coincidence that the recipient works at a school. The email is a warning about sex offender activity in the employee’s area. Of course it is total click-bait and leads to malware.

The crap domain that the email came from, and links point to, (kdslvesfe653[.]xyz) was registered on the day the email was sent (August 30, 2018) by an organization called “prozoned” in India.  There’s a forwarding script waiting for you on that website that will send you to another website we have already identified as malicious (compsabid002[.]com).  It’s worth noting that the global top level domain used by this criminal gang is xyz.  We have never, ever seen a legitimate use of the gTLD “.xyz.”

Read our latest feature article about an attempted extortion: Phone Malware Recording You

[hr_invisible]


[hr_invisible]

Phish NETS: Schwab Brokerage Account, USAA Bank, Bank of America, and American Express

“Review Alert” “During your last review, One or more of your account profile was entered incorrectly.”  The capitalization and grammatical error in this sentence suggests that English is not the sender’s first language.  The email may say “From Charles Schwab” but our readers know that the only thing that matters in the “from” address is what appears after the “@” symbol.  “John[.]com” is not Schwab.com!  Can you figure out what country the link for “Sign-On To Review” will send you to? (Look for the 2-letter country code in the link!)  We’ll give you a hint… When you travel there be sure to go during Carnival and also find time to visit the rain forests!

USAA Bank account holders get targeted a lot by phishers.  This phishing email appears to have been sent from an address at Boston University (bu.edu).  Check out the upper right corner informing you of the last 4 digits of the account! Like the phish above, the link associated with “Sign-On To Approve” points to a website in Eastern Europe.  See the 2-letter country code… “.cz.”  Cz is for the Czech Republic!

Another TDS reader sent us this phish disguised as a Bank of America alert.  However, the amateurs who created it messed up their scam link. We think they tried to make the link appear as bankofamerica.com but then point to a different website.  Instead, they messed it all up. They dropped the .com so the link is broken and points to bankofamerica WITHOUT any global top level domain such as .com.  Find the grammatical error in the email.

It isn’t too hard.

This phish disguised as an American Express email was also sent from an email address in Brazil.   We didn’t get a functional link from the reader who sent it, but you get the idea.

Deeleeete!

[hr_invisible]

[hr_invisible]

YOUR MONEY:  Kroger Secret Shopper

We’re finding a number of old scams are being resurrected lately, including the “secret shopper” scam.  These are just variations of the advance check scam that requires the recipient to deposit a fake check and then wire his or her REAL money to the scammer.  For some reason, Kroger’s grocery store is the most common company that criminals pretend to represent for this scam. Check out this job offer that was correctly spoofed to appear as though it came from the very real kroger.com.  Everything about this email invitation seems reasonable except for one critical point.

Can you spot it?

A mouse-over of “Join Us” shows that it points to a website called trustecono[.]com, not kroger.com.  This domain was registered in 2016 by a marketing company located in Beirut, Lebanon called Smart Online Marketing.  Kroger, on the other hand, is headquartered in Cincinnati, Ohio and the domain was registered in 1993.  When you arrive on trustecono[.]com you’ll be asked to apply by first providing personal information starting with basic information.

We’ve wrtten about this scam multiple times before, including our feature article Secret Shopper Scam.  Other articles have included these previous newsletters:

http://www.thedailyscam.com/september-20-2017/

http://www.thedailyscam.com/october-18-2017/

[hr_invisible]

[hr_invisible]

TOP STORY:  Take a Survey for Rewards

Social engineering of your Internet and smartphone behavior happens in hundreds of ways from legitimate businesses, marketers, and criminals alike.  One of their most often used manipulative tools is to offer money or other rewards for the completion of an online survey. The fact that surveys are frequently used by legitimate pollsters and marketers, (though annoying) means that fake surveys that are malicious mimics are very effective ways to target people.  This technique occurs in the natural world in reverse and is called Batesian mimicry.  In Batesian mimicry a harmless animal, such as a butterfly, has evolved an appearance that is very similar to a poisonous butterfly.  Predators who have learned to avoid the poisonous butterfly will also avoid the harmless mimic. Nice survival trick!

In a kind of reverse Batesian mimicry people become so used to taking surveys (or being asked to take surveys) that they may not look too discriminately when asked to take a survey.  Especially when that survey offers to pay them for their effort. Here is a recent survey sent from dealessentials[.]biz that offers “at least $50” in Amazon product rewards.  Let’s look more closely at this mimic…

  1. The domain dealessentials[.]biz was registered in October, 2017 by someone using a private proxy service in the Bahamas.  The domain is being hosted on a webserver in Chisinau, Moldova.
  2. The “From” address starts with Amazon.com but the actual email address of the sender is clearly NOT from someone at Amazon.com.
  3. Links in this email point to a VERY LONG link created through the link-shortening service called ow.ly.  Why would Amazon hide their link through another company’s link shortening service?
  4. According to the Better Business Bureau, the only business located at the address in Newhall, California found at the bottom of that email is a service called “Russian Beauty Online!”  And, for what it’s worth, this Russian business has an “F” rating, along with several customer complaints. Big surprise.

We used some tools to investigate that link through Ow.ly to see where it might lead and the results are unequivocal… Malicious files found!

Just a few days after getting that Amazon survey mimic, we received a survey that appeared to be from Costco with the subject line “Final Notice: Costco Survey Offer expiring soon!”  Once again, you are invited to participate in a survey and receive an offer worth over $50. But hold on dear reader! Look at the text that appears AFTER the “@” symbol of the sender:  jZKLv[.]barn[.]perkpoor[.]com.

Perkpoor[.]com?  A WHOIS lookup of this oddball domain shows that it was registered not by Costco, but by someone named “Cameron Peake” from New Mexico in February, 2018.  Also, this oddball domain is hosted in Tula, Russia. And the links in that Costco survey SEEM to point to an address at Outlook.com but in reality they don’t.  We wrote about this misleading link coding two weeks ago in the “Your Money” section of our August 15 newsletter.

Our general advice, avoid surveys altogether.

[hr]

FOR YOUR SAFETY: View All Invoice Documents

Despite the contact information, we’re pretty confident that the Vero Beach Canine Country Club was not responsible for sending this “Invoice Document.”  A mouse-over of the link “VIEW ALL DOCUMENTS” points to a very unique link we’ve never seen before… sipsofwellness-DOT-icu.   Apparently, this new global top level domain was made available by ICANN in May, 2018.  We’re likely to see more malicious domains ending with “.icu.” As for this one at sipsofwellness, the review by VirusTotal.com is crystal clear.  MALICIOUS! This domain was registered on August 26, using a private proxy service in Pakistan.

[hr_invisible]


Until next week, surf safely!