September 6, 2017

THE WEEK IN REVIEW

Last week we posted a new feature article (Amazon Customer Support… NOT!) after hearing firsthand from a woman who was scammed and emotionally shaken by criminals pretending to be Amazon customer support representatives.  Nearly a week later we visited Google again and searched the following words: Amazon prime customer service number.  Look at the top result Google highlighted from nearly ten million results.  Do you think this is legit?

[hr_invisible]

We sure hope you answered no!  The criminals perpetrating this scam are still successfully poisoning Google’s search results.  If you haven’t yet read our article, you should.

In this “back to school” season the most prolific criminal gang pushing out malicious emails is once again using scare tactics dressed up as possible pedophile activity in your neighborhood.  Don’t fall for this alarmist crap! It is dangerous click bait. “You are receiving this email because there may be a risk of Sex Offender activity in your area.”  The email is disguised to look like it comes from the company “Kids Live Safe” in Santa Barbara, CA.  However, the links in the email point to the domain uirteem-DOT-online.  This domain was registered the day before the email was sent (a sure sign of a throwaway domain), by someone named “Terri Nortan” from American Samoa.  The website is being hosted on a server in Năvodari, on Romania’s Black Sea coast.

By the way, before you consider visiting the real “Kids Live Safe” website and signing up for their services, you might want to read the 30 one-star reviews posted on hiya.com (plus two five-star reviews, possibly planted there).

[hr_invisible]


Sample Scam Subject Lines:

Are You Covered? Extend Your Vehicle Coverage Today!

Are You Online? Browse Mature Singles In Your Area!

Comfortable Belt That Fits Everytime

Does your military service qualify you for special government programs?

Fw: media on the offer

I contacted you after a serious thought

Improve you fuel economy in a used car

Invoice

Government Programs Reduce Monthly Mortgage Payment?

Read PRIVATE MESSAGE of Josephina Tien

Thanksgiving savings on new heaters & furnaces

Why Are So Many Guys Loving Harry’s?

Yahoo what do you consider about this stuff?

 

 

Sample Scam Email Addresses

“Amazing Hybeam” <flashlight @ flashlight.com>

AIG Direct Insurance <AIGDirectInsurance @ werdsk.faith>

“Diabetes-Loophole” <Diabetes_Loophole @ groupjck.us>

drivecar @ drivecar.com

Firearms Gun Holster <FirearmsGunHolster @ jdesde.date>

“Google MCV Award” <google @ postmaster.co.uk>

HARP REFI QUIZ <HARPREFIQUIZ @ kfdwsh.date>

LendingTree Partners <LendingTreePartners @ last2make.date>

Match.com <Match.com @ jerdsw.online>

My Shed Plans <MyShedPlans @ utreds.date>

NextPaydayAdvance <NextPaydayAdvance @ ertdsa.date>

“Proflight-Simulator” <Proflight_Simulator @ noliedib.us>

“Used Car Options” <usedcaroption @ caroption.com>

 

 

[hr]

[hr_invisible]

Phish NETS:  Regions Bank, LinkedIn And A Basket of Apples!

Once again, many phish in this week’s sea of scams.  Let’s begin with this phish targeting mobile users of Regions Bank, a bank with more than 1700 locations in fifteen states. “Dear Client, You’re required to verify your online security…” says an email that came from posts.com, not from Regions.  A mouse-over of the link “Verify access here” reveals that it points to a website in Italy.  We followed that breadcrumb and found it hosting a phishing page built to look like a phone app window, aimed squarely at smartphone users. (See below.)  Ouch! By the way, it is very hard to check where a link really goes on a smartphone: there is no mouse-over, and the address bar is tiny or hidden.

DELETE!

[hr_invisible]

We rarely see phishing scams targeting LinkedIn users but caught this one, sent from the email address emailing @ rettsstat.org.  “Please confirm your email address.”  The link points to a website hosted in Saudi Arabia (two-letter country code: sa).

We found more phishing scams targeting Apple account holders than we have space to show!  Here’s a basket of rotten Apples.  This first one was the most sophisticated, with a spoofed sender’s email address that looks like a real Apple address.  However, in addition to the fraudulent link revealed by a mouse-over, read the email carefully and you’ll notice the awkward English.  The links for both “Log in here” and “appleid.apple.com” point to a phishing site on a LOOOOONG domain name meant to trick you into thinking it belongs to Apple: “Reminder-onlinesupportall.mail-apple-id.apple.com-service-online…..”  Notice that “apple.com” sits in the middle of that name.  Only the rightmost part of a hostname (the registered domain, just before the first slash) says who owns a site, and here it isn’t Apple.  As phony as a $3 bill.

[hr_invisible]

Then there is this supah-lamo email that won’t fool anyone (we hope)!  In fact, we’re not quite sure what the heck it’s asking! Can you?

[hr_invisible]

And then there was this phish about phish!  It targeted Apple Global Service Exchange users. (The Global Service Exchange, or GSX, is Apple’s global repair service for techs and service providers.)  It looks like it came from Apple but had a Gmail reply-to address.  Also, the attached .shtml file is dangerous to open because of the script it may contain.  We cracked open the file and discovered that all the credentials it collected from GSX members would be sent to the domain 2285ng-DOT-com.  This odd domain was registered on August 29, 2017 by someone in Hong Kong, and it is being hosted in Panama.  Sound like Apple to you?

[hr_invisible]


YOUR MONEY:   Texting Neck, Amazon Pre-loaded Card, and Key Smart

Do you have “texting neck?”  This syndrome is real, but the email below is not.  If you are looking for real information about this syndrome, caused by continued and prolonged head tilting to look at your smartphone, there are many credible sites that explain it and how to deal with it.  Just don’t believe this click bait from TEXTINGNECK @ qwpoitr-DOT-date.  The domain was registered on August 30 by someone supposedly from Connecticut but using an email address at Yandex.com, a Russian email service.  The site is being hosted in Hamburg, Germany.

A big, fat delete.

“Time to unlock your Amazon pre loaded card” says an email sent by Courtney from sportsclubav-DOT-com.  The real SportsClubAV-DOT-com, located in Lancaster, California, closed its business in early October, 2016.  We’ve found these bogus emails being generated from the online gun-of-a-website called FakeMailGenerator-DOT-com.  Read our Top Story posted on November 16, 2016 about this dangerous website, routinely used by criminals to target you.  It is titled “Leaving a Gun on the Coffee Table.”  And then delete.

 

“Say Goodbye Ancient Key Ring”  Any email that comes from a domain name ending in DOT-date is very suspicious and likely malicious, like this email from TheOriginalKeyOrganizer @ keylowchain21-DOT-date.  This email does not represent the real KeySmart product people.  It’s just another wolf in sheep’s clothing.

[hr_invisible]


TOP STORY:  Invoice Receipt for Your In-App Purchase

This email came to us via a very sharp-eyed reader over 65. Technically, this is just another phishing scam.  However, it was crafted very differently than any other phishing scam we’ve seen and thus worthy of your attention.  Let’s begin with this email from “Order Information” received by one of our readers.  “Dear Customer, This is an automated email generated by the computer.  We want to let you know if you have purchased an item, if it is not you please cancel and enter your computer data but if you do ignore this message.  thank you by ApplePurchase.”  And attached to this email is a Word document.

[hr_invisible]

Of course we expected that Word document to carry a virus or malicious script but were surprised to find that it didn’t.  It was as clean as a whistle!  So we opened it!  As you’ll see below, we are looking at an invoice for the purchase of an app called Bigo Live.  (Bigo Live is a live web-streaming app similar to the “old” website Chatroulette.)  Here’s a sad review supposedly posted by an 11-year-old on Apple’s site recently about this app…

“Crap by Jade_865

This app is stupid with the most pedifloes in the world they will just u and kill u this app is terrible I do not recommend this no one should be on this I got in big trouble for being on this app and I’m 11 and no on should be on this even if u are 17 or not don’t ever go on this and if anyone gives a good review on is a creep and a pedifole every on one here is stupid and should go to jail”

What Jade is referring to is the fact that some men use video chat apps like this to expose themselves to strangers across the Internet.  However, the value or inappropriate use of this app isn’t the point, is it?  The invoice is another form of click bait.  A curious recipient is likely to click one of those three links.  All of them point to the website bit-DOT-do and a path called payment-information.  Bit-DOT-do is a link-shortening service, so “payment-information” is only a label; the shortener will forward you to some other website whose address you cannot see from the email.

[hr_invisible]

Using Screenshot Machine, we followed the breadcrumbs to their final destination just to confirm what we already knew…
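How to follow that breadcrumb trail yourself, without a browser and without letting anything auto-follow: the Python below is an example added here, not The Daily Scam’s or Screenshot Machine’s code.  It records each Location header instead of following it blindly, so the whole chain is visible, and it stops on a loop or after a fixed number of hops.  The redirect table it runs against for the demo is constructed: the bit-DOT-do path is the one from the email, the hosts after it are made up, and a real run would pass http_fetch against the live sites (from a sandbox, since the request reveals your address to whoever controls the link).

```python
"""Expand a shortened link one hop at a time, without a browser and without following
redirects blindly.  Example code added to this article (not The Daily Scam's tool or
Screenshot Machine); the redirect table used for the demo is constructed."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None tells urllib not to follow a 3xx; the response surfaces as HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str):
    """One HEAD request; returns (status, Location header or None).  Live network call:
    run it only from a sandbox, since it reveals your address to whoever runs the link."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # with NoRedirect every 3xx (and any 4xx/5xx) lands here
        return err.code, err.headers.get("Location")


def expand(url: str, fetch=http_fetch, max_hops: int = 10):
    """Follow Location headers from `url`; returns (list of hops, final status code).
    Stops on the first non-redirect, raises on a loop or after max_hops."""
    chain = [url]
    while True:
        status, location = fetch(chain[-1])
        if not (300 <= status < 400 and location):
            return chain, status
        nxt = urljoin(chain[-1], location)  # Location may be relative to the current hop
        if nxt in chain:
            raise RuntimeError(f"redirect loop at {nxt}")
        if len(chain) >= max_hops:
            raise RuntimeError(f"gave up after {max_hops} hops")
        chain.append(nxt)


# Constructed redirect table standing in for live responses: the bit.do path is the one
# from the article, the hosts after it are made up for the demo.
DEMO = {
    "http://bit.do/payment-information": (301, "http://track.example/go?id=7"),
    "http://track.example/go?id=7": (302, "/appleid/"),
    "http://track.example/appleid/": (200, None),
}

if __name__ == "__main__":
    hops, status = expand("http://bit.do/payment-information", fetch=lambda u: DEMO[u])
    print(" -> ".join(hops), f"(final status {status})")
```

Two caveats for live use: some servers refuse HEAD (a 405), in which case switch the method to GET; and a landing page that redirects with a meta-refresh tag or JavaScript returns 200 here, so the body of the last hop still needs a look before you call it the final destination.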

[hr_invisible]

The end of this rabbit hole is an Apple ID look-alike site.  A phish.  A clever piece of social engineering designed to lure you into revealing your Apple account credentials.   With those credentials, criminals can steal some easy money.  And if they are really lucky, and you reused that password elsewhere, they can use it to get into other accounts you own.

Virustotal.com informs us that one engine had already flagged the bit-DOT-do link as malicious.  Hopefully others will follow suit soon.

[hr_invisible]

[hr]

FOR YOUR SAFETY:   Invoice and Encrypted Message

“Attached is a Estimate/Invoice”  Fortunately, even Google recognized that this email attachment contained a virus.  This was sent to us by a TDS reader who works for a small business.  She said she sees many of these every week.

[hr_invisible]

Can PDF files contain malware?  YOU BET THEY CAN!  Take this email with the subject line “Encrypted Message CD 09/02”  “Good Morning, Please view the Closing Statement, Closing disclosure ,Payoff Statement…”  The attached file, named CD.pdf, is malicious.  Don’t take our word for it; we asked Virustotal.com to have a variety of engines scan the PDF.

[hr_invisible]



ON THE LIGHTER SIDE:  I Am Mr. Rex W. Tillerson

We hear from so many famous people that we think we’re special.  Yes, even Rex Tillerson reached out to us while taking a moment from his busy day.  It’s a long email filled with lots of information but in the end we know we’re due for a big pay out!  Being the empathetic and loving souls we are, we wrote back to Mr. Tillerson and told him to donate the entire $1.85 million to Harvey victims in Texas.  We’re still waiting for a response.

 

From: “U.S Department of State” info@staff.ua  [TDS NOTE: DOT-ua is the two-letter country code for Ukraine, not the United Arab Emirates]
Subject: U.S Department of State|
Date: 2017-09-01 10:58AM

U.S Department of State
2201 C Street NW
Washington, DC 20520.

Your ATM Visa Card Will Be Shipped Through USPS To Your Address

I am Mr. Rex W. Tillerson, United States Secretary of State by profession. This is to inform you officially that after our investigations with the Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA) and other Security Agencies in the Country for the year ended 2016 and 2017, we discovered that you have not yet received your over due fund.

I have made it my first point of call since taking office to settle all Outstanding Payments accrued to Individuals or Corporations with respect to local and overseas contract payment, Debt Rescheduling and Outstanding Compensation payment.

This is to make sure all Outstanding payments are settled beginning of this fiscal year 2017. On Behalf of the entire staff of the U.S. Department of State and the United Nations in collaboration with World Bank, we apologize for the delay of your contract payment, Winning or Inheritance funds from most of African Countries and all the inconveniences you encountered while pursuing this payment. However, from the records of outstanding beneficiaries due for payment with the U.S Secretary of State, your name was discovered as next on the list of the outstanding payment who has not yet received their payments.

Note that from the record in my file, your outstanding contract payment is $1,850,000.00 USD (One Million, Eight Hundred And Fifty Thousand United States Dollars) loaded in an ATM Visa Card that allows you to make a daily maximum withdrawal limit of $5,000 Five Thousand Dollars).

I have your file here in my office and it says that you are yet to receive your funds valued at $1,850,000.00 USD (One Million, Eight Hundred And Fifty Thousand United States Dollars). This Funds will now be delivered to your designated address or your preferred payment option.We have perfected all modules on how to bring this fund to your house without any problem, but be aware that United Nations and the United States Government has only authorised my office to release the Sum of $1,850,000.00 USD to you as true beneficiary of the Fund.

Note that your loaded ATM Visa Card will be mailed to you through Priority Mail Express (USPS) to your designated address immediately you admit full compliance to this email. Due to my busy schedules You are advised to kindly get in contact with our correspondent Mr. Harry White with the below details enclosed to help ensure safe mailing of your ATM Visa Card:

Your Full Name:
Your Contact House Address:
Name of City of Residence:
Country of Residence:
Direct Mobile Telephone Number:
ID Card, DL or Passport Copy:
Age and Occupation:

Contact Mr. Harry White immediately by replying to this email or emailing the address below:

Name:                 Mr. Harry White
Email:                 wmrharry@gmail.com
TELEPHONE:      (509)-955-1619

He is obliged to treat your case with utmost urgency as soon as you contact him and fill out your correct details including all reachable phone numbers for him to get in touch with you via phone and email.

NOTE: Every documentation proof for your fund have been packaged and sealed to be mailed together with your Visa Card to your address. Therefore, the only obligation required of you by the laws of the Government of United States and the financial Monetary Policy of the Supreme Court, states that; you as a beneficiary must officially obtain the irrevocable LEGAL STAY OF PROCEED from the Supreme Court of USA, as a means to justify the legitimacy, transparency and clean bill of funds from USA so that by the time your funds gets to you, no authority will question the funds as it has been legally certified free from all financial Malpractices and facets. The LEGAL STAY OF PROCEED is valued at a cost of ( $320) please take note of that.

As soon as the above mentioned $320 is received, The LEGAL STAY OF PROCEED will be secured on your behalf immediately. I need all the compliance that I can get from you to ensure we get this project accomplished. Personally, I am very sorry for the delay you have gone through in the past years. Thanks for adhering to this instructions which are meant for your sole benefit, once again accept my congratulations in advance.

Thanks for your cooperation as your quick response to this email notice with adherence to the above instructions is highly anticipated.

Yours Sincerely,
Mr. Rex W. Tillerson.

Until next week, safe surfing!