THE DAILY SCAM NEWSLETTER — JUNE 2, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 354


THE WEEK IN REVIEW

In this week’s Top Story, we’ve got a story to tell you that surprised us! (We’re not easily surprised.)  We bet you won’t see the end coming until it hits you!

As you see in our Phish Nets column every week, phishing scams have increasingly turned to the simple trick of thanking you for your purchase of something YOU KNOW you didn’t buy!  You’re informed of the cost, usually many hundreds of dollars, and that it will be shipped out soon.  BUT, if there is a problem with this order, you can call the scammer’s phone to cancel it.  Yeah, right. We’ve learned two important things from our own efforts, and the stories told to us by many TDS readers who have called these scam numbers. 

  1. The cybercriminals almost always have an Indian accent.  (Sometimes people also hear many people in the background when the scammer pauses, indicating he is in a call center of many scammers.)

  2. The scammer ALWAYS tries to give you a reason WHY it is necessary for you to download software that will allow him to access and control your computer remotely.  This is YOUR GREATEST THREAT and how the scammer can do the most damage to you!  In this effort, we’ve learned that the applications they most often want you to install include:

    • AnyDesk software from anydesk.com
    • TeamViewer.com
    • RemotePC.com
    • LogMeIn.com

If you make the mistake of calling a phone number found in a suspicious email, or one shown in a pop-up on your computer informing you that you have a virus or malware problem, and the person you speak with wants you to install software so he can access your computer, HANG UP!

During this past pandemic year, in which millions of people across the world lost their jobs, cybercriminal gangs have greatly increased their number of employment scams. To a victim of such a scam, this is pain on pain! The great majority of these scams are just a form of “advance check” scam.  The check will bounce, after you’ve sent your hard-earned money to the scammers for one of many pretenses. We’ve heard from many people who have been targeted by these blood-sucking monsters.  A very recent employment scam reported to us on May 27 came from a man we’ll call “Mateo.” 

Mateo received an invitation to apply for a job as a “Procurement Manager” from someone identified as Marta Weber who represented a company called Baumann Schulz Import. (Marta’s email is us@baumann-schulz-import.com) Marta Weber sent Mateo a long detailed description of his duties and how the company expected him to use HIS personal credit card to pay for things and that he would be reimbursed.  Mateo saw through this fraud.  The reason we mention this particular fraudulent company is because the domain, baumann-schulz-import.com, was registered in early July, 2020 and has a bogus website.  This suggests that this scam has been going on for nearly a year, and no one has been able to shut it down.  We’ll be sure to work on that!
Notice in this screenshot that this company says they have been in business since 1990! Through a Google search, we’ve found multiple websites showing that this company was first registered in July, 2020. (e.g. OpenCorporates.com) It didn’t exist prior to this date! We’ve also found LOTS of people describing this scam on ScamPulse.com. Finally, this bogus company is also called Baumann Schulz Import Export USA LLC, Baumann Schulz Export USA LLC, and Baumann & Schulz Import-Export GmbH.  (This scam company is NOT the same as the legitimate shipping company in Texas called Schulz USA Inc.)
 


 

Our advice is pretty predictable…

  1. Any job in which you have not, or can not, video chat or speak in person with the people who are hiring you IS A SCAM! PERIOD! Try insisting on a video chat and see what excuses the scammers give!

  2. Any employer who is willing to hire you after only a text-based exchange, and without checking your references, for a job they say will pay $50,000 or more per year, IS A SCAMMER!

With this perspective, we invite you to enjoy this invitation from “Michael Henry” via text to one of our readers.  The recipient was invited to apply for a job as a “Whole Foods Market store Evaluator.”  This unique position required the person to purchase gift cards at Whole Foods, scratch them and send the numbers back to Mr. Henry! You know, your average job.



Finally, enjoy this phone message recording that threatens to have you arrested unless you call 501-215-8870 to clear up the problem!


Daily Scam Home Page

 

PHISH NETS
Chase Bank, Paypal, and Amazon

We’ve seen these kinds of phishing surveys for many years.  This one pretends to be a Chase Bank questionnaire.  Why would a bank questionnaire come from the domain HollywoodActorsGuide[.]com!? And don’t be misled by the statement “this is an independent survey.”


 

Check out the screenshot we took from this Hollywood website (see below) and notice the pressure for visitors to get started immediately!

  • “Supply is extremely limited so act fast…”

  • Bottom page timer saying that “Offers could expire in…” We were given 7 minutes.  (If you wait the full 7 minutes for the offers to expire, the counter just starts over again at 7 minutes!)

Don’t believe those bogus “been verified” reviewers!  They are all fake. If you have any doubt whatsoever, look at the next screenshot for another survey webpage we found at “RealSurveyClub[.]com.”  It contained the EXACT same fake quotes as those on HollywoodActorsGuide[.]com but with different names and photos applied to the quotes.  We found several additional sites with these fake reviews by searching for the quotes from these “verified” reviewers!  This included fake reviews for two Tostitos products on Amazon from a seller called “Off the Beaten Path” as well as a review on a free website service called Blogspot: xdi123.blogspot.com. (As of May 29, Amazon has removed nearly all of the reviews from the vendor of these Tostitos products.)






 

Below are two different PayPal phishing scams sent to us by TDS readers. Both were sent from generic Gmail accounts. The first was a supposed purchase made through Sears, for $739.95. (According to Brostocks.com, there are still about 37 Sears stores in operation around the US.) Fortunately, “if you wish to void the charges please connect with our Support Team Executives,” otherwise known as “Scam Team EXPLETIVES,” at 812-226-4194.


 

The second PayPal phish informs you that you have authorized an annual subscription to Netflix for $649.99. (SERIOUSLY?!) You are told that you can call PayPal Customer Service via their toll-free scam phone number 810-242-6869. Of course this is not PayPal’s customer service number. And it isn’t toll-free. The 810 area code is for an area of Michigan. Here’s a challenge to all our readers… If you feel up to it, the next time you get one of these phish containing a telephone number as the means to refute a charge found in a fraudulent email, turn on your favorite sound recording software, call the scammers and record the conversation. Play dumb, ask for explanations, act confused but DO NOT give them any personal information or install any software (though you can tell them you did!). Then send us your sound file to post for our readers!



 

 

What’s a TDS newsletter without an Amazon phish?  Here are two sent to us by our readers.  Both are, thankfully, pretty lame. Not coincidentally, the first was also sent from a generic Gmail account, though pretending to be for a service at Sapean Solution. Lots of people are posting about these fraudulent emails on ScamPulse.com. The second phish came from a domain that is for sale once again, Memure-logbase1[.]com, rather than from Amazon.com. It contained a PDF file with a phishing link.

Deeeeleeeeete!







 

YOUR MONEY
Bank of America Promo Survey, Costco Wants Your Opinion

It PAINS us to be repetitive! But apparently, people respond to these fake promotional surveys, or requests for your opinion, because we see cybercriminals sending them week after week! They are malicious clickbait! Please show these to your friends and family! Forward our newsletters to your contacts and tell them to watch out for these tricks! 

The words “Bank of America” are shown in the name section of the FROM email address below.  You’ll see that this email really came from another generic Gmail address called “brookemills1983.”  (We wonder if a woman named Brooke, who graduated high school in 1983, had her email account hacked and used for malicious purposes.) All links in this clickbait point to the exhilarating website called “excitement[.]miami.”  It should be no surprise to our frequent readers that this oddball domain was registered in Iceland in early April.  Due to breadcrumbs we’ve found in the last few weeks, we think these scams are coming from a cybercriminal gang in India, perhaps the one we call the Hyphen-Poopy gang (though they are no longer using 2 random hyphenated words in their malicious clickbait lately.  We guess they read our newsletter too!)




 

Costco may want your opinion, but this next clickbait didn’t come from Costco!  If you look very carefully at the subject line, you’ll notice something rather odd, unless you understand scammers. Following the name taken from an email address, the subject reads “Earn $5O Costco reward - open immediately!” In an effort to try to fool anti-spam servers, the criminals who sent this email used a capital O instead of a zero 0 to create their number 50.  Only criminals try tricks like this.

The link in this email points to a subdomain called “JustClickHereToMoreInfo2021” and a domain called myarije[.]com. (The subdomain comes first, and is separated from the domain name by a period.) Were YOU to click the link in this email, you would discover that when you arrived at myarije[.]com, you would immediately be redirected to a malicious domain called brozens[.]com.  Brozens[.]com was registered in Iceland! It is also being hosted on a server in Moscow.

‘Nuf said!
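The three warning signs described in this section (a brand name in the FROM display name over a generic Gmail address, a letter standing in for a digit in “$5O,” and a link whose real domain has nothing to do with the claimed brand) can be checked mechanically. The sketch below is an added example, not code from The Daily Scam; the brand and free-mail lists, the first sample’s subject and the second sample’s sender address are assumptions constructed for illustration, and the check for l/I standing in for 1 goes beyond the O-for-zero trick shown above.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed lists for this example; extend them for real use.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BRANDS = ("bank of america", "paypal", "amazon", "costco")

# Currency amount mixing digits with look-alike letters, e.g. "$5O".
LOOKALIKE_AMOUNT = re.compile(
    r"\$(?=[0-9OolI]*[OolI])(?=[0-9OolI]*[0-9])[0-9OolI]+\b")


def split_host(url):
    """Return (subdomain, domain); accepts defanged "[.]" input."""
    # Naive last-two-labels rule: fine for .com hosts, but a real tool
    # should consult the Public Suffix List.
    host = (urlsplit(url.replace("[.]", ".")).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def check_message(from_header, subject, link):
    """Return a list of warning strings for one message."""
    warnings = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    text = f"{display} {subject}".lower()
    brand = next((b for b in BRANDS if b in text), None)
    if brand and sender_domain in FREEMAIL:
        warnings.append(f"claims {brand} but sent from {sender_domain}")
    amount = LOOKALIKE_AMOUNT.search(subject)
    if amount:
        warnings.append(f"letter used as digit: {amount.group()}")
    _, domain = split_host(link)
    if brand and brand.replace(" ", "") not in domain:
        warnings.append(f"claims {brand} but link domain is {domain}")
    return warnings


# Constructed samples modelled on the two emails described above.
SAMPLES = [
    ('"Bank of America" <brookemills1983@gmail.com>',
     "Promo survey", "http://excitement[.]miami/"),
    ("Costco <sender@example.net>",
     "Earn $5O Costco reward - open immediately!",
     "http://JustClickHereToMoreInfo2021.myarije[.]com/"),
]
```

Running `check_message(*SAMPLES[1])` reports both the “$5O” substitution and the mismatch between the Costco claim and the link’s real domain.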
 








 
 

TOP STORY
Cryptocurrency Scams with a Nasty Twist!

As we mentioned in our last newsletter, cryptocurrencies are all “the rage” and trending heavily across the Internet.  You may remember the scam email last week that used an image and fake content about Sacha Baron Cohen.  The response we got from TDS readers opened our eyes even wider to the scams and threats disguised as cryptocurrency hype, including a new scam we had never, ever heard about before!

Just a few days ago, a professional translator from Europe, whom we’ll call “Jean-Luc,” contacted us to share an experience he had on the new Facebook Dating app. He was contacted by a charming young Chinese woman named “Lena” who, he said, had “a very good pitch.” After meeting on the Facebook Dating app, Lena suggested they continue communicating on WhatsApp. Over a few days, she sent Jean-Luc pictures of herself, her office, and even short voice recordings presenting herself as an active young woman who works so hard that she can't get a proper boyfriend.







 

After a couple of days of back and forth messaging (“how are you this morning?” “I am so happy to be able to chat with you,” etc.) she told Jean-Luc that she got a really hot tip from her uncle, who works for Facebook!  The hot tip was about Facebook’s cryptocurrency called “Libra” and Lena said her uncle would include Jean-Luc! Isn’t THAT exciting? However, Jean-Luc knew something wasn’t right about this new “inside tip” because Facebook, which announced its interest in developing a cryptocurrency in 2019, had also changed the name recently from Libra to Diem. (Read this recent CNBC article “Facebook-backed Crypto Project Diem Abandons Swiss License Application, Will Move to the U.S.”)
 






 

Here is a very clever “sleight of hand” we didn’t see coming. Lena urged Jean-Luc to visit the “official” website called “facebook-libra[.]one” and download the APK file. (An APK file is an Android phone file.) Lena also said that the APK file was not available yet on the Google Play Store because it’s so “advanced.” Jean-Luc, now suspicious, downloaded the APK file to his Google Drive (not his computer!) and immediately uploaded it to VirusTotal.com. VirusTotal.com raised lots of warnings and informed him that it contained malware! Further investigation using a WHOIS lookup showed that facebook-libra[.]one was registered anonymously in China on April 19.

This entire effort by scammers was a form of misdirection to target him with malware! (We thought this might be a money scam related to a bogus cryptocurrency.) Jean-Luc did some additional investigation once he realized the threat and discovered that those lovely audio files from Lena were actually audio files taken from video games!  Jean-Luc also found other men on different Crypto forums talking about being contacted in exactly the same way by Chinese women via the Facebook Dating App! With this perspective, it took no effort at all to find articles online talking about this scam in 2019 and 2020. Here are two such links about this scam targeting Tinder users:

https://www.crowdfundinsider.com/2019/11/154015-beware-the-tinder-cryptocurrency-seductress/

https://bravenewcoin.com/insights/swipe-right-to-lose-crypto-on-tinder-other-scams-to-avoid

According to Wikipedia, Dogecoin is a “cryptocurrency created by software engineers Billy Markus and Jackson Palmer, who decided to create a payment system as a joke, making fun of the wild speculation in cryptocurrencies at the time. Despite its satirical nature, some consider it a legitimate investment prospect.”

One of our honeypot email accounts received this email from a domain called Marvilons[.]com offering us a “Special Gift: $1000 of Dogecoin.” Suspiciously, the links in the email pointed to a very LONG link on the link-shortening service at Bit.ly. Moreover, when we used Unshorten.it to unshorten that link, we discovered that a click is redirected back to a very short link at Marvilons[.]com. This is a MAJOR red flag!





We asked ScamAdvisor.com to evaluate Marvilons[.]com and this tool told us that the rating for this website is very low! Caution needed! Further investigation using our favorite WHOIS tool tells us that this not-so-marvelous domain was registered last year in Iceland and the site is hosted on a server in Helsinki! If you are truly interested in exploring investment opportunities in cryptocurrencies, we advise caution, for many different reasons!  Another example involves our Super Scam Fighter, Rob L.  He’s been communicating with someone claiming to represent the International Monetary Fund named “Mrs. Anthony Stella.”  Mrs. Stella is encouraging our friend to purchase cryptocurrencies through the website “Cryptex-Club[.]Club.” Once again, ScamAdvisor.com has rated this domain as VERY RISKY. Of course it was registered in Iceland last year!



 

For Your Safety
You have 7 Unread Emails

One of our longtime readers is the Safety Officer at a special manufacturing plant in Southern USA. She sent us this malicious email that was disguised to look like it came from her to various employees at the plant.  The link in this clickbait could very likely lead to ransomware, like the kind that recently targeted Colonial Pipeline.
 




Textplosion
I Met You on Tinder

For the record, Doug is happily married! He’s not on Tinder. But he got this lovely text from “SweetJennie4” at 240-590-7368. And in case you are wondering, “hmup” means “hit me up” but the more common acronym is “hmu.” 

No thanks Jennie!
 





Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

