THE DAILY SCAM NEWSLETTER — MARCH 17, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 343


THE WEEK IN REVIEW

Last week we started with an example of an email we received through our website’s contact form and pointed out how very suspicious it was. THIS HAPPENS EVERY WEEK! **sigh** We don’t want to belabor the point, but these emails do serve as educational tools! Take this email from “Rubin Stobie” that arrived on March 11. Rubin wrote to tell us that we can advertise our blog for free!  He offered an article that “shows 5 cool ways to get lots of free ad exposure.”  Like last week’s email from “Kelle Steinberger,” Rubin used Gmail, a free email service, rather than a legitimate business email. And the link in his email was created through a shortening service (bit.ly).



 

The ONLY legitimate reason for using a shortening service is because a link is soooo long that you want to make it convenient to paste into something like an email.  There are many tools to UNSHORTEN these manipulated links to see where they will actually send you if clicked. Our favorites include (in order):

Of course, we unshortened Rubin’s link and found ourselves heading down another rabbit hole.  The shortened link pointed to an IP address instead of a domain name.  Generally speaking, website developers want to build name recognition, so it is very strange NOT to see a website name.  The most common reason for people to use an IP Address INSTEAD OF a domain name is because they want to hide something. (Did you know you can use a free service like IPLocation.net to tell you where an IP Address is hosted in the world?) But wait! Our test didn’t stop at this IP address! Sucuri.net informed us that the web page located at 18.188.116[.]199 redirects visitors again to another website called ClassifiedSubmissions[.]website.  That’s TWICE that visitors will be redirected!
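For readers who like to check links with a script, here is an added example (our illustration, not the code behind any of the services named above) that follows a link one hop at a time without loading any page, then reports the same red flags: a shortened link, an IP address in place of a domain name, and more than one redirect. The shortener list, function names and the sample chain with its reserved example hosts are all constructed for illustration.

```python
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # short illustrative list (assumption)
REDIRECT_CODES = (301, 302, 303, 307, 308)

def head_fetch(url):
    """Live lookup: one HEAD request, no page body, redirects not followed."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def trace(url, fetch=head_fetch, max_hops=10):
    """Return (hops, flags): each URL in the chain and the red flags found."""
    hops, flags = [url], []
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            break
        hops.append(urljoin(hops[-1], location))  # Location may be relative
    else:
        flags.append("redirect limit reached")
    hosts = [urlsplit(h).hostname or "" for h in hops]
    if hosts[0] in SHORTENERS:
        flags.append("shortened link")
    flags += [f"IP address instead of a domain name: {h}" for h in hosts if is_ip_literal(h)]
    if len(hops) > 2:
        flags.append(f"{len(hops) - 1} redirects")
    return hops, flags

# Constructed sample chain (reserved example hosts), shaped like the one described above.
SAMPLE = {"https://bit.ly/EXAMPLE": (301, "http://203.0.113.7/"),
          "http://203.0.113.7/": (302, "http://landing.example/")}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))
```

Calling `trace(url)` without the `fetch` argument performs the live HEAD requests; `trace("https://bit.ly/EXAMPLE", fetch=sample_fetch)` runs against the constructed chain only.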



 

Did any of this sound familiar to you?  This is EXACTLY what happened in the email from Kelle Steinberger that we presented in the opening of last week’s newsletter! We ended up on a website called classifiedsubmissions[.]club at the end of that rabbit hole.  This is, of course, no coincidence.  Someone really wants us to visit these websites. Hmmmm, no thanks! We’re good.

We’ve been writing a lot lately about package shipping scam jobs posted by the same criminal gang. We believe these criminals are native Russian speakers based on a string of clues we’ve found.  We’ve exposed 14 of their fraudulent websites so far! We mention this because we learned something very new, and clever, about this criminal gang that surprised us.  We asked one of their victims how she first learned about the bogus job she was offered as “warehouse coordinator” to repackage and reship merchandise that was likely stolen or illegal to ship.  She told us that she was contacted by a Career job website called CareerUSAhub[.]com.



 

We’re skeptical guys.  The fact that this job search website includes “USA” felt to us like they’re trying too hard to be associated with the United States, so we used a WHOIS tool to investigate this job site.  Remember, it was a person using an email address from this Job site who invited the woman to apply for a job that we KNOW is a fraud!

The WHOIS showed us that CareerUSAHub[.]com was registered through a Registrar and hosting service in Ukraine called Ukrnames, AND this “USA” job website is being hosted on a server in Kiev, Ukraine.  Does any of this sound like “USA” to you?  According to Wikipedia, nearly a third of Ukrainians speak Russian, and the Ukrainian language is very similar to the Russian language. To read more about this scam and the criminals behind it, read our article Package Reshipping Job Scams - Round 3.


 

One of our TDS readers reported that she received a fraudulent phone call from 978-514-9281.  A man, she said, claimed to be from the Social Security Administration.  She recognized it as obvious fraud. A search for that phone number does not show anything related to the Social Security Administration, just oddball websites that are dangerous to click! 

Happy St. Patrick’s Day!

Doug and Dave

 

Daily Scam Home Page

 

PHISH NETS
Amazon and Your Support Plan Will Renew Today

Cybercriminals must be finding emails like this to be extremely successful because they’ve been sending lots of them!  Like so many, this one wants you to believe it came from Amazon but it really came from someone’s Gmail account. “Thank you for your order.  We’ll send you a confirmation when your Order ships.” Most of the links to investigate the details of your order point to a phishing domain hosted at the look-alike Amazon wannabe website called amazoncar[.]store.  This crap domain was registered anonymously just 16 days earlier. A phone number is also provided and it DOES NOT belong to Amazon!
 







One of our TDS readers got this REMINDER text from 612-448-3220 to inform her that “your support plan will renew today.”  Unless she called 855-599-0594 to cancel, she would be charged $299.99 to renew Geek Squads.  This is malicious clickbait meant to trick recipients into engaging these scammers over the phone.  And they can be VERY convincing!  This number has been reported as a fraud many times on NumberGuru.com.






 

YOUR MONEY
Congratulations from Fedex, Your Norton Subscription is Expired

“Congratulations” says this “Order Confirmation” presumed to be from Fedex.  Your order has been placed successfully!  But this email didn’t come from Fedex.  It came from the crap domain moviesdate[.]com and the links point back to this domain. The Zulu URL Risk Analyzer was able to confirm that these links were 100% malicious!

Deeeleeeete!





 

We’ve seen lots of malicious emails in recent weeks disguised as subscriptions for the very products that are meant to protect us from malware.  This one claims to be from Norton 360 Antivirus software but came from a randomly generated domain name that has never existed.  It was spoofed.  The links in this clickbait point to a website that seems to give a nod to UK citizens called FindsCrown[.]net. Perhaps unsurprisingly, that domain is hosted in the UK and was registered last September.  Does any of this sound like Norton.com?





 


 

 
 

TOP STORY
A Picture is Worth 1000 Words

This old English adage couldn’t be more true for this week’s Top Story. It comes to us from our friend, and Scam Hunter, RobL. He loves stringing along the Nigerian 419 Scammers, wasting their time, and exposing their supporting fraudulent websites such as fake online banks.  RobL. recently sent us this email that has been part of a thread in which he has been communicating with someone identified as “Missionary Carol Mitchell.”  We’re so sad to report that Missionary Carol Mitchell is dying, and without heirs.  Fortunately for RobL., Missionary Carol Mitchell has asked her New York lawyer, William A. Simon, to make RobL. her “next of kin.”  RobL. will inherit $6,000,000.00 dollars!  Go Rob!  He is now expecting to hear from Attorney Simon and CIT Bank about the details.
 


 

Missionary Carol Mitchell claims to work for the Saints Peter and Paul Catholic Church, located in San Francisco. To help RobL. get to know his new next-of-kin dying relative, Carol sent a bunch of photos of herself and has, in turn, asked that RobL. send her some photos so she “will pray for you through the pictures before I die.” Awwwww.  Doesn’t this just break your heart?!

But let’s back up a moment to the start of their conversation. To help support her claim that she was sincere and the person whom she claimed to be, Carol Mitchell sent RobL. a photo of her United States passport.  Click on the picture of the passport and zoom in to look very closely at her photo...





Did you notice anything unusual about Carol Mitchell’s photo?  RobL. did, and so did we!  Over Carol Mitchell’s left eye (right side) appears some very faint white text.  The letter “o” also appears on the neck of this woman, near her collar.




We figured out that the faint white text says “depositphotos.”  DepositPhotos.com is a royalty-free photo and stock image website. With that information, we went hunting for an elderly Asian woman on DepositPhotos.com and had no problem finding “Missionary Carol Mitchell’s” photos.  There were many of them! They were originally taken by a photographer named Ampyang back in 2010.


 

The Nigerian 419 scammers who created this advance-fee fraud have really good photoshop skills but no one is perfect!  In this photo from DepositPhotos, you can see the white letters stamped across the woman’s face above her left eye and at her neckline. The scammers took out just the photo of the elderly Asian woman and pasted it into the US Passport after additional photoshop work, but left in the letters stamped on her face. (You can see that her jacket matches what she is wearing in the passport photo too.)


RobL. tells us that the scammers sent him other photos of this same woman, claiming to be Carol Mitchell but they were also taken from stock photo websites.  This included “Carol” in her hospital bed which was also found on DepositPhotos.com.



 

A picture is indeed worth 1000 words!  In this case, the words include fraud, scam, cheat, fake, forgery, sham, phony, falsify, counterfeit, and lie! Thanks RobL for continuing to expose their fraud!

FOOTNOTE 1: RobL also pointed out that this same scam, using the same names for the lawyer and sick woman, has been in use for at least a year and a half.  You can see many of the emails in this advance fee scam posted on ScamSurvivors.com.

FOOTNOTE 2: The photos used by these scammers are also on other stock photo websites such as DreamsTime.com, but the copyright markings placed on the images made it impossible to use them in the Passport image unless you are willing to pay for them!



 

FOR YOUR SAFETY
Pfizer COVID-19 Survey

This next email from foundrygator[.]net has soooo many red flags!  “Yours -Vaccine have arrived!” “congrats, you’ve been selected Pfizer C0VID-19 Survey Registration Confirmed”  The links in this malicious clickbait, once again, point to an IP address rather than a domain name.  We used IPLocation.net to see where that IP is located and were not surprised to see that it sits on a server in Moscow, Russia!  This is malicious, through and through!





Textplosion: Message from Venmo and Congratulations from Amazon!

On March 11, Doug received a text from 843-353-8586, identified as Venmo, to say that “we have seen an unrecognized transaction in your account.”  He was provided a link to click to a website named onesecreminder[.]us. We weren’t surprised to learn that this domain was registered one day earlier in Romania.





Finally, from 714-400-7615, one of our readers received a text claiming to be from Amazon. “Congratulations, you came 2nd in today’s Amazon Earpods raffle! Click this link to arrange delivery.”  Of course the link points to a crap domain that was registered anonymously the day before and the website is hosted on a server in Hong Kong.  That seems like Amazon, right?






Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

