THE DAILY SCAM NEWSLETTER — SEPTEMBER 16, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 317


THE WEEK IN REVIEW

We all know the expression “misery loves company.”  We would never truly wish this misery on anyone but it turns out that cybercriminals are poisoning Google searches to trick people into clicking malicious links using content from LOTS of websites and blogs!  Read our Top Story below called “Save Your Marriage” and you’ll see what we mean.

Here’s another fun game for our readers.  Two questions.  The first should be easy if you’ve been paying attention to our newsletters, but the second is harder.  Below is a “Delivery Alert” message presumably sent by the U.S. Customs Commissioner, named Mark A. Morgan.  Of course, this isn’t true and this is just another “419” scam from Nigeria.  However, despite the fact that Mr. Morgan tries very hard to lead you to believe he is an official for the U.S. government, there are two DROP DEAD GIVEAWAYS that tell you he is lying:

  1. What country did this email come from? (hint: look for a 2-letter country code in his email address)

  2. What country (or region) is his “contact email” associated with?
    (Answers at end of newsletter!)


Daily Scam Home Page

PHISH NETS
Please Update Your Payment

This smelly phish is trying very hard to collect your credit card information.  It certainly didn’t come from Netflix.com and the link for “Try Again Payment” doesn’t point to Netflix.com!  The email came from the oddball domain bdad[.]cz which was registered on June 18.  There are sooo many things wrong about this email, not least of which is that the primary clickable link will redirect you to a website, terasamenggangu[.]com, that was registered just a few hours earlier! Freshly baked bread is delicious, but freshly registered domains are malicious! Lunge for the delete key (and pass the butter)!


 


 

YOUR MONEY
View Jobs/Apply Now and Get 15 Bottles of Wine

A longtime TDS reader of ours is retired.  She’s not looking for work and hasn’t posted her resumé online.  And yet, she received the email below that came from an empty website called “trainscharlotte[.]com.”  (The website contains nothing more than ten links to other websites such as Amtrak, “Rail Job Openings,” “Toll Roads,” and other oddly related links.)  More importantly, the link for “View Jobs & Apply Now” points to a domain that we’ve demonstrated multiple times to be 100% malicious!  The subdomain and domain is “track[.]agjtrcker[.]com.”  Stay as far away from this malicious clickbait as you can! After getting hit with malware, you’ll be forwarded to a job search website and you won’t even know what hit your computer!






We like wine and were flabbergasted when one of our honeypot email accounts got this offer of 15 bottles of wine for 71% off!  Until, that is, we noticed it didn’t come from Splash Wines. This email was sent by someone named “Melisa Nesser” @ splasi[.]work.  Mousing over the links in this clickbait reveals another directory created by combining two hyphenated words: tempering-shoelace.  For more than two years we’ve been writing about a cybercriminal gang who uses automated software to create a directory (folder) of two hyphenated words in their malicious clickbait.  Another tell-tale sign of this cybercriminal gang is the opening line in this email… “This offer is for United States only.”  And, for the record, splasi[.]work was registered the day before we got this email.  Run, don’t walk to the nearest delete key!
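The checks described in this section (sender and link domains that don't match the brand, a freshly registered domain, and a link directory made of two hyphenated words) can be run mechanically over a message. The sketch below is an added example, not code from The Daily Scam; the brand domain, link host, dates, the 30-day threshold and the registration table standing in for a WHOIS lookup are all assumptions constructed for illustration.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Two lowercase words joined by one hyphen, e.g. "tempering-shoelace".
TWO_WORD_DIR = re.compile(r"^[a-z]{3,}-[a-z]{3,}$")
YOUNG_DOMAIN_DAYS = 30  # assumed threshold, not from the newsletter

def refang(indicator):
    """Undo defanging (splasi[.]work, hxxp://) so the value can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def registered_domain(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(sender, brand_domain, links, received, registrations):
    """Return findings for one email; `registrations` (domain -> date) stands in for WHOIS."""
    findings = []
    sender_dom = registered_domain(refang(sender).rsplit("@", 1)[-1].strip())
    domains = {sender_dom}
    if sender_dom != brand_domain:
        findings.append(f"sender domain {sender_dom} is not {brand_domain}")
    for link in links:
        url = urlparse(refang(link))
        link_dom = registered_domain(url.hostname or "")
        domains.add(link_dom)
        if link_dom != brand_domain:
            findings.append(f"link points to {link_dom}, not {brand_domain}")
        first_dir = url.path.strip("/").split("/")[0]
        if TWO_WORD_DIR.match(first_dir):
            findings.append(f"two-hyphenated-word directory: {first_dir}")
    for dom in sorted(domains):
        created = registrations.get(dom)
        if created and 0 <= (received - created).days <= YOUNG_DOMAIN_DAYS:
            age = (received - created).days
            findings.append(f"{dom} registered {age} day(s) before delivery")
    return findings

# Constructed sample: sender and directory name are from the newsletter; the brand
# domain, link host and both dates are placeholders made up for this example.
WINE_EMAIL = triage(
    sender="Melisa Nesser @ splasi[.]work",
    brand_domain="splashwines.example",
    links=["hxxp://links.example.invalid/tempering-shoelace/offer"],
    received=date(2020, 9, 15),
    registrations={"splasi.work": date(2020, 9, 14)},
)
print("\n".join(WINE_EMAIL))
```

A single finding is only a hint; several together, as in this sample, are what mark the message for deletion.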





 
 

TOP STORY
Save Your Marriage


Many of our readers know we discovered about two weeks ago that our content was being misused to poison Google searches.  We’ve now determined that cybercriminals have been poisoning Google with content from LOTS of websites and blogs, not just ours.  We stumbled upon another poisoned message when we started to dig into an interesting email that arrived into one of our honeypot accounts.  The subject line reads “This Saves Your Marriage… Starting Today!”


 

This email has all the signs of being spam at best, and is most likely malicious clickbait.  It came from the crap domain called immuneston[.]bid.  In our experience, no legitimate website uses the global top-level domain called “.bid.”  It took the Zulu URL Risk Analyzer seconds to see that malware was waiting at the end of the clickable links in the above email, and our favorite WHOIS tool informed us that the domain immuneston[.]bid had been registered on the same day the email was sent!






And then we started to wonder about the content in that malicious email.  It almost felt like some infomercial calling upon all failing marriages to come to the altar of salvation.  So we decided to Google the opening line that began with “when I first met Kelly…” and were very surprised by what Google returned!  The first sentence showed up, word for word, on a couple dozen websites across the Internet.  Here’s a screenshot of the top five returned links.  We were able to easily confirm that this content originated with a man named Edward Lauraldale and was posted on his site called “save the marriage .com.”  But look at some of the other crap domains that this text also appeared on….


 

Someone has been posting Mr. Lauraldale’s content on lots of sites across the Internet, including:

  • An eMarketing health and fitness site
  • Imtocopilla[.]cl (The official website for the municipality of Tocopilla, Chile)
  • Pinterest accounts in Chile, France, and Spain (including a “funny height challenge” account)
  • A sketchy shopping site that primarily sells nail/face products and is very poorly rated by ScamAdvisor.com (DO NOT VISIT IT!)
  • A Facebook account that did something to violate their rules and the account was subsequently closed:
 
  • A SUPER sketchy website called bostonbroker[.]info containing many pages of suspicious content. (This domain was registered on January 28, 2020.)

This unusual list of websites also included San Michele Laboratory in Italy. (See the screenshot above.) This site especially caught our attention because our content was posted on about a dozen websites in Italy. We decided to search for this Italian website, called “laboratoriosanmichele[.]it.” (We DO NOT recommend that our readers EVER do this unless they are skilled in using various browsers! E.g. Doing this search using Chrome will actually SEND you to the website, possibly resulting in a malware infection, but Firefox will not.)

Again, we were surprised to discover that this Italian website also included a web page called “Costco Laptop Store Pickup!”   VirusTotal.com easily confirmed that this bogus page had malware lying in wait to attack visitors’ devices….





 

All of this insanity confirmed to us that the manipulation of our content was a small part of a broad and extensive attack on citizens across the world by weaponizing the Google search engine.  This has happened before, back in 2016 as we recall.  Google now has a serious problem and it is very likely leading to malware infections on thousands of people’s devices.  COVID-19 isn’t the only pandemic raging on the planet right now.  We urge all our readers to be very cautious about the links they click!

By the way, since last week’s list of malicious websites on which we’ve found our content, we can add the following sites:

  • New.stanko-volga[.]ru (hosted in Russia)
  • Miapot.dressdiscount[.]xyz
  • aoge.starchitecture[.]it


 


FOR YOUR SAFETY
A Simple "Hello" Spells Trouble

Another one of our honeypot email accounts received this one word email.  This may seem innocent enough but if it were sent from a real friend or acquaintance wouldn’t you expect more than one word?  At best, this email is asking you to confirm that your email address is current and that you’ll open bogus stuff like this.  At worst, you’ve just begun to engage with some scammer at the other end who is likely to ask you for a favor like buying gift cards for him while disguised as someone you know.


ANSWERS:

Mr. Mark A. Morgan’s email was sent from the address “info887 @ gvsah.in.”  The “.in” indicates that the email came from India!  This “U.S. Customs Commissioner” then asks that you send your reply to “us.office @ yandex.com.”  If you did a quick search to learn about Yandex, you would have learned that it is a free email service based in Russia, with offices in Eastern Europe and a few other countries.  NOT the United States!  Anytime you see an email from Yandex.com, keep that in mind!


Until next week, surf safely!


Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.

