The Daily Scam Newsletter (January 13, 2021)

THE DAILY SCAM NEWSLETTER — JANUARY 13, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 334

THE WEEK IN REVIEW

Sometimes scammers make us laugh, for all the wrong reasons of course! Here’s one recent example. We want you to meet “Mr. Bill Gate” from his “prviet email.” Mr. Gate(s) has been in an email conversation with a gentleman who truly enjoys wasting these scammer’s time and energy. In fact, there are a few folks who routinely respond to these “advance fee” scams just to waste their time and energy and share their conversations with us. They enjoy it and we enjoy hearing from them! They all think that wasting an hour of a scammer’s time means these scammers have an hour less to target vulnerable people. It’s a noble cause and we commend them for their effort!

Though our “textplosion” of November and December has slowed, we still periodically get scam, or very suspicious, texts sent to us. (And TDS readers share them as well.) Here are a few more. No doubt, the links in all of these lead to phone malware infections!

We know Congress finally approved stimulus money for people and businesses in need but this text is NOT from our government! “Hurry to claim your $144.13. But be quick” said this text from 469-722-3748. The domain used in this text, gjcjj[.]biz, was registered anonymously on January 5, the day before the text was received.

Someone wants to pay cash for Doug’s house! How exciting is that! The text came from 863-451-9027 on January 4 and the domain in the link, y2m5n[.]com, was registered just a few hours before he got that text. Doesn’t that suggest a REAL legitimate website is waiting for him?

HELL NO!

Daily Scam Home Page

PHISH NETS
Wells Fargo Bank, PayPal and AOL

This smelly phish has sooooo many warning signs that scream out “NOT REAL!” Look at the FROM address and notice the number substitutions in the name “Wells Fargo Online Banking.” (This is done to try to avoid attention from anti-spam filters. This name is followed by both a gibberish username and domain name of ygfygfbrriv[.]com. The link to “VERIFY” your account points to a hacked website for Luca Santucci in Italy. (“.it” = Italy)

Delete!

Lately, we’re seeing an increasing number of phishing scams that are also connected to malware infections. This is more than double the pain as the malware may enable cybercriminals to gain access to many accounts owned by the victim and acquire a lot more personal information. Imagine how that could turn your life upside down! For example, one form of malware installed by the bad guys might be a keylogger which captures every keystroke you make on your computer, including the websites on which you make them!

Fortunately, most cybercriminals are from other countries where English is not their first language and they don’t have an eye for detail. As we saw at the start of this newsletter, the mistakes they make using their limited English, Google translate, or other errors, can provide critically important tips that something is wrong. Check out the funny mistakes in this recent Paypal phish that came from a server in Japan. (Notice the “.jp” in the FROM address.) The links in this email point to cuturl[.]net, not paypal.com.

Two of our services informed us that malware was also waiting at the end of that link to cuturl[.]net. We used a screenshot service to pay a visit to the link to see what it would show us and it was very clear that a victim is presented with a reason to wait WHILE THE MALWARE DOWNLOADS to his/her computer! (See screenshots below.)

Here is another phish disguised as an email from Paypal. Again, the registered domain is a bunch of gibberish letters and numbers, that has NEVER been registered (according to our WHOIS lookup). The bogus domain used in the FROM address for the Wells Fargo Bank phish above was also never registered. It makes us speculate that the same cybercriminals sent out both phishing emails.

Fortunately, at least two online services

Like other recent smelly carp, this phish not only tries to capture your login credentials, but also hits you with malware when you do! It’s disguised as a warning from AOL, but came from the domain telus[.]net. More importantly, the link to login into AOL points to a very misused link at Googleapis, clearly shown to be malicious, including a malware bear trap.

Deeeeleeeeete!

Daily Scam Home Page

YOUR MONEY
Ace Hardware Rewards

As we’ve stated many times, malicious clickbait disguised as a “reward survey” is very effective in engineering someone’s clicking behavior. What makes this one unusual is that we’ve never seen malicious clickbait disguised as a survey for Ace Hardware. This recent email came from an old domain called southgul[.]com. This domain, registered back in 2013, appears to have no content on it at all and Google knows nothing about it, despite it’s respectable age status. The link to begin your survey points to another VERY DANGEROUS website called orangerushtrk[.]com. Fortunately, the Zulu URL Risk analyzer had no problem seeing the malware lying in wait.

The cybercriminals who created this email try to convince readers that it was created by a marketing company called Gold Crown Publishing, of Las Vegas NV. We’re certain it wasn’t. However, even if it was, don’t assume that all “marketing companies” are created equally, or operate ethically. A visit to the BBB.org website shows us (as of January 10th) that the real Gold Crown Publishing is NOT accredited with the Better Business Bureau and the company has a D+ rating.

(Another example of UNETHICAL MARKETING concerns a website that seems to support/promote “Texas Women for Natural Gas.” However, a journalist for the magazine Mother Jones discovered last December that this website was completely fabricated with fake names and photos of women who supposedly supported and worked for the natural gas industry in Texas. They didn’t. It was a pack of lies. Don’t believe everything you see online!)

Daily Scam Home Page

TOP STORY
Clever Look-Alike Domains

Cybercriminals range from incredibly stupid (like “Bill Gate”) to exceptionally clever. Just last week a woman contacted us about a job she was offered after a text-based interview process. She became increasingly suspicious that her new job wasn’t legitimate, and asked for our opinion. Of course it was another “advance check” scam disguised as a job offer. But what made this scam more interesting (and effective) was the fact that the criminals had created and used a domain that was a perfect compliment to a real business website. (We’ve published an article citing more than 175 real businesses used by these Nigerian scammers.)

The woman, whom we’ll call Zoe, had been invited to interview for a job with Cox Automotive Inc. Provided during the interview process was a pdf file titled “Pre-Job Briefing.” It included a logo for the company, as well as a link for the Cox Automotive website at coxautoinc.com. According to Google, Cox Automotive employs more than 30,000 people.

CAN YOU IDENTIFY SOMETHING IN THESE EMAILS THAT MAY SUGGEST THEY DO NOT REALLY REPRESENT COX AUTOMOTIVE INC?

We hope TDS readers noticed that these emails came from a domain that is similar to, but not the same as coxautoinc.com! The emails were sent from coxautoinc.careers. There is a SIGNIFICANT difference between these domains as you’ll see below. The real business domain was registered in the United States in 2014 to the company mentioned on their website as Autotrader. However, coxautoinc.careers was registered anonymously in Panama on December 14, 2020.

Making this fraud more difficult to see through is the fact that if you visit coxautoinc.careers, you’ll discover that you are redirected to the legitimate website for this business at coxautoinc.com.

After being hired by these scammers, Zoe received official documentation that included a legal-sounding document that detailed benefits and job responsibilities to be signed by her. The scammer, disguised as “David Orchid” had signed and dated the contract, revealing another tiny suspicious “tell” that something about the agreement was odd. In the US, people write a date as month, day, year such as 1/13/2021. But in the rest of the world it is written as day, month, year. “David Orchid” dated his offer letter of January 6 as 6/1/2021 instead of 1/6/2021. Zoe was also sent an “expense reimbursement agreement” in which the scammers set up the next step of this scam, sending a fake check and asking that Zoe use her REAL money to pay for things on behalf of the company after she deposits her check. The check will bounce, of course, long after Zoe has wired her hard-earned money to these criminals disguised as sellers of equipment Zoe is told she must buy.

It pays to be skeptical online and verify, verify, verify!

Daily Scam Home Page

FOR YOUR SAFETY
You Appear in this Video and Your Package is Stopped

There is a Facebook scam that has been circulating in various forms via posts and Instant Messenger for years. A friend’s account gets hacked and the hacker sends a malicious link connected to an image that says something like “I think you appear in this video.” This just happened to a friend of Doug’s. Shortly after, the friend posted a message confirming that his account had been hacked and he didn’t send the message that went out on Facebook Instant Messenger. The link either leads to a malware infection or a phishing site that will capture login credentials and personal information, including targeting the next group of Facebook friends.

This next email informed us that a package being sent to us was “stopped at our post.” The email came from a server in Belgium. We don’t tend to get any packages from Europe. Once again, security services had no problem spotting the malware at the other end of that link, or the fact that we would also have been forwarded to a real and legitimate service called RoyalMail.com.

Ouch!

Until next week, surf safely!

Forward to Friends

About Us
Contact Support
Manage Subscription
Unsubscribe

SUBSCRIBE

Produced by:
Deutsch Creative