THE DAILY SCAM NEWSLETTER — MAY 26, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 353


THE WEEK IN REVIEW

What a crazy week it was! But before we dive into all of that, let’s take a moment to smile about a most sincere, though hysterically lame effort by a Nigerian 419 scammer. If you’re not in a smiling mood right now, we think this might help!  Like so many advance fee scams, this one begins with the same three words that should automatically trigger your urge to hit the delete key… “Good Day Beneficiary!”  There are so many mistakes and red flags in this email, like the fact that you are asked to reply to someone representing the “bank of Arizona” at his address in New Jersey.  Or the fact that he uses a 6-digit zip code!  Or that the sender references the United States as “Usa.” But be quick about it because you only have “less than 48 hours” and then this offer will disappear!
 


 

Equally lame, but potentially much more dangerous, is this email offer sent to Doug at TDS from someone named “Kristen Clegg” who claims to work for Verizon as a “Senior Project Manager” in Fiber Construction. Kristen contacted us using one of our email addresses that is EXTREMELY odd for her to choose. She says that a new fiber project in Boston, MA is going to provide “new options/pricing for your business.” She invites us to make an appointment with a “fiber engineer” by clicking a link to their calendar at VerizonAlerts[.]com. Even if we were a business in Boston, this email is filled with many red flags but we want to focus on one...
 



Verizon.com is a company with a long history, a telecom giant in the United States.  A WHOIS lookup of its domain shows that it was registered through MarkMonitor.com under the name “Verizon Trademark Services LLC” in March of 2000 and uses an Internet name server at Edgecastdns.net. (Name Servers direct traffic on the Internet between your request and the actual location of a website on a server.  Think of them as a kind of digital yellow pages.)



By contrast, a WHOIS lookup of the domain verizonalerts[.]com reveals that it was registered anonymously through GoDaddy.com about 6 months ago, in mid-December, 2020. The domain uses Cloudflare name servers and its website is hosted on a server in France owned by the Internet provider OVH. All of these differences, especially having its website hosted on a server in another country, STRONGLY suggest that verizonalerts[.]com is being used for malicious purposes. Even ScamAdvisor.com thinks that this website is risky! And so, to Kristen Clegg’s request for us to click the link to set up a time to speak to an engineer we say NO THANK YOU!


 

Last week’s Top Story, Package Reshipping Scammers Are Relentless, was about the deluge of fake shipping businesses tricking Americans into moving stolen merchandise and then ghosting them after a month’s work instead of paying them for their time. In our articles, we exposed the 15th and 16th fake website we’ve connected to a Russian-speaking cybercriminal gang (likely from Russia or Ukraine). No sooner did we get that newsletter published than we received information to help us expose the 17th fake business by this criminal group AND learned of an 18th fake business they used back in January. The 17th fake business is called “Ship Gecko Logistics LLC” (SGL Post) at Ship-Gecko.com. The 18th company was called Sinoway Operations USA and a woman named Amanda confirmed, on her LinkedIn page (as of 5/23/21), that she had been shipping stolen merchandise because police showed up at her door to question her about it.

 

Daily Scam Home Page

 

PHISH NETS
Paypal, Wells Fargo Bank, and Facebook Alert

One of our longtime readers sent us this email that appears to come from “Paypal Service” but came from a gibberish account at Oracle.com, an American technology company.  “Your PayPal account has been temporarily restricted” due to suspicious activity, of course.  However, the link in the email doesn’t point to paypal.com.  It points to an email tracking company domain (registered in Spain and hosted in Ireland). More importantly, that link contains a redirect in it that will forward you to a nefarious website registered last December and called nightraid[.]org.

Deeleeete!
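The PayPal phish above hides its real destination inside a tracking link. The sketch below is an example added here, not part of the original newsletter: it unwraps any URL embedded in a link's query string or path, without contacting any server, and checks whether the final host belongs to the brand the email claims to be from. The tracker and landing hostnames are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly; trackers often double-encode the target."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def redirect_chain(url, max_depth=5):
    """Return [link, embedded target, ...] using only the link text (no network)."""
    chain = [url]
    while len(chain) <= max_depth:
        parts = urlsplit(chain[-1])
        # Targets hide in query values or are appended to the path.
        places = [v for _, v in parse_qsl(parts.query)] + [parts.path]
        hits = (URL_RE.search(fully_unquote(p)) for p in places)
        nested = next((m.group(0) for m in hits if m), None)
        if nested is None:
            break
        chain.append(nested)
    return chain

def on_brand(host, brand_domain):
    """True only for the brand domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def check_link(url, brand_domain):
    chain = redirect_chain(url)
    hosts = [urlsplit(u).hostname for u in chain]
    return {"hosts": hosts,
            "hidden_redirect": len(chain) > 1,
            "final_on_brand": on_brand(hosts[-1], brand_domain)}

# Constructed sample: a click-tracking link wrapping a second destination.
SAMPLE = ("https://click.tracker.example/ls/click"
          "?u=https%3A%2F%2Flanding.example%2Fverify%3Fid%3D1&c=42")

if __name__ == "__main__":
    print(check_link(SAMPLE, "paypal.com"))
```

A link that only redirects server-side carries no embedded URL, so an empty result here does not clear the link.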



Another longtime reader sent us this phish pretending to be from Wells Fargo bank.  “Account is blocked for safety.”  We just love how ALL of these fraudulent emails never address the recipient by name.  It’s either by email address or “Dear customer” or something like that.  LUNGE for the delete key! 


 

This next phish is unusual because it does not directly lead to any financial accounts.  It phishes the login information to your Facebook account. (IF, however, you use the SAME password for your personal email and/or your bank/credit card or other financial accounts, scammers are clever enough to discover this once they have your social media login.  DO NOT USE the same passwords! Read our article for tips & tricks to make a set of strong passwords that are easy to remember!)


This email came from a Microsoft owned email domain called onmicrosoft.com, not facebook.com! The link to log into your Facebook account points to a malicious domain called “clickfunnels[.]com.” Once again, many thanks to another longtime TDS reader who sent this to us!  Cybercriminals are able to monetize access to our social media accounts in many ways.  For example, targeting our friends and family with malware while pretending to be the account owner!

 


 

YOUR MONEY
Sacha Baron Cohen Reveals Cryptocurrency Investment Secret and Rebuild Decaying Teeth

Can you name two disconnected things that are popular and “all the rage” lately? How about cryptocurrencies and Sacha Baron Cohen? Both have been all over the media for very different reasons.  And so it wasn’t any surprise to us that cybercriminals grabbed an image of Mr. Cohen that is available from many websites (including this February, 2021 article at TheGuardian.com titled “If you’re protesting against racism, you’re going to upset some racists.”) and created a fake “special report” titled “How to flip £99 into £21,490 in less than a fortnight!?” This email wants you to believe that Mr. Cohen turned the equivalent of about $140 USD into more than $30,000 in less than two weeks. Yeah, right. Moreover, the article shows that it has been shared nearly 7900 times across multiple social media platforms and has more than 116,000 comments!  LIES, LIES, and more LIES! This is plain old malicious clickbait. We used Google to search for this content and found NOTHING. But we can state the fact that all links in this facade point to a malicious website called Oplaewe[.]com.  Visitors to this website’s top page will see an online form to enter their email address so they can “unsubscribe” along with the text “SUBMIT YOUR APPLICATION NOW!”

We are certain this oddball website is malicious because it was registered about 2 weeks before this email was sent and the website is sitting on a server in Seoul, South Korea.  It was registered by someone named “Avah McNeil” who claims to be located on a street in Nashua, NH that does not exist! “857 West NH, NH 03060”

‘Nuf said!




 

According to a 2015 report published in an article on Today.com, by the time Americans hit age 65, about 96% of us suffer from some amount of tooth decay. Maybe that’s why cybercriminals feel confident to use garbage content like what’s in this email to trick people into clicking malicious clickbait! “1 sure sign your teeth are being eaten from the inside out and what to do about it.” This BS came from the oddball domain acanzesi[.]today. Below this email content was a LARGE empty grey box. When we clicked and dragged our mouse through it, we found grey text against that grey background so it would appear hidden. That text is meant to help get this malicious junk through anti-spam filters. It rarely works.

The malicious domain, acansesi[.]today, was registered in India 3 days earlier.  We ALL know what that means!
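The grey-on-grey filler text described above can be spotted mechanically. The following is an added example, not something from the original newsletter: it walks an HTML email body, tracks inherited text and background colours, and reports any text whose colour is nearly identical to its background. It assumes colours are given as 6-digit hex values in inline styles or `color`/`bgcolor` attributes; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link"}   # tags with no closing tag
HEX = re.compile(r"#([0-9a-f]{6})\b", re.I)           # assumption: 6-digit hex only

def rgb(value):
    m = HEX.search(value or "")
    return tuple(int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)) if m else None

def declared_colours(attrs):
    """Return (text colour, background colour) set on one tag; None if unset."""
    a = dict(attrs)
    css = dict(re.findall(r"([\w-]+)\s*:\s*([^;]+)", (a.get("style") or "").lower()))
    fg = rgb(css.get("color")) or rgb(a.get("color"))
    bg = rgb(css.get("background-color") or css.get("background")) or rgb(a.get("bgcolor"))
    return fg, bg

class HiddenTextFinder(HTMLParser):
    def __init__(self, max_diff=40):
        super().__init__()
        self.stack = [((0, 0, 0), (255, 255, 255))]   # default: black on white
        self.max_diff = max_diff
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        fg, bg = declared_colours(attrs)
        parent_fg, parent_bg = self.stack[-1]
        self.stack.append((fg or parent_fg, bg or parent_bg))  # colours inherit

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        fg, bg = self.stack[-1]
        # Largest per-channel difference; a small value means unreadable text.
        if data.strip() and max(abs(x - y) for x, y in zip(fg, bg)) <= self.max_diff:
            self.hidden.append(data.strip())

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.hidden

# Constructed sample: visible lure, then grey filler text inside a grey box.
SAMPLE = ('<p style="color:#222222">1 sure sign your teeth are being eaten</p>'
          '<div style="background-color:#808080"><span style="color:#7f7f7f">'
          'meeting agenda garden recipe weather invoice</span></div>')
```

Calling `find_hidden_text(SAMPLE)` returns only the filler sentence. Emails that set colours through stylesheets, named colours or images are outside what this sketch handles.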







 
 

TOP STORY
My Cup Runneth Over With Amazon Phish

During the nearly 8 years we’ve been doing this work, we’ve never seen such a deluge of phish targeting Amazon customers! Last week we had reported on a woman who received 11 phone calls within 2 hours from 8 different phone numbers, all informing her that there was a fraudulent charge against her Amazon account. The voicemail message asked her to press 1 to speak to an Amazon customer service representative. Last week, one of our relatives received about 14 phone calls during a 2 day period, all telling her that there was a problem with her Amazon account, or there was a $700 fraudulent charge against it.  She was asked to press 1 to speak with an Amazon Customer Care representative.  Here are just a few of the phone numbers the scammers used:

978-239-4045
978-239-3624
978-239-6598
978-239-8280
978-239-2781
978-239-5864
978-239-2278  

It seems the Indian scammers are now using phone calls like short burst machine guns to scare victims into returning their calls.  Doug happened to be there when one of the calls came through and he quickly started a recording and pressed 1.  A man with an Indian accent, who is barely understandable, answered.  You can also hear in the background a boiler room of other scam callers when the fellow stops talking. 



 

The scammer wanted Doug to open a web browser and visit the website AnyDesk.com to download and install their software.  Had he done so, the AnyDesk software would have been used to give the scammer access AND COMPLETE CONTROL over Doug’s computer!  That is extremely dangerous, as you can imagine.  After a short conversation though, the scammer knew we were just baiting him and he hung up.  It is NEVER OK to download and install software to give someone else complete access/control of your computer UNLESS you have 100% trust and faith in the individual.  Certainly not something to provide a stranger!

 

But also last week, many TDS readers sent us Amazon phish that landed in their inboxes, including our Super Skilled Scam-Baiter friend, Rob L. He received the scam email message below “from Amazon Order Confirmation” about a $912 laptop charged to his account.  He was invited to cancel this charge by calling the scammers at 888-200-1235 and he promptly did!  (Many others have reported this phone number as an Amazon scam caller on 800Notes.com.) Rob said the scammer answered as “Amazon Customer Service representative.” He told them the order ID from the email and said it's not his order. They informed him that this purchase activity was from Texas, and he gave a stellar acting performance as he told them he doesn’t live there and it wasn’t his charge.

In response to all of this, the scammer told Rob that they needed to take over his computer using a program called Teamviewer.  Rob is a professional scam-baiter and he has an old computer set up with fake credit cards, phony IDs and a bunch of fake passwords on that computer’s desktop. He was playing dumb and was just about to allow the scammers access to his computer-bait when he suddenly got an important personal call and had to hang up on the scammer. The scammer got lucky and lived to scam another day!  

Look carefully and you’ll see that Rob’s email came from a generic Gmail account called “deliveryamzship” instead of Amazon.com. (Notice that this email doesn’t even address the recipient by name, or tell you what model of Samsung laptop.)
 



Similarly, this email, coming from another generic Gmail account, tells the “Valued Customer” that her order has been placed for $589.21 by “Your Checking Account.” (That’s not how checking accounts work.)  Again, a bogus scammer phone number is provided to “stop the order.” But look how the scammers broke up their phone number so that it can’t easily be searched in a search engine like Google!



And then we have the usual clickbait emails like this one from re-methodspayments101[.]com (instead of from Amazon.com) to say that your Amazon account is on hold.  To verify your account, all you have to do is click a link to a phishing page on a Google drive document.



And then another longtime TDS Reader sent us an email telling her that her Amazon Prime account was set to renew, but her billing information was no longer valid. The email contained an attached pdf file with a phishing link embedded in the pdf file.  (See the screenshot below.) Amazon will NEVER send an attached file containing a link to sign into your Amazon account! 


 

And so when we said “my cup runneth over” we weren’t kidding!  It was overflowing with Amazon phish!


 

For Your Safety
Want to Get Your Book Started?

Cybercriminals continue to bait one of Doug’s cell phone numbers. Obviously, they are really excited for us to publish a book about their scams and are offering to help us! This text from 855-652-0640 contained a link to a website called urarg[.]com.  This domain was registered in Iceland less than a month ago.  We’ve seen many malicious domains registered in Iceland in the last few weeks and we don’t believe this is a coincidence.  We think there is a good chance that these were all registered by a cybercriminal gang from India.  That link is most certainly malicious! 

Deeeeleeeete!
 







Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

