THE DAILY SCAM NEWSLETTER — JANUARY 6, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 333


THE WEEK IN REVIEW

HELLO 2021!
My God, so many of us couldn’t wait for your arrival! And to 2020, slinging mud as you walked out that door, we didn’t believe your “cash relief” offer sent as a text on December 30th from 504-214-3150 was real.  “Notice: Grants are available for financial assistance this year. They don’t need to be paid back. Tap now to apply here: h t t p:// cashrelief[.]us” So we’re throwing that crap right back in your face!  Good riddance!






 

REAL cash relief, without any strings attached, was finally approved by the US Government!  NO ONE ELSE is going to give you cash (except maybe mom or dad).  And we see that cashrelief[.]us was registered to someone identified as “TMTM TMTM.”  Who? “The More, the Merrier?” “The Muppets Take Manhattan?” Or perhaps “too many to mention?” No matter what it stands for, we’re certain it’s a scam domain! According to DomainBigData, the Registrant called TMTM TMTM has registered hundreds of domains in the last couple of years.  MANY of these domains have names associated with auto insurance and US Government grants like “bestautorate[.]us,” “autoinsuranceatax[.]us,” “usgovgrant[.]us,” and “grantsfromgov[.]us.”  Don’t assume any of them to be what they claim to be! (By the way, the address listed on DomainBigData for TMTM TMTM is a Parcel Plus shipping service that offers postal mailboxes. This is a common tactic of scammers.)

We would like to remind TDS readers of the many social engineering tricks criminals use to initiate a dialogue with potential victims.  It can begin with something as innocuous as a question, or statement like “I sent you an email and there was no response…”  Check out this email from “Form Office” using a generic Gmail account. But your reply will instead go to a different account, a Yahoo account named “mailoffice120.”  This is classic Nigerian 419 scam behavior! With due respect…




Another trick used as malicious clickbait by cybercriminals takes advantage of something called “tribal behavior.” Humans have evolved to belong to groups (tribes).  That group can be political, religious, or any of dozens of other types. This has been very evident in the political groups that have become increasingly entrenched in their own dogma during the last few years. Quite simply, cybercriminals try to appeal to that tribal dogma as a means to engineer clicking behavior. Here’s a perfect example... Do you know your 2nd amendment rights? Advocates for unrestricted 2nd amendment rights are part of a tribe. We are not demeaning or putting down anyone who supports the second amendment and gun rights. We are not disagreeing with the 2nd amendment. We’re only saying that many who vehemently support the 2nd amendment exhibit some tribal behaviors. Many have a longing to be associated with this cause and identify with others who feel similarly.  This desire has been weaponized by the notorious Hyphen-Poopy gang of cybercriminals. (Many previous newsletters describe the Hyphen-Poopy gang to readers.) Check out this email appealing to anyone who is interested in protecting their 2nd amendment rights by clicking a link to download a copy of their rights.  The email begins “Fellow Patriot” though we’re convinced it was sent by cybercriminals from another country...




The email came from, and has links that point to “pleqgn[.]casa” (Not “Tac & Survival” as suggested).  Not only was this domain registered in India the day before we got this email, but this domain is hosted on a server in Romania AND contains a redirect that will forward visitors to a VERY MALICIOUS website we’ve written about many times in the past few months… plazabest[.]com.

Ouch!
 




Daily Scam Home Page

 

PHISH NETS
Amazon and iCloud Account Notification, and Barclays Bank

“Dear Customers, we have placed a hold on your Amazon account and all pending orders” says an email that came from maallink[.]online, not amazon.com! The link to “Verify Account” points to the oddball domain aleiamaioxmad[.]com.  It was registered just hours earlier on January 1st! A visit to this domain shows a button inviting visitors to continue to Amazon.com.

Total BS!









“Your iCloud ID has been locked for security reasons.” NONSENSE!  This email didn’t come from icloud.com or apple.com. The link to “Verify Account” points to a managed list that will forward you to a malicious website on lnk[.]to.

Deeeleeeete!





 

Anyone sensible enough to look at the link revealed by a mouse-over in this final phish can see that this email from “Barclays Bank Alerts” didn’t come from barclays.co.uk or barclaysus.com. Both are legitimate websites belonging to Barclays bank.  The email actually came from David of The Daily Scam!  Yes, that’s right!  One of  David’s email accounts was hacked and misused in late November!  But David’s pain in late 2020 continued well into December and only got worse.  It is our Top Story this week and we call it “A Digital Mugging.”
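The mismatches called out in this issue (replies diverted to a different mailbox domain, and a brand named in the message while the sender and link domains belong to someone else) can be checked mechanically. The following Python code is an added example, not part of the original newsletter; the sample messages and their .example domains are constructed, and the legitimate-domain list holds only the domains named in this issue.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Legitimate domains per brand, limited to the ones named in this issue.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "icloud": {"icloud.com", "apple.com"},
    "barclays": {"barclays.co.uk", "barclaysus.com"},
}
# Constructed sample messages (placeholder .example domains, not real mail).
SAMPLE_419 = ('From: "Form Office" <office@freemail-a.example>\n'
              'Reply-To: mailoffice@freemail-b.example\n'
              'Subject: No response to my email\n\nWith due respect...\n')
SAMPLE_AMAZON = ('From: "Amazon" <notice@sender.example>\n'
                 'Subject: We have placed a hold on your Amazon account\n\n'
                 'Verify Account: http://verify.example/login\n')

def domain_of(address):
    return address.rpartition("@")[2].lower()

def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def phish_signals(raw):
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    signals = []
    # Replies routed to a mailbox on a different domain than the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        signals.append("reply-to-mismatch")
    body = msg.get_payload()
    text = (name + " " + msg.get("Subject", "") + " " + body).lower()
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s\"'<>]+)", body)}
    # A brand is named, but the sender or a link is not on that brand's domains.
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        if not in_domains(from_dom, domains):
            signals.append("brand-sender-mismatch:" + brand)
        if any(not in_domains(h, domains) for h in hosts):
            signals.append("brand-link-mismatch:" + brand)
    return signals

if __name__ == "__main__":
    for sample in (SAMPLE_419, SAMPLE_AMAZON):
        print(phish_signals(sample))
```

These checks only surface the inconsistencies a careful reader would spot by hand; a message that passes them is not thereby proven legitimate.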





 

YOUR MONEY
Home Depot and USPS Rewards Survey

Gift cards make for very lovely clickbait!  Here is one that claims to be a $100 gift card from Home Depot but came from a domain called nervative[.]com. This domain was registered in France last March and is hosted on a server in Turkey. “We have been trying to reach you - Please respond!” Don’t respond unless you WANT a malware infection!  The links in this clickbait point to malware sitting on a website called subsequestimate[.]com.





 

Have you ever visited India?  This next email is NOT the way to go about it!  It came from a website in India called digitalfalcons[.]co[.]in and points to a malware-laden website in India called inlifescience[.]co[.]in.  (“.in” = India)  Once again, the message begins “We have been trying to reach you. Please respond” but look how it has been obfuscated in the Subject line to try to fool anti-spam servers!  


 

 
 

TOP STORY
A Digital Mugging

Just like so many thousands of people across the world, we are targeted by cybercriminals.  Sometimes though, we feel it is personally directed at us because of the work we do to expose their fraud. This past November and December was such a time. On top of co-producing the ginormous web portal, The Daily Scam, David runs the Creative Collaborative, Deutsch Creative, which specializes in digital design and publishing. In late November 2020, David’s company email account was spoofed and he didn’t find out UNTIL he suddenly started to get rejected emails by the hundreds that he never sent.

All of these emails were found to be malicious or fraudulent, including the Barclays Bank phish in this week’s phishing column above and the email below pushing Viagra pills. By the time David changed his passwords, the damage had been done, and on more than one occasion, SiteGround, David’s hosting service, shut down his accounts until he was able to prove that his email address had actually been spoofed and that these hadn’t been sent out via his address. This exercise was highly taxing, especially the second time, but exactly what he had hoped would be the response from his provider. Kudos, SiteGround.


 

But the “digital mugging” didn’t stop there.

All of David’s social media accounts were hacked. The user names of all of his accounts were changed and he couldn’t regain access to them. This hacker didn’t do anything malicious (yet) but they made it impossible for David to have access to his own sites. Instagram, Twitter, SnapChat, Facebook and who knows how many other accounts. 

Some people don’t take passwords very seriously while others don't want "big brother" sniffing inside even the most mundane of what's inside their digital wallet. Sometimes, however, the offer of a free jelly donut can get people to drop their shields. You can go into a donut store and, in order to get a discount, happily sign up for a donut loyalty card and lower your force fields.

We were just discussing how amusing it is that sometimes a donut store’s password is twelve digits with two special characters, a number and a diphthong, but your bank or trading account only requires a four digit PIN. It starts to make you think that there’s no reason for passwords, but the bank’s four digit PIN is often a single hurdle in a series of many to prevent entry, whereas the twelve digit donut code that pretends to have value, most likely doesn’t have any encryption, and the data is just flying unprotected through the ether. Once a hacker finds the lowest common denominator into your password/user-name, they send it out through all of social media, looking for that combination, and once in, they control you. This is one of the most important reasons not to use the same password over and over again!

In mid-December David had a series of fraudulent charges made against his personal credit card. His bank called him and said they needed to verify some charges. He asked how many charges there were. The bank’s agent said more than a dozen and asked when he had last used his card. David told the agent that he had made a charge on the way to the gym that morning and then at about 2:00 pm he went to grab some coffee and his card was denied. He asked the agent when the charges were made. The agent reported that, interestingly, they were all logged at the same time. Multiple pizza delivery charges, some adult website charges, purchases of Apple gift cards; nothing over fifty dollars, but close to $2500 in total. After they were all stopped, the bank updated his card and issued a new number. But then new fraudulent charges appeared on the new card! He had to update his card multiple times before this craziness stopped. And it’s not just making a call: each time you do this you need to sign affidavits at the bank, and everything attached to that card stops working, auto-payments, online accounts, etc. The domino effect created by this is often part of the joy the hacker gets from the chaos they create.
 

It gets even better.

On December 16, David was charged 7 cents for an advertisement posted on Facebook, made via his business account. Someone had clicked on the Ad.  Only he hadn’t posted any ads!  


 

Soon after, Facebook informed him that he had violated their “terms of agreement” because he had posted “inappropriate advertising.” Of course he hadn’t done any of that!  When he went to sign in to Facebook, he was prompted to choose an account to go into, and that took him completely by surprise. It was then that he discovered multiple Facebook accounts had been created in his name. They had no photos, but did have his cell phone number and email address. There were also no posts, no friends, and no pictures at all.  And yet, it was registered in his name. 

And that’s not where it stopped. There were a half dozen “David” accounts with different pictures, but no content.

On December 26, David received additional ad notifications from Facebook that he had placed ads that did not comply with Facebook’s advertising policies.  Also very interesting was the fact that this particular ad was written in Vietnamese and titled “How to Borrow Money.” Wouldn’t you think Facebook’s artificial intelligence would notice that David neither spoke Vietnamese nor did anyone with whom he was connected via Facebook, and therefore understand that his account had been hacked? There were also ads in French. David doesn’t speak French or ever post in French for clients. This was coupled with David making every effort to report to Facebook that he had been hacked, that his account had been abused and that he needed help.



 

Not only did this new account get misused, but it created a conflict with his real personal account.  David said  “I can’t use my old account. When people send out messages, responses, etc. I get the notification, but can’t respond to it. I have to log out of the account that doesn’t work and then log into the new account, and still I can’t see the message unless I go to the person’s site and check out what they publicly sent.” Somehow, the criminals had managed to create an account that completely confused Facebook.

David attempted to log into his Facebook account to see if this was just a one-time event or learn whether something more sinister had happened. He discovered that he was now locked out of his REAL account due to the abuse associated with his other newly named accounts. He got the message that he needed to prove his identity by uploading a license, passport or other type of identification. Of course, this felt a bit sketchy. After finally giving in and uploading his license photo he received this notice: “We Received Your Information. If we still find that you’re not old enough to be on Facebook, your account will remain disabled. This is because your account doesn’t follow our Terms of Service. We’re always looking out for the security of people on Facebook, so until then you can’t use your account.” 

Old enough?? Facebook now thought that David was under the age of 13!  No doubt, this trick was also perpetrated by the criminals who set up the fake account for him.


 

Several interesting things have come out of this attack. The first and most obvious concerns Facebook Customer Service. There is none!  It turns out that when users have problems with their accounts on Facebook, there is NO ONE to communicate with.  Literally no one!  Even Facebook’s own “help center” (said with obvious sarcasm) tells you that there is no way to speak to a customer service representative.  We feel that this monolith, centered around the concept of bringing people together in a digital social world, treats its users in the most uncivilized ways... like pieces of data and nothing more.  From our perspective, this experience has confirmed that Facebook truly doesn’t care about its members. We are the products, not the customers!





There was one other thing that the hacker was doing. Every morning, David would receive two emails with 8-digit reset-codes. These numbers were obviously phony because when they were input into the Facebook "password reset" field, Facebook would respond with an error message telling him that his codes should only be 6 digits!





 

When David tried to reset his Facebook password, the two-factor authentication of Facebook would send him actual six-digit codes that would get past one gate, but only stopped him at the next.

It’s pretty clear that we lost this fight with cybercriminals. David said “It’s OK. It only cost me time, and I always imagined that this kind of thing would eventually happen, but on the plus side, 7 cents was credited to my account, so I've got that going for me, which is nice.”  And so, for this round… The Daily Scam: “0” / Cybercriminals: “1”   However, we’re still here, more dedicated than ever to reveal internet/smartphone fraud and teach people how to better protect themselves.  And in a few days, David will be able to take off his bandages.

A final note… David also volunteers for Rotary International, and although these hackers were just a thorn in his paw, they damaged a number of important student scholarship fundraising events, and that’s the real crime. 


 

 


FOR YOUR SAFETY
Application Approved and Wells Fargo Wants to Give You Money

During the past months we’ve reported on several malicious domains that are made to look like they are email tracking services for some marketing firm or other.  But they are not.  Just more clever malicious clickbait.  One of these is a domain called ahxtrckr[.]com.  Check out this email from “lindnermiranda[.]com” informing you that your “FUNDING APPROVED.”  This is NOT from the US Government with information that your financial assistance is waiting for you at the end of the link! The domain ahxtrckr[.]com was registered back in early October and sits on a server in Germany.  This same domain has been used in multiple malicious clickbait, including the email below claiming to be from Wells Fargo bank.  As if Wells Fargo bank is going to give you $1000??? Remember, this is the bank that created thousands of fake user accounts without permission so that they could charge more fees to their users!

Deeeeleeeeete!








 

Until next week, surf safely!


Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

