THE DAILY SCAM NEWSLETTER — FEBRUARY 10, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 338


THE WEEK IN REVIEW

We would like to welcome our many new subscribers to The Daily Scam! This newsletter is possible because of the many suspicious emails, texts, website links and social media screenshots that our readers send to us every week.  We look forward to hearing from our newest subscribers too! Send your suspicious content to spoofs@thedailyscam.com.

We have a small update to the malicious campaign that targeted Doug & Dave, creators of TheDailyScam.com.  Doug’s spouse received only one more malicious email disguised to look as though Doug had sent it. The domain used in the link had been registered anonymously in Panama just hours earlier, which usually means that the link is being used to deliver malware to the person who clicks it.  We couldn’t help but wonder if “cplrwepn[.]com” was short for something.  “CoP kiLleR WEaPoN” perhaps?





 

Our readers may remember that a couple of Lotteries in the U.S. hit record highs recently!  Perhaps that’s what prompted scammers to send these next two emails. The first was sent to one of our long-time readers from a generic Gmail address named “postletter1970.” It turned out to be a deep dive down a crazy rabbit hole.  The initial email claimed to represent a “Loyalty Reward” program. The link in this scam points to a crap domain called zfrmz[.]com which contains a redirect that will send visitors to a phishing form on ZohoPublic[.]com.  Zfrmz[.]com was registered in Tamil, India in 2019.






 

When you arrive at the form on zohopublic[.]com you’ll be informed that you’ve won a “Facebook Loyalty Reward Promotion.”  In order to collect your winnings you have to provide a bunch of personal information, including your Driver’s License Number, Date of Birth, cell phone number and more.  We’re certain this is just the beginning of what will be asked of you!  Victims, err….we mean “Winners” are asked to contact Albert Wagher at his email via FacebookOnlineLotto[.]com.

This rabbit hole goes deep!

 


And then another TDS reader sent us this lovely Powerball Lottery email announcing that she had just won 1.5 MILLION dollars!  But the email came from “OSAMA ABDALLA ABABNEH” from Jordan (2-letter country code “.jo” = Jordan).  We didn’t realize the Powerball Lottery had an office in Jordan!
 



Daily Scam Home Page


 

PHISH NETS
Paypal and Many New Phone Phish

Uh oh!  Looks like your Paypal account is to be closed, unless you click “Log in here” and confirm some additional information.  This smelly phish came from servicepmail[.]info, NOT from paypal.com!  And the link points to a domain called faithcord[.]com, NOT paypal.com! 

Deeeeeleeeete!


 

The next set of phishing emails are all designed to trick recipients into picking up the phone and calling the scammers directly, by pretending to confirm purchases the recipient has made!  We call them “phone phish” and there are no links to click. Our Top Story in our January 27 newsletter was about this trick and titled “Thank You For Your Order.” Let’s begin with this email saying “Thank you for choosing Norton Security.” $399 seems pretty steep, don’t you think? But wait, you can call 888-297-1270 to cancel your subscription! There are many people on 800Notes.com talking about this phone number as a scam! This email OBVIOUSLY didn’t come from any legitimate service selling Norton Security 360.



 

This next email starts with “this is a confirmation email regarding your subscription auto renewal” to the tune of… $399 again!  What an odd coincidence, don’t you think?  The email came from a crap domain, wbtechpvtltd[.]online, that was registered in India just hours before this email was sent! The phone number to call, 213-438-9552, has been marked UNSAFE on fraudnumber.com by 5 people in the last week!
 

 




And finally, we have an email about a charge from Best Buy’s service known as Geek Squad.  Only this email didn’t come from BestBuy.com. It came from someone named BOTH “Carol A Roetzler” AND “Faith Feguson” at the domain uservalidationservice[.]net. You’ve subscribed to GeekSquad’s online support renewal for $299 and it is about to “Debit from your account by Today.” But wait, you can call 609-318-9561 to be victimized by these scammers!  Someone reported this phone number and scam to FindWhoCallsYou.com recently.





 

YOUR MONEY
When is an Austrian Bank a Nigerian Scam?

We have a short story to share with our readers and it comes from a man whom we’ve mentioned several times, but never by name.  He’s given us permission to identify him as Rob L.  Rob LOVES to play with the scammers!  He has the patience of a saint to play their games and feed them false information, playing a dumb person barely able to use email. But he is quite the opposite!  Rob has been giving us many tips and leads to scammers’ phony websites and exposing many of the tricks they use.  Rob recently exposed a clever ruse used by scammers, who are likely from Nigeria.  It speaks VOLUMES about why it is so important to read CAREFULLY!

Rob has revealed multiple times to us that Nigerian 419 “advance fee” scammers create fake online banks, many looking like legitimate banks, to inform people that money is ready and waiting for them.  They only need to pay the fees needed to release it.  Check out this screenshot of the very real and legitimate Austrian Bank website at Bawagpsk.com:
 




This bank’s domain was registered in Austria back in 2005. However, Rob has been communicating with someone from the Bawagpsk Austrian Bank about a deposit in his name.  This person has used an email address from the domain Bawwagpsk[.]com!






 

This is what we see when we visit Bawwagpsk[.]com. You’ll notice it is a wee bit different than the legitimate Austrian Bank site...



 

As many of our readers know, it is CRITICALLY IMPORTANT to PAY ATTENTION to the details, such as a “W” vs “WW” in a domain name!  Rob also shared another scam domain with us recently, disguised as a Bank of America website.  He’s been communicating with a scammer who used the email address bnkofamerica011@usa.com.  Apparently, Rob was told that he is the beneficiary of a large sum of money in a Bank of America account.  But instead of the BoA account link pointing to BankofAmerica.com, the link points to:

   http://bofamericas-001-site1.itempurl[.]com/home.htm

Below is a screenshot showing what this bogus BoA site looks like. Not only do Rob and TDS know it is a fraud, but so does Dr.Web (according to VirusTotal.com). The scammers create this sham and invite a soon-to-be victim to log in and ‘confirm’ the large sum of money.  However, once victims are invited to move that bogus pile of money out, they discover there are fees to be paid to the scammers!






 

 
 

TOP STORY
It's a Numbers Game! IP Addresses

Who the heck will remember a random set of numbers for every website they visit?  No one! That’s why DNS (Domain Name System) was invented!  According to this well-written article on Cloudflare.com, “The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.”

Without DNS, every website would have to be found by its IP (Internet Protocol) address.  This is the very reason WHY EVERYONE SHOULD BE SUSPICIOUS of a website that is ONLY identified by a set of numbers!  During the last week, at least one cybercriminal gang has been playing a numbers game, sending out malicious emails that contain links showing ONLY IP addresses, not domain names.  Here is an example, and how you can learn WHERE in the world you would go if you clicked that link…

“Welcome to UPS Survey” says this email from a crazy gibberish domain. You can get an “exclusive reward” by taking this 30-second survey.  Mousing over the link shows that it points to IP Address: 78[.]108[.]182[.]147.  If you visit the website IPLocation.net, you can enter that IP address into their search feature and have several geolocation services tell you where in the world they believe that website is hosted.  We discovered that this UPS survey is hosted on a website in Prague, Czechia!  That’s a sure sign that this is malicious clickbait!
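
For readers who triage reported links in bulk, here is an added example (ours for illustration, not a tool used by TDS) that automates the two checks described in this issue: a link whose host is a bare IP address, and a domain that is one or two characters away from a real one, like the “W” vs “WW” bank domain above. The TRUSTED list, the function names and the "last two labels" shortcut for finding the registered domain are assumptions made for this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the reader really does business with (taken from this issue).
TRUSTED = ("bawagpsk.com", "bankofamerica.com", "paypal.com")

def host_of(link):
    """Undo the newsletter's [.] defanging and return the lower-cased host."""
    link = link.strip().replace("[.]", ".")
    if "://" not in link:
        link = "http://" + link          # urlsplit needs a scheme to find the host
    return (urlsplit(link).hostname or "").lower()

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(link):
    """Classify a link as 'ip-literal', 'trusted', 'lookalike:<domain>' or 'unknown'."""
    host = host_of(link)
    try:
        ipaddress.ip_address(host)       # accepts IPv4 and IPv6 literals
        return "ip-literal"
    except ValueError:
        pass
    # Naive registered-domain guess: the last two labels (no public-suffix list).
    registered = ".".join(host.split(".")[-2:])
    if registered in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        if edit_distance(registered, good) <= 2:
            return "lookalike:" + good
    return "unknown"

if __name__ == "__main__":
    for sample in ("78[.]108[.]182[.]147", "Bawwagpsk.com", "faithcord[.]com"):
        print(sample, "->", triage(sample))
```

An "unknown" result is not a clean bill of health: the bogus Bank of America link in this issue puts the brand in a subdomain of an unrelated host, which an edit-distance check on the registered domain does not catch.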






 

Want to earn your TDS Merit Badge for Super-sleuthing IP addresses? You try it… Use IPLocation.net to look up each of the IP addresses revealed by mousing over links in these two recent malicious clickbait TDS readers sent to us. (Don’t include the brackets when using IPLocation. We use them to protect readers from accidental clicks.)

  1. Meet Beautiful Latin Singles!


     

  2. Free Medicare Health Insurance



    So…. Where in the world is Waldo if Waldo had clicked those links and infected his computer? To find out, scroll down to the answers below!



 

FOR YOUR SAFETY
2 Virus Detected on Your iPhone

We recently heard from a friend who had used Safari on her iPhone to visit some websites.  Suddenly, her browser was hijacked and took her to a website called aiinstallsprivatebest[.]club (say that 3 times fast!).  “(2) virus have been detected on your iPhone.”  The message went on to say that all hell would break loose and her digital world would come to an end UNLESS she clicked the button to “Remove Virus Now” in less than 5 minutes!  (A timer was counting down from 5 minutes to zero, as if the apocalypse was minutes away.)  We assured her it wasn’t and she had no viruses on her device.  In fact, if she HAD downloaded/installed their “app” she would have indeed been dealing with a digital nightmare!  By the way, that website, aiinstallsprivatebest[.]club, was registered anonymously in Panama on January 10th.

Delete!





 

Textplosion: Auto Insurance - You need to see this

The domain, jkt[.]gl, found in the link in this malicious text, was registered through Registrar EU in Brussels in April, 2020.  Exactly what you would expect of any legitimate American auto insurance company, right?


 

From 724-344-6641 we’re told that “someone” noticed an error in our unemployment claim.  Funny, we never filed for unemployment!  The link points to the malicious domain benefits-masss[.]live which was registered 3 days earlier anonymously in Canada.




 

ANSWERS to IP LOCATION QUESTIONS:

  1. Meet Beautiful Latin Singles! 185[.]144[.]29[.]69 is on a server in Moscow or Chelyabinsk, Russia!

  2. Free Medicare Health Insurance  103[.]151[.]168[.]10 is on a server in Dhaka, Bangladesh!

If you got both right, you just earned your first Cybersleuth Merit Badge!
 

 

Until next week, surf safely!


Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

