THE WEEK IN REVIEW
Late in December 2019, President Trump signed into law the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, or TRACED Act. The Act forced telephone companies to implement new strategies to reduce the overwhelming number of robocalls (mostly spam & scam calls) and to identify for consumers the calls that come through but are likely scams. From our unscientific and limited survey, we do believe there has been a reduction of unwanted calls, but scam calls are still a serious problem. Last Fall, each of us used to get 7-10 calls per week, on average. Now that seems to have dropped to 4-5 per week. But dangerous calls are STILL going to people’s phones and the scammers are STILL spoofing their caller IDs to look like Apple, Amazon, Microsoft and other customer service providers. (You can read more about the TRACED Act on the Consumer Reports website.)
Here’s a recent voice message that one of our readers sent us. Apparently, his social security number has been suspended. Of course, no such suspension is even possible! Our Social Security Administration doesn’t operate this way!

With the pandemic still raging across most of the United States, millions of Americans are still out of work and desperate for a paycheck. Scammers know this and that’s why we’ve seen an uptick in the number of employment scams targeting people via text and email. If you know someone who is out of work, please urge them to be cautious about job opportunities that arrive via email and are conducted without in-person meetings. If the ONLY contact is via texting/email, then it is absolutely a scam! Here’s a recent offer one of our readers received. The two most important “poker tells” identifying this as a scam (besides the lame content in the email) are:
- The email was sent from one email address but you are asked (or tricked) to reply to a different email address.
- The sender claims to represent SNC Production Medicines & Health Products. Co. Ltd. but Google finds no such company and the email came from the domain CambridgeSeals[.]com, a company that makes tamper-resistant seals!
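
The two tells above can be checked mechanically from a message's headers. The following Python sketch is an added example, not part of the original newsletter; the sample headers are constructed, and the `hr@` mailbox and the Reply-To address are made-up placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modeled on the job offer described above.
# The "hr@" mailbox and the Reply-To address are made-up placeholders.
SAMPLE = (
    'From: "SNC Production Medicines & Health Products" <hr@cambridgeseals.com>\n'
    "Reply-To: recruiter@mailbox.example\n"
    "To: reader@example.org\n"
    "Subject: Job offer\n"
    "\n"
    "We would like to offer you a position.\n"
)

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()

def header_tells(raw_message):
    """Return the tells found in one raw message, as a list of labels."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg["From"] or "")
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    tells = []
    # Tell 1: replies are steered to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        tells.append("reply-to-mismatch")
    # Tell 2 (crude heuristic, an assumption of this example): no word of the
    # claimed company name appears anywhere in the sending domain.
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", display_name)]
    if words and not any(w in from_domain for w in words):
        tells.append("name-domain-mismatch")
    return tells

if __name__ == "__main__":
    print(header_tells(SAMPLE))
```

Legitimate mail sometimes sets a Reply-To on another domain (mailing lists, ticketing systems), so a hit is a reason to look closer, not proof by itself.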

Finally, we wanted to raise awareness amongst readers that sometimes phishing emails are not about gaining access to your account. They are looking for potential victims who are simply gullible enough to click a link. Take this recent email about a Facebook user login attempt. This email certainly didn’t come from Facebook.com! Clicking the link would send a confirmation of that click to 15 different email accounts in at least 7 countries around the world, including Russia, United Arab Emirates, and Kazakhstan:
Sales @ stanforduni.com, admin @ massachusettsins.co.uk, irosky @ e-irosky.me, harvarduni @ harvarduni.org, univ @ univofcambridge.eu, edu @ univofoxford.com, ederalex @ yandex.ru, fabianeder @ yandex.ua, doae.eder @ yandex.kz, diyaeeder @ yandex.by, evereder @ yandex.com, even.eder.92 @ mail.ru, ederalex12 @ yahoo.com, e.pui @ aol.com, and valveeder @ gmail.com.

Daily Scam Home Page
PHISH NETS
American Express, PayPal, Wells Fargo Bank, Stripe Banking Service and Netflix!
Last week’s seas were FILLED with phishing scams! Let’s start with this bogus security update that seems to be from American Express. The email came from “alerts-verification[.]com.” This domain was registered anonymously last month on July 6. The link points to a website called cigaratsupport-usa[.]com.

One of our readers sent us this phish he received. It’s pretty easy to tell it really isn’t from PayPal because NOTHING in the FROM section says PayPal. Poor grammar and different font sizes in the same sentence should also make readers suspicious that this isn’t what it appears to be. Most importantly, a mouse-over of “Resolution Center” shows that you won’t be sent to paypal.com!

Another longtime TDS reader sent us this phish pretending to be from Wells Fargo Bank. It is very easy to see that this is a fraud! In case it wasn’t obvious from the domain revealed by mousing-over “VERIFY HERE,” it points to a website registered and hosted in China.

We had never heard of the online banking service called Stripe until a TDS reader sent us this phish. Once again, the email didn’t come from stripe.com and the links don’t point back to stripe.com. Fortunately, VirusTotal.com told us that two services identified the link in this email as phishing/malicious.


Some cybercriminals were hell-bent on targeting Netflix account holders because they created at least two different phish to target victims. Check out both of these Netflix phishing emails below. They obviously didn’t come from Netflix.com and the links don’t point back to Netflix.com.
Delete, delete, delete!


YOUR MONEY
Fidelity Life Insurance and Time to Restock Your Wine Cellar!
It seems that almost every week we lament that cybercriminals use stolen graphics and information from real businesses in order to create malicious clickbait to try to infect your computer with malware. Here are two well-known and very different companies that have fallen prey to this misuse recently.
Fidelity Life Insurance is real but this email came from the domain routerx[.]cam (not .com!) This domain was registered just hours earlier! Notice the 2-hyphenated word directory at the very end of the malicious link: pleads-involuntarily. We’ve written MANY times about the very active cybercriminal gang that uses random hyphenated words in their directory structure when setting up malicious links. This topic was the subject of our Top Story in our July 24, 2019 newsletter. (scroll down to Top Story)

The same cybercriminal gang very likely created this malicious clickbait with the subject line “No Need to Go to the Store.” This did NOT come from splashwines.com! Links point back to presplsh[.]cam (not .com, just like the Fidelity email above) which was registered on the day this email was sent and is being hosted on a server in Amsterdam. Note the 2-hyphenated words in the link! ‘Nuf said!
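
The link tells described in this section (a host that is not the claimed sender, a .cam domain, and a final directory made of two hyphenated words) can be combined into one check over an email's HTML body. This Python sketch is an added example, not part of the original newsletter; the hosts and the `pleads-involuntarily` directory come from the text above, while the rest of each URL, including `sample-words`, is a constructed placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body. Hosts and "pleads-involuntarily" are from the text
# above; every other part of these URLs is a made-up placeholder.
SAMPLE_HTML = """
<a href="http://routerx.cam/placeholder/pleads-involuntarily">Get a quote</a>
<a href="http://presplsh.cam/placeholder/sample-words">Shop wines</a>
<a href="https://www.splashwines.com/offers">Splash Wines</a>
"""

# Final path segment that is exactly two lower-case words joined by a hyphen.
TWO_WORDS = re.compile(r"^[a-z]+-[a-z]+$")

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_matches(host, expected_domains):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected_domains)

def link_tells(html, expected_domains):
    """Map each suspicious link to the list of tells it shows."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href in collector.hrefs:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        tells = []
        if not host_matches(host, expected_domains):
            tells.append("host-not-claimed-sender")
        if host.endswith(".cam"):
            tells.append("cam-tld")
        if TWO_WORDS.match(parts.path.rstrip("/").rpartition("/")[2]):
            tells.append("two-hyphenated-words")
        if tells:
            report[href] = tells
    return report
```

Two-word hyphenated path segments are also common on legitimate sites, so that tell only carries weight alongside the other two.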

TOP STORY
Texting Mayhem!
Though robocalls may have decreased by 40% or so, we and many of our readers have been seeing an increase in scam or questionable texts to our smartphones! Here are just a few examples of some of this texting mayhem to make our point…
1. “Anamul tried to log into your Facebook account.” (as in an “animal?” A zebra, perhaps?) One of our readers received this as a text associated with an email domain that doesn’t exist: fhsgmmxxqopwqnenezbheiqaxsixux[.]us. Of course, the recipient did the right thing and didn’t respond! Even responding with “unsubscribe” can be dangerous with malicious texts!

2. “Do NOT EAT these 3 things or your will Fail at dropping that Unwanted Fat”
What most bothers the woman who sent us this screenshot is the fact that she is trying to lose weight. As such, she’s been searching for information on the Internet and also signed up with Weight Watchers. Not long after starting this effort she began to get these malicious texts every other day. She’s smart enough to know that the links are malicious and she deletes the texts. However, she wonders HOW scammers came to learn about her effort and interest in losing weight and therefore target her with this clickbait. (Perhaps she has tracking links saved in her browser.) The most recent exposure of Weight Watchers account holder information came from an accidental exposure in 2018, as described here on Gizmodo. There is no known breach since then but that doesn’t mean it hasn’t happened. This text came to her from 657-436-2713. Each text is from a different phone number. This link points to a crap domain sIwi[.]xyz registered in China back in 2015.

3. “You left an item in your cart”
Another TDS reader has been getting oddball notifications via text that he left items in his cart. He didn’t! This first one pointed to the odd domain called kinsters[.]info. This domain was registered in Panama anonymously on April 29 and Google knows nothing about it!

Two days later, the same person received another similar text but this time the link pointed to the domain tredsu[.]info, which was also registered anonymously on April 29 in Panama. What is also bizarre is that searching Google for either of these odd domains will return as the top-place result a link to a domain called strephuh[.]com. Google knows nothing about this domain either and it was registered in November, 2019 anonymously in Panama. Step away from this cliff and NEVER reply STOP to opt-out. You are just confirming to these scammers that you are there.

4. “Share your thoughts in this survey”
Finally, we have a very questionable text sent to a woman whose name is NOT “Katherine” from phone number 844-958-2024. The woman is a Massachusetts resident and this is obviously an election season. HOWEVER, the sender doesn’t identify him/herself or the sender’s organization. This link will redirect the woman to another domain called opinions-survey[.]com. However, Google knows nothing about either of these domains (link in text: rtxt[.]co) or the phone number the text came from. This text feels really sketchy. Clicking the link will open a page that says it is a “Massachusetts Opinions Survey” followed by the message “Welcome. First, we are not selling anything or asking for money. We are a public opinion research firm and would like to ask your opinion on some issues facing Massachusetts. Your opinions are completely confidential.” But NO marketing company is named nor ANY information about the people collecting this information! Even IF this is legitimate, we think any responsible organization would identify itself! We don’t recommend clicking the link and providing any information whatsoever to these anonymous people. Keep in mind that the link contains an identifying code that can likely be tracked to the phone number that received it, clicked and answered the questions.

FOR YOUR SAFETY
Zuckerberg's Wife Confirms Rumors
Back in 2016 and 2017 we published many stories about how cybercriminals LOVED to use certain words like “shocking” as clickbait to trick recipients into clicking malicious links. The use of those words as clickbait quieted down for the last year. Here is a recent classic example of this junk. The subject line is “MarkZuckerberg’s Wife Drops Bombshell” followed by the opening headline “Mark Zuckerberg’s wife confirms the rumors: Her Shocking announcement makes family furious!” Yeah. Whatever. Don’t let scammers manipulate you with crap like this. It would be shocking, to say the least.
The domain PromiseObese[.]com, used in this email, was registered on June 21 by someone who included an address in New York that doesn’t exist. The link will forward you to another domain called NewsHealthReport[.]com. This second domain was registered on July 20 by another man who listed an address in North Carolina that also doesn’t exist. ‘Nuf said!

Until next week, surf safely!