THE DAILY SCAM NEWSLETTER — SEPTEMBER 9, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 316


THE WEEK IN REVIEW

In last week’s newsletter we informed readers that cybercriminals were misusing our name and content in order to poison Google searches.  Their intent is to trick anyone looking for our name, or one article in particular about Amazon Customer Service scams, to find and click a link to malicious websites instead of TheDailyScam.com.  We believe that a criminal gang from India is most likely responsible for this poisoning because we know that they are MOST responsible for the Amazon scam.  And so it makes some sense that they would want to sow mistrust of links related to this article.

Sadly, this type of search engine poisoning has continued since last week.  For example, between September 1 and 4, cybercriminals posted the same content and reference to our website on 12 more websites.  Nine of these 12 were registered in the last 1-4 days through OVH.com and sit on servers in Italy.  These malicious domains are:

Pqbh.cloeparrucchieri[.]it (Registered 9/3/20)

Cop.mimmoscogna[.]it  (Registered 9/1/20)

mlhz.totalcomputerstore[.]it (As in “Total Computer Store;” Registered 9/3/20) 

Cezk.pluripremiatotrio[.]it (Registered 9/4/20)

Rmyk.quantocostaunimpiantofotovoltaico[.]it (Registered 9/3/20; oddly, this domain name is Italian for “How much does a photovoltaic system cost”)

Wlaj.edilmersrl[.]it (Registered 9/3/20)

Qeas.sediliwc[.]it (Registered 9/3/20)

Also misused were these websites/links:

ibuildcourses[.]com/ blj7f/ fake-utility-bill-for-amazon[.]html

devshabir.ahmadwaqas[.]com/ 0lgdbvcu9r/ dummy-mobile-number[.]html

vegetablemandistorecom.000webhostapp[.]com/ cimm4/ fake-utility-bill-for-amazon[.]html

We continue to urge our readers to be cautious about links they find online. Look to see WHERE they point BEFORE clicking.  If the link contains an oddball name, or points to a 2-letter country code and you are not expecting to visit another country, don’t click! To find us, the safest link to click will ALWAYS begin with https://www.thedailyscam.com/



It’s not just The Daily Scam that cybercriminals are targeting with poisoned content.  For example, we found oddball content on 30 subdomains of the website named cloeparrucchieri[.]it.  ScamAdvisor lists the “trust score” of this website at 10% and says that this website “has been identified for the violation of intellectual property rights.” THEY GOT THAT RIGHT! (A subdomain appears in front of a domain name and is separated from it by a period, e.g. azlo.cloeparrucchieri[.]it.  The “azlo” is a subdomain of cloeparrucchieri[.]it.)



Adding insult to injury, MOST of these websites in Italy appeared to contain completely bogus apparel, footwear or sunglasses stores!  Check out this screenshot posted by WHOIS.sc for the domain TotalComputerStore[.]it. (We guess they think “why bother wasting our time and money on just one scam?  Let’s put up fake stores while we have the websites!” Very efficient of them.)


 

Onto another subject… In the last 4 weeks, two artists have contacted us to raise our awareness about a scam that has been targeting artists for at least 6 years. It’s just another variation of the advance check scam.  Check out this email from “Russell.”   We found this exact email, and many similar scam emails, on the website JimDoran.art in his article “The Art of the Scam” where you can find this scam explained in detail. Also, this scam is detailed in this blog post by Lena Rasmussen.


 

Finally, do you think you can tell a REAL bank’s website from a FAKE scam bank website?  Check out these 3 banks.  Which one do you think is the fake?  Our answer is at the bottom of our newsletter!  Good luck! (NOTE: We used several tools to assess the risk of clicking the fake site and did not find any malware on the website for the scam bank.  We have visited this web page multiple times.  However, this is not a guarantee of future risk. Hence we have to say… Click at your own risk.)

   https://asiapacificnational.com/ (Asia Pacific National Bank)

   http://www.apdib.com/?l=en-us (Asia Pacific Investment Bank)

   https://www.ocbc.com/group/group-home.html (OCBC Bank in Singapore)

 

Daily Scam Home Page

PHISH NETS
Office 365 Password Reminder, Amazon and Apple Accounts

The appearance of this first phish needs some explanation.  Scammers often use various tricks to try to get past anti-spam filters.  The email, which appears to have come from a website in Germany (“.de” = Deutschland = Germany), shows the numerical sequence “389” repeated over and over.  It seems bizarre until you understand that ALL the 389 numbers were white text against a white background to make them invisible to the reader!  Breaking up a sentence this way makes it harder for some anti-spam filters to see through the fraud.  What remained visible was “Password for [EMAIL REDACTED] expires today.” and “You can change your password or continue using current password.”  The link “Keep Current Password” pointed to a hacked website in Mexico.  ¡Eliminarlo!
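For readers who filter or triage mail, here is an added example (not part of the original newsletter) of how the white-on-white filler described above can be separated from what the recipient actually sees. It assumes a white message background and inline colour styling; the sample HTML and the address user@example.com are constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: the message background is white, so white text is invisible.
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
VOID = {"br", "img", "hr", "meta", "input", "link"}

def _style_color(style):
    """Return the 'color' value of an inline style (not background-color)."""
    m = re.search(r"(?:^|;)\s*color\s*:\s*([^;]+)", style or "", re.I)
    return m.group(1).strip().lower().replace(" ", "") if m else None

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = [False]            # True while inside a white-text element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        color = _style_color(a.get("style")) or (a.get("color") or "").lower() or None
        # An explicit colour overrides the parent's; otherwise it is inherited.
        self.stack.append(color in WHITE if color else self.stack[-1])

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self.stack[-1] else self.visible).append(text)

def analyze(html):
    """Return (text the reader sees, share of characters that are hidden)."""
    f = HiddenTextFinder()
    f.feed(html)
    hidden_chars = sum(len(t) for t in f.hidden)
    total = hidden_chars + sum(len(t) for t in f.visible)
    return " ".join(f.visible), (hidden_chars / total if total else 0.0)

# Constructed sample modelled on the message described above.
SAMPLE = ('<div style="background:#ffffff"><span style="color:#ffffff">389</span>'
          'Password for <span style="color:#FFFFFF">389 389</span>'
          'user@example.com expires <font color="white">389389</font>today.</div>')
```

A high hidden share in a short message is a useful signal on its own, and the recovered visible text is what content rules should be matched against.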



 

It’s too easy to quickly misread this next phish as coming from Support at Amazon rather than the reverse!  “Support[.]com” is NOT the same as Amazon.com!  The domain always follows the “@” symbol!  Anyone can create an email with whatever name they want in front of the “@” symbol.  The link in this phish points to a website in the European Union (“.eu” = European Union; this is one of the few exceptions to the rules about 2-letter country codes.  European Union is a regional group of countries.)





This phish may say it is from “iCloud services” but look what follows the “@” symbol!  We’re sure everyone can guess what country this email came from!  As in previous recent newsletters, the link points to a phishing site on Snip[.]ly.  By the way, it’s important to point out that neither Apple nor any other service will ever tell you that your account will be disabled if you don’t unlock it in 24 hours!  This is a behavioral engineering trick.

Deeeeleeeete!
 


 
 

YOUR MONEY
"I Need a favor" and USPS Survey

One of our longtime readers received an email from an old friend he knows well.  The man recognized his friend’s email address immediately but, when he clicked to "Reply" he noticed that his answer would have gone to a DIFFERENT email address at a website called macovn.net.  A WHOIS lookup tells us that this domain was registered on August 12. Google sees it but knows nothing about it.

The friend writes “I need a favor from you…”  If you Google the phrase “I need a favor from you” followed by “scam” you’ll find LOTS of websites describing this fraud.  Our biggest concern for the TDS reader’s friend was that it was very likely his email account was hacked.  The hacker probably contacted all of the person’s friends and relatives with the same pitch! (Using his contact list.)
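The two header checks this newsletter keeps coming back to (where a reply will really go, and whether the domain after the “@” matches the name the sender claims) can be automated. The following is an added example, not part of the original newsletter; the addresses, the support.example domain and the brand list are constructed, and only macovn.net comes from the story above.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Return the lower-cased domain after the '@' in an address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def same_site(d1, d2):
    """True if the domains are equal or one is a subdomain of the other."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)

def check_headers(raw, expected_brands=None):
    """Return warnings for one raw message.
    expected_brands maps a claimed name to the domain it should come from."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claimed = (name + " " + addr.partition("@")[0]).lower()
    from_dom = domain_of(msg.get("From"))
    warnings = []
    if msg.get("Reply-To"):
        reply_dom = domain_of(msg["Reply-To"])
        if not same_site(from_dom, reply_dom):
            warnings.append(f"reply goes to {reply_dom}, not {from_dom}")
    for brand, real in (expected_brands or {}).items():
        # Anyone can put any name in front of the '@'; only the domain counts.
        if brand.lower() in claimed and not same_site(from_dom, real):
            warnings.append(f"claims {brand} but sent from {from_dom}")
    return warnings

# Constructed samples. BRANDS is a hypothetical allow-list.
BRANDS = {"Amazon": "amazon.com"}
FRIEND = ("From: Old Friend <friend@example.com>\n"
          "Reply-To: Old Friend <friend@macovn.net>\n"
          "Subject: I need a favor from you\n\nAre you free today?\n")
PHISH = ("From: Amazon <amazon@support.example>\n"
         "Subject: Account notice\n\nPlease verify.\n")
LEGIT = ("From: Amazon <order-update@amazon.com>\n"
         "Subject: Your order\n\nShipped.\n")
```

A Reply-To mismatch is not proof of fraud by itself, since mailing lists and help desks use it legitimately, so treat the warnings as a prompt to verify by phone as the reader in this story did.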


 

Assuming that the man’s email account was hacked, he should immediately do the following:

1. Change the password to his email (AND on every other account to which he uses that same password)

2. Go through his email account settings to see if the criminal set up a backdoor to get back in or forward emails; this is often done as a forwarding address to send email updates/changes to and it will likely look SIMILAR to his existing email.

3. Put contacts on ALERT!  Send an email to all contacts (friends/family) and inform them that they may have been contacted by someone pretending to be him and asking for money.

4. He should look through his deleted emails to see if anyone manipulated or tried to access other accounts because ALL ROADS lead back to email! If he finds any evidence that someone tried to access another account, he needs to respond accordingly. The criminals try to hide their tracks by deleting emails generated by their activity.

5. He should contact his bank, financial institutions, credit card companies, etc. and put them on alert for suspicious activity.

Dealing with a hacked email account can be a major headache!  If, on the other hand, someone simply spoofed his email address to make it look like it came from his account, then he needs to do #3 above.  Were it me, I would email the scam artist myself using the “Reply-to” address and put him on notice that all my friends and family have been warned!

NO ONE is immune to the malicious clickbait disguised as a quick survey to receive a reward or money.  Not even the United States Postal Service!  Check out this email that was sent from li3wajngadoh[.]com.  This crap domain was registered in Panama anonymously on August 19.  Congratulations!  You’ve been selected to have your computer infected!


 
 

TOP STORY
Jenzaa Has a Severe Problem


Jenzaa.com claims to be a blog about “Financial Tips,” housing and “government resource programs.”  However, we believe they have a serious credibility problem and it has only been made worse this year by cybercriminals. Since the Spring, cybercriminals have sent out thousands of malicious emails disguised as being sent on behalf of Jenzaa.com.  We also want to point out that the Jenzaa domain was registered in early October, 2019 as a new blog.  However, we can’t find any information about ownership or authorship for any of the dozen articles we visited!  The author is simply “Jenzaa.”  Who is Jenzaa? What gives them the authority to write about the topics they cover?  Is the blog written by a 10th grade high school student who took a class in economics?  Is it written by a savvy business doctoral candidate from Harvard University? Or is it written by a scammer in China? No one can tell... not from the WHOIS registration, nor from the “About Us” page on their website containing just 2 short sentences. (see screenshot below taken 9/6/20.)  It’s like mystery meat. Does this give anyone confidence that they offer sage advice? We are not calling this website a scam site. We’re only pointing out that it is impossible to evaluate their credibility.  ScamFinance.com also says they have a credibility problem because they “lack transparency” and say that “it seems as if the actual creators or owners are trying their best to operate from the shadows and obviously it is not a good sign.”



And making matters so much worse are the VERY malicious emails hitting people’s inboxes.  Other scam-reporting sites have lots of complaints about these emails. Many people think they are coming from Jenzaa.  Check the comments posted on Scampulse.com since the Spring!  One example is this email that came from the domain hillowpatty[.]com but pretending to be from Jenzaa about a $1000 Bank of America offer.  Mousing-over “Start Now” reveals a long link to a website called agntrckr[.]com.  It is a VERY clever ploy to make it seem like this is a market tracking service.  However this domain was registered on July 9 and is being hosted on a server in Western Germany.  It is 100% malicious and our tools have demonstrated multiple times that malware is lying in wait!  (Also, a critical reader will notice that this email is signed as “Affiliate via Jenzaal” instead of Jenzaa!)





 

NOTE: In domain names, the domain appears just before the “.com” in this case.  The “track” that begins this malicious link is a subdomain.  ANYONE can create a subdomain that says anything they want.

Did you notice in the Sucuri analysis above that visitors will automatically be redirected to another website called promotionsonlineusa[.]com?  Do not visit this website!

Here’s another malicious clickbait example that came from brandedgar[.]com, not Jenzaa.com.  Recipients are told they can “earn $750 deposited directly to your Cash App account.”  Total malarky!  Once again, “Start Now” points to the same malicious domain - agntrckr[.]com.  Again, visitors will be redirected but this time to a similar sounding website called surveysandpromoonline[.]com.  SurveysAndPromoOnline[.]com has been found to be a scam phishing site. It was registered on August 3.






Another TDS reader sent us the exact same malicious email as the one above but it came from a different source: trainscharlotte[.]com.




As we said, Jenzaa has some “‘splaining to do!” (And despite what we all may think, that line was never exactly said by Ricky Ricardo to Lucy on the show “I Love Lucy,” according to multiple websites including METV.com.) But more than that, Jenzaa SHOULD post a warning FRONT and CENTER on their website to inform readers about these malicious emails.  Hey, they can take our warning to readers posted on our front page about search engine poisoning as an example!

 


 


FOR YOUR SAFETY
OneDrive Completed: Invoice Statement

This last email was particularly dangerous for several reasons.  First of all, it was sent to the safety officer for an industrial company by the legitimate email account of a company they do business with.  Thankfully, the safety officer was very suspicious and asked our opinion.  We told her not to trust the email and to call the woman who sent it to check.  We said this because….

1. It claims to be an invoice.  What's so private or difficult about attaching an invoice?  Why should it be posted online requiring a login and download?

2. The link points to mybluemix.net, a domain set up and owned by IBM back in 2014.  And yet, a screenshot showed us that she will be asked to log into a Microsoft Outlook server account in order to get into that link. This doesn't make sense... IBM and Microsoft are competitors.

The safety officer called the sender and learned that her email account had been hacked!  These malicious emails were likely sent to hundreds of contacts!  It pays to be skeptical!


 

Want to know what the fake bank website is of the three listed above?  Read our article about it!

Until next week, surf safely!


Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.

