Copy
THE DAILY SCAM NEWSLETTER — OCTOBER 28, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 323


THE WEEK IN REVIEW

The Hyphen-Poopy gang is back with a vengeance! (For those unfamiliar with this moniker, the Hyphen-Poopy gang is a VERY active group of cybercriminals who use 2 random hyphenated words in the automated creation of their malware directories built as bear traps on crap websites to target us all.)  We saw many instances of their “fine” work last week and have included interesting examples in this week’s Your Money column.

We also heard from a young Nigerian 419 scammer who admitted to us that he tried to scam a school’s employees because he is desperate for money…. If you want to believe that line.  However, we want to show you examples of job scams that are popping up like whack-a-moles.  Especially the Car Wrap Job scam last week!  We’ve reported extensively on these scams, which are just another variation of the advance-check scam (i.e. here’s a check in advance, deposit it and quickly send a large portion of the money to back to the scammer as he pretends to be a vendor offering equipment/services for sale on behalf of the person who sent you the check in the first place. Himself!  The check will bounce after 5-7 business days, long after you’re wired your REAL money via untraceable means to the scammer.)  These scams are often set up on free web hosting services like Weebly.com.  We keep reporting them and they are taken down, but pop-up 2 days later with a different name.  This one was sent to us as a text from one of our readers. It came from 757-603-7110 as a random text to 14 people. 

The opening sentence of the Weebly page contains at least 4 grammatical and punctuation errors!  As they say, “the devil is in the details.”  Readers are informed “Red Bull shall provide experts that would handle the advert placing on your car.”  That’s absurd that you can’t place a magnetic decal on your own car and you can be certain that you have to pay for this service in advance with money that will be sent to you as a fake check.  Also “only apply if you get bank account.“ **hand to forehead emoji**





 

To learn about other recent package reshipping scam job offers, visit our most recent article about them!

Do you think you can tell real friend requests from Facebook imposters?  And do you think you understand the risks that come from connecting over social media with a Facebook Phony? Read our latest feature article about a woman we call Faith who was targeted by more than a dozen fake friend requests on Facebook!


Daily Scam Home Page

PHISH NETS
Spear Phisher Pleads for Money, USAA Bank & Netflix

Many employees at a Massachusetts school were targeted by a spear phisher last Spring as he opened an email account using the name of the Head of School and sent out requests to the employees for a “quick favor.”  No one fell for it and TDS tricked the scammer into revealing that he was located in Lagos, Nigeria.  Once again, this spear-phishing trick has targeted the same school.  Many employees received this email last week. It begins with an email created in the name of the Head of School but it is not her real email address...



Doug responded to “officeonline861” and at first said that he was happy to help.  The scammer responded by asking Doug to purchase gift cards for school employees, and to keep one for himself!  The next email would have asked for the identification codes on those gift cards so they can be cashed anywhere in the world, like Nigeria.  But Doug called him out as a fraud and a deplorable person for doing this.  The scammer actually responded to that!  He said he was 16 years old and had no money or work.  He was hungry and pleaded with Doug to send him some money.  Given this scam’s track record, we’re not inclined to believe him!


 

We would like to believe that anyone with a USAA Bank account who received this email would recognize that “juanitar” from Valornet[.]com is not the same as USAA Bank. After a “major upgrade” to their computer system, USAA Bank members are asked to login to verify their accounts.  Total BS!  The link “Click Here” points to a server in Jakarta, Indonesia.  Just as you would expect for a bank named after the United States of America, right?


 

This next email from “Your friends at Netflix” came from a tech company’s email account (or so it seems) called support.com.  That’s not Netflix.com!  The link to “reset your information” points to a server in Italy.  Buon viaggio!

 

YOUR MONEY
Reflex Mastercard and Translator Pros

We had never heard of a Reflex Mastercard but apparently it is a real thing.  Unfortunately, this email from the Hyphen-Poopy gang is not the real offer from Reflex.  It is sooooo important to read carefully!  This email was sent from the malicious crap domain “refex[.]work” rather than ReflexCardInfo.com.  Notice the 2-hyphenated words in the link: Bernardo-gleeful !  Anyone clicking on the link to become Pre-Qualified will be forwarded through refex[.]work to the VERY malicious website called Plazabest[.]com where malware awaits, jaws open.  By the way, refex[.]work was registered the day before we got this email and it is hosted on a server in Kujawsko, Poland. 

DEEEELEEEETE!
 









Since we’ve already been visiting Nigeria, Indonesia, and Poland, it might be helpful to use technology to help us translate our conversations with the folks in those countries.  How timely it is that we received this email for “Translators Pro!”  Though it looks like a nifty product for those who travel, clicking that link to “Learn More Now” will send you first to the crap domain crastor[.]cam (NOT “.com”) followed by a redirect to…. **WAIT FOR IT**  ….Plazabest[.]com!  Yes, this is another malicious clickbait from the Hyphen-Poopy gang!  Come on over to a server in Poland and step on into malware!  So much for trusting “day old domains.” 


(Many thanks to Vincent Le Moign for use of his shrug graphic!)







Daily Scam Home Page

 
 

TOP STORY
An Ocean FULL of Phish!

We saw soooo many phish in the sea last week that we need to devote our Top Story this week to them.  Bon appetit!
Anyone with a Chase Bank account or credit card account is at risk of getting phished.  Chase Members are heavily targeted by phishermen.  Let’s start with this lure from a Comcast account via Sendgrid.  Sendgrid has frequently been misused to target people and the Sendgrid.net link in this email to “protect your accounts online” is one example.  The Sendgrid link will forward visitors to a website that is anything but blissful called blissfulhomeng[.]com.  This website was registered by someone in Nigeria. This email seems lame but take a look below at the login page waiting for anyone who clicks the link.  It looks like the real Chase login page!

A big, fat delete!
 









This next Chase phish came from the domain leanpack-solutions[.]com, not Chase.com.  The email refers to unusual activity on your account.  You are asked if you made the purchase.  The links point to a hacked account for a West Festival web site in France. (Notice the 2-letter country code “.fr”) But it doesn’t stop there!  The site contains a redirect that will send visitors to a malicious website with a name that begins “OldsoldierHasGonetoHisGrave...”

A definite delete!
 





 

This next phish also came from support[.]com rather than Chase.com. If you look carefully at this email, you’ll see that the software tools used to generate it didn’t work properly because it is missing information meant to trick recipients.  This email sends victims to a Car Finder website in Bahrain called carsfinderbh[.]com. 



 

And finally, one of our readers sent us a species of phish we had never seen before!  This phish targets KeyBank Members. We don’t know who the real FROM address is but the link for “Verify Now” clearly points to a website that has been identified by multiple security services as malicious:  uncoded[.]dev.





Daily Scam Home Page

 


FOR YOUR SAFETY
UK Driving License Registration

This malicious clickbait targeted citizens of the United Kingdom.  (We don’t often see scams that only target people in Great Britain!)  This email pretends to be sent from a UK Government website for the DVLA (Driver and Vehicle Licensing Agency) concerning driver’s license registration. But the email came from a generic Hotmail account and the links point to a domain that says it was registered by Polliani Vineyards, supposedly of Mendoza, Argentina.  But the domain isn’t used by the vineyard, so far as we can tell.  Rather confusing, but one thing is certain… 

The domain, majykintl[.]com in this fraudulent link, is hosting malware waiting to infect citizens of the UK before forwarding them to the real UK government website!




Until next week, surf safely!

Forward to Friends

About Us
Contact Support
Manage Subscription
Unsubscribe


SUBSCRIBE


Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.


Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp