Copy
THE DAILY SCAM NEWSLETTER — OCTOBER 21, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 322


THE WEEK IN REVIEW

Leeches.  Without using expletives, that’s the best term we can use to describe the people that prey off of others across the Internet.  These leeches don’t care if their victims are old, young, struggling, sick, living paycheck to paycheck, or are unemployed.  These cyber leeches just lay out virtual bear traps or land mines, hoping that the target will make a mistake.

Several people have given us a small window into their daily experiences and it is exhausting to see how many malicious texts, emails, and phone calls they get EVERY DAY from cyber leeches.  We’ve devoted this week’s Top Story to a sample of the threats that targeted a husband and wife over the course of last week.  

With so many Americans out of work and hurting, as well as businesses weakened or closed by the pandemic, it should come as no surprise that TDS readers are reporting a record number of scam job offerings or sketchy invitations from oddball money lenders.  One man recently reported having a text-based interview recently with an HR Manager from Comcast for a remote job position.  As “proof” of his HR position with Comcast, Mr. John Ennis took a picture of his Comcast ID and sent it to the man he was scamming…. Er, we mean interviewing.  Enlarge this picture and look VERY closely at it.  Can you spot the two spelling errors that give this ID away as a complete fraud?


Daily Scam Home Page

PHISH NETS
PayPal, Chase Bank, and "Change My Account"

In the continuing explosion of fake emails about fake purchases, we offer this email from “Online PayPal Receipt.”  Except it clearly didn’t come FROM paypal.com!  It came from someone’s personal Gmail account.  This email claims that “you have authorized a charge of $499.95 to Cryptocurrency Exchange INC (Annual Subscription)” [Never mind that there is a bizarre reference to a Netflix email contact!]  But don’t worry.  You can call the “PayPal customer service toll-free +1 209-813-1985.”  Except that is NOT Paypal’s customer service number!

It is a scammer’s phone number!



In last week’s Phish Nets column we informed readers of a new record set when 18 online security services identified a domain as malicious.  This SUPER-malicious domain is back!  This time the domain gov[.]ly is being used to host a phishing scam made to look like an email from Chase Bank. 



Do you know what the term “spear phishing” refers to?  It refers to a phishing attack being directed against a particular person or position.  Earlier in October we heard from someone at a school who reported a spear phishing attack had been directed against their school’s business office.  An email, created through an oddball domain fast-telex[.]com and using the name of a math teacher, was sent to the business office with a simple request.  The “mathematics teacher” was requesting that the business office change the account used for auto-depositing his payroll.  We’re thrilled to report that the business office employee didn’t fall for this obvious fraud.

 

YOUR MONEY
Your Order Has Been Placed, Get a PayPal Gift Card, and Costco Promotion

One of our regular contributors sent us this email which informed her that “Your Order ID OD114035796168 Placed Successfully.”  Except that she hadn’t placed any such order with a website called artmobworld[.]com.  Thankfully she didn’t click that link!  The Zulu URL Risk Analyzer had no problem identifying that link as malicious.  ArtMobWorld[.]com was registered in India and is hosted on a server in Germany.

DEEEELEEEETE!






How would you like to receive a $1000 Paypal gift card! According to this email, it is being offered for free. (Like Paypal or any company would do that??)  You all know how this goes!  100% malicious clickbait!  The email came from epiclaught[.]info which was registered in Morocco on September 5th.  Lunge for the delete key!



As long as the free money is flowing, why not get $500 from a Costco promotion?  Oh, if only these malicious clickbait were true!  This one came from the oddball domain gomerrygoround[.]com.  The links in the email pointed to hotelsgreat[.]com. This domain is for sale and was registered many years ago…. In India.  ‘Nuf said.


 

Daily Scam Home Page

 
 

TOP STORY
Feel My Pain!

As we said at the opening of this newsletter, a husband and wife decided to share their weekly pain with us and we’re grateful for their effort.  Their effort enables us to help educate our readers!  Let’s start with one of several voice messages received by the husband.  It is our experience that scam/spam callers rarely leave messages on our phones anymore if we don’t answer.  Not so for this man!  Here is a call transcript he sent us in which someone is threatening his arrest.  He was instructed to call back 415-969-3165 and provide the last 4 digits of his social security number. This phone number has been reported as a social security scam multiple times on YouMail.com last week.
 



Not to feel left out, the wife received this voice mail the very next day about the same social security scam.  She was asked to call 415-969-5865. There are several scams posted to YouMail.com that use this phone number.
 



On the same day, the husband also received this text from 332-600-2587 informing him of “FEDEX: shipment 74199 notification - shipped!”  The link pointed to a website, c7fsv[.]info, that was registered hours earlier and hosted on a server in Hong Kong. No doubt, there is malware waiting on that server intended to infect phones.


A few days later the fellow received yet another text stating an update of his FEDEx parcel 30315, but from 347-331-8897.  Except this time the link pointed to a website called e1fcb[.]info.  This domain was registered the day before he received this text and is also hosted on a server in Hong Kong.



In the meantime, his wife received this random text offer for reduced car insurance.  It came from 651-371-9975 and contained a link to the domain tnpfwvn[.]com. This domain was registered in Panama on October 11 and is being hosted on a server in France.  Sounds like a good old-fashioned American car insurance company, right?  Especially with an offer of $39/month!  We don’t think you can insure a sit-down mower for that money!  By the way, you’ll see that the woman was invited to “Reply END to unsubscribe.”  NEVER do that with scam texts!  It only confirms to the scammers that you pay attention to their texts and so they will send more!



In the meantime, the husband gets another lovely voice message on his phone. This time from “Jen Rivera” calling to say that the fellow is pre-approved for a $52,000 loan.  He’s asked to call her at 888-891-2172.  We found lots of people on 800notes.com complaining that this was a scam because they all had received pre-approval for a $52,000 loan from Ms. Rivera but none of them had applied for a loan!  We also found this phone number associated with a loan service located at creditservices[.]cc (domain regisered in the Cocos Islands).  This domain was registered about 10 months ago but what was MOST concerning was the fact that both the Zulu URL Risk Analyzer and Virustotal.com found malware sitting on that website on the very web page about personal loans.  I guess you can’t believe everything you read, including what came back from a Google search for this personal loan service… “Credit Services is the leading personal loan service provider.” Perhaps it should read “Credit Services is the leading personal loan service malware provider.”


 

We’ll close out this snapshot of pain with a final text, sent again to the husband at the end of the week, saying that his package was returned to the warehouse.  The text was asking him when he wanted them to try to deliver it again.  This time the link pointed to a website called yourpackage[.]info.  This to-the-point domain was registered just two days earlier on October 15 in Panama and was being hosted on a server in Hong Kong. The website OnlineThreatAlerts.com posted this particular text as a scam on the same day the man received it. The man, thankfully, never clicked on any of these links. ‘Nuf said.  

Keep in mind that all of these are just a sample of the scams and malicious messages sent to this couple over the course of a week.  They are both pretty fed up about it all.

We feel your pain!

Daily Scam Home Page

 


FOR YOUR SAFETY
Confidential Data File

One of our regular readers works for a utility-related company.  She sent us this email that came to her from India (note the FROM address is “houseofhostings-DOT-in” where the “.in” means India).  The email referenced “confidential data” and “crucial paperwork.”  It included a link to a Google doc that we confirmed was a legitimate link.  And so we visited that Google doc on her behalf...






The Google doc contained a link informing the visitor to “Click here to download the document The file has been scanned: Safe.”  DO NOT BELIEVE THIS CRAP!  Anyone can say this in a Google doc!  The link redirects from Google to a crap domain called securefiles[.]top.  This domain was registered just 2 days earlier in Finland and is hosted on a server in England.  Virus Total tells us that 3 different services have identified this link as malicious! (See screenshot below.)




Until next week, surf safely!

Forward to Friends

About Us
Contact Support
Manage Subscription
Unsubscribe


SUBSCRIBE


Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.


Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp