THE DAILY SCAM NEWSLETTER - NOVEMBER 13, 2019
Executive Editor: Doug Fodeman | Designed by Deutsch Creative


THE WEEK IN REVIEW

We are often amazed by, and thankful for, how easy it is to expose online fraud if you know a few simple but important tips on what to look for.  This includes looking at domain names, recognizing 2-letter country codes, and applying a little common sense! Take this exceptionally lame email notifying the recipient that he had won $2 million from Microsoft.  But to claim his prize he was asked to contact someone named Franklin Edward at an AOL email address! (It’s easy to poke another dozen holes in this email but we’ll leave it at that.)




In this next recent example, we were told we had won a million dollars through a Visa lottery.  That would be exciting except that the email was sent from Chile, which raises serious questions about the authenticity of this claim!  Also, in order to claim our prize, the attached pdf told us to contact the Visa office through their email address of visa_lottery@yahoo.com.  A Yahoo email account to contact Visa.com? Anyone can create an email account with any name in front of the “@” symbol.  Creating an account called “visa_lottery” doesn’t make it real! The award pdf also told us we could call their office at the phone number 832-529-6486.  However, when we conducted a Google search for this phone number we found MULTIPLE reports of this number being used in scams, including a Visa lottery scam that was reported back in April 2016!  (View PDF file announcing the details of our Visa lottery award.)



NOTE: One of our readers contacted us, wondering if all of our readers knew that you can enlarge nearly all the graphics that appear in our newsletter by clicking on them.  Did you know that?


 

Learning to pay attention to these details can go a long way to better protect yourself online!

 

PHISH NETS

The real Amazon would never, ever send an email saying “Hello Dear Customer, We have faced some problems with your account, So Please update your account details. If you do not update your account within 24 hours (from opening this email) will be officially permanently disabled.”  Who talks like this? We count at least four grammatical and capitalization errors in the short paragraph, not including the awkward English in the opening sentence.

Once again (**sigh**), cybercriminals have managed to misuse a link to Outlook.com by having it redirect to a hacked website in Denmark called ah-modegarn.dk.  It’s also important to note that Amazon uses online services called “AWS” (Amazon Web Services) that are available through their subdomain aws.amazon.com.  But this email came from an AWS Amazon malicious mimic… cs-awsservice87692[.]com.  You can see from the screenshot of a WHOIS lookup that this malicious mimic was registered in Japan by someone identifying him/herself as Bujang Inam from Fukuoka, Japan.  According to several websites, including Urban Dictionary, the name Bujang Inam actually translates to f**** you.  That’s certainly not Amazon!





 


YOUR MONEY

There is a website called PianoForAll.com that teaches people a method for learning piano chords and how to play.  This next email WANTS you to think that it is related to this educational website, but it is just another wolf in sheep’s clothing.  It is a malicious mimic. The email was sent from slawnick[.]info and links point back to a file at this same DOT-info site.  But you would never know it because, as the Zulu URL Risk Analyzer shows in the screenshot below, you’ll hit slawnick[.]info and then be redirected to the real pianoforall website.

Check out the WHOIS results for slawnick[.]info we’ve posted below.  That domain was registered by someone from India just a day before this email was sent.  We STRONGLY believe that when you arrive at this website, your browser will be hit with a malware script or download before being sent to the real pianoforall website.   Another interesting note… we wrote about this EXACT SAME SCAM EMAIL back in November 2017. At that time we also found bread crumbs that pointed to a cybercriminal gang in India.  Take a look at our Newsletter from November 29, 2017 and check out the Your Money column!








 

Do you think you know BS when you see it?  Any email that claims to reveal the secrets of how to make money has GOT TO BE BS!  Check out “Time Casino Winner Shocks the World…Reveals All!” This lame-O email points to the domain casinodestroyerr[.]icu.  That’s right, DOT-icu, as in “intensive care unit.”  (You can thank ICANN, that wonderful overseer of domain names, for this global top level domain (gTLD) called DOT-icu.  It is now one of about 1500 gTLDs released since 2013.)

This email, showing a pile of money in front of a professional poker player named Jamie Gold, claims to have insider secrets to get better odds in Poker.  Yeah, and we know the secret to staying safe online…avoid emails like this one claiming to have the “secret” to anything! (According to a reverse image search, this photo may be from a 2017 tournament game Jamie Gold had won.)  The intentions of this email are clearly malicious and, like the piano mimic above, this email will send you to a domain that was registered on November 8, 2019, using a privacy service in Panama… just hours before this email was sent to us.  After getting hit with malware you’ll be passed on to another questionable website called specialoffer[.]best that was also registered in Panama less than a month ago.   Do you really want to roll those dice?

DEEEEELEEETE!



 

 

TOP STORY

“Breaking news” is described as information that is being received or broadcast about an event that is happening now or about to happen. (Source: dictionary.cambridge.org)  Newscasters, anchormen and women, like David Muir of ABC World News Tonight, will typically start their broadcast by saying “we have breaking news…”  And so we were intrigued one day recently when we opened one of our honeypot email accounts to find this list of 3 emails:

Someone clearly wants to get our attention!  The source claims to be a news website called “Breaking News Daily.”  We conducted a variety of Google searches and cannot find any website called “BreakingNewsDaily” so we decided to open each of these emails.  Here is a look at the first email we received at 5:22 pm. Two things struck us immediately that had nothing to do with the content of the email.

  1. The email came from the domain webplay[.]info, with links pointing back to it.
  2. The sender of this email misspelled “subscribers” in the FROM address and no, we had never subscribed to anything about breaking news daily, weekly or ever!

So of course we smelled a rat…. As we often do, we ran to our favorite WHOIS tool to find out when this domain was registered, where and by whom.  Once again, we see that this breaking news website was registered just 3 days earlier by someone using a proxy service in Panama to hide their identity.
 





Why did we get this email three times in an hour?  We opened the second email to discover the exact same content but it was sent from a different domain, artfully called todaysbignews[.]info.  And where was this artfully-named domain registered?  In Panama, just 11 days earlier and the domain was being hosted on a server in Turkey!  Does any of this build confidence that these emails were linked to legitimate news services?
 




 

Now that we had opened two out of three we couldn’t stop there!  The final breaking news email did not disappoint us. It came from the oddball domain named sunnydiamonds[.]info, and contained the exact same content as the previous 2 emails including the “subsribers” misspelling in the FROM address.  And it will come as no surprise that it was registered in Panama just 3 days earlier!
 




 

The point in all of this breaking news is that anyone can publish anything online to deceive others.  In case it wasn’t already obvious, a cybercriminal gang (who may be based in India) is purchasing a lot of DOT-info global top level domains and using them to target Americans. (If any of our readers in Australia or the UK see suspicious DOT-info emails, send them to us!)  Here’s another “breaking news” malicious email that was sent from another bogus DOT-info domain called peoplemagazine[.]info and has no affiliation whatsoever to the magazine People at people.com. This bogus domain was also registered on October 23, 2019 through a proxy service in Panama.  But these cybercriminals are not just using “breaking news” as their clickbait. Look below and you’ll see that todaysbignews[.]info was also used to send malicious clickbait disguised as airline ticket deals.  If you click on the links in any of these emails, you’ll learn a new meaning of “breaking.”

Caveat emptor!
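
The checks used throughout this issue (a brand name sent from a non-brand domain, a freemail contact address, and a sender domain registered only days before the email arrived) can be automated. The sketch below is an added example, not a tool from The Daily Scam; the brand list, the freemail list, the 30-day threshold, the local part of the address and the sample dates are all assumptions, and the WHOIS registration dates are passed in rather than looked up.

```python
from datetime import date
from email.utils import parseaddr

# Assumptions of this sketch: brand list, freemail list and the 30-day threshold.
BRAND_DOMAINS = {"amazon": "amazon.com", "visa": "visa.com", "microsoft": "microsoft.com"}
FREEMAIL = {"yahoo.com", "aol.com", "gmail.com", "outlook.com"}
MAX_AGE_DAYS = 30


def split_address(header):
    """Return (display name, domain), lower-cased, undoing '[.]' defanging first."""
    name, addr = parseaddr(header.replace("[.]", ".").lower())
    return name, addr.rpartition("@")[2]


def check_email(from_header, contact, received, whois_created):
    """List red flags. whois_created maps domain -> registration date and is
    filled in beforehand from WHOIS lookups; nothing here touches the network."""
    flags = []
    display, sender = split_address(from_header)
    contact_domain = split_address(contact)[1] if contact else ""
    for brand, official in BRAND_DOMAINS.items():
        if brand not in display:
            continue
        # The brand's own domain or any subdomain of it is accepted.
        if sender != official and not sender.endswith("." + official):
            flags.append(f"claims {brand} but sent from {sender}")
        if contact_domain in FREEMAIL:
            flags.append(f"claims {brand} but contact is at {contact_domain}")
    created = whois_created.get(sender)
    if created is not None and 0 <= (received - created).days <= MAX_AGE_DAYS:
        flags.append(f"{sender} registered {(received - created).days} day(s) before email")
    return flags


# Constructed sample: the local part and both dates are invented; the domain and
# the "registered 3 days earlier" gap come from the Top Story above.
if __name__ == "__main__":
    print(check_email("Breaking News Daily <news@webplay[.]info>", None,
                      date(2019, 11, 8), {"webplay.info": date(2019, 11, 5)}))
```
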
 



 

 

Copyright © 2019 The Daily Scam, All rights reserved.

