THE DAILY SCAM NEWSLETTER — SEPTEMBER 23, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 318


THE WEEK IN REVIEW

In the summer of 2019 the Senate passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act. It required phone companies to implement new technologies in January 2020 to reduce robocalls and help identify likely spam calls for consumers.  Since these new technologies were implemented, we feel that the number of robocalls has decreased significantly, and most of those that do ring on our phones are identified as “potential spam” calls.  However, please stay vigilant because some scam calls are getting through...

Last week, one of our readers reported a scam call claiming to be from an AT&T representative.  The woman reporting this scam to us said that a man with a heavy Latino accent called her from 214-771-2335.  He stated that he was calling for AT&T to report that someone was trying to purchase an iPhone using her account information.  The caller had the woman’s address as verification. (That information is child’s play to find online!)  He asked her to change her PIN, saying that he would provide her with a new secure PIN number, and that insurance would be placed on her account. Unfortunately, the victim did give the man her PIN. During this exchange, the victim looked up the area code and saw that the call came from Texas.  She asked the man why his call was coming from another state and he replied that he was working from home. The woman became very suspicious when the “AT&T representative” said “don't log into your account until we hear back from the fraud department.”  She then hung up and called the real AT&T immediately!  They confirmed it was fraud. The scammer had already placed an order with AT&T from her account and used the woman’s phone insurance plan somehow. The woman also started receiving emails from her insurance policy about a loan application submission. The real AT&T was quick to take action to cancel the order while she was on the phone with them.

Another woman told us last week that she received a call from Amazon Customer Service at 888-280-4331. This is actually the real Amazon customer phone number BUT it was spoofed to look real.  The call was coming from somewhere else in the world, but not Amazon! The person at the other end of the line asked her questions which she said didn’t seem right to her.  She also said that the representative told her that an order was delivered last Friday to a wrong address.  He asked her for her correct address, which she provided.  She also told him that she didn't order anything from Amazon.  When she asked him what it was she was presumed to have ordered, he couldn't answer her.  She became suspicious, said “you sound like a scam” and hung up!  There are hundreds of people on 800notes.com reporting fraudulent calls coming from the real Amazon Customer Service number because of phone call spoofing.

Then we heard from a third TDS reader who received a recorded voice message on his phone from "Amazon Customer Support."  The supposed support representative, a man, said he was calling about a possible fraudulent charge to the Amazon account for $279.99. The “representative” did not identify what had been purchased for that amount but he did say "you don't need to do anything if you made this purchase, your Visa card will be billed."  If, however, the recipient had not made this purchase, he was asked to call back 469-839-6098, a number that clearly does NOT belong to Amazon according to our Google searches.  How's that for engineering human behavior to call back scammers!

To learn more about these call scams, visit some of our articles:

Amazon Customer Support Scams
Apple Customer Support Scams
Apple Tech Support Scams
Microsoft Tech Support Scams


For many weeks now we have been reporting on malicious links that use the subdomain “track” and domain “agttrckr[.]com.”  We’ve connected these links to malware multiple times and they are showing up in a wide variety of emails sent to people across the Internet.  Here is one such email that was sent to a 76-year-old retiree who hasn’t posted a resume on any job site.  If you mouse-over a link and see track[.]agttrckr[.]com, DEEEELEEEETE it!


 

Daily Scam Home Page

PHISH NETS
N0RT0N Antivirus and AOL

This first phish is of a different sort than our usual dish of phish.  The email is not socially engineered to generate a click of a fake link.  Instead, it is meant to trick recipients into calling a fraudulent phone number at 833-300-1550. This is NOT the Customer Service number for Norton Antivirus!  In fact, a closer look at this email shows that it came from a domain similar to Norton.com, but NOT Norton.com.  “Nortonssupp[.]com” was registered just 2 days before this email landed in one of our readers’ inboxes. Also, notice that NORTON is spelled using zeros instead of capital Os!  How many people would miss these important clues to fraud when they see that they’ve just auto-renewed for a service charging them $479?!






Just a couple of weeks ago, another TDS reader sent us this exact same email disguised to look like a notice about cancelling your AOL account.  To be honest, we’re not sure whether the link is a phishing link or just meant to trick you into visiting a malware-laden website.  However, we do know that this email came from RoughTraxTest[.]com, a domain registered in early July and hosted in Quebec.  If you click the link “Cancel” you will be sent to a website (routenant[.]com) that was registered on August 10 and is being hosted on a server in France.  Sound like AOL to you?  According to Wikipedia, AOL was founded in 1985!  By Internet standards, that’s ancient!

Delete!


 

YOUR MONEY
She Lost 71 Lbs and The Most Dangerous Food in America

OK, we admit it…. We normally don’t share these slimy, spammy, cheesy, obvious BS emails with our readers but we just couldn’t resist this week.  This first one got our attention because of the before and after images!  They are CLEARLY not the same woman!  Don’t just take our word for it!  We consulted with two fit 27-year-old women with observant eyes for details!  “Are these before and after images of the same woman?” we asked.  It took them a nanosecond to answer in unison “No!”  I guess that means we shouldn’t believe the opening story about a mother of 2 named Tonya who lost 71 lbs.

This weight-loss crap came from the domain dorosofter[.]today.  We’ve NEVER seen any legitimate website use the global top level domain (gTLD) called “today.”  You’re familiar with gTLDs like .gov, .com, .edu, and .org ---BUT NOT “.today.”  Cybercriminals use crap gTLDs because they are very cheap to purchase domain names using them.  Think of them like cheap bullets shot at your inbox.  This fully qualified domain, dorosofter[.]today, was registered in India on the day this email was sent.  Need we say more?







Speaking of crap global top level domains, there have been more than 1500 released by ICANN (Internet Consortium of Assigned Names & Numbers --the wonderful watchdog that sets the Internet rules designed to keep us all safe **said dripping with sarcasm**).  Here’s another email from a crap gTLD “casa.” It has the subject line “Is This The Worst Food You Can Possibly Eat?”  Of course, the email doesn’t TELL YOU what is “the most dangerous food in America.”  You’ll have to click a link to find out!  That’s known as clickbait!  And this clickbait is as malicious as they come!  In fact, this one contains a double-whammy!





Clicking any of the links in this email will send you to the malicious domain called tormind[.]com where malware is waiting.  This domain was also registered in India in late August.  But wait!  That’s not all!  Tormind[.]com will also forward you to another malicious domain called PlazaBest[.]com where MORE malware is lying in wait!

Pow! Pow!





 
 

TOP STORY
Telltale Signs of Malicious Intent


In order to infect your computer or phone with malware, cybercriminals have to trick you into clicking a link that will take you to a website hosting malware.  We have educated readers on several different ways to see through this type of fraud, such as recognizing domain names in links and how to look up the date they were registered using a WHOIS tool.  For example, domains that are newly registered are very likely malicious.

Another way to recognize fraud is related to one particular well-organized and long-standing cybercriminal gang.  These are the criminals who use automated software to create directories on a web server, naming each one by joining two random words with a hyphen.  Examples of these oddball word combinations have included:

yourself-articulating
goodly-print
churchwoman-represses
slumbered-spotted
screwdriver-argot
questionnaire-poole
superseding-striven
backspaced-conversation

If you can learn to mouse-over links in emails, WITHOUT CLICKING THEM, and see the link revealed at the bottom of your web browser, look for the appearance of these oddball word combinations.  If you see them you’ll know that the email is 100% malicious!  Delete it!  Here is an example.  Find Waldo, we mean… find the 2 hyphenated words in the link in this first screenshot.  The second screenshot will show it to you, along with the domain name the email came from.





 

By the way, the domain used to send this email, remeaa[.]work, was registered on the day the email was sent and is being hosted on a server in Amsterdam. The Zulu URL Risk Analyzer identified it as malicious.  Sound like Mastercard.com to you?














This “Path to Being a Homeowner” came from a domain that was registered the day before the email was sent and was found to be malicious.  Next time you see two oddball hyphenated words in a link, DEEELEEEETE it!
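The two checks this story describes, a two-word hyphenated directory in a link and a newly registered domain, can be run over an email's HTML. This is an added example, not The Daily Scam's own tooling; the 30-day cutoff, the four-letter minimum per word, the placeholder hosts and the WHOIS dates passed in (keyed by the hostname in the link) are assumptions constructed for illustration.

```python
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A whole path segment of two lowercase words joined by one hyphen,
# e.g. "goodly-print" or "screwdriver-argot" from the newsletter's list.
WORD_PAIR = re.compile(r"[a-z]{4,}-[a-z]{4,}")
NEW_DOMAIN_DAYS = 30  # assumption: cutoff for "newly registered"

class HrefCollector(HTMLParser):
    """Collects real link targets, i.e. what a mouse-over would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def word_pair_segments(url):
    """Return path segments that are exactly two hyphenated words."""
    path = urlsplit(url).path.lower()
    return [s for s in path.split("/") if WORD_PAIR.fullmatch(s)]

def triage(html, registered, received):
    """List (url, reasons) per link; `registered` maps host -> WHOIS date."""
    parser = HrefCollector()
    parser.feed(html)
    findings = []
    for url in parser.hrefs:
        host = urlsplit(url).hostname or ""
        reasons = []
        # Ordinary slugs can match too, so this is a signal, not a verdict.
        if word_pair_segments(url):
            reasons.append("word-pair directory")
        reg = registered.get(host)
        if reg and 0 <= (received - reg).days <= NEW_DOMAIN_DAYS:
            reasons.append("newly registered domain")
        findings.append((url, reasons))
    return findings

# Constructed sample; example.test and example.org are placeholder hosts.
SAMPLE_EMAIL = ('<a href="http://mail.example.test/slumbered-spotted/c.php">'
                'Mastercard rewards</a> '
                '<a href="https://www.example.org/help/faq">Help</a>')
SAMPLE_WHOIS = {"mail.example.test": date(2020, 9, 21)}

if __name__ == "__main__":
    for url, why in triage(SAMPLE_EMAIL, SAMPLE_WHOIS, date(2020, 9, 22)):
        print(url, "->", ", ".join(why) or "no indicator")
```

A link that trips both checks is the strongest candidate for deletion or blocking; a link that trips only the word-pair check deserves a WHOIS lookup before a verdict.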





 



 


FOR YOUR SAFETY
Your Gift

“We just tried to contact you about your Gift. follow this link to get it before it goes!”  This random text came from 216-270-9154 and was sent to a young woman who then contacted us.  Fortunately, she was smart enough to know this was not likely real.  It turned out to be malicious!  The domain found in the link in this text was registered on the very same day the text was sent and is hosted on a server in Hong Kong.  ‘Nuf said.





Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.

