Copy
THE DAILY SCAM NEWSLETTER — NOVEMBER 18, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 326


THE WEEK IN REVIEW

Though scammers and cybercriminal gangs can be found all over the world, the gangs in Nigeria are particularly famous for their “advance-fee” scams known as the Nigerian 419 scams.  This moniker is named after the Nigerian penal code 419 that describes these types of crimes. Nigerian 419 scams feel as old as mankind. We can almost imagine Adam and Eve getting a letter from someone claiming to represent God and telling them that more apple trees were ready and waiting to be delivered.  But the trees were held up at Customs and would be released as soon as Adam or Eve paid a customs fee.

419 scams come in all shapes and sizes, from one liners to long, complex crazy stories.  Recently we saw a sob story from “Katie” that had us breaking out our violins.  She’s offered us 40% of her money if we help her spread her charity funds.  We’re holding out for 50%.




We were also contacted in late October  by Susan, the Minister of Social Development in South Africa.  She contacted us for our “ass.”  (That fact, by itself, has us doubting her judgement.  Have you seen our ass!?)



 

Occasionally, when we have time on our hands, we reply to these scammers, disguised as someone likely to be vulnerable, and play along to waste their time.  You can read a dialogue of one of these conversations in an article we published called $8 Million Consignment Boxes For You.  Also, this article on Newsweek.com describes the history of Nigerian 419 scams.  If you enjoy reading these fictional stories, we’ve posted many examples of them in our feature article titled Nigerian 419 Advance Fee Scams

Enjoy!


Daily Scam Home Page

PHISH NETS
Wells Fargo Bank and Apple Account

A TDS reader sent us this email she received from the email service at telus.net.  Pretending to represent Wells Fargo Bank, the recipient is asked to complete her account verification.  The link appears to point to Xfinity.com but contains a redirect to a website called webcindario[.]com.

Deeeeleeeete!



Another reader sent us this phishing email in August and we forgot to post it!  The FROM address appears to be correctly spoofed to appear as though it came from apple.com.  However, mousing over the link to “update your billing information” reveals that it points to a domain called mysp[.]ac.  This domain has been linked to many suspicious emails and is noted on many websites.  By the way, NO SERVICE including Apple, will ever “permanently lock” your account in 24 hours as this email states.

 

YOUR MONEY
Letter from Santa and Leaf Gutter Guard

The Hyphen-Poopy Gang is back and taking advantage of the season to trick victims into clicking their malicious links. (In case you don’t know, the Hyphen-Poopy gang is our name for a VERY active cybercriminal gang in another country that uses automated software to set up their malicious links.  The software combines two random words with a hyphen in their directories.  They are easy to spot, as you’ll see below.)  Another tell-tale sign of these scams appears at the top of most of their emails.  Notice the sentence that begins “This offer is for United States only…”  It should read “This scam is for United States only…”

The first malicious click-bait appears to be about a solution to clogged leaf gutters but the email actually came from the holiday-esque domain chistmas[.]cam, and links point back to it.  If you look at the link revealed at the bottom of this email, you’ll see that the first directory in the link is named tease-autonomy, in typical hyphen-poopy fashion.  That link was found to be malicious by the Zulu URL Risk Analyzer AND the website contains a redirect that will send visitors on to another VERY MALICIOUS domain called plazabest[.]com that we’ve reported on in previous newsletters.






It isn’t even Thanksgiving and we’ve already begun to see ads and marketing centered around the Christmas holidays.  So we weren’t terribly surprised to see this annual clickbait targeting parents of younger children who celebrate Christmas.  You can have your child receive a letter from Santa!  Or so you are led to believe. While there are real online websites that offer this service, this is NOT one of them.  The email below came from the crap domain chislesant[.]work, which was registered just the day before this email was sent.  The hyphenated words in this malicious link are drowsiness-configures.  And just like the malicious email above, the malicious domain chislesant[.]work will also forward you on to plazabest[.]com.

Ouch!



Daily Scam Home Page

 
 

TOP STORY
Job Scams

This prolonged pandemic is taking a heavy toll on the world, especially in the United States where record-setting cases are on a horrible trajectory.  On just one day, Saturday, November 14, the United States announced more than 184,000 new infections.  Some epidemiologists are suggesting that the real numbers of those infected could be much higher due to the number of asymptomatic infected people.

One of the most significant economic impacts of this pandemic is the number of people who are out of work or under employed.  Scammers know this and are taking full advantage of this fact as evidenced by the noticeable rise in job-related scams we have seen during the last few months. These scams cover a wide variety of fraud and other risks.  Take, for example, this email recently shared with us by a TDS reader. The email came from a legitimate job service to inform the recipient that he’s been offered a job!  As you can see, the recipient had no idea what company this represented, other than the reference to part-time online work for nearly $600/day!  That’s quite a salary from an unnamed company for a part-time work from home job!

However, this email turned out to be plain old malicious clickbait! Sailthru is a legitimate marketing company but the sailthru.com link in this email will redirect to a website called mytraffic[.]biz.  According to VirusTotal, one online service sees malware waiting at the end of this link!








Other job opportunities are nothing more than phishing scams meant to collect personal information, such as this October text sent from the phone number 205-579-0838.  The recipient is invited to visit an information form on a free form-building service.  No company is mentioned and the phone number is untraceable.



When you arrive at the form, you see that you are invited to apply for the job of a Personal Assistant for an unnamed Real Estate Entrepreneur/Investor, as if any REAL Entrepreneur/Investor would solicit employees by random texts?? PhishTank.com has blacklisted this form as a phishing scam.



And there are the “Mystery Shopper” phony-baloney jobs such as this obvious fraud email with the subject line “Amazon Job’s N@work.”  But this email came from a telecom service in France through their domain sfr[.]com.  It also includes a domain in France in the “To” field (“.fr”)  The recipient is asked to reply to a generic Gmail address rather than a company.  Check out this 2017 article on USAToday.com about the Mystery Shopper Scam.



If you have friends or family who are desperately looking for work, please urge them to be cautious and careful.  Our readers are welcome to send us your suspicious emails, texts, or links to websites.  We’ll check them out and get back to you with our thoughts!

Daily Scam Home Page

 


FOR YOUR SAFETY
Your Mac Has Been Hacked and ACH Remittance Notification

One of our readers visited a website on her iPhone and suddenly got redirected to a domain called allbestsecureus[.]com followed by the message “Your iPhone has been hacked  All your actions on the device are tracked by a hacker.  Immediate action is required.”  SpamDoc.com gives this domain a 1% trust rating and we found several websites talking about this site installing malware on iPhones.  Here are two credible sources with information how to remove any malware installed by this site:
 
 How to Remove “Your Apple iPhone is Infected” Virus Pop-ups (Macsecurity.net)
 How to Remove Apps from Macs Computers that Open MyBestSecureUS[.]com and Similar Sites (PCRisk.com)


Should this happen to you, it is important to take a screenshot immediately to document what happened.  Then quick the app.  Do NOT click any of the choices!  Go to your settings, scroll down until you see the app that was opened (in this case, Safari). Scroll down the Safari settings and locate the “Clear History and Website Data.” Click that link and select CLEAR DATA.  Then open your screenshot and investigate targeted you and if you need to take any further action. 



People are often targeted with a promise of depositing money into their account.  Take this “ACH Remittance Notification.”  Apparently, someone tried to give $12,019.60 to one of our TDS readers on November 9.  There is no malicious link in the email, just an attached pdf file.  BUT WAIT!  That pdf file contains a VERYto malicious link to a website called fifthtax[.]ml, hosted on a server in Mali (“.ml”).  Anyone can drop a graphic in a pdf file and link it to anywhere in the world.

 Deeeeeeleeeeeete!





Until next week, surf safely!

Forward to Friends

About Us
Contact Support
Manage Subscription
Unsubscribe


SUBSCRIBE


Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.


Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp