THE DAILY SCAM NEWSLETTER — JULY 12, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 360


THE WEEK IN REVIEW

We have to step onto our small soapbox again and scream into the night about the local sheriff, who we believe is incompetent, is getting rich from the criminals he refuses to keep out of our town, and obviously doesn’t give a damn about the town citizens. OK, it’s a metaphor and we’re talking about ICANN, again!

ICANN (Internet Consortium for Assigned Names and Numbers) is the ONLY governing body responsible for creating the rules for DNS (Domain Name System of Internet names) and overseeing/monitoring the gaggle of Registrars who sell and maintain domain names, many of whom have sleazy business practices. ICANN makes money on every domain sale by a Registrar.

As we’ve said for years, ICANN turns a blind eye to fraud. They DON’T CARE about the consequences of their actions on citizens around the world, and (in our opinion) may even make decisions that FAVOR criminals over public safety because it earns them money. LOTS OF MONEY! BILLIONS of dollars! Here is one tiny example. We learned from Rob, our professional scambaiter friend, that Nigerian 419 scammers have been using a domain in their advance-fee scams called UKRoyalCourtofJustice.com. This domain is in-your-face fraud because any real website associated with the Royal Court of England will end in “.UK” and likely include “.gov.” And in fact, the REAL Royal Court website has both, ending in “gov.uk.” Every Registrar on Earth should have spotted this fraud and shut down the registration of the bogus domain, but they didn’t. UKRoyalCourtofJustice.com was registered anonymously on July 14, 2020 in Nassau, Bahamas. It’s been operating for a year as an obvious fraud to those who understand DNS. The Registrar didn’t care and ICANN doesn’t care to monitor, police or set any standards meant to protect consumers from this type of obvious fraud. To read many more examples about the ways that ICANN favors criminals over public safety, re-visit our March 24 newsletter on the topic! There are lots of things that ICANN can do to make the Internet safer for the world and make it harder for criminals to operate. Read our article How to Make the Internet Safer for Everyone. (You can learn more about ICANN on Wikipedia.) Now we’ll step off our soapbox.

Based on our experiences and observations, English is not the primary language of most cybercriminals who target Americans, British citizens and Australians. There are often subtle, or in-your-face clues that an email, text or web comment is possibly or likely fraudulent. Take these recent examples below. In the last two months, three people have contacted us to say that they were invited for job interviews with a company called TTEC. The interviews were entirely through texting in Google Hangouts. Last week, one woman actually paid $600, as instructed by the scammers, to purchase software she needed for her new job and expected to be reimbursed. Of course that didn’t happen. Look at this small excerpt of the 3-page contract she was asked to sign upon accepting her new job. Keep in mind that REAL legal contracts are THOROUGHLY vetted by lawyers and will NOT contain poor, incorrect grammar, or spelling errors, especially of the “United States!”





Though we probably sound like an annoying dad or mom, saying the same thing over and over, trying to emphasize a point, that’s OK! It is CRITICALLY IMPORTANT to read messages carefully and thoughtfully and ALWAYS REMAIN SKEPTICAL about what you see/read online. Finally, VERIFY, VERIFY, VERIFY!

 

Daily Scam Home Page

 

PHISH NETS
Amazon and Paypal

Did you know that you can download a list of every single domain name that is registered on a given day? Each day’s list can be 90,000 to more than 140,000 names! Simply visit WHOIS DOMAIN SEARCH. Once downloaded, those lists are easily searchable. When we’ve searched these lists, we repeatedly find obvious domain abuse by cybercriminals that Registrars and ICANN completely ignore! For example, on July 1st, amongst registered domains were 70 domain names with the name "amazon" in them, as well as 67 domain names containing “paypal” in them. Amazon and Paypal users are the two MOST victimized groups by phishing scams, from our perspective. Here is a small example of some of the domain names that were registered on July 1 that we believe are likely to be used for fraud.

accountstatementamazon.com
adminsecure9412amazon.com
Amazon-invoicing.com (registered in China)
amazon-serrvicepaymentt.com
amazon8510service.com
amazon8519verify.net
amazonainsurance.com
amazonalert.site
amazonbillingalerts.com
manage-account-amazon-support-less2.com
manage-account-amazon-support-less3.com
secureaccount9411amazon.com
service9814amazon.site
shoping-amazon.com

paypa-intl-online.com
paypal-safeagent.net
paypal-secureagent.net
Paypal-ticketid119.com (plus 55 more ending in different numbers)
paypalgz.net
paypalrefundform.com
Paypay-login.com (registered in China)
scurityinfoaccupdtpaypal.com
secured-login-paypal-user.com
statementaccountpaypal.com

And for good measure, we’ll add another domain we found on July 1st that is also very likely to be used to falsely represent Bank of America: bankkofamerica.site. Why can we say this? Because it was registered in the UK and uses a crap top level domain “.site.”
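The search described above can be automated. The sketch below is an added example, not a tool from The Daily Scam: it flags names in a day's registration list that contain a watched brand or sit one typo away from it, which is how “paypa”, “paypay” and “bankkofamerica” slip past a plain text search. The brand list, the allowlist of official domains, the one-name-per-line input and the one-edit threshold are all assumptions of this example.

```python
import re

# Brands to watch and their official domains (assumed values for this example).
BRANDS = ["amazon", "paypal", "bankofamerica"]
ALLOWLIST = {"amazon.com", "paypal.com", "bankofamerica.com"}

def edit_distance(a, b):
    """Levenshtein distance via the standard row-by-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, max_dist=1):
    """Return (brand, reason) for a suspicious domain, or None."""
    domain = domain.strip().lower()
    if domain in ALLOWLIST:
        return None
    name = domain.rsplit(".", 1)[0]              # drop the TLD
    for brand in BRANDS:
        if brand in name:                        # plain substring search
            return (brand, "contains")
    # Substring search misses misspellings, so compare each letter-only
    # token (split on hyphens, digits, dots) against every brand.
    for token in filter(None, re.split(r"[^a-z]+", name)):
        for brand in BRANDS:
            if edit_distance(token, brand) <= max_dist:
                return (brand, "lookalike")
    return None

def scan(lines):
    """Return {domain: (brand, reason)} for the flagged lines only."""
    verdicts = {l.strip().lower(): classify(l) for l in lines if l.strip()}
    return {d: v for d, v in verdicts.items() if v}

# Constructed sample: five names quoted in the newsletter, two made-up benign ones.
SAMPLE = ["amazon-serrvicepaymentt.com", "paypa-intl-online.com", "Paypay-login.com",
          "bankkofamerica.site", "scurityinfoaccupdtpaypal.com",
          "example-bakery.com", "amazing-deals.net"]

if __name__ == "__main__":
    for domain, (brand, reason) in scan(SAMPLE).items():
        print(f"{domain:35} {brand:14} {reason}")
```

A hit only means the name deserves a closer look at its registration details and hosting; it is not proof of fraud on its own.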

Enjoy this week’s sample phish sent to us by our readers.  The first came from AgentOfficeMail[.]com.  “Your Amazon account has been locked” and the sender wants you to click a link that points to LinkedIn.com!  But that LinkedIn link will cause a redirect to a phishing web page at the oddball domain named hebnxvcd[.]com.

Deeeleeeete this smelly phish!






“Your PayPal account has been temporarily restricted!” WHAT? Apparently, this email from “intel.com” says that they “have found suspicious activity on the credit card linked to your PayPal account.” But the link they want you to click to respond to this ruse points to a phishing website, me2[.]do, hosted on a server in the Dominican Republic (.do). Lunge for the delete key!




 

YOUR MONEY
BestBuy it is NOT, and Lowe's

One of the Good Guys, who is as passionate to fight the battle against scammers as we are, is James Greening through his website FakeWebSiteBuster.com. He recently posted a thread about a website that sells technology and uses the domain name HunterSothebysRealty.com. This domain was registered in China on Aug. 16, 2020. But this very questionable website’s displayed name is “BestBuy” when you visit their site. If you believe them, you can buy an 8th generation 10.2” Apple iPad, that Apple Computer sells for about $300, for the very low price of $82! Or how about buying a 50” Smart flat-panel LG TV for $81! These TVs can be found on lots of other websites for about $400 and up. According to James, this site is a fraud and VERY risky to make a purchase from.

We agree!
 



Hey, your Lowe’s order is arriving!  But you didn’t place an order with Lowe’s?  Just click the link they provide and we guarantee 100% that your computer will be attacked by malware.  Links in this malicious clickbait point to a website called Yellowteck[.]com. This oddball website was registered in India by someone named Pranay back in 2018. And this website is hosted on a server in Telangana, India. Need we say more?
 

 



 
 

TOP STORY
How Many Warning Signs Can You Spot

We’ve had positive feedback from TDS readers about the occasional “quizzes” we post in our newsletters. And so we have another for you. How many “red flags” (warning signs), that demonstrate or suggest fraud, can you spot in each of these two emails? Our answer follows below the “pesky mosquitoes” advertisement.

Email 1: “Account protection”




Email 2: This email was dropped into the comment field on our website at The Daily Scam.



Enjoy this malicious filler about pesky mosquitoes. Nothing is more annoying than pesky mosquitoes when you’re sitting out on a back deck eating dinner at sunset, except malicious clickbait like this one. It came from an oddball “.club” domain that was registered in Iceland a day earlier. Our long-time readers will immediately recognize that this clickbait came from the Hyphen-Poopy gang of India! If you look at the link address revealed by mousing over “Shop Now” you’ll see an unusual directory following the DOT-club top level domain. The Hyphen-Poopy gang uses automated software to create directories by combining two random words with a hyphen. These are easy to spot, and if you do, you’ll know the email is malicious. “Apologizes-seemed” is the “poker tell” in this clickbait. Finally, the Zulu URL Risk Analyzer rated the link in this pesky email as “90% malicious.”


 

Red Flags in Email 1: “Account protection”

  1. This is an email supposedly about our PayPal account’s security but it came from a generic Gmail address from someone named Norene Brenna instead of from paypal.com.

  2. “Norene” (The scammers using that email) forgot to drop the multiple email addresses into the BCC field so we see that this exact email went to 7 people. Were this a REAL security email, we would be the only recipient.

  3. Obviously this important security email doesn’t mention the recipient by name or account number. This information is important to verify its authenticity. For example, credit card companies will at least say something like “your account ending in 4552.” (We’ve seen phishing scam emails say “your account ending in xxx2.” This single digit isn’t credible!)

  4. There are MANY capitalization errors in this email. (One might argue, too, that the last sentence should have been the first sentence but this criticism is a bit nuanced.)

  5. The phone number given, 208-254-6629, is not PayPal’s customer service number. In fact, Google has no information about that number. IMPORTANT: If you use Google to search for phone numbers, DO NOT click links to any websites showing that number UNLESS you know how to tell the difference between a legitimate site and a malicious site! Cybercriminals list hundreds of malicious websites with phone numbers and they are malware-traps meant to infect your devices. Several legitimate services to look up phone numbers are: 800Notes.com, NoMoRobo.com, CallCenter.com, RoboKiller.com and WhoCallsMe.com.

  6. If you want to get really picky, there is a punctuation oddity after “payment status” and both the “order ref” and “transaction id” seem way too short to be legitimate.

  7. Finally, were you to look up the REAL address for Paypal in San Jose, California, you would see that it is 2211 North 1st Street, not 2215!

     

Red Flags in Email 2, received via the comment form at TheDailyScam.com

TDS receives scam comments every week.  Most of them are solicitations to bogus businesses, services and products.  Many are malicious.  We enjoy getting them because they help us to inform our readers!

  1. “Uwe Rolph” was kind enough to stop by and tell us about the services at “best-marketers[.]com” but why did he do it through a generic email at Outlook.com?  A REAL business contact would come from the business domain she/he claims to represent, not outlook.com.

  2. We ran a Google search for best-marketers[.]com (using Google in Firefox; don’t do this in Chrome!). Google can’t even FIND that website, let alone tell us anything about it. That means that no other people or services know anything about it either.

  3. A WHOIS lookup for best-marketers[.]com is the proverbial “icing” on this malicious cake.  It tells us that this bogus domain was registered anonymously in Russia in late April.




  4. The email uses awkward English, and has grammatical and other errors in it.

  5. If you want to be SUPER PICKY (and we are), we couldn’t help but notice Uwe Rolph’s name is listed in his email address as “rolph.uwe” but “Uwe Rolph” in front of it. This is very unusual for Americans to do. It suggests that the sender is not a native American. This is not incriminating, but noticeable.

If there are red flag warnings that you observed and we missed, or you have a different opinion about our assessment, let us know! Send your thoughts to spoofs@thedailyscam.com




 

For Your Safety
SURPRISE, times 3!

One of our longtime TDS readers was the “lucky” recipient of three nearly identical emails sent hours apart. The fact that they all claimed to be “exclusive rewards” worth $90 from three unrelated businesses says everything she needs to know about this clickbait! They are FILLED with red flags that confirm they are malicious, including business names that are not capitalized, and the fact that they were all sent FROM the same bogus domain, and have links pointing to the same oddball domain, named mxfir[.]com. However, our favorite was the fact that the first email came from a ‘Costumer.’ You know, a person or company that makes or supplies theatrical or fancy-dress costumes!







Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

