THE DAILY SCAM NEWSLETTER — DECEMBER 9, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 329


THE WEEK IN REVIEW

It was another “Textplosive” week!  Many texts targeted Doug at TDS, demonstrating that these cybercriminals clearly know his phone number and name.  But he isn’t alone.  Other TDS readers have reported similar experiences.  Check out some of the new texts below, or visit our recent full collection of malicious texts posted in our article “Textplosion - Malicious Texts!”

One recent text was a new variation of the old advance-check Car Wrap scam!  (We’ve written a feature article about this scam which shows many examples of it.)  This variation is for Coca-Cola!  The text came from 360-204-6814 to one of our readers just a few days ago.  “Bit.do” is a shortening service.  We used Urlex.org to unshorten that link and discovered that it points to an online form created on the free form service called 123formbuilder.com.





 

Cybercriminals created a form that claims to represent the makers of Coke.  Text in the opening paragraph on the form was taken directly from Wikipedia.  The scam begins with “How would you like to make money by simply driving your car advertising for  COCA-COLA®”  They claim to pay $500/week!  The scammers require a minimum of a 7 week commitment.  You may be thinking “money, money, money” but hold on!  They will send you a check for your first week PLUS the money needed to pay for the car decal to be installed. Before you get too excited, we can GUARANTEE that the check you’ll receive will bounce after 5-7 business days, long after you have deposited it and sent a good portion of YOUR OWN MONEY to the “company” hired to install the decal, i.e. the scammer.



One of our readers sent us this very funny AI voice message she received saying that she would be arrested unless she called 325-876-2298.  “There is a legal case been file on your name”  Enjoy!




Finally, we are very excited to announce that Doug from TDS has been cited in an article on DigitalGuardian.com as one of 34 experts reporting on the social engineering tactics of cybercriminals.  You can read his contribution in the article “Social Engineering Attacks: Common Techniques & How to Prevent an Attack.”

 

Daily Scam Home Page

PHISH NETS
Spear Phishing a School and Amazon Account Information

Spear phishers are phishermen who target a specific person, company or organization.  Lately, they’ve been targeting schools and we’ve been reporting on several of these attacks orchestrated in 2020.  Here’s the latest one that pretended to be an email from the Head of a school.  This email hit about a dozen school employees.  This type of scam ALWAYS asks for a favor because the boss is tied up.  This one begins innocently enough with “Do you have a moment I have a request I need you to handle discreetly.”

Typically, what follows a response is something like “I need you to go and buy gift cards that I want to give to some of the teachers as a surprise.”  The victim will be told she/he will be reimbursed at school and asked to give the “boss” the ID numbers on the gift cards.  That’s the same as sending untraceable cash to someone ANYWHERE in the world!

We think this next email is a phish but it could also be malicious clickbait to malware.  The TDS reader who sent it was not able to send a working link for that “pdf” file.  The email may say it is from Amazon Service but the domain at the end of that email address is clearly the coo-coo name gopxl-fullgass3[.]com.  This domain was registered on December 4, the same day the email was sent.  “We received your ticket Billing information that was been update…” 

Deeeeleeeeete and relieve yourself of that full gass feeling!
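
The two checks we applied to that fake Amazon email (does the sender's domain match the brand in the display name, and how old was the domain when the message was sent) can be automated. This is an added example, not code from TDS; the brand allowlist, the 30-day cutoff and the sample addresses on the reserved .example TLD are assumptions, and the creation dates stand in for WHOIS lookups done beforehand.

```python
from datetime import date
from email.utils import parseaddr

# Assumed allowlist: domains each brand really sends mail from.
BRAND_DOMAINS = {"amazon": {"amazon.com"}, "fedex": {"fedex.com"}}
NEW_DOMAIN_DAYS = 30  # assumed cutoff for "newly registered"

# Constructed sample data. Creation dates stand in for WHOIS lookups done beforehand.
WHOIS_CREATED = {
    "billing-update.example": date(2020, 12, 4),
    "amazon.com": date(1994, 11, 1),
}
SAMPLES = [
    ('"Amazon Service" <service@billing-update.example>', date(2020, 12, 4)),
    ('"Amazon.com" <auto-confirm@amazon.com>', date(2020, 12, 4)),
]


def registrable(domain):
    """Naive last-two-labels reduction; production code should use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def triage(from_header, sent_on, whois_created):
    """Return the reasons a message looks suspicious (empty list if none)."""
    display, addr = parseaddr(from_header)
    domain = registrable(addr.rpartition("@")[2])
    reasons = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in allowed:
            reasons.append(f"display name claims {brand} but sender domain is {domain}")
    created = whois_created.get(domain)
    if created is None:
        reasons.append(f"no registration date on file for {domain}")
    elif (sent_on - created).days < NEW_DOMAIN_DAYS:
        age = (sent_on - created).days
        reasons.append(f"{domain} registered {age} day(s) before the message was sent")
    return reasons


if __name__ == "__main__":
    for header, sent in SAMPLES:
        print(header, "->", triage(header, sent, WHOIS_CREATED) or "no flags")
```

The same age check applies to links in texts: feed it the link's domain and the date the text arrived.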
 




 

YOUR MONEY
Your Grant Application

There are SO MANY things wrong with this email from info @ ingramchris[.]com about “Your Grant Application.”  Let’s start with the fact that the TDS reader who sent it to us never applied for a grant, but it sure was sweet of the sender to tell her that she doesn’t have to repay the $6,345 grant if she qualifies for it!  The email appears to have come from a very questionable website called ingramchris[.]com, which was registered anonymously in early July and is being hosted on a server in Cologne, Germany.  There are several famous people named “Chris Ingram” but we doubt this website belongs to any of them!  The meta tags for this website inform Google that “ingramchris[.]com is your first and best source for all of the information you're looking for. From general topics to more of what you would expect to find here…” but a screenshot of the top page shows a handful of oddball links written in German and that’s it. (NOTE: This exact same meta information has been found associated with several other scam websites recently, including the domain cited in the “For Your Safety” section of today’s newsletter.)



Perhaps most importantly, mousing over the link to “View Available Funds Now” shows that you’ll be sent to a web page of the domain agktrckr[.]com.  This domain may LOOK LIKE a marketing service source but it isn’t!  This domain was registered anonymously in mid-June and is also hosted on a server in Cologne, Germany.  But that’s not your final landing point!  The destination of this link contains a redirect that will send you on to a website called ResourceFinder[.]info.  The security service McAfee has blacklisted this final destination website.


 

We took a screenshot of the top page on resourcefinder[.]info and were told that “you may qualify for up to a $6,345* grant!”  However, what struck us as MOST IMPORTANT was that the asterisk pointed to a link about Pell grants on a U.S. Government website at studentaid.gov.  This legitimate US Government website about Pell Grants seems to have all the information you’ll need, so why bother with a sketchy, questionable website with ties to a foreign country?  And this “resource finder” looks even less reliable given that a Google search for their address, 215 West Ohio Street, Suite 610, Chicago, IL 60654, shows ONLY a website called JobsInYourArea[.]co.

Don’t go down this rabbit hole!


 
 

TOP STORY
Using TDS for Malicious Purposes!

During our 6-plus years in operation, cybercriminals have tried thousands of times to shut us down, hack our site, malign our content, or target us and our family members with malware tricks and scams.  Their collective effort has never shut us down longer than a day and nothing they do will ever deter us from our mission to help netizens of the world recognize fraud and malicious tricks that target them daily!

Cybercriminals are “at it” once again in a way that is very public and misleading.  We recently noticed that Google searches during the previous 24 hours or week for “The Daily Scam” are turning up links that reference us and our content.  However, other than two legitimate links about us (found on DigitalGuardian.com and SusieAndSecurity.com), all of these other links point to VERY suspicious websites, or websites with confirmed malware traps lying in wait for visitors.  Between December 1 and 6 we found 22 such links poisoning Google’s search results.  Here are two screenshot examples of what we mean…






The fact that we have identified malware lying in wait on several of these sites leads us to believe that every single one of these links likely has a malware trap set up for it.  Our tools also detected that several of these links showed “no web content found” on the page in the link.  To us, this is simply confirmation that the page is malicious or was malicious (assuming the site owner or host service found the malware and removed it).  Again, here are screenshots of just a few results confirming this...











 

Some of these malicious websites citing us are meant to poison Google searches for brief periods of time.  They appear to be up for one to two days and then they disappear.  Others linger longer.  Some are crap domains registered for malicious purposes, while others appear to be legitimate websites that have been hacked and maligned.

The “headlines” used in the metadata collected by Google vary somewhat but they are generally centered around the theme of fake phone and text numbers.  Headlines include:

  • 500 Fake Ids Seized
  • Amazon Prime video customer service phone number
  • Amazon Toll Free Number
  • Fake Amazon Customer Service Number
  • Fake Emergency Alert app
  • Fake German Phone Number for Sms
  • Fake Microsoft Tech Support Numbers
  • Fake Numbers to Text
  • Fake Saudi Number Sms
  • Fake Utility Bill for Amazon
  • France Fake Phone Number
  • Is 999 a prime number
  • Money Numbers
  • Text Bot Numbers

Of course we have no evidence of who is behind this poisoning attack but we can speculate.  Since most of the bogus content seems to be about fake phone numbers such as for Amazon and Microsoft, it feels like we’ve pissed off the cybercriminals who are most responsible for these scams.  It is our experience that these crimes are most often perpetrated by cybercriminal gangs in India.  And so we wonder.  This has happened to us in the past and we also suspected cybercriminals in India.

Below is a list of the 22 websites where we found references to us in early December.  We have posted links below to some of the WHOIS records for domains that were newly registered.  All other domains were either hacked or not “newly” registered.  We’ve also informed some domain hosting services and domain owners of the fraud using their websites.  In at least 2 cases, cybercriminals were using content from MANY other websites to poison Google, including content about a funeral home!  Never a dull moment in this business.

MALWARE LADEN WEBSITES THAT CITE TDS between 12/1 - 12/6

  1. ledap.skymovie[.]site/888-phone-number.html (skymovie[.]site registered in Russia 11/2)
  2. ihfi.greenwoodteatro[.]it/france-fake-phone-number.html (greenwoodteatro[.]it registered 12/2)
  3. prakashelectricals[.]org/federal-9mm-hi4ei/fake-microsoft-tech-support-numbers-2020.html
  4. limpeza.antoniomendes[.]net/probability-and-iuuf4/money-numbers.html
  5. aaronroeauthor.editygroup[.]com/bluetooth-hidden-2angg/fake-numbers-to-text.html
  6. hspwdm.txshore[.]tech/xczmhu/6934 (txshore[.]tech registered 11/23; updated 12/1)
  7. ivolthi.pageantvoteph8[.]online/amazon-prime-video-customer-service-phone-number.html (pageantvoteph8[.]online registered in Russia 11/27)
  8. lalbu.pageantvoteph10[.]online/amazon-video-help-phone-number.html (pageantvoteph10[.]online registered in Russia 11/27)
  9. raphaartlifetv[.]com/nmfta-login-ywdyi/fake-emergency-alert-app.html (raphaartlifetv[.]com registered 10/14)
  10. shopsafer[.]net/rav4-android-7wdxy/fake-utility-bill-for-amazon.html
  11. enpge.norrmio[.]site/888-phone-number.html (norrmio[.]site registered in Russia 11/2)
  12. kqfz.falegnameriaparcesepe[.]it/malaysia-phone-number-search.html
  13. protocolit[.]com[.]au/windows-8-ts5gm/fake-utility-bill-for-amazon.html
  14. namasteyouga[.]com/drive-shaft-0d2vz/fake-numbers-to-use.html
  15. rtio.studiodentisticocabras[.]it/fake-amazon-customer-service-number.html
    Also: srdg.studiodentisticocabras[.]it/fake-utility-bill-for-amazon.html
  16. ogif.funlearning[.]it/500-fake-ids-seized.html (funlearning[.]it registered 12/2)
  17. eezo.rolandosignorini[.]it/fake-german-phone-number-for-sms.html
  18. mico.qualitywines[.]it/fake-amazon-customer-service-number.html (qualitywines[.]it registered 12/3)
  19. bax.perfectfamily[.]life/xs/35115 (perfectfamily[.]life registered 11/23)
  20. bpsars.shoplag[.]site/amazon-customer-service-number.html (shoplag[.]site registered in Russia 11/2)
  21. yaranelevator[.]com/list-of-sbybs/fake-emergency-alert-app.html
  22. eww.webfutura[.]it/text-bot-numbers.html


 


FOR YOUR SAFETY
Your Unclaimed Property

One of our readers received the email below from “Patty Hillow” via the domain hillowpatty[.]com.  Our reader told us that she ALMOST clicked the link because a friend had once shown her that there was indeed some money found in her husband’s name years earlier, and that it was legitimate.  But then she looked more closely at the FROM address!  TDS and other websites have reported fraud coming from hillowpatty[.]com in the past, including Brown University’s IT support site in late September.  We reported on this malicious content in the Top Story of our newsletter on September 9.  However, we now know for certain that this is malicious clickbait leading to a malware trap.  You do not have unclaimed property and clicking the “Unsubscribe” link will infect your device too!




 

“Hillowpatty[.]com” is nothing more than a placeholder for criminals to direct unsuspecting netizens to a malware trap.  STAY AWAY!  “Hillowpatty[.]com” is NOT “your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here,...”  This is just METATAG BS!


 

Textplosion: Lots more malicious texts!

“Are you still interested in this?” from 863-591-0986; link points to a domain registered on the same day the text was sent!







“FedEx Notification: Your package is on its way with a complimentary item” from 910-922-8273; link points to a domain registered 6 days earlier and hosted on a server in Hong Kong.





 

“You need to read this” from 832-400-4640; link points to a domain registered on the same day the text was sent!





 

“Want to Drop 43 lbs inside 29 Days?” from 219-333-1544.

SERIOUSLY?

Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.

