THE DAILY SCAM NEWSLETTER — MAY 5, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 350


THE WEEK IN REVIEW

Cybercriminals are opportunistic leeches who can turn on a dime when they see something that grabs people’s attention. This newsletter has several of these examples (as do ALL our newsletters!). To make our point, check out this recent email sent to us by a TDS reader containing the subject line “Economic Impact Payments Status Available.” The recipient was invited to claim an IRS payment for $815.05. Except that this email didn’t come from IRS.gov; it came from a business domain created for Office365 using onmicrosoft.com. Most importantly, the link to “Claim my payment” points to a malicious website at “sendibt3[.]com” where malware lies in wait! Our best guess is that victims will be hit with a ransomware attack that encrypts all the files on their device, which stay locked unless they purchase the decryption key. This is a form of extortion.






One of our readers informed us that he received a LEGITIMATE $30 incentive by the US Government Census bureau to complete the recent census survey!  At first, he thought it was a scam but it turned out to be legitimate.  He got a debit card and successfully used the money and didn’t have to visit any sketchy websites!  In case you wonder what that notification looked like, here’s a photo of his letter!




One of our family members received this very funny voice message telling her that “your IP Address has been compromised.” Recipients are told that their license will be disconnected within 48 hours because their “IP address has been compromised from several countries,” whatever the heck that means! Fortunately, our family is well trained to recognize scams!



 


 

PHISH NETS
USPS, Amazon, and Paypal
We recently received this phishing email from a TDS reader. It tells him “Your shipment is awaiting payment” and appears to come from the United States Postal Service. However, the email was sent from the domain oznake[.]rs, which was registered in Serbia (“.rs” is the 2-letter country code for Serbia. View 2-letter country codes here. Also, check out our short video explaining how to recognize 2-letter country codes.) When we moused-over the button “Send my package” we could see that it pointed to a bizarre domain called opposedvoucher[.]com. This 2-word domain was registered through the Asian service Alibaba in Singapore in June, 2020.





We took a screenshot of the phishing page waiting for victims at OpposedVoucher[.]com. Victims will be presented with 4-6 pages of questions, beginning with your name, address and phone number. This does not bode well!
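The two checks described above (who really sent the email, and where the button really points) can be automated for triage. The following Python sketch is an added example, not part of the original newsletter; the `BRAND_DOMAINS` table, the function names and the sample message are assumptions constructed for illustration, with the domains kept defanged until parsing.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains that brand really uses (illustrative list).
BRAND_DOMAINS = {"usps": {"usps.com"}, "amazon": {"amazon.com"}, "paypal": {"paypal.com"}}

# Constructed sample modelled on the USPS lure above; domains stay defanged.
SAMPLE = """\
From: "USPS Delivery" <notice@oznake[.]rs>
Subject: Your shipment is awaiting payment
Content-Type: text/html

<html><body><p>Your shipment is awaiting payment.</p>
<a href="https://opposedvoucher[.]com/pay">Send my package</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the real href targets, i.e. what a mouse-over would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def registrable(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    msg = message_from_string(raw.replace("[.]", "."))  # refang before parsing
    display, addr = parseaddr(msg["From"])
    sender = registrable(addr.rpartition("@")[2])
    claimed = f"{display} {msg['Subject']}".lower()
    brand = next((b for b in BRAND_DOMAINS if b in claimed), None)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    links = sorted({registrable(urlsplit(h).hostname or "") for h in collector.hrefs})
    findings = []
    if brand and sender not in BRAND_DOMAINS[brand]:
        findings.append(f"sender {sender} is not a {brand} domain")
    if len(sender.rsplit(".", 1)[-1]) == 2:
        findings.append(f"sender uses a country-code TLD: {sender}")
    findings += [f"link goes to {d}, not {brand}" for d in links
                 if brand and d not in BRAND_DOMAINS[brand]]
    return findings
```

Calling `analyze(SAMPLE)` returns three findings for the constructed lure; a message whose sender and links both resolve to the brand's own domain returns an empty list.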


 

Cybercriminals have become quite adept at creating emails and texts that are meant to trick recipients into calling them and providing personal information, including credit card information as well as access into your personal devices. Here’s another example disguised as an Amazon order for a “biscuit leather colonel-mustard handbag” for $672.00. If you want to cancel your order, you’ll have to call the scammers at 800-467-5041. Also disturbing is the fact that the registrar, NameCheap.com, allowed someone to register the domain called ameznpscare[.]com, which appears to us as an OBVIOUS fraud meant to look like it is associated with Amazon.  It was registered in Iceland just hours before this email was sent from that domain.  

Our readers may remember that we had identified a group of malicious domains in last week’s newsletter that were also registered in Iceland.  You’ll see more below in today’s newsletter! This is no coincidence.  It is testimony to the fact that international cybercriminal gangs are businesses that employ lots of people and have their own business practices, such as saving money by purchasing domains in bulk from various registrars in different countries around the world, like Iceland! In support of our claim that this email came from cybercriminals in some non-English speaking country is the tiny text in the grey box at the bottom of the email. This is what it says… “Note that you have received as you have explicitly opted to receive. We will send you emails related to your orders, listings, updates about products oyou have purchased from us, or information about your account.” Spoken like a native English speaker, right?!





Finally, we have this “PayPal Billing email” that came from someone’s personal Gmail account named “elizabethjac8561.”  Recipients are told that they “sent a payment of $659.99 USD to Amirror Solution.”  “Charge will reflect in your record within 24 Hours,” meaning that you still have time to call the scammers at 888-993-4165 to hand over the keys to your life!  (It should be obvious to all that English is not the first language of the sender, highlighting again, that most of these scams targeting Americans come from cybercriminal gangs in other countries.)


 

YOUR MONEY
ABC Shark Tank, New Rate Notification, and Quicken Loans

Shark Tank has been on the air for 12 years now and is very popular. That’s why fake emails claiming to be about Shark Tank, or its participants, have been a staple from (at least) one very active cybercriminal gang which we believe is in India and has been the one to register malicious domains in Iceland. Take this recent example. The email came from the domain titbaliya[.]com and all links point to another oddball domain called xrketo[.]com. The former was registered on March 18 and the latter was registered on April 29, the same day this email was sent to one of our honeypot accounts. Twenty-four minutes later, our honeypot account received the exact same email, with links pointing to xrketo[.]com, BUT the second email came from a different domain named marvilons[.]com. (This marvelous domain was registered in Iceland in 2020.)










It’s not at all clear to us whether scammers want us to think this next email came from Chase or Home Guide. But it doesn’t matter. It’s malicious either way! It came to one of our readers and she was asked to verify her personal information to confirm her “newest rate.” But for what? No idea! The domain used to send this email and connected to the links is hideawayim[.]com. It was registered in India and is hosted on a server in France.

Now delete!





Quicken Loans may be committed to helping homeowners but this email didn’t come from Quicken Loans! The links in this email point to a dynamic DNS service that is likely to send you to a variety of different malicious domains every time you click the link.

Deeeeleeeete!




 
 

TOP STORY
It Looks Like You! (Facebook Message)

One of the most successful and longest-running phishing tricks targeting Facebook users has been a message from a friend saying “it looks like you..” or “Is this you?” or “Are you in this video?” (We wrote about this in our newsletter from September 25, 2019.)  The reason it comes from a friend is because the friend has fallen for the trick and his/her account was hacked. That’s what happened recently to a relative of ours.  She fell for the trick and the scammer then perpetuated the scam by logging into her account and sending out this message to all of her friends and family.



The link in this graphic is designed to look like it points to a YouTube video but it doesn’t. This one very clearly points to a 3-letter domain (tsh) called tsh[.]re on a server located on a tiny island called Reunion, off the coast of Africa. (“.re” = 2-letter country code for Reunion.) It was registered in Spain (España) by someone named “Tq Tz” in January, 2021 with VERY little information given to the Registrar.


 

What’s to gain when a scammer steals your login credentials to a social media account? A WEALTH of information and opportunity that can be monetized in many different ways! Here are just a few of them…

  1. Hackers will collect LOTS of personal information about you, your family and friends to sell on the dark web.  This kind of information can be used in spear-phishing attacks because the scammer can sprinkle their scams with information specific to the targeted person, making it more likely to trick him/her.

  2. Most people, sadly, use the same password for lots of important accounts including email accounts.  If this is you, PLEASE STOP!  Your email account serves as the keys to your entire digital kingdom!  It is exceptionally easy for criminals to figure out your personal email account once they gain access to your social media accounts.  And if the password to your email account is the same as your social media account, you are about to feel a great deal of pain and stress in your life!

  3. Scammers can target your friends and family with scams that appear to come from you through your own social media account! This includes social engineering tricks to get your friends/family to click malicious links to malware.  It can include the posting of fake items for sale with links to fake merchandise sites that are meant to capture your credit card data, for example.

Once you realize that your social media account has been compromised, it’s critically important that you do the following IMMEDIATELY:

  • Change your password to your social media account, and then change this password on every other account on which it is used! (Preferably, to different passwords!)

  • Notify your friends and family that your account was hacked and what the message was that the hacker sent out to others.  Urge them to change their passwords, etc. if they clicked on the link and gave up their login credentials!

  • Go through the settings on your social media account and confirm that nothing was changed that would provide notifications to the hacker or a possible way back into your account.  For example, sometimes hackers will add additional email addresses or phone numbers to an account.

Fortunately, MANY security services are already well aware that the domain tsh[.]re is malicious, as you can see from the graphic below.  But that doesn’t mean that the public is!  Most people truly believe that if they receive a social media message/post from a friend’s account, he or she sent it.  But in today’s day and age of skyrocketing scams and fraud, it is no longer true.  



Those people who clicked that link to watch the video were sent to this phishing webpage at tsh[.]re:


 

This exact same phishing page was reported in an article about Facebook phishing scams back in December, 2020 on DigitalInformationWorld.com. We urge all our readers to be skeptical online. Look at content with a critical eye! If you have any suspicions about a message or advertisement or post, do NOT click on it and do not enter your personal credentials. Contact the sender or do a bit of research in Google to see if it is legitimate, or better yet, send it to us to ask us what we think!

Here are 2 links to other well written articles about Facebook scams:

 -- The Many Ways You Can Be Scammed on Facebook, Part I (Malwarebytes Blog; 12/2/20)

 -- 11 Facebook Scams You Need to Know (By security expert Robert Siciliano for TheBalance.com; 2/8/21)

Looking to improve your skills at making a SET of strong, related passwords that are easy to remember and NOT identical? Visit our article called “Creating Strong Passwords and Sets of Passwords.”
 


 

For Your Safety
SHOCKING PROOF!

We remember a time, just a few years ago, when thousands upon thousands of malicious emails were hitting people’s inboxes and contained words like “shocking” and “unbelievable.”  Of course, they were meant to entice the recipient into clicking a malicious link. On April 23, one of these dropped into one of our honeypot accounts. “Shocking Proof God’s Plan is Coming True…” “This video has left me speechless!” At least one line in this malicious clickbait was absolutely true… “I promise, you’ll never be the same.” (The domain used in the links in this email, vinoptek[.]today, was registered in India in January. What a surprise.)

If you see the word “shocking” or “unbelievable” in an email, lunge for the delete key!
 







TEXTPLOSION
You have $50,000.00 owed to you...

This text from 860-578-7973 is hysterical! Supposedly, you are being offered $50,000.00 as part of a “Compesation” (See the misspelling?) package due to the pandemic. It comes from the “Federal Government and World Grant.”



Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

