THE DAILY SCAM NEWSLETTER — SEPTEMBER 30, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 319


THE WEEK IN REVIEW

So much malicious clickbait last week! It’s important to remember that many cybercriminal gangs from all over the world work for hours, day after day, dedicated to making money by targeting YOU via email, text, phone calls, and social media!  It is critically important that you stay on your guard and keep a healthy dose of skepticism when viewing, hearing, or reading any of the content or messages that come into your devices.  One recent example concerns a collection of simple texts, each containing a malicious link, that several TDS readers have reported to us.

These texts all begin with a name (usually NOT the correct name of the recipient), followed by something like “final notification for your USPS delivery” or “important notification about your USPS delivery.”  Each text contains a link that leads to malware designed to infect a phone.  Here are two recent examples, despite the April and August dates in the texts.  One came from 646-306-8926, the other from 917-331-8719. Both have links pointing to the domain sj1v[.]info. A WHOIS lookup informs us that this malicious domain was registered 3 days earlier and is being hosted in Hong Kong.  Every service we used to evaluate these links informed us they were malicious!

      

And then we had a TDS reader send us this completely lame scam text he received from the email address “givbkdonate @ yahoo.com” --as in “give back donate?”  Apparently, in December, 2019, a Nevada man named Bill Lawrence won 150 million dollars.  This text wants you to believe that he’s giving away money through someone named “Anthony Rodriquez.”  And if you believe that then we also have land to sell you in Atlantis.

 

Daily Scam Home Page

PHISH NETS
iCloud and Paypal Accounts are Locked

One of our readers sent us this obvious phishing email pretending to be from “Apple Support.”  Unfortunately, it was stripped of the link information but it is a phish nonetheless!  Look at the FROM address. It came from the domain “commentsold[.]com.”  “Dear Customer, A new issue of your account, please unlock your account because within 24 hours we will locked your account.”  (Apparently, someone didn’t attend all his English classes!)
 


 

This next phisherman also missed a few English language lessons!  It’s very deceiving, though, because “service@paypal.com” immediately follows FROM.  However, that Paypal email was placed into the NAME field!  The REAL email address appears between the <> symbols.  This email came from 3wp[.]com, a parked domain created in 2001 and currently up for sale.  What was interesting to us about this phish is that the link for “Login To Verify” pointed to a shortening service that sounds like “deliver it.”  When we unshortened that link using Unshorten.it we discovered that you’ll be redirected to a bogus domain called SaveYourAccountID[.]info. It was no surprise to learn that SaveYourAccountID[.]info was registered just 9 days earlier.

Deeeleeeete!
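The name-field trick described above can be checked mechanically. The following is an added example, not code from The Daily Scam: it flags a From header whose display name shows an email address or brand that does not match the real address between the <> symbols. The brand map, the finding labels and the `.example` sender addresses are constructed for illustration.

```python
import re
from email.header import decode_header, make_header

# Simplified split of a From: value into display name and <address>.
FROM_RE = re.compile(r'^\s*"?(?P<name>.*?)"?\s*<(?P<addr>[^<>\s]+)>\s*$')
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Assumed brand -> legitimate sending domains (constructed for this example).
BRANDS = {"paypal": {"paypal.com"}, "apple": {"apple.com"}}


def _within(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from(value, brands=BRANDS):
    """Return a sorted list of findings for one raw From: header value."""
    m = FROM_RE.match(value)
    if not m:
        # Bare address with no display name: nothing to compare against.
        return []
    # Decode RFC 2047 encoded-words so an encoded name cannot hide an address.
    name = str(make_header(decode_header(m.group("name")))).strip()
    real = m.group("addr").rsplit("@", 1)[-1].lower()
    findings = set()
    shown = EMAIL_IN_NAME.search(name)
    if shown and not _within(real, {shown.group(1).lower()}):
        findings.add("address-in-name-differs-from-sender")
    for brand, domains in brands.items():
        if brand in name.lower() and not _within(real, domains):
            findings.add("brand-name-from-unrelated-domain")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed samples; the .example domains stand in for real senders.
    for sample in ('service@paypal.com <billing@mailer.example>',
                   '"Apple Support" <noreply@shop.example>',
                   'PayPal <service@mail.paypal.com>'):
        print(sample, "->", check_from(sample))
```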







 

 

YOUR MONEY
Happy Easter Amazon Gift Card? Claim Your Costco Gift Card

If someone greeted you with “Happy Easter” we imagine a look on your face that might say “what planet is this person from?”  We don’t think you would smile warmly and reply “Happy Easter to you too!”  And yet, one of our readers contacted us to say “I just clicked on an egg, should I be concerned?”  HELL YES!  This fellow received a bizarre email last week saying “Happy Easter. Celebrate with us. Get your $1000 Amazon gift card” and he clicked the link.  As his browser was headed off to the malware selection of the day, he had second thoughts and quickly closed his window.  Then he returned to the email and (dare we say it) clicked the Unsubscribe button.  He told us that he saw an image of a face and immediately shut that window down as well.  NEVER CLICK “Unsubscribe” IN SUSPICIOUS, SPAMMY, SCAMMY EMAILS!  These links are just as malicious as the rest of the email!



 

Though this email was about an “amazon gift-card” it came from a domain used by Royal Caribbean Marketing, or so it seemed.  Here’s what we discovered about this “chance to win”...

1. We used 4 different online tools to evaluate the destination of the links in the email and found no malware.  HOWEVER, these tools are not always reliable. Some malware contains unique “zero day exploits” and may be undetectable for days or weeks by online services. Or, as we suspect, the link forwards the visitor to other links that are malicious.

2. We were unable to determine the exact destination of the links in the email. But Screenshot Machine visited the destination and landed on Google's search engine.  That's not a good sign.  The link clearly doesn't show that it leads directly to Google and the content of the email suggests otherwise.  This tells us that another website was visited and then there was a redirect to Google.  That's common practice by cybercriminals.

3. The email claims to be about Easter and for an Amazon gift card. Easter is months away and NOTHING in the links points or redirects to Amazon at all.  That's a bad sign.

4. The email came from a Royal Caribbean Marketing company.  That has nothing to do with the content of the email or Amazon.  Bad sign again.

Based on these points, we STRONGLY suspect that this email leads to a malware infection. But wait, we also told him that there may be some good news in these dark clouds...

a) He quit quickly after he clicked.

b) This happened, he said, on his iPhone.  Malware threatening iOS on an iPhone is rare, especially if one doesn’t “jailbreak” the iPhone and ONLY installs software from Apple’s App Store. (In 2019, Android phones had the most malware threats targeting them, according to researchers at Check Point and reported in this ZDnet.com article. TDS does NOT recommend jailbreaking any phone!)

Having said this to Mr. Egg-clicker, we also told him it was prudent to install and run some quality Antivirus software designed for the iPhone. We also recommended that he clear his Safari and/or Google browser's cache on his phone to remove any possible threats still lingering in his browser cookies.  Finally, we told him to be hyper-aware of any more unusual emails or activities on his iPhone.  And, as predicted, two days later he received this NEARLY IDENTICAL email again!  But this time, it came from the domain eLifeThings[.]com.

A big fat delete!
 


 

Clickbait gift cards have LOOOOONG been the staple of cybercriminals.  It’s so tempting if we believe that some big name store has sent us free money!  But they are all lies and easy to see through if we look closely enough.  Take this opportunity to “Win a $100 Costo Gift Card.”  The email didn’t come from Costco and the links don’t point back to Costco.com.  This email came from RewardForYou[.]info, a domain that was registered anonymously in early August and is now hosted on a server in London, England.  The link for “Enter to Win!” points to a domain, webUSemail[.]co, that was registered in July.  Step away from this precipice!  When we safely visited this malicious link through a proxy, we arrived at a web page saying we were on an old version of Chrome and asking us to “Reinstall Chrome to Stay Secure.”  That’s just more malicious social engineering!
 


 
 

TOP STORY
Mi Casa NO Es Tu Casa!

We have repeatedly warned readers about crap generic top-level domains (gTLDs) used almost exclusively by cybercriminals because they are cheap to purchase.  There have been hundreds, like “.faith” “.digital” “.asia” and “.cam.” Lately, we’ve seen a lot of “.casa” along with “.work” gTLDs used in setting up malicious clickbait website destinations.  And so we wanted readers to know that my “casa” is NOT your “casa!”  NEVER click links in emails that come from domains ending in “.casa” or “.work”!  Here are three recent examples of emails that all came from a domain ending in “.casa.”  Each one of them was found to contain malicious links AS WELL AS 2-hyphenated words in the directories of those links!  These bear traps all came from the “Hyphen-Poopy Gang!”

“See If Our Low Rates Save You More - SelectQuote Term Life $250k Coverage” came from riyeeh[.]casa.
 





 

“Tactical Flashlight 100% Free Today. Only Pay Shipping” came from treedf[.]casa.







“Inventory Low, Act Now to Get Your 15 Bottles of Premium Vineyard Wine for 75% off” came from cisrt[.]casa.  By the way, in addition to the malicious domains, every one of these “.casa” domains contained a redirect to a recently registered domain that we’ve already demonstrated contains even more malware lying in wait… “plazabest[.]com.” (Visit last week’s Newsletter!)





 


FOR YOUR SAFETY
You've Been Nominated by Who's Who

You have NOT been nominated by Who’s Who!  But you have been sent nasty clickbait meant to infect your computer with malware waiting at flippingclicks[.]com!






Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.

