THE DAILY SCAM NEWSLETTER — FEBRUARY 3, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 337


THE WEEK IN REVIEW

We reported to readers on January 6th that David had received a “digital mugging” from one of the cybercriminal gangs we routinely report on. Now they’ve begun to turn their attention to our family members in an effort to hurt us. This speaks volumes about the low-life people they are, who make money by causing pain to others. It also tells us we’re right on target with the work we do to reveal their fraud. Here are two recent emails sent to Doug’s spouse. Both were clearly designed to look like they came from Doug. The first came from an account in Japan named “yum.” A WHOIS lookup of the domain in the link, hrletde[.]com, shows that it was registered just hours before the email was sent. We all know what this means…

Malware awaits!

The second email to Doug’s spouse came two days later from an email address in Ecuador (“.ec” is Ecuador’s country-code domain). Once again, the link pointed to a domain that had been registered just hours earlier, uorcloas[.]com. Below, in For Your Safety, you’ll see one of the most unusual forms of malicious clickbait we’ve ever seen. It targeted one of David’s family members, and what made it so unusual was that it appeared as an entry inside the Calendar app on the person’s smartphone.
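
The “registered just hours earlier” check that catches both of these emails can be automated. The following Python script is an added example and not the newsletter’s own tooling: it pulls the creation date out of a WHOIS-style record and flags any link whose domain is younger than a chosen threshold. The WHOIS text below is constructed for the example (the real registration timestamps of hrletde[.]com and uorcloas[.]com are not printed here), and the defanged-URL handling, the sample domains and the 72-hour threshold are assumptions; a real deployment would feed in the output of the `whois` command or an RDAP lookup instead of the embedded records.

```python
"""Flag links whose domain was registered only hours before the email arrived.

Added example, not the newsletter's own tooling. The WHOIS records below are
constructed; the creation timestamps are invented for illustration.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed WHOIS-style records keyed by domain. Timestamps are invented.
SAMPLE_WHOIS = {
    "hrletde.com": (
        "Domain Name: HRLETDE.COM\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2021-01-27T09:14:02Z\n"
        "Registry Expiry Date: 2022-01-27T09:14:02Z\n"
    ),
    "example.org": (
        "Domain Name: EXAMPLE.ORG\n"
        "Creation Date: 1995-08-31T04:00:00Z\n"
    ),
}

# Assumed time the email was received, a few hours after the domain's creation.
RECEIVED_AT = datetime(2021, 1, 27, 15, 0, tzinfo=timezone.utc)

# Registries label the field differently; match the common spellings.
CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On|created):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def refang(url):
    """Turn a defanged URL such as hxxp://hrletde[.]com back into a parseable one."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def registrable_domain(url):
    """Host of the URL without a leading 'www.'; does not apply public-suffix rules."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def parse_creation_date(whois_text):
    """Return the creation timestamp as an aware datetime, or None if absent."""
    match = CREATION_RE.search(whois_text)
    if not match:
        return None
    stamp = match.group(1)
    if stamp.endswith("Z"):          # fromisoformat on older Pythons rejects 'Z'
        stamp = stamp[:-1] + "+00:00"
    created = datetime.fromisoformat(stamp)
    if created.tzinfo is None:       # assume UTC when the registry omits a zone
        created = created.replace(tzinfo=timezone.utc)
    return created

def domain_age_hours(domain, now, lookup=SAMPLE_WHOIS.get):
    """Hours between registration and `now`, or None when no record/date is found."""
    record = lookup(domain)
    if record is None:
        return None
    created = parse_creation_date(record)
    if created is None:
        return None
    return (now - created).total_seconds() / 3600

def is_freshly_registered(url, now, max_age_hours=72, lookup=SAMPLE_WHOIS.get):
    """True when the link's domain is younger than max_age_hours (an assumed threshold)."""
    age = domain_age_hours(registrable_domain(url), now, lookup)
    return age is not None and age < max_age_hours

if __name__ == "__main__":
    for link in ("hxxp://hrletde[.]com/x", "https://www.example.org/", "https://nowhere.test/"):
        verdict = "FRESH" if is_freshly_registered(link, RECEIVED_AT) else "ok"
        print(link, "->", verdict)
```

A domain with no record, or a record with no creation date, is deliberately reported as not fresh rather than as an error, so that a privacy-masked or unreachable WHOIS server does not silently turn every link into an alert; an analyst should treat “no answer” as its own signal and look the domain up by hand.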

Though there are many possibilities for who might be responsible for targeting us for the work we do, a variety of breadcrumbs we’ve traced suggest the source is one of the cybercriminal gangs in India. Our best guess is the Hyphen-Poopy gang. We named this gang in late September 2020, and less than two months later David took a digital beating. (Read the Your Money column from October 14, 2020 to understand why we call this gang the Hyphen-Poopy Gang.) (NOTE: We’re reasonably certain that this criminal gang, and perhaps others, subscribe to our newsletter, so we would rather not reveal any more about the breadcrumbs that point to them.)

 

Daily Scam Home Page

 

PHISH NETS
Venmo, Square Cash App, Bank of America, and Wells Fargo

We’ve never caught a phish targeting Venmo or Square Cash App users before, but we’re not surprised to find them swimming in an ocean of fraud. The creators of this Venmo phish probably thought they were very clever in registering a lookalike domain, venmo-app[.]com, to use in this fraud. This domain is NOT owned by Venmo. It was registered in Germany on August 4, 2020 and is hosted on a server in Manchester, England. However, the text of the email contains MANY capitalization, grammar and other errors, and it closes with “Sincerely, PayPal.” The link labeled “help.venmo.com” appears to point to Google, but it is a Google redirect URL whose real destination is a hacked website, teletrade[.]com, which trades in rare coins and currencies.

Delete!


 

The email made to look like it came from Square Inc. was sent from accounts-lockeds[.]com. This domain was registered anonymously on December 3, 2020. The text of the email is pretty lame: “Hi Client, Your payment has not yet been verified. Future payments to your account may not be founded until the account is verified.” Seems to us that Google Translate did not serve them well! The “Log In” link points to another very long Google URL. However, like the Venmo phish, we found a redirect buried in it that will send victims to annig[.]co[.]za, a website hosted in South Africa (“.za” comes from Zuid-Afrika, Dutch for South Africa).
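
The Google redirect trick used by both the Venmo and the Square phish can be unwrapped without clicking anything, because the true destination sits in the redirector’s query string. Below is an added example (not the newsletter’s own tooling) that peels such parameter-based redirects apart, even when one is nested inside another, and compares the host the victim is shown against the host they would actually land on. The sample URLs are constructed to resemble the ones described; the real paths on teletrade[.]com and annig[.]co[.]za are not printed in the newsletter, the legitimate help.venmo.com URL is assumed, and the list of query parameter names to try is an assumption.

```python
"""Unwrap parameter-based redirects (e.g. google.com/url?q=...) offline.

Added example; sample links are constructed to resemble the phish described.
"""
from urllib.parse import urlsplit, parse_qs, quote

# Query parameters that redirectors commonly use to carry the destination (assumed list).
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target", "dest", "to")

def embedded_target(url):
    """Return the http(s) URL carried in `url`'s query string, or None."""
    params = parse_qs(urlsplit(url).query)   # parse_qs percent-decodes the values
    for key in REDIRECT_PARAMS:
        for value in params.get(key, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None

def unwrap_redirect(url, max_depth=5):
    """Follow nested parameter redirects; returns (final_url, [every hop])."""
    chain = [url]
    for _ in range(max_depth):
        nxt = embedded_target(chain[-1])
        if nxt is None or nxt in chain:       # stop on a dead end or a loop
            break
        chain.append(nxt)
    return chain[-1], chain

def shown_host(anchor_text):
    """Host implied by a link label such as 'help.venmo.com'; '' if the label is not one."""
    text = anchor_text.strip()
    if "." not in text or any(ch.isspace() for ch in text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()

def link_mismatch(anchor_text, href):
    """Compare what the victim sees with where the link really goes."""
    final, chain = unwrap_redirect(href)
    shown = shown_host(anchor_text)
    actual = (urlsplit(final).hostname or "").lower()
    same_site = actual == shown or actual.endswith("." + shown)
    return {
        "shown": shown,
        "actual": actual,
        "hops": len(chain) - 1,
        "mismatch": bool(shown) and not same_site,
    }

def google_wrap(destination):
    """Build a google.com/url?q=... link around `destination` (used only for sample data)."""
    return "https://www.google.com/url?q=" + quote(destination, safe="") + "&sa=D"

# Constructed samples: the paths are invented, the domains are the ones in the newsletter.
VENMO_PHISH_LINK = google_wrap("https://teletrade.com/wp-content/venmo/signin.html")
SQUARE_PHISH_LINK = google_wrap(google_wrap("https://annig.co.za/cash/verify.php"))  # wrapped twice
REAL_VENMO_LINK = "https://help.venmo.com/hc/en-us"   # assumed legitimate URL

if __name__ == "__main__":
    for label, href in (("help.venmo.com", VENMO_PHISH_LINK),
                        ("Log In", SQUARE_PHISH_LINK),
                        ("help.venmo.com", REAL_VENMO_LINK)):
        print(label, link_mismatch(label, href))
```

Two limits worth knowing: a label like “Log In” names no host, so `mismatch` stays False and the analyst must compare `actual` against the brand the email claims to be; and this only unwraps redirects written into the URL itself, so a server-side 3xx redirect (the kind keenjabber53[.]com and Bertina[.]biz below would use) is invisible until the link is fetched in a sandbox.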

One of our readers takes great pleasure in wasting the time of Nigerian 419 (advance fee) scammers. He sends us lots of interesting tidbits weekly, including this phish pretending to be from Bank of America. The email came from an account in Japan (“.jp” = Japan). A mouse-over of the “Login Here” link reveals that it points to a website called keenjabber53[.]com. This oddly named domain was registered almost a year ago in Singapore, but now contains a redirect that will send you to a Bank of America lookalike in India at bigworld[.]net[.]in. Our friend told us that the fake BOA website asks visitors for their Social Security number, card number, passcode, email address, and even email password! That’s pretty cheeky!

What would a week be without another Wells Fargo Bank phish?! The link to sign into your account pointed to an old domain (first registered in 2009) that no longer appears to host any website. It’s called Bertina[.]biz and is hosted on a server in Falkenstein, Germany. ‘Nuf said.

Delete!

YOUR MONEY
Your Medicare Application and Claim Your Chase Bank Reward

In the United States, people qualify for Medicare when they turn 65 (or earlier if they have certain disabilities or conditions), so this next email is clearly targeting older Americans. If you look closely at the FROM address, you’ll see a bizarre spoofed domain name that, according to WHOIS tools, has never been registered. “Get a Free Medicare Benefits Review Today” may sound helpful, but we believe this is malicious clickbait and NOT an informational email from “TZ Insurance Solutions LLC.”

Never mind that the design and layout of this email match those of most malicious clickbait. Take a look at the link revealed at the bottom of the email by a mouse-over. It points to a bare IP address rather than a domain name: 45[.]154[.]85[.]76. According to IPLocation.net, that address sits on a server in either the UK or the Netherlands. WHY would a United States insurance agency host its information (or use a marketing service) in a way that directs Medicare inquiries to Europe?

What makes this Medicare clickbait interesting to us is that the cybercriminals who set it up placed a redirect on the server in the UK/Netherlands to a domain owned by TZ Insurance Solutions called Online-Medicare-Plans[.]com, which was registered back in 2012. We suspect visitors clicking the link in the email will be hit with malware in Europe before being tossed over the big puddle to this real website owned by TZ Insurance.

A FOOTNOTE for those truly interested in learning more about Medicare plans: If you are “of an age” and interested in learning more about Medicare plans, be VERY mindful about where you get your information! Check out reviews of sources! For example, if you are considering visiting the website owned by TZ Insurance Solutions, you might find it worthwhile to know that 14 Google reviews, as of January 30, 2021, gave TZ Insurance less than 2 stars. (It would have been a much lower rating, but 3 of the 14 reviewers gave them 5 stars. Of these three 5-star ratings, one literally said “your going love this place ,great food fairly priced sowhatare you waiting for” and the other two said nothing at all and came from “Tour Guides.” Makes you wonder whether these 5-star ratings were real or fake!)

This email is so obviously NOT from Chase Bank! It clearly came from onlineshopkenya[.]com, and the links point there as well. We didn’t find any malware at this location, but that doesn’t mean there is none! Do you see the logo/name for “National Consumer Center” in the upper left corner? When we searched for this service we found many links offering advice for getting rid of malware disguised as the National Consumer Center, such as this article at malwaretips.com. We took a screenshot of the link destination. Below is the web page where you’ll see an invitation for visitors to take a questionnaire. This feels like a phishing scam!

Deeeleeete!

TOP STORY
Why Google Can No Longer Be Trusted

For many years, cybercriminals have understood the value of manipulating tools and services that people trust in order to infect or mislead their next potential victim. Google represents the crown jewels because EVERYONE uses it and most people trust it to return reliable information and resources. You shouldn’t. If you’ve never heard of “search engine poisoning” before, you need to. (It is also called “spamdexing.”) Cybercriminals have become very skilled at manipulating Google into ranking malicious websites, scam phone numbers and other misinformation among the top links returned for many types of searches. Here’s one small recent example. We recently conducted a Google search for “how to recover a facebook account.” Amongst many credible sources we found a link that we immediately recognized as a fraud. Look CAREFULLY at the link information returned by Google...

Did you notice that “faceebook” and “passsword” are both misspelled in the path of this page? MOST importantly, however, the link points to sites.google.com. ANYONE with a Google account can create a website there for the world to see, and these free websites are published under sites.google.com. Real businesses and services rarely use free website hosts like this; they purchase domain names for their business or service. You can now surmise that 802-456-4706 is a scammer’s phone number.

Each result Google returns carries three or four types of information.

  • At the top of a result, in grey, is the website domain, followed by the directories and name of the web page.

  • Underneath the domain name, in the second line of larger font, is the clickable link. Its text comes from the <TITLE> tag of the web page.

  • Underneath the title you’ll typically see text taken from the page so people can better judge whether it is something they are truly interested in.

  • Some websites are so rich in resources that Google will also show an indented list of multiple links found at that site. Try Googling “thedailyscam” and you’ll see what we mean.

After identifying this scammer’s phone number, meant to prey upon people looking for help with Facebook, we searched Google for 802-456-4706 and were not at all surprised to find LOTS of malicious websites listing this number. Some were posted on sites.google.com, while others were on bogus websites intended to look like tech support services. These included the following scam, or legitimate but misused, domains:

  • Antivirusupportplus[.]com (Registered in India in 2017)

  • Klusster[.]com (A website that allows its users to post whatever content they want.)

  • Askpromptly[.]com (A website registered in October 2019 by someone identified as “Merry Suzen Sant.” This person also registered two other odd websites around the same time, and Google can’t find anything about this unusual name at all. One of “Merry Suzen Sant’s” websites is called ChangeMyFlights[.]com and offers the phone number 803-373-8382. If you search Google for this phone number you’ll find several scam sites AND credible sites calling them travel agent scams!)

This rabbit hole of fraudulent websites and resources goes deep! One scam seems to lead to another, but we digress. We visited the VERY fraudulent link sites[.]google[.]com/view/recover-faceebook-passsword and saw a bogus website intent on tricking consumers into calling a scammer’s phone number. The same was true of the first link above, sites[.]google[.]com/view/mobile-tech-suppport (NOTICE the misspelling of “suppport!”)
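
The two tells in this section, misspelled brand and lure words in a URL and a page parked on a free site builder, plus the one from the Venmo phish above (a brand name inside a domain the brand does not own), can be checked mechanically. The Python below is an added example, not the newsletter’s tooling: it splits a link into words, compares each against a short vocabulary using edit distance, flags a brand keyword whose host is not the brand’s own domain, and notes when the page lives on sites.google.com. The vocabulary, the brand-to-domain mapping, the free-host list and the edit-distance threshold are assumptions chosen for the example, and the legitimate facebook.com URL in the sample run is constructed.

```python
"""Spot misspelled brand/lure words and brand names on the wrong domain in a URL.

Added example, not the newsletter's tooling. Vocabulary, brand->domain mapping,
free-host list and the distance threshold are assumptions for the example.
"""
import re
from urllib.parse import urlsplit

# Brand keyword -> the domain that legitimately owns it (assumed mapping).
BRANDS = {"facebook": "facebook.com", "venmo": "venmo.com", "paypal": "paypal.com"}
# Words that phishing and tech-support lures lean on (assumed list).
LURE_WORDS = {"password", "recover", "support", "login", "verify"}
# Free site builders where anyone can publish; only the one from the article is listed.
FREE_HOSTS = {"sites.google.com"}

def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]

def url_words(url):
    """Host (refanged, lower-case) and the alphanumeric words in host and path."""
    parts = urlsplit(url.replace("[.]", "."))
    host = (parts.hostname or "").lower()
    words = re.split(r"[^a-z0-9]+", (host + " " + parts.path).lower())
    return host, [w for w in words if w]

def near_miss(word, vocab, max_distance=2):
    """(vocab word, distance) for an exact hit or a close misspelling, else None."""
    best = None
    for candidate in vocab:
        if word == candidate:
            return candidate, 0
        if len(candidate) < 5:          # short words collide by chance too often
            continue
        distance = levenshtein(word, candidate)
        if distance <= max_distance and (best is None or distance < best[1]):
            best = (candidate, distance)
    return best

def assess(url):
    """Human-readable findings; an empty list means nothing suspicious was noticed."""
    host, words = url_words(url)
    findings = []
    if host in FREE_HOSTS:
        findings.append(f"page is hosted on the free site builder {host}")
    for word in words:
        hit = near_miss(word, set(BRANDS) | LURE_WORDS)
        if hit is None:
            continue
        vocab_word, distance = hit
        if distance > 0:
            findings.append(f"'{word}' looks like a misspelling of '{vocab_word}' "
                            f"(edit distance {distance})")
        elif vocab_word in BRANDS:
            owner = BRANDS[vocab_word]
            if host != owner and not host.endswith("." + owner):
                findings.append(f"'{vocab_word}' appears on {host}, which is not {owner}")
    return findings

if __name__ == "__main__":
    for link in ("https://sites.google.com/view/recover-faceebook-passsword",
                 "https://sites.google.com/view/mobile-tech-suppport",
                 "http://venmo-app[.]com/login",
                 "https://www.facebook.com/help/"):   # constructed legitimate URL
        print(link, assess(link) or ["no findings"])
```

The `len(candidate) < 5` guard matters more than it looks: without it, three-letter path segments such as “com” or “app” sit within two edits of half the vocabulary and every URL lights up. Treat the output as a triage hint, not a verdict; a lure word spelled correctly on a brand’s own domain is normal, and the check deliberately stays silent there.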

And if you think that these scam sites littering the Internet are only targeting Americans, you are naive. Here is a screenshot taken from the homepage of antivirusupportplus[.]com. You’ll see phone numbers inviting callers from the UK and Australia. Some people may think that these websites represent legitimate businesses. Maybe we’re too hasty in our assessment? If this were a legitimate business, wouldn’t you expect a legitimate business address or company name? We should also be able to look up reviews and other information about a legitimate business. Antivirusupportplus[.]com lists its business address as “Sylvan Heights, Sylva, NC 28779” without any street number. We looked up Sylvan Heights in Google Maps and found a wealthy suburb containing about a half dozen houses and a cemetery.

Google can no longer keep bad actors from getting their scam websites into the first 1 to 3 pages of results. Every month we hear from people who used Google to find a customer service phone number for a big company like Apple, Amazon or Microsoft, only to reach a scammer who took them for a fraudulent ride down a deep dark path. Don’t assume that every website or phone number returned by Google is legitimate. Double-check: look at site domain names, and look for reviews that make sense! Most importantly, search for business names you can trust or that you know are in your area.

FOR YOUR SAFETY
Calendar Embedded Malicious Link

David’s family member was quite surprised last week when, after launching her calendar application, she spotted what appeared to be an advertisement in her calendar. The entry read “BEWARE! Your passwords might be published online. Remove possible viruses now.” Only it wasn’t an ad. It was a malicious link. It pointed to a domain named zpredir1[.]com, which was registered in March 2020 and is hosted in Amsterdam. This site rotates among several redirects to other websites, including one to a website registered in Russia just 9 days earlier. Visitors might also be sent to one of these two malicious websites:

  • Vipguard[.]site 

  • Appsecurity[.]site

Both of these “.site” domains were registered anonymously on November 26, 2020 and are hosted on a server in Frankfurt, Germany. Neither domain serves a web page at its top level for visitors to see (as of 1/30/21).

Until next week, surf safely!

Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.