THE DAILY SCAM NEWSLETTER — DECEMBER 23, 2020
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 331


THE WEEK IN REVIEW

Our apologies to our readers! Last week we posted 2 sound files for social security administration scams and heard from several readers that the linked sound files didn’t work properly.  We should have posted these as mp3 files instead of m4a files. The mp3 file format is easier to open so here they are again as mp3 files:






Early on in the pandemic, scams related to the spread of Coronavirus exploded on the scene and we posted an article revealing many examples of these scams and other resources.  We want you to know that these scams continue to target citizens around the world.  Here is one such recent example that appears to be about the value of wearing KN95 face masks to guard against coronavirus.  While that is true, the problem is the source of this email, and the links within it. The links point to the crap domain called numeromassi[.]buzz.  The Zulu URL Risk Analyzer not only found this website malicious, but it contains a redirect to another site we’ve previously shown to be malicious…. Yourdigitalofferr[.]com.  This is nothing more than malicious clickbait, not information about protective masks.





Daily Scam Home Page

PHISH NETS
Docusign Account, Your Amazon and Paypal Accounts Are on Hold!

This first email is rather clever in that it appears to contain an email thread between two people, and then seems to have been accidentally sent to you.  The most recent part of this trick contains the information “Your document has been completed” along with a link to “click to view completed due settlement” pdf.  This is followed, in bold, by “Do not show this email to anyone else  This email contains a secure link to Docusign.”  And of course, it doesn’t!  Hovering over that link will show that it points to a domain called elitetransports[.]co rather than docusign.net.  This website was registered in 2018 but as of December 20 has no visible website at the top of the domain. But if you were to follow this phishing link to a directory buried in that domain you’ll find what appears to be a Docusign login page! Check out our screenshot of this phish below which looks like you are on the real Docusign page to access secure documents.  Sharp eyes will see some very subtle and important differences between the screenshot phish below and the REAL Docusign Access page.  Can you spot them?

It is very unusual for a phishing site such as elitetransports[.]co to stay around for so many years. (It is hosted on a server in Colombia -- “.co”) But at least VirusTotal.com can show us that many security services have identified this domain as a threat!








The FROM address may appear as “service@paypal.com” in this next email, but that is simply text in the name field.  The REAL sender’s domain follows in brackets.  The email appears to have come from the bizarre domain registered in the United Kingdom called z345RXSf-77789182[.]uk.  However, our WHOIS tools say this domain has not been registered.  It doesn’t matter.  The link to log into your PayPal account doesn’t point to PayPal!
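The name-field trick described above can be checked automatically. This is an added example, not code from The Daily Scam: it parses a From header and flags a display name that shows an address or brand that does not match the real sender's domain. The sample headers, the sender domains ending in .example, and the small brand table are constructed assumptions, and the brand-name check goes slightly beyond the PayPal case in the text.

```python
import re
from email.utils import parseaddr

# Finds an e-mail address embedded in free text such as a display name.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Assumed brand -> legitimate sending domain table (illustrative only).
BRANDS = {"paypal": "paypal.com", "verizon": "verizon.com"}


def base_domain(domain):
    """Crude comparison key: the last two labels of the domain.
    Assumption: ignores multi-label public suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def inspect_from(header):
    """Split a From header into display name and real address, then list
    every way the display name misrepresents the real sender domain."""
    display, address = parseaddr(header)
    real = base_domain(address.rpartition("@")[2])
    reasons = []

    # Case 1: the name field itself looks like an address from another domain.
    shown = ADDR_IN_TEXT.search(display)
    if shown and base_domain(shown.group(1)) != real:
        reasons.append(f"display name shows {shown.group(1).lower()} but sender is {real}")

    # Case 2: the name field mentions a brand the sender domain does not belong to.
    for brand, domain in BRANDS.items():
        if brand in display.lower() and real != domain:
            reasons.append(f"display name mentions {brand} but sender is {real}")

    return {"display": display, "sender_domain": real, "reasons": reasons}


# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"service@paypal.com" <notice@z345-sample.example>',
    '"Thank you! Verizon" <offers@promo-sample.example>',
    '"PayPal" <service@paypal.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = inspect_from(header)
        verdict = "SUSPICIOUS" if result["reasons"] else "ok"
        print(f"{verdict:10} {header}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

A clean result here only means the name field and the sender domain agree; it says nothing about where the links in the message point.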





 

YOUR MONEY
Directv Promotion, Exclusive Verizon Offer and Walmart Satisfaction Survey

One of our readers very proudly shared this scam promotion with us because he enjoyed wasting a scammer’s time and attention!  The email claims to offer a 50% reduction on your AT&T Directv monthly bill for 3 years!  All you have to do is pay an initial 2 months in advance through the purchase of BEST BUY prepaid gift cards! (Does THAT make any sense?) And if you act in the next 100 minutes, they’ll throw in another $100 discount!

The email provides two phone numbers to call: 855-705-0708 or 855-716-0644. Our TDS reader called 855-705-0708.  Here’s how he described his experience….

“This one is a doozy. I kept this guy on the phone for 22 minutes. Had him send this to my alternate email. Told him to call me back in 30 minutes. He did. I went over all the details in the email. He originally told me this included my Directv account AND my cell services. I quizzed him about no cell services mentioned. He assured me they were included. If I concluded this offer in less than 100 minutes they would have a courier deliver a $100.00 debit card to me within 24 hours. I told him I would jump right on this. Two hours later he called back and said the billing department had not heard from me.

It was then I told him I was having more fun with this scam than he was. Of course he lambasted me with all sorts of cursing and name calling. When he stopped I told him I was a better con man than he will ever be and scolded him for breaking character. He was still cursing when I hung up.

I hope you post this because I think some people will fall for this because it looks real. They did a very good job on the email and the caller was very convincing.”

We applaud this gentleman’s effort!  As we’ve said many times, we feel it’s important to sometimes hit back at these low-lifes who don’t care who they target or how much pain they cause!  The creators of this particular scam have likely been conducting it for two years based on the fact that the email came from dtvpromotionsdepartment[.]com, a domain registered in early December, 2018 but now expired and with no website on it.



Next we have an “EXCLUSIVE OFFER” from Verizon, or so it wants you to think.  This “special offer Verizon reward” came from the domain arrespite[.]com and the fine print at the bottom tells you that it is “brought to you by Elmer Harris” of “9975 Bayport,,St.Mankato, Minnesota.”  WHO IS THAT?  According to Google and other online resources, there is no street in Minnesota called Bayport.  There are, however, the towns of Bayport, MN and Mankato, MN.  You are also informed that you can “Unsubscribe” from this email list and there is an address listed for Suite 143 at 275 Cumberland Parkway in Mechanicsburg, PA. 17055.  There is no “Suite 143” at this address!  In fact, this address is for a UPS store that also offers mailbox rentals, a commonly used ploy by scammers but we doubt that they’ve rented a mailbox there.  Just delete and be happy you dodged a bullet.



Finally, in yet another example of malicious clickbait disguised as a “satisfaction survey” here’s an email that  came from someone’s Gmail account named “hectorabelmarsh” but called Walmart.  Just take part in an “Online mart satisfaction survey” and you’ll earn $90.  Links in this clickbait point to a malicious web page hosted on a service offered by Dream Host called dream[.]io. We’ve notified Dream Host about this abuse.



 
 

TOP STORY
Hacking Human Behavior

In case you haven’t heard, Russia is, once again, (**sigh**) accused of being behind a very serious hacking attack across the United States (and the world) that Bloomberg News is calling the “hack of a decade.”  SolarWinds sells software to businesses, state and federal government agencies. Their software enables an organization to see what's happening on their computer networks, according to a post by CNET.com. CNET goes on to report that hackers were able to insert their own malicious code into a recent version of the SolarWinds software which was then downloaded and installed by about 18,000 businesses and government agencies.  This story is summarized well in this 5-minute Youtube post from Bloomberg News.  Moreover, it has been reported that this compromised software was installed by a variety of critically sensitive U.S. government agencies including the Pentagon, State Department, Department of Homeland Security, and the agency responsible for U.S. nuclear weapons. This is frightening.

This embarrassingly massive and serious breach may be unprecedented. How could such a thing happen to SolarWinds, and consequently to many thousands of others?  We suggest that the answer may be as simple as “human behavior.” Powerful companies and government agencies most certainly have in place all the bells and whistles to protect against cyber-attacks and network hacking, including multiple layers of protection. However, if their employees are not exceptionally well trained to recognize fraudulent emails, for example, then their formidable layers of protection will come crashing down the moment an employee is tricked into downloading malware or revealing a password through a phishing scam.  HUMANS ARE THE WEAKEST LINK!  (NOTE: An outstanding service that businesses can employ to train and test their employees is KnowBe4.com.  We highly recommend their service and for the record, they didn’t ask us or pay us a penny to say this!)

In September, 2019, writer Josh Fruhlinger published an outstanding article in CSOOnline.com titled “Social engineering explained: How criminals exploit human behavior.” We recommend reading it for a more detailed look into this topic.  Amongst the many tricks Mr. Fruhlinger has described in this article, and in a prior related article called “Famous Social Engineering Attacks: 12 Crafty Cons” (August, 2019; CSOOnline.com) are these 3 methods commonly employed by fraudsters:

  • Offer something sweet

  • Fake it til you make it

  • Act like you’re in charge

We’ve seen these methods used hundreds of times by cybercriminals as they are the “staples” of their game play.  Here are several recent examples of how cybercriminals effectively hack human behavior.  Would YOU have fallen for any of these? 

  1. “Naked pix of u on port site”
    Imagine being told by someone that they found naked photos of you posted on a porn site that were captured because your laptop was infected by software that turned on your webcam while you were masturbating.  Many of our readers will shake their collective heads in dismay at this ploy but this BS no doubt targets a specific demographic who may be vulnerable to it.

    The link connected to “Click Here” points to the domain tonnyjelly[.]net which was registered on November 1, 2020.




  2. Stimulus Fund
    Any American watching or reading the news has to have heard about recent Congressional negotiations that are trying to produce a much-needed second round of stimulus money for those Americans who are still suffering from the consequences of this damned pandemic. Doug at TDS received this text on December 18 from 504-512-6756 saying that there is $1,735 in stimulus money being offered to him.  He’s got 4 minutes to claim it by visiting the official-sounding domain stimulusfund[.]net.



    A Google search for stimulusfund[.]net turns up some interesting results…. The first link is to the website itself though the meta description of this website makes no sense whatsoever! It begins with “Manager - Album on Imgur” and includes a reference to toilet paper. (Imgur is an image hosting company; “meta description” is the information that describes or summarizes the contents of a web page or website for search engines to see and disclose.) The other links that follow ALL refer to Coronavirus scams!


     
  3. We have been trying to reach you
    “We have been trying to reach you - Please respond!” says an email with the FROM address that starts with “Thank you! Verizon.” Anyone willing to look will see that this email came from a domain we have long documented as malicious…. Artmobworld[.]com. Fortunately, the Zulu URL Risk Analyzer knows this site well and has pointed out multiple elements that are malicious about it.




     
  4. Your insurance has lapsed
    “We tried mailing you at your Atlanta, GA address… Maybe we need to update our records.” “We noticed that your insurance has either lapsed or you’re eligible for a new plan of nearly half your costs.” The recipient is asked to call 855-752-0370.  On December 18 several people began to report this phone number as suspicious or a likely scam on 800notes.com and ReportedCalls.com.  Someone on SpamCalls.net states that this phone number is actually coming from Cambodia.   Another big reveal is the fact that Yolanda’s email is a generic hotmail email account, not the account of any legitimate insurance agency!


     
  5. 14 incoming messages
    This “important failure notice” about “14 Incoming Messages Failed to deliver to [EMAIL REDACTED] Inbox Folder” was spoofed to look like it came from the same business email inbox that claimed to have the 14 incoming messages.  Of course, the recipient is offered a button to “Retrieve Messages.”  But the link tied to that button points to a CRAP domain called pixmaninstalingyash[.]xyz.  This is nothing more than another fast way to infect your computer with malware!


     

    Do you think you would have succumbed to weaknesses of human behavior concerning any of the above threats?  Our longtime readers have grown very skilled, savvy and skeptical about online messages and the hidden threats they contain.  But what about your family members? Friends?  This season, as you continue to celebrate through the winter holidays, raise a glass of cocoa or something stronger and share good will, ask the question of others… Can they be easily manipulated online or through their smartphones?  Do they know anyone who has been scammed? (The odds are very good that they do!)  Send them to our website!  Or better yet, invite them to get our free weekly newsletter.  And best wishes to all!

    Doug & Dave


 


FOR YOUR SAFETY
US Housing Helper and American Express Account Security Update

Once again, here is an email that shows what low-lifes cybercriminals are because they don’t care WHO they hurt or how much!  This email is meant for those who are “rent insecure” because of financial circumstances.  It pretends to be from something called the “US Housing Helper” but it was sent from another crap domain called windseason[.]buzz.  It should come as no surprise that this domain has been found to have malware lying in wait. If you know anyone who is truly in difficult financial circumstances that may impact their ability to pay rent or a mortgage, send them to this real United States Government housing help website at usa.gov. (FYI… Windseason[.]buzz will also redirect visitors to the very malicious domain called yourdigitalofferr[.]com)






Normally, we would have thought this next email from jkamerica[.]com to be just another American Express phishing attempt. (As in “just kidding, America?”)  It’s about your account ending in “XXXX!”  “This email is to notify you that you have a new payment pending on your American Express account.”  But it turns out that this is just another malware bear trap lying in wait at the end of the link. Ouch!

Deeeeleeeeete!





 

Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.

