THE DAILY SCAM NEWSLETTER — MARCH 10, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 342


THE WEEK IN REVIEW

We’ve recently had some nice feedback from readers. It confirms all the reasons why we do this work! The feedback is much appreciated and it makes us feel good! It also reminds us that the core of our mission is to educate our readers so that they can recognize and avoid the threats that target them online and through their smartphones. In this spirit, we present a simple email sent to us through our website’s contact form. (We get junk like this every week.) Can you spot two simple facts about this email that identify it as likely to be a fraud? (Answers appear a little below.)



Once again, a young man sent us this email because he knew it was clickbait. However, when we explored it, we were surprised to find a hidden “treasure.” “Ashley Brown” (or is it “Jessica Miller”? Look carefully at the FROM address) sent an email to 4 addresses with a simple message: “Just Say Hello to me! I will give my pic and phone number…” However, we noticed a bunch of empty space BELOW the “Sent from my T-Mobile” text. When we dragged our mouse through this space we discovered white text against that white background. Though we can’t be certain, we think that this random text may represent some type of tracker code. One thing is very certain… that text was placed there on purpose and was made white to hide it from your view! This suggests that this fraudulent email was unlikely to have been sent by a lonely woman looking for some fun or to make a buck the old-fashioned way. It suggests organized crime trying to keep track of who replies to them.



 

Has anyone else noticed a significant uptick in the number of scam calls or robocalls in general? We certainly have, and so has CNN! Our long-time readers will recall that back in early 2020 we congratulated the US Congress for passing the “TRACED Act” a month earlier. It required cell phone companies to implement new measures to cut down on the number of robocalls and scam calls. Along with the pandemic surge in the Spring of 2020, consumers’ cell phones were nearly void of these annoying and dangerous calls! Not anymore! Read “Yes, you are getting lots of robocalls again” by Samantha Murphy Kelly, CNN Business (Updated Fri March 5, 2021).
 

TWO CRITICALLY IMPORTANT FACTS THAT SUGGEST MALICIOUS INTENT:

The first email above came to TDS via our contact form.  In it, Kelle Steinberger asked us if we wanted to promote our business and she offered a link to her service. However, we didn’t believe her…

  1. Kelle is representing a business offering us a service. Why then does Kelle contact us through a generic Gmail address INSTEAD of an email address associated with a business domain?
  2. Kelle provided a link to check out her offer. But the link doesn’t point to any known business. The link is to a link-shortening service at Bit.ly. We’ve seen cybercriminals misuse link-shortening services thousands of times! We used Unshorten.it to show us where it will send us, and it redirects to a link that is shorter than the link offered through Bit.ly!




Kelle’s link will redirect us to an IP Address for an Amazon server in Columbus, Ohio.  Does this sound like a legitimate business to you?  When we used our tools to view this server address, we discovered that a visitor will again be redirected to yet another website called classifiedsubmissions[.]club.  This clubby crap domain was registered anonymously in Canada in late 2019. CAVEAT EMPTOR!


 

PHISH NETS
Many Amazon Phish, and AOL

Many thanks go out to our readers who sent us all the phish in this week’s sea of stink. For example, there were many phish swimming in the Amazon pool last week! NONE OF THEM were sent from the domain amazon.com! Let’s start with this one, which has been used at least a half-dozen times recently. Cybercriminals just change the FROM address, the phone number and the date, and send it again! It claims you’ve purchased an Apple Mac Pro for more than $2000 and your item has been “dispatched.” (The use of the word “dispatched” suggests that these are not American scammers.) But wait, if you want to cancel the order, you can contact their fake customer service number at 833-264-0144. This phone number was recently reported twice as a scam on ReportScam.com.
 

 

This next email came from a generic Gmail account listed as “Jack Spencer from billing” and is about your “account security status.”  You are asked to call a scammer’s phone number disguised as the Amazon fraud department.  The number, 844-215-5076, has absolutely NO CONNECTION to Amazon at all!

Deeeeleeeete!





This next Amazon phish is interesting because it actually uses a free web service at Google to post a phishing page. Again, the email did not come from amazon.com. The misspelled domain name in the FROM address has never been registered. The Amazon link in the email is grainy because it is actually a poor graphic of a link. Mousing over the link associated with this graphic showed us that it redirected to a web page at Google Sites, a free web service. Look at the screenshot below and you’ll see the criminals posted another button to click where you can log in and hand them the login credentials to your Amazon account. Fortunately, VirusTotal.com recognized the threat and it was taken down from Google Sites pretty quickly.











Google was misused again in this email pretending to come from AOL.com. It actually came from a free email service called telus.net. The link you are sent may LOOK like it leads to AOL, but a mouse-over reveals that it points to a web server on Google APIs, using a directory named “aolonline.”

Deeeeleeeete!





 

YOUR MONEY
Paypal and Chase Bank Phish

We had sooooo many phish reported to us last week that we’re going to continue our phishing expedition in today’s Your Money column.  Now it is Paypal’s turn.

It’s important to be able to tell legitimate domain names from fraudulent ones. A domain name ALWAYS follows the “@” symbol in a FROM email address. Paypal’s legitimate domain is simply “paypal.com.” If there are one or more subdomains, they appear in front of paypal.com, separated by a period. For example, “login” is a subdomain in account@login.paypal.com. (If we are referring to a legitimate link rather than a FROM address, there will always be a forward slash / following the DOT-com, for example https://www.paypal.com/us/signin.) Now look at the domain used in the FROM address of the first email below: paypal-0nline3-e1.co.us. The fully qualified domain here is NOT paypal.com; it is “co.us.” The junk in front, paypal-0nline3-e1, is a subdomain. (Notice the period that separates it from “co.us.”) In fact, just looking at the domain that follows the “@” symbol in each of the next 3 emails makes it easy to spot that they are fraudulent!
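The domain-reading rule above, worked as a small Python check (an added example, not the newsletter’s own tooling): it pulls the host out of a FROM address or a link, keeps the last two labels as the newsletter does, and also flags the lookalike-subdomain pattern and the DOT-xyz style suffixes called out in the Top Story below. The email local parts and the watch list of suffixes are constructed for the example.

```python
from urllib.parse import urlparse

# Suffixes the Top Story says it sees abused (.xyz, .top) plus .club from the
# contact-form story above; a constructed watch list, not an authoritative one.
SUSPECT_TLDS = {"xyz", "top", "club"}


def host_from(address_or_url: str) -> str:
    """Return the host of a FROM address or a link, lower-cased.

    FROM address: the text after the last '@' (angle brackets dropped).
    Link: the network location between '://' and the first '/'.
    """
    s = address_or_url.strip().lower()
    if "://" in s:
        return urlparse(s).hostname or ""
    if "@" in s:
        return s.rsplit("@", 1)[1].strip("<> ")
    return s


def registrable_domain(host: str) -> str:
    """Apply the newsletter's rule: the domain is the last two labels.

    'login.paypal.com' -> 'paypal.com'; 'paypal-0nline3-e1.co.us' -> 'co.us'.
    (Assumption: registries such as co.uk or com.br are not modelled here.)
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def assess(address_or_url: str, brand: str, brand_domain: str) -> dict:
    """Compare the sender/link domain with the brand's real domain."""
    host = host_from(address_or_url)
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    legit = domain == brand_domain
    # Undo the digit-for-letter swaps seen in 'paypal-0nline3-e1' before looking
    # for the brand name anywhere in the host (subdomain junk included).
    unmasked = host.translate(str.maketrans("01", "ol"))
    return {
        "host": host,
        "domain": domain,
        "legit": legit,
        "lookalike": (not legit) and brand in unmasked,
        "suspect_tld": tld in SUSPECT_TLDS,
    }


if __name__ == "__main__":
    # Constructed local part; the domain is the one quoted in this column.
    print(assess("service@paypal-0nline3-e1.co.us", "paypal", "paypal.com"))
```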

Once again, the recipients of the next two emails are informed of a large purchase they never made. They are invited to call a scammer’s phone number to cancel their order. This time the phone numbers are 844-683-3119 and 888-521-8172, neither of which is a legitimate Paypal number!






This last Paypal phish was sooooo poorly constructed that we find it laughable!  And yes, it didn’t come from paypal.com and the link doesn’t point to paypal.com!


 

Check out the domain name that appears in this phish pretending to be from Chase Bank!  “I am indecisive?”  We are 100% certain that this phish was created and sent by African scammers because the email uses a “poker tell” that African scammers, especially from Nigeria, are known for.  The email begins with “Beloved User.”

The link connected to the Yes/No buttons is for a shortening service.  When we unshortened it, we found that you’ll be redirected to a hacked website in Brazil.  (“.br” = 2-letter country code for Brazil)

 Happy travels!





 

 
 

TOP STORY
XYZ? Let it Be!

Many of our readers have heard us lambast ICANN, the “International Consortium of Names and Numbers.”  They are the only governing body in charge of the Internet names and the Registrars who are allowed to rent those names to people around the world. It has been our opinion for years that ICANN is self-serving to boost their own revenue and almost completely ignores any common sense rules and requirements that will better protect many millions of netizens around the globe!  Cybercriminals benefit from their lack of oversight.

When the Internet was just a baby in the late 80s, there were only 7 “Global Top Level Domains” (gTLDs). They were: Com, Org, Edu, Mil, Gov, Int, and Net. Every website ended with one of these gTLDs. As the Internet exploded in popularity, it literally began to run out of names! gTLDs began to expand significantly between 2013 and 2017, when ICANN added the possible use of thousands more gTLDs. The problem, however, is that the great majority of these are being used only (or mostly) by cybercriminal gangs who purchase domain names in bulk. They use these obscure gTLDs because they are cheaper to purchase AND because, for example, legitimate business names can be purchased by anyone (including criminals) along with an obscure gTLD. For example, americanexpress.com and chase.com have both been taken by the legitimate businesses they represent. But anyone can register chase-bank-login.top or amricanexprss.creditcard because ICANN doesn’t require Registrars to be vigilant about criminal misuse of domain names. The rules protecting us all are MINIMAL and, from our perspective, ICANN doesn’t prioritize that Registrars do a better job to protect against fraud. ICANN simply doesn’t care because they make a profit from the sale of every domain.

[According to a research article published by Enrique Orduña-Malea and Isidro F. Aguillo called "Brief history of top-level domains and challenges for information professionals," ICANN released 73 new gTLDs for use in 2013, 406 in 2014, 390 in 2015 and 340 in 2016. Only 19 more gTLDs were released in the three years that followed. To see a list of the gTLDs released between October 2013 and September 2019, visit this article on ICANN.org.]

We’ve observed thousands of fraudulent global top level domains using DOT-xyz in the last few years but have NEVER seen a legitimate business use this gTLD. (It doesn’t mean legitimate use of DOT-xyz doesn’t exist, only that criminals overwhelmingly use DOT-xyz domains!) It’s so bad that we have no problem saying that if you see an XYZ, let it be! Take these two recent examples. The first is a smelly phish pretending to be from Netflix.com. The email was actually sent from the domain banjar[.]xyz. This domain was registered just 4 days earlier in Malaysia (“.my” = 2-letter country code for Malaysia). The link in this stinky phish was a shortened Twitter link. When we unshortened it, we learned that you’ll be forwarded to the phishing site on a website called servebbs[.]com. Notice below that the cybercriminals have created a subdomain that is meant to appear legitimate. It is named “rcvry-ntfl1x-8928” in front of that servebbs[.]com… as in “recovery netflix.”






Like all website owners with contact forms, we get LOTS of fraudulent and bogus solicitations.  Take this email from Robert Garcia, asking us if we’re interested in borrowing money to help our business grow. (We’re not.) We immediately noticed that his business domain is directbizfunding[.]xyz.  It took us seconds to discover that there is a business using the domain directbizfunding[.]com registered in September, 2019.  However, directbizfunding[.]xyz was registered about 2 weeks before we received Robert’s email.



 

This newly registered domain is a sure sign of fraud from our perspective. This idea is supported by the Zulu URL Risk Analyzer, which showed us that anyone clicking that “xyz” link lands on their new website and is then forwarded to another business called Express Capital Corp. This bait-and-switch behavior is common for cybercriminals who post malware on their websites to infect your computers AND then redirect you to a related site so you don’t think anything dangerous happened.




 

There are two lessons here, to be clear…

  1. ICANN still does a horrible job of holding Registrars accountable for making it so easy for fraudsters to register malicious domains!  They should be ashamed of themselves because, more than anyone else on this planet, ICANN has the greatest responsibility and ability to implement and demand safer practices across the world!

  2. If you see DOT-xyz, let it be!



 

FOR YOUR SAFETY
Attached is Our Settlement Statemen

It is common practice for criminals to use different names that don’t add up in the malicious emails they send. Take this email sent to a Real Estate agent who forwarded it to us. The email says it came from “Adam Caballo” via Yahoo email (which is funny because caballo in Spanish means “horse”). However, the email is signed by a “Fidelity Escrow Officer” named Michelle Patton.

Our super-sleuth Real Estate agent smelled fraud and would not download the attached pdf file.  Did you know that pdf files can contain malicious code and phishing links?  This pdf file was indeed malicious, according to VirusTotal.com!







Textplosion: New iPhone 12 and Someone Added on Your Account

Congratulate Doug at TDS for winning another iPhone 12, on February 28!  Actually, according to texts he has received, he’s won about six of them.  This one has a link to find out more at gcdu5[.]com.  Yes, that domain was registered just hours before the text was sent.  A BIG FAT DELETE!





To add insult to injury came this text from 475-688-5745, saying “Someone just might have added $750 on your account” along with a link to another recently registered malicious website.

Deeeleeeete!




Until next week, surf safely!



Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

