Weekly Alert  |  September 22, 2021

The 2nd Global Online Scam Summit will be November 3rd & 4th!

Please join us for the second edition of the Global Online Scam Summit (GOSS) taking place on 3rd and 4th November 2021. The event, organized in association with APWG and the Global Cyber Alliance, is a platform for sharing knowledge and insights on how to fight online scams and fraud worldwide. Last year more than 425 representatives joined the 1st Global Online Scam Summit virtually. This year we hope to make the event even bigger by expanding to two days and adding more inspirational speakers but also more possibilities to network and share insights one to one.

Do you think you can spot scams with your eagle eyes? Check out this “Spot the Scam” article from Trend Micro posted on ScamAdviser.com!  Good luck!

Nothing’s what it seems – In response to the positive feedback we received last week for explaining why an email from Chase Bank was actually legitimate, we wanted to show readers another legitimate example.  Check out this email from Verizon Wireless reminding the recipient of a scheduled payment.  You can see that it came from the legitimate Verizon domain named VerizonWireless.com. This can be confirmed in a Google search. The email also contained the correct final 4 – 6 digits of BOTH the Verizon account number AND credit card number of the account holder. And, of course, the account holder knew about the bill and payment!

After sharing the recent scam house rental post from Craigslist, we heard from other readers about more scam posts. One reader sent us a link to this house rental in Brainerd, Minnesota. She contacted the “owner” of the property who explained to her on September 15 that his family had recently moved away due to work… “I just got transferred because of our job and have to rent out this property since I will be away for some time.  We both work in an organization at the Christian care health system (christianacare[.]org).” Notice the bogus reference to a Christian organization. This is standard scammer procedure in their effort to gain your trust! They often want you to think they are doing the “Lord’s work.”

The scammer then goes on to explain that the house HAD BEEN FOR SALE. He says, “I initially had it up for sale but had a change of mind in leasing it out ourselves because the agent that was in charge of our rental property was asking too much of an agent fee and also making it difficult for people who cannot afford the rent, stay away from renting my house.” THIS IS A COMPLETE LIE! Check out the screenshot below showing that this property is currently for sale and listed on several Realtor websites. This is a scam “rental” and the scammer will happily tell you he’ll send you the keys if you wire him a deposit! Do you think you can spot fake or suspicious websites offering rental properties? Check out ScamAdviser’s evaluation of bestbnb-rental[.]com!

Speaking of wiring money, we couldn’t help but think of a Saturday Night Live skit, way back in the old days when Chevy Chase and Garrett Morris presented “News for the Hard of Hearing.” Check out this email ALL IN CAPS from Reverend Thomas Dah. Writing in caps is the digital equivalent of shouting! Our scam-buster friend Rob contacted Rev. Dah to ask how he could receive this very low-rate loan.  Take a look below at the remarkable list of personal information Rev. Dah has asked him to provide! Oh, and by the way, there’s an $85 processing fee you’ll need to pay up front!  No thanks. We’ll stick with local banks. (Also notice that Rev. Dah has used 2 different email accounts to communicate with Rob from each email. That’s typical scammer behavior!)

Footnote: One of our newsletter readers reported the following scam to us that targets Facebook users. She said someone receives a message from a Facebook friend asking “have you registered for your grant yet? I saw your name on the list when I collected mine.” If the person replies, the FB friend gives them a link to click and a company purporting to be a Government grant scheme asks him/her to send their name to check if they are still eligible. A few minutes later a new FB message appears telling them they are due to be granted a large sum of money, but need to pay government taxes in advance. To do this, the soon-to-be victim needs to buy Apple iTunes gift vouchers for a certain amount and must send the codes to the person sending the message, who will have a FB account. If the soon-to-be victim contacts their FB friend, the friend will reply “Yes, you buy the gift vouchers, send them the details and then you’ll get the money.” However, if the soon-to-be victim contacts their FB friend via email, text or phone, they’ll learn that the person’s account has been hacked and misused by scammers! Very likely, the real FB friend has been locked out of his/her account while the scammer pretends to be him/her.

Your Apple ID Has Been Locked (Text), Your Amazon Account, Chase Bank, and McAfee Total Protection

One of our readers received this random text from 336-347-4240 saying that her “Apple-ID” has been locked for security reasons. The link pointed to the link-shortening service called Bit.ly. Like all such services, it is designed to take a LONG link and turn it into a short link that is easier to share with others. However, these services are often misused by cybercriminals. (Read our TDS article titled “Shortened URLs: What are they and why should I care?”) We used the service called Urlex.org to expand that link to see where it points. As expected, it points to a phishing scam page set up at the domain called cks-accountt[.]live and NOT apple.com! You can see that the redirected link begins with “appleid.applec[.]om”, but “appleid” and “applec” are only subdomains here. Anyone with a website can create a subdomain saying anything at all. For a link to really go to apple.com, you have to see “apple.com” immediately followed by the first single forward slash!

Deeeeeleeete!

One of our readers sent us this smelly phish disguised as an email from Amazon but instead of amazon.com, this email came from tutureturn3amazon[.]com.  The email contained an attached pdf file containing the actual phishing link. Real and legitimate companies will never do this! Check out a screenshot below of the contents of this pdf file. The pdf contained a link to “verify” and unlock your account but it points to a website called cmail19[.]com.  Again, NOT amazon.com! Fortunately, VirusTotal.com had no problem seeing that this domain was malicious!

It is critically important to identify the domains that emails come from because this is often the first place you can see evidence of fraud in your inbox.  Take this email that says it is from Chase.  But the email address following “Chase” shows that it came from a free email service located in Berlin, Germany called t-online.de.  (“.de” = 2-letter country code for Deutschland = Germany) As if to legitimize this rotten carp, the sender coded the TO address as a real email address for Chase Bank.  Nice trick but that is not where the email came FROM!  (To learn more about identifying the parts of an email address that are important, read our TDS article titled Where its @!)

The email then contains a link that reads www.chase.com but unlike a valid link, mousing over this phishing link shows that it points to a hacked domain called youngnhung[.]com! Want to improve your mouse over skills? Read these TDS articles or watch our video…

https://www.thedailyscam.com/mouse-over-skills/ (video)
https://www.thedailyscam.com/mouse-over-skill/
https://www.thedailyscam.com/mouse-over-skills-on-i-devices/
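
The two checks described above, reading the real domain in front of the first single forward slash and comparing a link's visible text with where it actually points, can be automated. The Python below is an added example, not code from The Daily Scam; the function names are hypothetical, and the `.example` hostnames and the sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Hostname only: what sits between '//' and the first single '/'."""
    if "//" not in url:
        url = "//" + url  # bare 'www.chase.com/x' has no scheme; add the marker
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(url, brand_domain):
    """True only if the host IS brand_domain or ends with '.' + brand_domain."""
    host = host_of(url)
    return host == brand_domain or host.endswith("." + brand_domain)

class LinkAudit(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html, brand_domain):
    """Links whose visible text names the brand but whose href goes elsewhere."""
    audit = LinkAudit()
    audit.feed(html)
    return [(text, host_of(href)) for text, href in audit.links
            if brand_domain in text.lower() and not belongs_to(href, brand_domain)]

# Constructed sample (not taken from the emails described on this page).
SAMPLE_EMAIL = ('<p>Sign in at <a href="http://hacked-site.example/login">'
                'www.chase.com</a> or see <a href="https://www.chase.com/help">'
                'chase.com help</a>.</p>')

if __name__ == "__main__":
    print(belongs_to("https://appleid.apple.com.login-check.example/id", "apple.com"))
    print(mismatched_links(SAMPLE_EMAIL, "chase.com"))
```

The leading dot in the suffix comparison is what keeps a lookalike such as `notapple.com` from passing as `apple.com`.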

And finally, we have yet another bogus email that appears to come from McAfee for your security subscription service, except that it came from a Gmail account called “frederickwhitedjx.” And like all of these manipulative phishing emails, the scammer is hoping beyond hope that you’ll pick up the phone and call him at 844-297-4418.

Southwest Airlines Offer and Bank of America Reward

Sometimes, just sometimes, cybercriminals make such dumb mistakes that we love seeing their scams because it makes us laugh! Such was the case when one of our readers recently sent us this “fifty dollar Southwest Airlines offer!” Look at the spellings for Southwest Airlines! It says EVERYTHING you need to know about the authenticity of this email. Enjoy!

In last week’s Top Story, we informed readers about “Popular Click Tricks.”  37% of the malicious clickbait pouring into one of our honeypot email accounts was disguised as consumer rewards, such as for opinions on bogus surveys.  That percentage ticked up slightly last week to 38% of all malicious clickbait.  Here’s a sleazy doozy with fraud hiding behind multiple layers of deceit!  The email appears to be an offer for Bank of America but look carefully at the FROM address.  This clickbait came from a website in the United Kingdom called lpersky[.]org[.]uk! Also notice the underscore and dash tricks used in the subject line to avoid anti-spam filters.

You won’t remain in the UK for very long though! Immediately, this clickbait will redirect visitors to another website called GSZZT[.]com. ScamAdviser doesn’t think too highly of this 5-letter website! That review had us running to a WHOIS where we learned that the domain gszzt[.]com had only been registered 10 days earlier!

We simply couldn’t resist seeing what kind of bear trap lay in wait at GSZZT[.]com. Like so many other clickbait emails, we found this “short survey about shopping online.” And just like most of these crap surveys, a timer started ticking down from 8 minutes to complete the survey. The web page even provided lame terms and conditions in pale yellow, like a real marketing company might do! But don’t believe this malarkey! VirusTotal.com confirmed for us that GSZZT[.]com is a phishing site gathering your personal information for nefarious purposes! Grab the handrail and STEP AWAY…

Click Tricks, Misdirection, and Ad Traps – This week’s story began after a reader contacted us about an experience he had while using Google to search for information about a senior living center for his mother. Sounds like a pretty straightforward thing to search for, right? Wrong. His experience sent him down a long winding road wondering about the information he was promised, and all the while, earning money for someone in Vietnam!

Sadly, the Internet has become so terribly littered with click tricks, misdirection and ad traps that it makes us wonder if it is possible to tell what is truly legitimate or worthwhile anymore.  Not all of this tomfoolery is malicious or fraudulent. It’s just meant to trick you to turn your attention in someone else’s direction so they can earn a buck by hurling lots of ads in your face.  Web page ads are called “impressions” and website owners are generally paid, on average, $3 – $10 per thousand impressions, according to insights and research published by TopDraw.com (updated March, 2021).  Additionally, when visitors actually click on an ad, it may earn the web host a few pennies to a few dollars per click.  TopDraw’s research shows, for example, that YouTube is paid an average of 10 cents for every advertisement viewed before or within a video.  One thousand views can earn $100. That’s one of the reasons why “influencers” can earn a significant income through their YouTube posts! According to several sources (including BusinessInsider.com and SmallBizTrends.com)  one million views can mean $2000 to $40,000 of income for the person posting the YT video! (The article on SmallBizTrends is another example of over-saturation of Ads on a web page.  We stopped counting at 15 Ads as we scrolled through to read that article!)

However, we believe there is a BIG difference between the few discrete ads we show on our websites or in our newsletters to help defray the cost of bringing free and important content to our readers VERSUS what happened to a son looking for elderly housing for his mother!  Amongst the top links returned by Google, the man saw one that seemed to include some straightforward information just under the link and so he clicked it.  Here is a partial, and slightly condensed screenshot of what he got…

The web page seemed to scroll on forever and had more than a dozen ads, including the two photos of beautiful women at the very top of the page. These top ads informed the man that sexy or lonely women were looking for men in his town who were “mature” or older than 35.  As he described this to us, this “creeped him out.” How did they know where he lived and that he was over 35 or of a “mature” age? Most disappointingly, he told us that the webpage simply contained links that were found elsewhere in his Google search anyway!  The whole purpose of the linked information he found from the original Google search was to send him to an endless webpage that scrolls forever through ad impressions!  

When we visited the webpage the man had cited for us, we couldn’t help but notice a lot of text written in another language. This turned out to be Vietnamese.  We’ve translated a few of these text ad traps we found on his web page that were written in Vietnamese (See the screenshot below of content that appeared further down this endless web page.)  The man had unknowingly clicked on a website named Angkoo[.]com.  A WHOIS lookup for this domain tells us that it was registered in Vietnam in 2019 and it is being hosted on a server in Ho Chi Minh City.

Why would a website, registered and hosted in Vietnam, with a lot of text in Vietnamese, have a web page named for, and provide links about a rehabilitation center that serves residents of Massachusetts, USA? The answer is simple. This web page is nothing more than misdirection and an ad trap designed to earn money for the creator. Period. Sadly, we find these click tricks in Google search results with increasing frequency.  We urge readers to look carefully at the domain names found in the gray links just above the large blue font of Google’s search returns. You’ll notice that the first 2 or 3 may also be preceded by the black bold letters “Ad.”  These links are advertisements that may be of value but they paid Google to appear at the top of your returns and may not be the most valuable links relative to your search.  For example, see the screenshot below for a search for “senior long term care.”  Caveat emptor!

Ducky Luck 500% Casino Match and 150 Free Spins! – Ducky Luck may indeed be a real online casino based in Antigua and Barbuda, but that doesn’t mean this email came from them! This clickbait came from a very malicious domain that we wrote about back in May, 2021, called Marvilons[.]com. (In our May newsletter, we showed readers that Marvilons[.]com was used to support malicious clickbait disguised as an email about ABC’s Shark Tank.) Just like the Apple phishing text above, the links in this email point to the link-shortening service at Bit.ly. And when we used Urlex.org to unshorten that link, we also discovered that visitors will be thrown into a malware trap lying in wait at xrketo[.]com. This is the same trap we exposed in our May newsletter, in the “Your Money” column! It shouldn’t surprise any of our longtime readers that this domain was registered in Iceland using Namecheap. Don’t believe this crap! It is malicious, through and through! The only “FREE Spins” you’ll get will be your head spinning from the damage caused by malware sinking its teeth into your life as cybercriminals make money by sucking the blood out of you.

Hey Old Friend – One of our readers sent us (via email) a copy of a text she received from a random number. It begins with a familiar phrase often used to manipulate victims… “hey old friend how are you?” Of course, it includes a link that points to malware!

Deeeeeleeeeeete!

Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.