Weekly Alert  |  April 26, 2023

Check Out Our Ten Recommendations — Last week we officially announced the launch of the Ten Recommendations to Turn the Tide on Scams. The launch included a panel discussion with the European Commission and other stakeholders, and it went very well. Our goal is to make the Internet safer for everyone, both people and companies. As we’ve stated, online scams have become a global epidemic! Did you know that consumers worldwide lost an estimated $55 BILLION to online fraud? 41% of all crimes reported in the UK, for example, are related to online fraud! Please visit our webpage on this effort to turn the tide on scams and look at our ten recommendations.

You can also share/like/retweet some of our social media messages to help us promote this effort:
https://twitter.com/scamadviser/status/1648961831980142593
https://www.linkedin.com/feed/update/urn:li:activity:7054728329140064256/
https://twitter.com/ScamAlliance/status/1648975097968091136
https://www.linkedin.com/posts/global-anti-scam-alliance_globalantiscamalliance-gasa-policy-activity-7054741504732381184-SWtd

We look forward to sharing more information and inviting your participation in this effort in the weeks ahead! This includes our invitation for you to join us at the Global Anti Scam Summit in Lisbon on October 18 – 19.

Would You Trust This Norton Agent? — Just a couple of weeks ago, a gentleman reached out to Doug at TDS to ask for his help and advice to respond to a serious mistake he had made. He only realized his error a few hours after the fact as he reflected on what had happened. To protect his identity, we’ll call him Chris. Chris had purchased a brand new Dell desktop about a month earlier and transferred all his old computer files over to it, including a Word file containing a full list of his personal accounts and passwords. His new laptop came loaded with Norton Antivirus software too, though he didn’t recall if it was a temporary license or a full year license. At about 4:30 in the afternoon, he opened Microsoft Edge and searched for Norton login to check on the licensing. After logging in, he completed what he believed to be the Norton registration process and provided his personal information, including a phone number. Within five minutes of submitting his information he received a phone call from Norton Tech Support. What follows is Chris’ story, including several mistakes that could have had serious consequences for him and his family. But luck, “2FA” (2-factor authentication) and Doug’s help enabled him to dodge a barrage of bullets.

On April 11, Chris’ wife reached out to Doug. She said that Chris “may have fallen for some sort of Yosoft scam and potentially let a scammer onto his computer.” When Doug spoke with Chris, Chris said that the Norton caller informed him that there was a threat found on his computer, and possibly affecting his home network as well. Chris asked him to confirm that he worked for Norton Software and the man, who spoke with an Indian accent, said yes, he did. He also told Chris there would be a charge of $130 for this service call to review Chris’ computer and remove the threats found. Chris gave him full remote access and privileges on his computer. Chris was also extremely busy and distracted with other things. He left the Norton fellow alone with his computer for about 45 minutes. After that time, Chris returned and spoke to him again. But the man misspoke as he tried to use the word “surgical” during his description of what he was able to accomplish. He told Chris that he wouldn’t be billed the $130 for 7 days, in case anything else happened on his computer and a follow-up call was needed. But the English error with the word “surgical,” the man’s accent and other things the man was saying started to make Chris nervous. He began to feel that this didn’t seem like a legitimate service. Again, Chris asked the man “how do I know you are connected to Norton software?” The man’s response made Chris feel even more uncomfortable. In an annoying tone, the man insisted he worked for Norton AND told Chris that he would now be billed after 3 days, not seven as first stated. What service arbitrarily does that? thought Chris. Chris was now convinced he had made a grave mistake. He ended the call quickly and immediately shut down his personal laptop. (Shutting down the computer was the correct thing to do at that point!)

Assuming for a moment that Chris had actually given full computer access to a cybercriminal gang, Chris needed to act immediately to minimize any possible harm that might follow. This was exacerbated by the fact that Chris told us he had kept a Word document on his laptop that contained all of his account information and passwords! We urged Chris to immediately visit all of those accounts, starting with the most important financial accounts, and change his passwords. He should then move on to his credit card and social media accounts. (Cybercriminals often find ways to monetize people’s social media accounts, most often by targeting the friends and family of the victim with various scams and malware tricks while pretending to be the account owner.) There was still a lot more for Chris to do to mitigate his risks and any possible damage. However, while Chris worked on this, we kept thinking about what his wife had said… “Chris may have fallen for some sort of Yosoft scam and potentially let a scammer onto his computer.”

Chris’ problem began when he searched for a login to his Norton account. His wife thought that he had actually clicked on a link that pointed to a service called YosoftInfo. A quick Google search for “yosoftinfo norton scam” opened a world of confusion and accusations about whether or not this service was a threat. We stepped into this sea of confusion and discovered a possible malicious mimic that was first reported in the Norton online community back in July, 2022.

Yosoftinfo[.]online is a questionable service and there is lots of debate online about its legitimacy! For example…

We later learned that Chris thought he might have visited a website called yosoft[.]company[.]site. However, this website has practically NO information on it, and no phone number, though it does have a link pointing to yosoftinfo[.]online. (Scamadviser.com shows a VERY low trust rating for this website.) We visited the Yosoftinfo[.]online website (after our analysis showed no malware threats present) and saw that this service claims to be a Microsoft licensed partner. Microsoft provides a tool for the public to look up licensed partners at https://partner.microsoft.com/en-us/partnership/find-a-partner. We decided to investigate the website’s claim to check on the credibility of Yosoftinfo[.]online, and what we found was very suspicious.

It turns out that Microsoft does have a licensed partner at the website YosoftinfoSOL.online BUT NOT Yosoftinfo[.]online. Could this latter website be a malicious mimic? A visit to both websites shows them to be nearly 100% identical! The website Yosoftinfosol.online, which Microsoft shows as a licensed partner, also shows the same address on its website that Microsoft lists for it. HOWEVER, the questionable website, yosoftinfo[.]online, has a different address and phone number that is not found on the Microsoft partner page. The questionable address shown is 13078 60 Ave, Surrey, BC V3X 2L7, Canada. A Google search for this address shows residential housing, which we feel is very suspicious to be listed as a business address for this company. Google shows us that this same residential address is also listed as the address for two other businesses.

We should note that the licensed service at YosoftinfoSOL.online also lists a business address in Canada but this Canadian address is different than the address shown on the suspicious site Yosoftinfo[.]online.

SUSPICIOUS SITE: Yosoftinfo[.]online was registered on March 8, 2022 in India through the Registrar called Hostinger.

LICENSED PARTNER: Yosoftinfosol.online was registered on June 7, 2021 in India, also through the Registrar named Hostinger. The two websites appear to be almost identical! On April 15, we used the contact form at yosoftinfosol.online to ask them “is the domain called yosoftinfo.online (without the ‘sol’) also part of your company?” As of this publication date, we have not had a reply to our question.

It’s also important to note that Yosoftinfosol.online, the REAL licensed partner with Microsoft, shows their Customer Service contact information as yosoftinfosol8@gmail.com and phone 1825-525-0320. However, the suspicious website Yosoftinfo[.]online shows their Customer Service contact information as yosoftinfosol777 [@] gmail.com but the same phone number: 1825-525-0320. This suspicious website also lists 3 email addresses that differ from those found on the licensed/legitimate website for things such as “Work with Us,” “Technical Support” and “Billing Support.”

Our investigation raised too many suspicious flags about YosoftInfo[.]online to trust this website. We feel that Chris did the right thing to change all of his passwords! Later he told us that nearly all of the accounts saved on his Word document had 2-factor authentication turned on, as an additional form of protection! Thank goodness! For his next round of protective measures, we advised Chris to lock down his credit reports to protect against identity theft and to bring his computer to a service that would zero the hard drive and rebuild his operating system from scratch. The risk that the “Norton agent” might have installed malware during his 45 minutes connected to Chris’ computer was significant! In the end, Chris didn’t lose any money, or find any evidence to suggest that any of his accounts had been breached. One of Chris’ mistakes had been to create an unprotected file of all of his accounts and passwords on his computer. It should have been password-protected. We strongly advise against creating an open file like this! If you choose to create/keep such a file on your computer, please do the following….

  • Password protect this critically important file!
  • Use a trick to disguise ALL of your passwords in this file such as adding 2 random numbers/letters at the beginning and end of EACH password! You’ll KNOW to ignore them but any hacker will think they are part of your passwords!

In hindsight, Chris got off easily from a mistake that could have proven much more serious and costly!

Love Still Bites, Are You Free, and Surprising Sound Files — Last week we wrote about the many lovely ladies from Kazakhstan, Eastern Europe and Russia that were writing our friend Rob, and turning these exchanges into romantic relationships. They only needed money from Rob to pay for a visa, or a flight, etc. to come to the USA. Rob finally broke the truth to the nice 9 women who had contacted him. Some weren’t happy to hear it! But that didn’t stop another 3 from reaching out to Rob! Check out this wonderful first email from Altynai (Altynai.rubyflower@outlook.com), telling Rob “I am a solitary lady from Ukraine.”

For years, we’ve published many spear-phishing attempts from scammers targeting school employees, which we’ve sometimes traced back to scammers in Nigeria. This time we heard from an officer at a small town Rotary Club made up of local businesses. The Rotary Club officer, named David, received some emails from another member by the name of Blair. But David immediately noticed that Blair’s email was not the usual email address she normally used! The scammer, disguised as Blair, thought he was being clever by creating an email address that used the name “CommitteeBoard” in it! Of course, David didn’t believe this and contacted the real Blair through her usual email. In these types of spear-phishing tricks, we always see the same two things from scammers…

  1. They start with a phrase like “sorry to bother you” or “are you free at the moment”

  2. They ask you to buy gift cards for them at that moment. Of course, they want you to scratch off and read them the gift card numbers!

Another type of scam constantly targets people who post items for sale on Facebook Marketplace. Check out a recent example below. It was recently posted by a Reddit user named speccyfck. Look at the insane reply the seller got on Facebook Marketplace for an item she posted for sale. (By the way, Postnord is a postal service operating in Scandinavia.) Most respondents on Reddit explained that a “Postnord” representative would likely follow up by contacting the seller and claim to need her to purchase insurance in advance for the Postnord carrier to bring cash to her.

We’ve heard LOTS of recordings from scammers over the last decade but we’ve never quite heard one like this one below from “Fedex Parcel Dispatch Officer, Michelle Stones.” We think this is a hysterical recording created with the help of an AI tool. We especially loved how Michelle Stones begins by saying she’s a “US Citizen” and talks about “approval from White House” (she must mean any white house, as opposed to a brown house). Enjoy!

On a more serious note, there have been several articles in the news in the last few weeks about AI being used by scammers in increasingly sophisticated ways. Some of the victims have been terrified by the use of this AI. Apparently, some scammers have been collecting videos, e.g. TikTok videos, posted by teens and using the teens’ voices to train an AI tool to sound like the teen. Then the AI tool is used to convince the parent that a scammer has kidnapped their child, whom they clearly hear over the phone. Read more about this frightening scam on:

https://www.consumeraffairs.com/news/ai-used-in-terrifying-fake-kidnapping-scam-041423.html

Should you or another family member ever receive such a frightening call, experts advise you not to panic, nor assume that it is true! Demand to speak to your child and ask him/her questions that only he/she should be able to answer! (e.g. What did you have for dinner last night, who is your best friend’s brother, etc…) If this call is a scam, the “kidnapper” is going to push back and deny you this opportunity. He’s going to try to scare you into paying him money. HANG UP and call your child! And don’t panic if he/she doesn’t immediately pick up either. We’ve heard of this type of scam also involving another scammer who tries to engage a teen on the phone for a while so that he/she won’t answer another incoming call (from you!) at that moment! Text your teen multiple times to get through!

Here is a very different type of scam that was left as a voice recording on April 17 to one of our readers. It appears to be from a real young man named “Mark,” calling on behalf of some attorneys. But it’s good news about your current debt situation! You are asked to call back to 501-401-3259. However, the woman who received this call tells us she has NO DEBT, and her name was never used by the caller. Mark called from 877-200-8052. This number had been reported many times to Robokiller. The number she was asked to call has also had at least a half-dozen complaints filed against it, according to CallerCenter.com.

LinkedIn and Xfinity Accounts — Check out this email that was sent from a server in South Korea and claims to be from LinkedIn! Not only does someone want to join your LinkedIn network, but they also want to “make an urgent order.” That’s motivating, isn’t it!? Except that the links in this clickbait don’t point to LinkedIn. Fortunately, Virustotal informs us that the link is clearly malicious and shouldn’t be clicked! However, we’re concerned that some folks getting this email will focus on the message in the blue italicized font from “Vicki Pizzullo” and think this is OK to click. ALWAYS mouse-over links to see where they point to BEFORE you click them!

Xfinity is a service offered by the company called Comcast. Cybercriminals have been heavily targeting them with phishing emails for several months now. Here’s another variation they sent last week asking recipients to “please update their payment immediately.” You can easily notice that this email didn’t come from xfinity.com or comcast.com (or comcast.net). The link to “update now” points to a website that was registered just four days earlier and is sitting on a server on the Indonesian Island called Jawa. Sounds a lot like Comcast of New England, USA, right? The subject line in this phishing email is actually funny because it tells you that your service has stopped! Of course, that’s pretty easy to verify, isn’t it?

Here’s another rotten phish pretending to be about your Xfinity account. But this email came from a server in Japan and contains a pdf file with a link in it.  The sender claims that your “Terms of Service” have changed and that you have to click and accept the NEW terms in order to continue using your Xfinity service.  Nasty phishing clickbait! Don’t fall for this junk!  Also, notice that the link in the pdf file points to the domain godaddysites[.]com.  These scammers have simply created a page on the GoDaddy site that uses a subdomain called “XfinityNewTerms5.” Like we say over and over, ANYONE can create a subdomain that says anything they want! Subdomains are never reliable ways to determine the credibility of a link or website!

Home Warranty Has Expired, Kickstarter, Answer and Win — Now for something completely different! One of our United States readers sent us a digital copy of a letter he received in his mailbox. It claims to be a “FINAL NOTICE” about his home warranty. The bottom of it LOOKS EXACTLY like a check for $199.00, but at the very end we see the text “THIS IS NOT A CHECK.” What company sent this sleazy letter? It included the homeowner’s name and address on it. Obviously, it is an advertisement but the reader who shared it with us thought that this letter crossed the line of manipulation and trickery in the way it was designed, making it feel like a scam! We agree with him!

Now, notice that in the upper left corner are the words “Secure Home Center.” But no address is provided. Is this the name of the business responsible for this trickery? Or is this simply the name of this letter?  We actually think that “Secure Home Center” could be the name of the business behind this sleazy manipulation and here’s why… The Better Business Bureau lists a business called Secure Home Center and gives it an F RATING! There are multiple complaints against this company and someone has given it a 1 out of 5 star rating on the BBB website and their description seems to match the nonsense in this letter.

CAVEAT EMPTOR!

Another reader sent us this interesting email that appears to be a kickstarter campaign for a new game. The email actually came from a known kickstarter website called Kickstargogo[.]com but the links DO NOT point back to this website and that’s important to notice! For example, when we copied and pasted that link into VirusTotal.com, it informed us that 4 different security services evaluated that link as phishing/malicious. On a related note, we looked up reviews for Kickstargogo[.]com and they weren’t very good. Sitejabber has over 180 reviews on them and the average star review for this company is less than 2 out of 5 stars!

Do you like to travel?  Please don’t do it through email like this next one!  It was sent from a server at a University in Ecuador and claims to reward you with a Keurig Coffee Maker if you take a short survey. But instead of the links pointing to a named website, the links point to an IP Address (A set of numbers that indicate a location on the Internet.)  We used IPLocation.net to tell us where this IP address is located. Guess what? You’re about to take a trip to Sydney, Australia!  Anytime you see an IP address, instead of a website name, DO NOT CLICK! 99% of these are malicious clickbait. (Perhaps 100%?!)
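The link checks this newsletter keeps repeating (a link that points to a raw IP address, a brand name that appears only in a subdomain of a shared hosting site, and a near-copy of a legitimate domain such as yosoftinfo[.]online versus yosoftinfosol.online) can be automated. The Python code below is an added example, not a tool used by The Daily Scam; the function names, the similarity threshold, the sample URLs and the two-label domain shortcut are assumptions.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Hosting platforms named in this newsletter: anyone can create a subdomain on them.
SHARED_HOSTING = ("godaddysites.com", "ondigitalocean.app")
LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off for "nearly the same name"


def registrable_domain(host):
    """Last two labels of the host (assumption: a real tool would use the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def triage_link(url, brand, official_domains):
    """Return warning flags for a link that claims to belong to `brand`."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no_host"]
    try:
        ipaddress.ip_address(host)
        return ["ip_literal_host"]  # numbers instead of a site name
    except ValueError:
        pass  # not an IP address, keep checking the name

    base = registrable_domain(host)
    if base in official_domains:
        return []
    flags = ["not_official_domain"]
    # A domain that is almost, but not exactly, the official one is a possible mimic.
    if any(SequenceMatcher(None, base, good).ratio() >= LOOKALIKE_THRESHOLD
           for good in official_domains):
        flags.append("lookalike_of_official_domain")
    # The part left of a shared hosting suffix is chosen freely by whoever made the page.
    if any(host.endswith("." + suffix) for suffix in SHARED_HOSTING):
        flags.append("shared_hosting_subdomain")
    if brand.lower() in host:
        flags.append("brand_name_outside_official_domain")
    return flags


if __name__ == "__main__":
    xfinity = {"xfinity.com", "comcast.com", "comcast.net"}
    samples = [  # constructed URLs modelled on the cases described above
        ("https://www.xfinity.com/billing", "xfinity", xfinity),
        ("https://xfinitynewterms5.godaddysites.com/", "xfinity", xfinity),
        ("http://203.0.113.7/survey", "keurig", {"keurig.com"}),
        ("https://yosoftinfo.online/", "yosoftinfosol", {"yosoftinfosol.online"}),
    ]
    for url, brand, official in samples:
        print(url, "->", triage_link(url, brand, official) or "no flags")
```

A flag is a reason to stop and verify through a channel you already trust, not proof of fraud; an empty list only means none of these particular checks fired.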

Malware Detected, Follow the Shipment Tracking — Doug from TDS was doing some research on a fake online bank called Dooci Bank (doo-ci[.]com) when suddenly his web browser was forwarded to this malicious page. This page was meant to appear as if it were from Apple.com. But if you look in the link at the top of the browser, you’ll see his browser was forwarded to this page at ondigitalocean[.]app. DON’T BELIEVE THESE POPUPS! NEVER CALL PHONE NUMBERS that pop up in your browser, telling you that you have security warnings, etc. Instead, IMMEDIATELY quit your browser and run your own antivirus protection software to see if anything malicious was installed on your computer. When you relaunch your web browser, clear the browser cache and check to make sure there were no malicious extensions installed too. (By the way, a search for the phone number listed in this scam turns up at least 2 bogus websites claiming that this is a Windows support help number. Don’t believe everything you read online!)

Check out this very weird email that was sent to one of our readers as an “invoice.” He was told that he can follow the shipment tracking of 6 envelopes being sent to him by clicking the link provided. Talk about manipulative clickbait! TEN security services identified that link as malicious!

Deeeeleeeete!

Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved.