One Woman’s Creepy Email — One of our readers from Canada told us last week that she had taken a flight on the Canadian airline WestJet on December 7. The next day, however, she noticed an extra charge from WestJet on her credit card. She said, “Last night I complained to my credit card company about WestJet billing me twice for an inflight purchase. They said they would launch a dispute.”

On December 9, this woman received the craziest email she’s ever received. The subject line was “ExpiringSoon : Your WestJet SurveyOfferRewardWorth UpTo$90 “QFRS.” The email came from “FreshCustomerSurvey” through the domain uncanonization[.]com. We know canonization as the official declaration of sainthood for a deceased person of the Christian faith, such as Mother Teresa, so we have to assume that “uncanonization” means to remove that sainthood! The woman who received this email immediately recognized it as a fraud and pointed out 3 things worth noting. First, she asked, “What’s all the noise about a university student?” The top of the email contained two paragraphs of text that were lifted from university communications that can be found online. One paragraph came from the University of Chicago and the other from the Drexel School of Education, plus about 30 oddball codes that littered the paragraphs. The text then ended with a couple of sentences about activating an account with “MusicDiffusion®.” After this bizarre text came the “Online Shopper Survey About : Airline Purchases.” Again, all links pointed to the website to remove your sainthood!

The woman also pointed out to us that though she received the email at her Gmail account, it was actually addressed to her username at aol.com, an account she doesn’t have! But what disturbed her the most was the unusual coincidence that she had called her Mastercard company to dispute the WestJet double charge less than a day earlier and then received this fraudulent WestJet survey! We both agreed that she was staring down a very bizarre rabbit hole, but she’s not Alice and it wasn’t Wonderland! Look carefully at this bizarre email and then we’ll unpack the details and share with you how deep this rabbit hole goes after we jumped into it.

It is particularly disturbing that the woman who received this email had spoken to her credit card company hours earlier about WestJet.  We told her that this email was not likely a coincidence. And if not a coincidence, then this was a targeted attack against her, and the perpetrators sent it because they felt they had the greatest chance for her to click this fraudulent email BECAUSE she had recently flown on WestJet. Generally speaking, it means that one of four sources of information had been compromised by cybercriminals: the WestJet Reservation system, the woman’s own personal computer on which she made the reservation, the woman’s phone, or the credit card Call Support Center.  We believe the most likely way that the cybercriminals came by her information was through the Call Support Center. Though complete conjecture on our part, here’s why we think so…

  • If the woman’s phone and/or computer were compromised, there would be NO NEED to send her a malicious email. The hackers would already have much better means to monetize their access through her equipment. (If her phone or computer had been hacked, it would be a nightmare of pain and financial loss for her. Read our articles “Targeting the Elderly – One Man’s Story” and “Sprint Phone Hacking Scam.”)
  • If WestJet’s reservation system were hacked, it would be BIG NEWS! The hackers would likely encrypt WestJet’s servers with ransomware and demand a million-dollar payment. There are many ways for them to make LOTS of money from such a hack.
  • Credit card companies often hire call support centers from groups overseas, such as call centers in India or Indonesia.  We suspect these may be less secure or more likely compromised in some way by criminal elements abroad.  That’s why we think her information about WestJet was somehow picked up by cybercriminals and she was targeted with a malicious email, though it was very poorly constructed.

WHY IS THIS EMAIL FRAUD AND UNSAFE TO CLICK?

  1. Did you notice that the subject line was missing spaces between many words? That’s a trick used by cybercriminals to avoid the watchful eyes of anti-spam servers. The oddball text from the two universities and “MusicDiffusion” was supposed to be white against a white background. The woman would have simply “seen” this as empty space. This text is also inserted to try to fool anti-spam servers into seeing this as a legitimate email. (NOTE: When we searched for “MusicDiffusion” in Google, the first link returned was an Ad about “Playlist Promo Scams to Avoid.” Interesting.)
  2. The email came from the domain uncanonization[.]com. This unsaintly domain was registered by someone named “DaKota Green” from 5660 Strand Court, Naples, Florida on September 3, 2021. This is only about 3 months earlier. Furthermore, we looked up 5660 Strand Court and discovered that it is an address for Windsor Professional Center, a service that sells “virtual office space.”  The age of this domain and use of a “virtual office” screams fraud! (Who spells her name like “DaKota” with a capital K anyway?)
  3. We took a screenshot of the destination link in the woman’s WestJet email and this is where the rabbit hole became a chasm of fraud! (Screenshot of her “SHOPPER SURVEY.”)

We can say with confidence that this “shopper survey” is a complete fraud.  Over many years, we’ve seen this exact survey, or nearly exact, dozens of times! They are meant to collect personal information of participants and sometimes to target people with malware. They ALL have a timer telling visitors that they have only minutes before this offer expires. However, if you let the timer tick down to zero, it just restarts!  These surveys also provide 4 to 8 “verified” reviews by people who presumably took the survey and were pleased by the gift they received, or how much fun the survey was. (A fun survey!? Now THAT’S fraud!)  All of these “verified” people are completely fake and use stolen images.  Here’s simple proof of this fact.  We Googled two of the exact quotes used in the above survey by “Beverly Edwards” and “AnaMaria Juhart” and discovered those exact quotes on several other survey websites but by people using other names! Below is one example using the quote that begins with “I was really bored so I decided to take the survey.”  It was found on 3 other bogus surveys, including from a website called myexclusivesurveys[.]com.  This exclusive survey site was registered about a week before Halloween in St. Kitts and Nevis Islands. We found this same quote in a survey dating back to January 30, 2019!  These cybercriminals have been using this same content for many years! Don’t believe any of it and don’t take these bogus surveys! We can promise you that it won’t end well for you.
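Several of the warning signs described above (subject words run together, white-on-white filler text, a recipient address that is not the mailbox that received the message, and a sender domain unrelated to the brand named in the subject) can be checked mechanically. The following Python code is an added example, not part of the original newsletter; the sample message, its `.example` domains and the brand-to-domain map are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the email described above; the addresses,
# the .example domains and the HTML body are invented for illustration.
SAMPLE = """\
From: FreshCustomerSurvey <survey@uncanonization.example>
To: reader@aol.example
Delivered-To: reader@gmail.example
Subject: ExpiringSoon : Your WestJet SurveyOfferRewardWorth UpTo$90
Content-Type: text/html; charset="utf-8"

<html><body style="background:#ffffff">
<p style="color:#FFFFFF">Graduate students should confirm enrollment soon.</p>
<a href="http://uncanonization.example/s">Online Shopper Survey</a>
</body></html>
"""

# Assumed brand-to-domain map for the sender check; extend as needed.
BRAND_DOMAINS = {"westjet": "westjet.com", "delta": "delta.com"}
WHITE_TEXT = re.compile(r"(?<![\w-])color\s*:\s*(?:#fff(?:fff)?|white)\b", re.I)

def domain_of(header_value):
    """Return the lowercased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def fraud_signals(raw):
    """Return the list of warning signs found in one raw email message."""
    msg = message_from_string(raw)
    subject, signals = msg.get("Subject", ""), []
    # Words run together to dodge keyword filters: many lower->UPPER joins.
    if len(re.findall(r"[a-z][A-Z]", subject)) >= 3:
        signals.append("squashed_subject")
    # Filler text styled white (inline styles only) so it looks like blank space.
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    if WHITE_TEXT.search(body):
        signals.append("hidden_white_text")
    # Addressed to a mailbox other than the one that received it.
    delivered = msg.get("Delivered-To")
    if delivered and domain_of(msg.get("To")) != domain_of(delivered):
        signals.append("addressee_mismatch")
    # Brand named in the subject, but mail sent from an unrelated domain.
    sender = domain_of(msg.get("From"))
    for brand, real in BRAND_DOMAINS.items():
        if brand in subject.lower() and sender != real and not sender.endswith("." + real):
            signals.append("brand_sender_mismatch")
    return signals
```

Calling `fraud_signals(SAMPLE)` returns all four signals. Each check is a heuristic: an addressee mismatch, for instance, also occurs with BCC and mailing lists, so treat the result as a score to combine, not a verdict.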

    Bogus Sextortion But Real Scare Tactics – Last week we shared one man’s recent experience with the Underage Girl sext scam. After publishing that Top Story, we heard from two more men who were targeted a few days later. And then another reader sent this frightening sextortion email (below). A hacker claims to have installed software on the woman’s computer, capturing her “pleasuring herself” as she visited porn sites. However, this entire email is complete fiction! We’ve written about these fake claims for years and the extortionist tries to convince the recipient to pay a bitcoin extortion fee. If the fee isn’t paid then they threaten to post the sensitive video online and distribute it to friends, family and coworkers. You can read more about these scare tactics used to trick victims in our Scamadviser article “Tactics Used by Fraudsters to Scare Victims.” You’ll also find lots of these bogus fictional emails which claim to have installed software on your computer for the purpose of capturing “private personal moments” in our article on The Daily Scam called “Sextortion by Email.”

    Rather than scaring you, we would rather make you laugh! You can start by reading the “Impotent email” in one of our phishing scams below. And if that “impotent email” doesn’t make you smile, how about this Nigerian 419 Scammer (disguised as Ms. Linda Brown) telling our scam-baiting friend Rob that she is “stormed with excitement” upon receipt of his rapid response! OK, we’ll stop making fun of scammers for now, but it did make us smile!

    Update Your Delta SkyMiles, iPhone Purchase, and Geek Squad – Rob contacted us recently to share a very unusual phishing email that we’ve NEVER seen before! It was actually a multi-phishing email that began by trying to trick him into revealing his Delta SkyMiles account information! The email came from a server in Germany, not delta.com. It also contained poor grammar, which is a sure sign of fraud! The link to “UPDATE YOUR SKYMILES” points to a website called bizeads[.]com.

    Visitors to bizeads[.]com are first given a “Security Challenge” to make them feel more secure! (Oh, the irony!) Then they are asked for their Delta SkyMiles login information. However, after that, they are asked for their email login credentials as well, in this case to AOL! Deeeeeleeeeete! (Thanks Rob for showing us the light!)

    Apparently “David William” can’t make up his mind how to spell his name (“William” or “Williams”). But it doesn’t matter because his Gmail account AIN’T paypal.com! This phish tells you that you’ve just purchased an “I Phone 12 Pro” for $412.75. What? Not your purchase? Well, the scammers want you to call them at 503-272-8565. By the way, this same email, without any name or address to confirm the recipient, was openly sent to 17 people!

    Scammers LOVE to use computer and security software services in their phishing attacks, such as the Geek Squad, a subsidiary of Best Buy. But this smelly phish came from another Gmail account. The attached invoice, named Cream Minimalist Commercial Invoice-converted, was a PDF file. Look at the screenshot of it below and you’ll also see that this “invoice” contains no name or address of the recipient! But, to dispute the charges, you can call the scammers back at 252-392-2964 and give them a piece of your mind! And, as they say in the invoice, “Thank for your business with us!”

    Finally, we’ll leave you with one more Geek Squad phishing email because they are that delicious!

    Hiring Scams – One of our readers contacted us last week after being targeted by 2 nearly identical hiring scam emails. Both of them contained an encrypted attachment, which meant that they could not be scanned for malicious content. They came from two different people (Drew Dean and Colt McClean) at the exact same domain, celebration[.]br[.]com.


    Not only does Google know nothing about that festive domain, but EURODNS.com tells us that this domain is  dedicated to websites in Brazil. (“.br” = Brazil) Furthermore, it was registered anonymously in April and there is no website information or title to be found.  Sounds like a South American Puma trap to us!  Step away from this cat trap!

        Here are Photographs I Shared with You –  Early in the Fall a man contacted us to say that he had received a suspicious email that was sent from his niece, but it was NOT from her real email address. That email contained a “message” from his supposed niece and a link to a malicious website hosting malware.  Now, about two months later, it happened again. His niece doesn’t use the email at live.com, as seen in this email.  Oddly, the subject line contained the identical subject line and misspelling of the word “ffrom” but after “Fwd:” This confirms that it was the same cybercriminals who had targeted the man earlier in the fall.  His “niece” again tried to convince him to click a link to some photographs she shared with him.

        This clickbait is extremely dangerous and can result in a great deal of pain and financial loss if the malware is successful in allowing cybercriminals complete control/access of your devices.  The link in this email pointed to a domain, eothrs[.]com, that had been registered anonymously in Iceland just hours earlier!  Lunge for the delete key!

        Giving Away Money! – Doug at The Daily Scam has been getting lots of texts the last few weeks about loans and deposits available to him, like this one asking him to confirm his deposit at ZipnLoan[.]com. A second text from a very similar phone number contained a link to MoneyZip[.]co. Hmmmm…. Both ZipnLoan[.]com and MoneyZip[.]co were registered in the Cook Islands on June 1! No thanks, we’re good!

        Until next week, surf safely!

        Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.