Weekly Alert  |  December 21, 2022

Our teams at ScamAdviser and The Daily Scam wish you all happy holidays! We hope you have a safe holiday season surrounded by friends and family, and filled with joy and relaxing down time!

Exposing a “Gun” Used by Cybercriminals

Many of our longtime readers routinely send us malicious/suspicious content. One such contributor whom we’ve mentioned in the past is an elderly woman named Bobbie. (Bobbie has given us permission to use her first name.) At the end of November and early December, cybercriminals targeted Bobbie with a barrage of malicious texts in a way that was very revealing about their methods for weaponizing domain names. How these horrible people loaded their “digital gun” and pointed it at this elderly woman prompted us to speak with people at the research firm WHOISXMLAPI. We used this firm’s powerful tools to analyze the way that these criminals weaponized domain names and it was enlightening. We want to show you what happened to Bobbie and how these bastards operate their weapons because it will help YOU to dodge a bullet!

Bobbie has been receiving a deluge of malicious texts for many weeks now, claiming to represent all kinds of crazy offers and opportunities. We’ve posted many of them in the weekly Texplosion section of our newsletter for weeks. However, on Saturday, November 26, Bobbie received a text from the phone number 915-332-3174 that contained a link and offered a “free 750 Walmart giftcard.” Bobbie is much too savvy to fall for these threats and shared the text with us…

The domain used in this threat is approvedurls5[.]info. To help readers understand these threats, it’s important to recognize the three components that can make up a fully qualified domain name (FQDN), such as the blue link in the above text:

    • “info” = this is called a Generic top level domain (GTLD); the GTLD always appears at the end of a FQDN and is found immediately in front of the first SINGLE forward slash IF the link includes additional information. (Note: there are a few exceptions to this rule.) The text above has no additional information shown after the DOT-info, which explains why there is no single forward slash shown after DOT-info.
• “approvedurls5” = this is the domain name itself; a domain is always separated from the GTLD by a period.
• “see” = this is a subdomain in the above text; a fully qualified domain name does not have to have a subdomain in front of it. However, if there is a subdomain, or more than one, they are separated from the FQDN, and from each other, by a period. For example: login.verizonwireless.com, where “login” is the subdomain and “verizonwireless.com” is the fully qualified domain name.

    On Tuesday, November 29, Bobbie received a text from the phone number 623-332-5592. It contained a link and offered a “free 750 Csh app gift card.”  The fully qualified domain name was identical to the domain received on November 25 except that the “5” was replaced by a “7.” This time, the subdomain was the number 4. And like the earlier text, this text was 100% malicious!

    You know the expression “two points make a line?” We saw that line and wondered if Bobbie was going to be targeted by more texts using the same FQDN but with different numbers: approvedurls (#) DOT-info. Sure enough, on December 2, Bobbie received approvedurls with numbers 8 and 9 from 623-281-4664 and 623-276-7653 respectively…

    That’s when we turned to the investigative suite of tools at WHOISXMLAPI. Their tools told us that, in total, there were 12 related domains registered during November…

As a result of our findings, we fully expected Bobbie to be targeted by more of these “approvedurls” domains and sure enough, she received another text from approvedurs1[.]info, sent by another 623 area code number. We spoke to a researcher at WHOISXMLAPI named Alex and he confirmed for us that cybercriminals often register the same fully qualified domain name over and over, but include a number change.

The benefit of understanding this cybercriminal strategy is simple… If you receive a text or email and suspect that the link is malicious, look for a number used in that fully qualified domain name. If there is a number, especially at the end of the domain, there is a strong likelihood that you may be targeted with more such domains using different numbers. If so, you can be reasonably certain that they are all fraudulent and malicious!
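The two ideas above (splitting a link into subdomain / domain / GTLD, and spotting a family of “same name, different number” domains) can be turned into a small triage script. The following is an added example written for this newsletter issue; it is not code from The Daily Scam, ScamAdviser or WHOISXMLAPI. The sample links are constructed to mirror the pattern described above (they are not copies of Bobbie’s texts), defanged “[.]” notation is accepted, and the labels follow the newsletter’s own terminology, where “domain” means the label immediately left of the GTLD. Multi-label suffixes such as co.uk are deliberately not handled (the “few exceptions” the text mentions).

```python
import re
from collections import defaultdict

# Constructed sample links modelled on the newsletter's description.
# They are NOT the real SMS contents; "[.]" is the usual defanged notation.
SAMPLE_LINKS = [
    "see.approvedurls5[.]info",
    "4.approvedurls7[.]info",
    "approvedurls8[.]info",
    "approvedurls9[.]info",
    "approvedurls1[.]info",
    "login.verizonwireless.com",       # benign-looking example from the text
    "www.example.com/path?x=1",        # link with extra information after the slash
]


def refang(text):
    """Turn defanged notation back into a normal host string."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def split_fqdn(link):
    """Split a link into (subdomains, domain, gtld) as the newsletter defines them.

    The GTLD is the last label, the 'domain' is the label just left of it, and
    anything further left is a list of subdomains. Scheme, path and query are
    dropped first, so only the host name is examined.
    """
    host = refang(link.strip())
    host = re.sub(r"^[a-z]+://", "", host, flags=re.I)   # drop "http://" etc.
    host = host.split("/", 1)[0].split("?", 1)[0]          # keep host only
    labels = host.lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a dotted host name: {link!r}")
    gtld = labels[-1]
    domain = labels[-2]
    subdomains = labels[:-2]
    return subdomains, domain, gtld


# A domain label that ends in one or more digits: "<stem><number>".
NUMBER_SUFFIX = re.compile(r"^(.*?[a-z])(\d+)$")


def numbered_family(domain):
    """Return (stem, number) when the domain label ends in digits, else None."""
    m = NUMBER_SUFFIX.match(domain)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def group_numbered_domains(links):
    """Cluster links whose domain is <stem><number> under "<stem>.<gtld>".

    Returns {"stem.gtld": sorted list of numbers seen}.
    """
    families = defaultdict(set)
    for link in links:
        _, domain, gtld = split_fqdn(link)
        fam = numbered_family(domain)
        if fam:
            stem, number = fam
            families[f"{stem}.{gtld}"].add(number)
    return {key: sorted(nums) for key, nums in families.items()}


def suspicious_families(links, min_members=2):
    """Families with at least min_members variants: the 'two points make a line' rule."""
    return {k: v for k, v in group_numbered_domains(links).items() if len(v) >= min_members}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:32} -> {split_fqdn(link)}")
    print("numbered families:", suspicious_families(SAMPLE_LINKS))
```

Feeding a week of reported links into `suspicious_families` surfaces the `approvedurls.info` family with every number seen so far; a single numbered domain on its own is not flagged, which keeps ordinary names like `web2.example.com` from generating noise until a second variant shows up.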

      Footnote: Do you get suspicious/malicious texts? (Most people do!) Take a screenshot and send them to texts@thedailyscam.com.

Is Elon Musk’s Giveaway Real?

Twitter users who follow Elon Musk (and related accounts like Tesla and SpaceX) are the target of the latest giveaway scam. Be careful! Read on to learn everything you need to know and protect yourself with this FREE, all-in-one tool:

Work at Home Job Scams and Looking for an Apartment to Rent?

During the last week we heard from a man who asked us if we thought a job he had been offered was legitimate. A shipping service called “Lienz Logistic” (lienz-logistic[.]com) wanted to hire the man to re-ship packages to clients that would be sent to his home. Hell no! We’ve reported on this scam MANY times and have now listed 51 fake shipping services used by these Russian-speaking scammers! They trick Americans into moving stolen merchandise and then never pay them a penny once their first paycheck is due.

One small sign of fraud by Lienz Logistic is that the name of the company is Lienz Logistic, but on their Careers webpage they call themselves “Uss-express.” They’ve repurposed this website many times under many names and simply forgot to change the use of an old name.

Also, the domain lienz-logistic[.]com was newly registered in October and yet in the reviews section “Greg” says he’s been a customer for the last few months. Greg’s photo can easily be found on other websites and is likely a stock photo. For example, it can be found at the top of JoinRealtyGroup100.com. Also, the photo of “Maryr” used in a testimonial on lienz-logistic[.]com can be found on a dentist’s website in the UK under the name of Sejal, from a 2020 post. Finally, our partners at ScamAdviser.com give lienz-logistic[.]com a VERY low trust rating.

Another bogus shipping site used by scammers was in a text reported to us and called ShipDLstics[.]info. There’s no website at this domain address yet and it was just registered from Malaysia on December 5, the same day the text was sent.

      As an example of how despicable low-life scammers can be, check out this text exchange recently posted to Reddit by someone who found an apartment listed in Florida. The scammer claims that he can’t be there to actually show the apartment because he is with his mother who is battling cancer and is in chemotherapy. Take out your violins and feel sorry for this scammer! Scammers are sub-humans who don’t care what story they tell, who they target or how much pain they cause, just to make money.

Life Line Screening, American Express and Geek Squad

One of our readers sent us an unusual phishing scam we haven’t seen for a while. The email claims to be an offer from the company called Life Line Screening but comes from the odd domain called focuscameraviable[.]com. This odd domain was never registered (doesn’t exist) and was likely spoofed. It certainly wasn’t the legitimate domain for the company represented in the email! Most interesting is the fact that there were no malicious links found in this phish…

The email provides a “priority code” and recipients are invited to call 833-970-4139 to speak to a company representative. However, a Google search for this phone number turns up ONLY 3 web pages, all on a government server in Turkey! We OFTEN see these same Turkish server webpages during phone number searches and feel pretty confident that these links are not safe to visit.

We asked Google for the Life Line Screening phone number and it had no problem returning the legitimate phone number, which was not the number used in the email. Also, the legitimate number is a toll-free 800 number, not an 833 phone number!

This next smelly phish was sent from a server in Germany (“.de” = Deutschland = Germany) that has been misused many times by cybercriminals. “Your American Express will be closed” says the bogus subject line! This phish tries very hard to trick recipients into thinking it is legitimate because they used the legitimate American Express email address in the TO section of the email! Also, the link in this phish points to a mimic that begins with the letters americanexpress but is then followed by veri[.]com. Using the tools at WHOISXMLAPI.com, we found 176 domains registered in the last 3 months that began with americanexpress. We’re certain that many of them (most?) are 100% malicious, such as americanexpress-securitty[.]com and americanexpress[.]bid.

        Another reader sent us this lovely “Order_Discription” that came to her from a personal Gmail account. We’re grateful that many scammers cannot spell correctly and have no idea how poor their grammar can be! The attached file contained yet another scammer phone number: 818-660-1233.

        Deeeeeleeeete!

Walgreens Survey

Are there ANY legitimate marketing surveys online that offer money to participants? Please let us know if you’ve seen or taken legitimate surveys and received a discount code or gift card as a result. Our “rose colored lens” is very dirty and only sees malicious content disguised as a survey, like this email from Walgreens. Except that it really came from an old domain called netemployers[.]com. Your opinion may be important but it certainly shouldn’t lead you to click that link to a crazy domain called subserouslsdgroundable[.]com. This domain was registered anonymously in June, 2022. We’ve lost count how many times cybercriminals have used this exact email design and graphics for their scams. About a year ago we published an article about fake consumer surveys. These scams are a dime-a-dozen!

I Found An Old Photo of You and Track Your DHL Package

Just a few days ago we heard from one of our readers who sent us a screenshot and asked “is this legitimate.” Our immediate reply was “NO!” This is actually a common type of malicious clickbait sent through someone’s hacked Facebook account. The message says “look I found an old photo of you” and includes a VERY malicious link. Because the message comes from the account of someone you know, you are much more likely to trust the message and click that link. That’s one of the many reasons that scammers try to capture the login credentials for people’s social media accounts! The link in this message points to a domain called 16yq[.]quest. This crap domain was registered 8 days earlier and sits on a server in Amsterdam. If you ever see something like this, be sure to contact the person whose account it came from by texting, calling or emailing and let them know! Don’t just send a message over Facebook because the hacker who sent it might delete your message before it can be seen!

Tis the Season, right? Scammers have been targeting the public HEAVILY with bogus emails pretending to be package delivery notices and we’ve been reporting on this for weeks. It hasn’t slowed down! Here’s one more email pretending to be from DHL but the domain used to send this clickbait is a HIGHLY suspicious “money-saving” website called connaughtindustries[.]com that was registered in early July.

        Instead of pointing to DHL.com, this bogus email points to a website called jewelryoutletmall[.]com.

        Yeah, right….. Lunge for the delete key!

The Government is Approving Help and Set Up Your Request

Check out this bogus text telling our reader that “the government is approving help.” How lovely! The fact that this message is written in such a crazy way, including the use of a zero for the letter o, tells you EVERYTHING you need to know!

        Delete!

        Another one of our readers sent us this lovely text that makes no sense at all. NEVER reply with “stop” to these bogus texts because they only confirm to the scammers that you open and read them.

        Just delete!

        Until next week, surf safely!

Copyright © 2022 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you have subscribed to it via Scamadviser.com or thedailyscam.com

        Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands
