Tis the Season! — We are deep into the holiday season as many people around the world have celebrated Hanukkah, or are about to celebrate Christmas and Kwanzaa. Please be safe and careful BEFORE you click! James at Scamadviser has put together the Top 5 Christmas Shopping Scams in 2021. We urge you to read it and stay on your guard. And if you want to see what some fake online stores have looked like, check out our article on Consumer Fraud at The Daily Scam.
On a related note for the holiday season, people often choose to forgive one another and renew and strengthen their friendships and family relationships. In this spirit of forgiveness, this recent phone message from the Student Loan Forgiveness Program fits right in. Many of us would like student loan support but this message inviting people to call 866-205-9934 for help is NOT the way to get support! There are MANY complaints online about this phone number, including this thread on FindWhoCallsYou.com. The call came from 866-204-2579 which was also written up on Robokiller.com.
Student Loan Forgiveness Program
Amazon, Paypal and IT Help Desk – One of our readers sent us this screenshot to ask if it was legitimate. It wasn’t! The strong hint was that the email began with “Someone who knows your password is attempting to sign-in to your account.” Services like Amazon DO NOT send emails like this and certainly not one saying that “someone who knows your password….” But the biggest red flag is that this email came from a server in Mexico but says that the sign-in attempt happened in Canada! Deeeeleeete!
This next phish is the worst possible threat one can imagine because it isn’t just a phishing email. The email was sent to undisclosed-recipients from a server named eulchetska[.]com, NOT from paypal.com! It claims that your Paypal account has been locked for security reasons and provides a link to click and unlock it. But that link will send you to a website that hits you with malware first and then forwards you to a phishing site on “umbrellacorp[.]id” that looks like a Paypal login page! Ouch! Double the pain! (“.id” is in Indonesia!)
Apparently, “IT Help Desk Services” and Geek Squad are now using a personal Gmail address called ilana7780jase. These bogus emails rarely contain the name and address of the person who receives it. That’s a SURE SIGN of fraud! You didn’t just pay for an “up-gradation.” Notice how the scammers obfuscated the telephone numbers so that anti-spam servers can’t identify it as a fraudulent number. Deeeleeeete!
ADT Home Security and AETNA Payment – One of our readers sent us this email pretending to be from the Home Security system of ADT. But the email came from a website called enginesolo[.]com. Similar to one of the emails that targeted TDS, this email contained a link pointing only to an IP address rather than a domain name. IPLocation.net identified the link as pointing to either a server in Germany or Romania. (Sometimes IP addresses are moved from one server to another or DNS databases are updated in such a way that it may be harder to pinpoint the exact location of an IP address.) But ADT is an American company headquartered in Florida and this IP address isn’t even close! It’s malicious clickbait!
One of our readers sent us this tiny email claiming to be about an AETNA (insurance) payment waiting for approval. But the email clearly came from a Gmail address and contained only an attached pdf document. The pdf document was made to look like information about an Excel spreadsheet but the “open” link pointed to an oddball website at “s[.]id.” The “.id” indicates a server in Indonesia again!
It turns out that the website at the other end of this link is a phishing scam intent on collecting your personal login information to any one of several services. Check out the screenshot! Fortunately, the Zulu URL Risk Analyzer recognized that this link is 100% malicious!
What It Looks Like to Be Targeted –
In our effort to help people recognize or avoid online fraud and threats from cybercriminals we’ve taken few measures to hide our own identities. In fact, the reason we created The Daily Scam and Scamadviser is because we had been targeted and our family members had been targeted by cybercriminals! Even elederly parents, aunts and uncles in their 80’s and 90’s have been targeted. Cybercriminals don’t care who they hurt, or how much. The pain they have caused us, our friends and family, is what motivates us to try to educate the public. This effort, however, puts a big red target on our collective backs. Each of us and our family members continue to be targeted weekly. We wanted to share with you a bit of what a typical week looks like when cybercriminal gangs turn their sights on us and our families.
On December 14, one of our family members received a very targeted attack. Criminals registered a domain hours earlier after doing some research about the family. They sent one family member an email that appeared to come from a cousin about some photographs. Of course it didn’t come from the cousin’s real email address and the link was completely malicious! We know that one of the cybercriminal gangs in India is often registering their malicious domains through NameCheap in Iceland so this email may have been one of their “holiday gifts.”
Cybercriminals can be so thoughtful and caring (said dripping with sarcasm!). Doug at The Daily Scam received this lovely email with the subject line “Best Gifts For Your Family” but especially “To Your Wife.” Awwww! Isn’t that sweet? The sender, someone at Gmail named “Minh Phuong 06021990,” has some gift suggestions for Doug to give his wife. But the link points to a crap domain called 45jhe65j54u[.]xyz. Dot-xyz global top level domains are NOTORIOUSLY used by cybercriminals to target people with malware! And sure enough, BitDefender found malware waiting at the end of that link. Also, that crap domain was registered in Iceland about two weeks earlier. Hmmmm…..Could it be from someone we know?
Like our readers, we get bogus emails EVERY SINGLE DAY from cybercriminals disguised as businesses offering us new products. Such as this exciting message from Karissa via our contact form at TheDailyScam.com. “Biggest Ever Sale NOW!” for a durable pet mattress! We could get 50% off if we visit petmattress[.]store. But we recognized that this is another crap domain! It was registered in China just 4 days before we received this offer. No thanks, we’re good! Our pets will just have to continue lying on the cold, hard floor.
Sometimes we get the most amusing emails that make us smile and we can’t wait to share them with our readers! Like this adorable email that came from the Central African Republic. Apparently we have “4 Unreceived Clustered Emails on 10th – December – 2021, not delivered to Inbox.” “This was due to a system delay” but we can RECTIFY BELOW! Thank goodness rectification is an option!
That button to “Release Pending Message to Inbox” points to an IP Address rather than a named server. If you EVER see a link that begins with a bunch of numbers DO NOT CLICK IT! It is an IP address which identifies devices on the Internet. Every device that connects to the Internet gets an IP address. But to help people find websites on the Internet, Domain Name Service (DNS) connects IP addresses with domain names. And so if you see an IP address INSTEAD of a name, that means something is either wrong with the DNS service (a rare event) or more likely, someone is PURPOSELY trying to hide the destination of the link! Fortunately, you can visit sites like IPLocation.net and enter the IP address to see where an IP address is hosted. IPLocation.net told us that by clicking that link for the clustered emails we would be visiting a web page on a server in Hessen, Germany. Hmmmmmm…. Nein danke!
We could go on and on with malicious emails and texts that we, and our family members, receive weekly but we’re sure you get the point. Our family is well-trained to recognize and respond to these joyful hand grenades and gift wrapped bear traps tossed at them, so we’re not worried. In fact, this increased effort by cybercriminals simply confirms that our combined effort to help people around the world has a positive impact that cybercriminals don’t like. We’re always going to be here for you!
You Have a New Voicemail – A newsletter reader sent us this “C0M-CAST” email that may actually have come from a hacked Oakland, California government email account. The recipient is told he had a voicemail message but the attached file is an “htm” file. HTM and HTML files are EXTREMELY dangerous to open because they contain instructions that tell your web browser to do things. THE LAST THING YOU WANT TO DO IS HAVE CYBERCRIMINALS TELLING YOUR WEB BROWSER TO DO ANYTHING AT ALL! We cracked open that file and looked at the instructions of the code. The browser is told to go visit a malicious website called thermodilk[.]com. Lunge for the delete key!
Christmas Funding and Game App – And finally, we leave you with two texts that targeted our family members last week. The first contained the full name and phone number of the family member, along with a link to a website in Indonesia called “gameapp.” Of course, the link is malicious!
The second email offered Christmas funding and encouraged the recipient to visit a bogus loan website called WebBankUSA[.]com. According to Scamadviser.com, TrendMicro has reported this USA Bank site as unsafe!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands