Weekly Alert  |  December 28, 2022

We wish all of our readers a very happy and healthy new year, unless you are a scammer reading this!

People with Serious Credibility Problems!

People all across the Internet have serious credibility problems! You’ve heard this from us before but as a reminder, here is another round of reasons to doubt what you see and hear from people over the phone and across the interwaves of turbulence. Let’s start with a phone call recorded by professional scam-baiter Rob after he received an email like this smelly, rotten phish pretending to be from Geek Squad. Rob’s email thanked him for renewing his subscription for 5 more years at a cost of $616! Yikes! But, of course, Rob never subscribed to this service to begin with. Just wait until you hear how the scammer explained why Rob was billed this way! It’s actually quite clever and plausible.

Before you listen to Rob’s nine and one-half minute audio recording, there are several important things to pay attention to….

  1. Scammers often miss details and make mistakes that are important to notice. In this phishing email, the scammers misspelled “Geek Squad” as “Geek Suqad.” Also, the text in this email is very awkward and STRONGLY suggests that English is not the sender’s primary language.  The phone call confirms this and you’ll hear both scammers have Indian accents.

     

  2. This scam email was sent from a bogus personal Gmail account, not a business!

     

  3. As you listen to the call, notice that as both scammers speak to Rob and have Indian accents, you can often hear background sounds of other people speaking in a language that is NOT English. The second scammer asks Rob for his full name and phone number and we’ve removed that from the audio recording. (Also, you might notice that the first scammer, a woman, is coughing and sounds a bit hoarse. Perhaps she has COVID? We can only hope she does and infects all of the scammers around her!)

     

  4. After about 5 minutes, Rob tells the woman that his computer window closed and that he needs her to go through her instructions all over again. This is just to waste her time! We’ve removed that extra time from the recording and moved on to the part where she tries to trick Rob into downloading and installing the software that her scam team can use to take control over Rob’s computer! (Rob wasted about 18 minutes of this scam team’s time. Go Rob! That’s 18 minutes that these leeches weren’t targeting real people.)

    The scammers use a very clever trick when Rob says he never purchased the Geek Squad software to begin with. They say that it came with his computer as a promotion when the computer was purchased and the subscription has now run out, charging him for 5 years when it auto-renewed. Very clever and plausible! The scammer tries to trick Rob into visiting AnyDesk[.]com to download and set up their free software.  AnyDesk makes software that allows someone to REMOTELY CONTROL YOUR DEVICE!  It can be installed on PCs, Apple Macs, Android phones, and even iOS devices like iPhones and iPads.  IT IS VERY DANGEROUS TO GIVE CONTROL OF YOUR COMPUTER/DEVICE TO SCAMMERS!  Enjoy the recording….

    Our next credibility problem concerns an email from a Foundation donating LOTS of money to charities as a result of the Covid-19 pandemic, including us (though we’re not a charity).  We’ve seen lots of this type of fraud.  Notice…

    1. The email came FROM “MacKenzie Scott” using the domain “maryiacofano[.]com” but Mary spells her last name with an L as Lacofano, not an i.

    2. This foundation claims to have given out $12 BILLION dollars through the Scott Foundation, since 2019.  However, the domain seen in Mrs. Amelia Alexander’s email address is scotsfoundation[.]org. This domain was only registered in August, 2022 and is NOT the REAL Scott Foundation domain, which can easily be found online.

    Any business or organization with an online presence gets LOTS of solicitations for partnerships and services from around the world, like us!  Check out this exciting offer we received just last week. They are offering a “3-way link exchange” which means that we would agree to add links from this service to our website to help promote their businesses/organizations and our links would appear on other websites to promote us. Sounds like a great offer, right?  Except that there are some things about this offer that bothered us…

    1. Madie Kemmer claims to represent a business called hirelinkbuilders[.]com. Though this domain was registered a year and a half ago, there’s no website to evaluate! It says “coming soon.”

    2. We asked Google about this business and Google knew absolutely NOTHING at all about it, except that it existed. We found this especially odd, considering the age of the business and that it is focused on promoting itself and those with whom it collaborates!

    3. Finally, as we looked closer at their email, we wondered why they sent their email at 4:55 AM? Where in the world are they? Russia?

    And so, we decided that we have too many questions about this business to proceed.

    Finally, between December 19 – 21, The Daily Scam received several concerning emails about some of our email accounts.  First we were told by our “Server Administrator” that they are “closing all old versions users from Today…”  We were asked to confirm our email in order to keep it open! We couldn’t quite figure out if they meant that we were old (we are) and that’s why we were to be closed, or our email account was old.  Either way, we thought this email had several SERIOUS credibility problems, as you’ll see below! 

      Our last email with credibility issues comes from a remarkable and generous philanthropist named Andrew Schuurman. Mr. Schuurman has selected us to be one of 20 people to receive an exceptional donation of $1.8 Million dollars! We’re honored and truly excited. However, there are just a couple of credibility problems that concern us about this lovely offer…

      1. Mr. Schuurman’s email came from a domain called seabirdreader[.]com. Seabird describes itself as “a new way of finding worthwhile content and other media on the internet: A place for readers to discover, for curators to share, and for writers to feature their latest articles, essays, blog posts, books, and other work.” This doesn’t sound like a legitimate email account for Mr. Schuurman, unless his email is a piece of fiction!

      2. When we tried to reply to Mr. Schuurman’s email, we couldn’t help but notice that our email was going to be sent to a different webserver in Hungary. Hungary is not a country shown to be associated in any way with Mr. Schuurman’s philanthropy or home country, according to Wikipedia.

         

      Hmmmm…. As a result of these concerns, we’re rethinking our plan to spend this $1.8 Million dollars to create a Professional Crab Racing arena and training center in Bora Bora, Polynesia. Oh well, the best laid schemes o’ Mice an’ Men…

      Top Christmas Scams to Watch Out For 2022

      There are lots of common scams that, although they exist year-round, become even more prevalent around the holiday season as scammers ramp up their efforts. Below are seven of the most common scams that you need to be aware of during the festive period so you can stay safe from scammers.

      Trust Lost Again, Justice, and Waiting for More Pain

      How many times have we all read about companies who told us one thing and then did something completely opposite, effectively lying to their customers/users? Or companies who misled their people? And this misbehavior has been at the public’s loss but serves to make money for the company! There are so many examples that come to mind, such as when Snapchat lied to its users for years by claiming that snaps (photos) sent via their app were deleted in X number of seconds after a recipient viewed it. That was a lie and ALL photos could still be found on the device on which they were received and on the Snapchat servers as well. Or how about the MANY times that Mark Zuckerberg and Facebook (Meta) lied to their members about the monitoring of people, storage and use of their private information? On December 19, this business fraud happened again. (**Sigh**) This time the FTC fined Epic Games, maker of the game Fortnite.

      Fortnite producer, Epic Games, was recently fined a total of 520 Million dollars for multiple breaches of public trust and fraudulent manipulation, as well as putting children at risk for bullying and other risky behaviors.  You can read more of these details on the FTC.gov website and in this Washington Post article. One reason for the fine was because Fortnite players were misled and tricked into buying gaming merchandise through the use of “dark patterns.” (We’ll explain ‘dark patterns’ in a January newsletter.)

      We want to point out, and celebrate the fact that sometimes scammers DO GET CAUGHT! Even when they are overseas in other countries!  Check out this article posted on December 18 about several men and women from the United States, Canada and India who were recently arrested and charged with fraud going back ten years to 2012! Much of their fraud was perpetrated against the elderly which, in our opinion, demonstrates how despicable these people are. However, on the other end of the scammy spectrum is this article on Cyberscoop describing unexpected fraud consuming the JFK Airport taxi system and involving Russian hackers! (**Said shaking our head in disbelief.**)

      We continue to hear about scams targeting people using Facebook Marketplace. The latest was a Reddit member who posted this brief text exchange that everyone immediately recognized as a scam. “Overnight you a check” means that this will be a fake-check scam. Often, scammers send a check for more than the asking price, then claim it was a mistake. They ask the recipient to wire the difference back, though the check will bounce 5-7 days later. That’s just one of several variations of this scam!

      Speaking of wiring money to scammers, our friend Rob recently made an interesting observation that we agreed with.  He says that over the last year or so, more and more scammers are steering AWAY from Western Union and other “brick and mortar” locations for transferring money because these services are doing a better job to stop people from sending money to scammers. Scammers are now more likely to use online transfers only, or bitcoin (and other digital currencies) where there is no one to warn victims that the transaction is likely a scam. Here’s a recent example from an email exchange Rob had with a Nigerian 419 scammer pretending to be a lawyer. Notice how this “lawyer” asks for payment…

        Sometimes, even we are aghast and confused by the tools and methods used by scammers. Take this bogus Facebook email sent to Rob recently and telling him that a user just logged into his Facebook account from a new device.  If he were to click either link, he would have sent an email to 72 scammer email accounts around the world, including Russia, Poland, Kazakhstan, Italy, Canada, France, Spain, Germany, Argentina, Japan, Australia, Czech Republic, Germany, Israel and elsewhere!  (**said shaking our head in disbelief**)

          Bank of America, Amazon and PayPal

          Bank of America’s website is easy to predict: bankofamerica.com. This email’s text field begins with “Bank of America” but where it counts most, between the <> symbols and after the @ symbol, you can see the domain ccboe[.]org. That domain belongs to Cullman County Schools in Cullman, Alabama! We’ve informed them that a teacher’s account has been compromised. The link in this phish points to a server called myqcloud[.]com. It is a service registered in Guang Dong, China back in 2013 and is obviously being misused.

          Deeeeeleeeeete!

          What makes this next rotten phish especially interesting is that it reveals two related fraudulent games.  The first, and obvious one, is the fact that this email did not come from Amazon.com customer support. (Also, if you read the paragraphs in the email, you’ll find poor grammar and the description makes no sense!) However, look at the destination link we found when hovering over “Verification Account!” We see another malicious mimic domain that was CLEARLY registered for phishing another well-known internet service!  This other domain is hosted on a server in Paris, France. Effacer! Au revoir!

          Let’s complete this trifecta with the third most common type of phish we routinely see….Paypal, of course!  This scam was sent from an account at windstream[.]net, rather than paypal.com! Like so many other scams, this one uses the trick of telling you that an order YOU DID NOT PLACE is being shipped to someone else and charged to you!  NOT TRUE! Don’t believe this malarky! However, if you want to SCREAM some holiday cheer into the open ears of the scammers who created it, please call them at 855-959-3140. Maybe you can use a fog horn to say hello for you?

          Marriott Bonvoy Account and Check Received

          This week we wanted to show you two extremes on the fraud scale. The first is a remarkably clever scam that we’ve never seen before and never thought scammers might monetize. Check out this email that appears to be from Marriott Bonvoy. The Marriott hotel chain has a rewards program and the Marriott Bonvoy account is the portal to it. Cybercriminals can turn your rewards points into their own holiday rewards! This email uses two clever tricks that we want to make sure EVERYONE SEES…..

          1. Though this email came from an email service in Germany (“.de” = 2-letter country code for Deutschland = Germany), the criminals included a REAL Marriott Bonvoy email address in the TO section.  A recipient, at a glance, may think that this means this email came FROM the real Marriott service but it didn’t.  This trick is being used quite a lot lately.

          2. The link to update your Marriott account points to a malicious mimic.  Mimics are domains that closely resemble a website’s real domain.  Instead of being the real marriott.com or bonvoy.com, this email points to marriottacct[.]com! That domain was registered on December 15, just 2 days before this email was sent. The domain was not registered to Marriott Bonvoy, but to a woman named Helen McFarlane, from 1176 Sigley Road, Sylvan Grove, Kansas.  According to Google, there is no street by that name in Kansas.

          Delete!
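The three tells described above for the Bank of America and Marriott Bonvoy emails (the domain after the @ in the From line, a real brand address planted in the To field, and a mimic domain in the link) can be checked mechanically. The following Python is an added example, not part of the original newsletter; the brand allow-list, the function names and the two sample messages are assumptions constructed from the details given above.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumed allow-list for this example: brand -> domains it really uses.
BRANDS = {
    "bank of america": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
    "marriott": {"marriott.com", "bonvoy.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def refang(text):  # undo hxxp / [.] defanging so the sample can be parsed
    return text.replace("hxxp", "http").replace("[.]", ".")

def registered_domain(host):  # last two labels; ignores suffixes like co.uk
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_message(defanged_raw):
    """Return (finding, brand, domain) tuples for a single-part text email."""
    msg = message_from_string(refang(defanged_raw))
    display, addr = parseaddr(msg.get("From", ""))
    sender = registered_domain(addr.rpartition("@")[2])
    to_domains = {registered_domain(a.rpartition("@")[2])
                  for _, a in getaddresses(msg.get_all("To", []))}
    link_domains = {registered_domain(urlparse(u).hostname or "")
                    for u in URL_RE.findall(msg.get_payload())}
    findings = []
    for brand, official in BRANDS.items():
        outsider = sender not in official
        # Brand in the display name, but the domain after the @ is someone else's.
        if outsider and brand in display.lower():
            findings.append(("display-name-mismatch", brand, sender))
        # A real brand address placed in To: to lend the message credibility.
        if outsider and to_domains & official:
            findings.append(("brand-address-in-to", brand, sender))
        # Link domain that embeds the brand name but is not an official domain.
        token = brand.replace(" ", "")
        for dom in sorted(link_domains - official):
            if token in dom.replace("-", ""):
                findings.append(("mimic-link", brand, dom))
    return findings

# Constructed samples built from details in the newsletter; local parts,
# recipient, subjects, URL paths and the .de sender domain are placeholders.
BOFA_SAMPLE = (
    'From: "Bank of America" <teacher@ccboe[.]org>\n'
    "To: reader@example.net\nSubject: Account notice\n\n"
    "Review your account: hxxps://myqcloud[.]com/placeholder\n"
)
MARRIOTT_SAMPLE = (
    'From: "Marriott Bonvoy" <sender@placeholder-mailer[.]de>\n'
    "To: placeholder@marriott.com\nSubject: Update your account\n\n"
    "Update here: hxxps://marriottacct[.]com/placeholder\n"
)

if __name__ == "__main__":
    print(check_message(BOFA_SAMPLE), check_message(MARRIOTT_SAMPLE), sep="\n")
```

The To-field check is a heuristic: a genuine third party copying a brand address would also trigger it, so treat it as a reason to look closer rather than a verdict.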

          Though the previous email was clever, the next fraud was so absurdly lame that we wonder how this scammer is able to make a penny from it. Rob shared this with us. He played a Nigerian 419 scam and was sent the digital check you see below and told to deposit it.  Seriously?????  Yes, there is a real Oxbury Bank PLC in Chester, UK but this is certainly not one of their checks. There are no watermarks, background images, name for the bogus signature, etc. Also, it took us seconds to find the correct routing number required for the Oxbury Bank checks and this check doesn’t have it.  (We’re especially disappointed that this check is a fraud because Rob has been telling us for years that he’ll split, 50-50, any money he receives from these wonderful offers he gets every day. We’re both still waiting!)

          Lots of Bullets to Dodge! – One of our readers is the Safety Director for a chemical manufacturing company in the United States. This person has been getting a rapid-fire barrage of VERY malicious emails meant to download malware, and likely control a computer and take over the company’s network. These emails are the most serious threats we’ve ever seen! Fortunately, this person is very savvy and we’ve got her back! She will often share them with us and ask for our input on questionable emails. Here are a few of the most recent ones. You’ll notice that most contain dangerous attached files that we’ve written about many times… DOT-htm, DOT-html files. However, this first email contained a threat that we’ve never seen before, until now.


          The Safety Officer received this odd email about a subscription charge that appeared to come from Azuga[.]com, a service used by many businesses to manage their fleet of vehicles. However, the attached Excel file size was very small, suggesting very little content.  For a supposed “list” of things, we thought this just a bit odd and proceeded with caution. When we downloaded the file to check it with our many anti-virus, anti-malware software tools we were immediately surprised with a message from Microsoft’s Excel EVEN THOUGH we didn’t open this file.  It appears that the file tried to open itself but Excel stopped it and showed the Alert you see in the screenshot below. Nasty!

          This next email was easy to spot as malicious because the attached file was a DOT-html file! DO NOT THINK THAT A FILE ENDING IN html, htm or php IS SAFE TO OPEN! Sure enough, we cracked open that attached file and found that it contained coding that would have directed the Safety Officer’s web browser to visit a malicious website called candcinfotechdev[.]com.  This malicious website was registered and is hosted in Karnataka, India.
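A mail filter or analyst can pull the destination out of an attached .htm/.html file without ever opening it in a browser. The following Python is an added example, not part of the original newsletter: the newsletter does not show the attachment's code, so the sample file is constructed, and the function names and the set of redirect patterns checked are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script redirects: location = "...", location.href = "...", location.replace("...")
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']"
    r"|location\.(?:replace|assign)\(\s*[\"']([^\"']+)[\"']", re.I)
META_URL = re.compile(r"url\s*=\s*[\"']?([^\"';\s]+)", re.I)

class RedirectFinder(HTMLParser):
    """Collect (kind, target) pairs for ways a page can send a browser elsewhere."""
    def __init__(self):
        super().__init__()
        self.targets, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(("script-redirect", m.group(1) or m.group(2)))

def scan_attachment(filename, defanged_html):
    """Return sorted, re-defanged (kind, host) pairs for off-site targets."""
    if not filename.lower().endswith((".htm", ".html")):
        return []
    finder = RedirectFinder()
    finder.feed(defanged_html.replace("hxxp", "http").replace("[.]", "."))
    finder.close()
    hits = set()
    for kind, target in finder.targets:
        host = urlparse(target).hostname
        if host:  # relative targets have no host and stay inside the file
            hits.add((kind, host.replace(".", "[.]")))
    return sorted(hits)

# Constructed attachment: only the destination site comes from the newsletter;
# the markup, file name and paths are placeholders.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=hxxp://candcinfotechdev[.]com/placeholder">
<script>window.location.href = "hxxp://candcinfotechdev[.]com/placeholder";</script>
</head><body><form action="/local"><input name="q"></form></body></html>"""

if __name__ == "__main__":
    print(scan_attachment("placeholder-invoice.html", SAMPLE))
```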

          Finally, here are two more examples of malicious texts that were part of the multi-day barrage targeting this chemical company.  Each attached file was similar to the email above and 100% malicious! These machine-gun style threats continued for several days.  From our perspective, this Safety Officer is excellent and deserves a lot of respect and appreciation for her ability to keep this company safe!

          Amazon Account Locked, Undeliverable Mail and Regarding Your Work – Our readers sent us lots of malicious texts they received last week, including a very oddball one about a person’s employment performance! Let’s start with this bogus text pretending to be from Amazon, followed by mail and packages that could not be delivered (Tis the season!) and ending with your work performance! Happy New Year!

          Here is the text that a woman sent to us to ask if we thought it could be legitimate in any way. We said no way! It is 100% malicious and here’s why…

          1. The fact that she asked us suggests that she did not know the phone number it was sent from.

             

          2. The text is poorly written and the sender does not identify his/herself. Also, notice the use of an apostrophe many times to break up words.  This is a tactic scammers use to try to avoid scrutiny from anti-spam filters.  However, the very use of these tactics 100% identifies the message as malicious or a fraud.

          3. Most importantly, there is a link in the sentence pointing to the domain: liamen[.]us. A WHOIS lookup shows that this domain was registered in Italy just 2 days before she received this text. Newly registered domains are OFTEN malicious! There is no website waiting at that domain. HOWEVER, there is a forwarding script on it that will send visitors to another oddball domain in Columbia. This behavior is typical of a threat.

          Until next week, surf safely!

          Copyright © 2022 The Daily Scam and Scamadviser. All rights reserved.