
THE DAILY SCAM NEWSLETTER  |  FEBRUARY 21, 2024

Co-Founder/Content: Doug Fodeman  |  Co-Founder/Creative: David Deutsch  |  V04N02

Clever Malware Traps Waiting for Your Click

Scammers have LOTS of ways to make money by sucking the blood of their victims. (Yes, most are sub-human vampires who don’t care about the pain they cause others!) One of their most precious tools is malware used to infect your devices. Malware typically offers them a lot of choices and ultimate control over victims. It can include ransomware that locks YOU out of your device until you pay a ransom, or keylogging software that captures every keystroke for the scammers to see (such as the logins for bank accounts and an Amazon account), or software that gives the scammers complete control of your device. There is a wide variety of malware options available to them. (Source: Wikipedia) But their success is completely dependent on getting YOU to install their malware. Check out some of the recent and clever tricks we believe are designed to do exactly that, including email and social media threats!

A QR code is a 2-dimensional graphic made up of squares that can be translated into a URL or link on the Internet. The QR means Quick Response and any digital camera connected to the Internet, such as your phone, can scan a QR code, immediately open a browser and send you to the encoded destination. (Source: Wikipedia) In July of 2022 we first sent a warning to readers about the use of QR codes by cybercriminals to manipulate victims’ web browsers, though we had no specific examples. Then in the Summer and Fall of 2023, our readers reported a few examples of malicious QR codes landing in their email inboxes. Now, in 2024, we’re seeing an increase in malicious QR codes reported to us by readers. Here are two examples. Both came as pdf attachments to emails.

The subject line in the first email says that it came from a service called DocShare but that wasn’t true! The email contained no information whatsoever, other than a standard confidentiality statement. The only content in the attached pdf was the QR code! The recipient has no idea whatsoever what this document is about, or from whom! QR codes are typically used by cybercriminals to send you to a malicious website where malware is lying in wait like a bear trap, ready for you to step into it.

This second example was sent to a business by “Payroll Update” and yet it contained NO email address! The subject line also included another trick used to get malicious content through antispam servers.  The words “Salary Approval” in the subject line were actually purposely spelled incorrectly. These words used a capital i for a lower case L.  “Saiary Approvai”   But because of the font selected, it appears as “Salary Approval.” Also, the attached file contained the name and stolen logo of the business being targeted, along with the malicious QR code. Legitimate businesses would never do these things!  Fortunately, the business that received this email recognized this as a fraud and shared it with us!
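As an added illustration (not code from The Daily Scam), the Python sketch below checks message headers for the red flags described here: a capital I standing in for a lowercase l in the subject, a From header with no email address, and the Reply-To mismatch noted later in this newsletter. The function names and the sample headers are constructed for the example.

```python
import re
from email import message_from_string

# Loose address matcher: enough to tell whether a header carries an address.
ADDR = re.compile(r'[^\s<>@"]+@[^\s<>@"]+')

def repair_capital_i(subject):
    """Return (as_written, probable_word) for words hiding a capital I as an l."""
    hits = []
    for word in re.findall(r"[A-Za-z]+", subject):
        # A capital I after the first letter of a mixed-case word is the tell;
        # all-caps words such as INVOICE are left alone. Names like "McIntosh"
        # would also match, so treat a hit as a signal, not a verdict.
        if "I" in word[1:] and not word.isupper():
            hits.append((word, word[0] + word[1:].replace("I", "l")))
    return hits

def first_address(header_value):
    """Lower-cased first email address found in a header value, or None."""
    match = ADDR.search(header_value or "")
    return match.group(0).lower() if match else None

def triage(raw_message):
    """List the header red flags found in one raw message."""
    msg = message_from_string(raw_message)
    flags = []
    for written, probable in repair_capital_i(msg.get("Subject", "")):
        flags.append(f"subject word {written!r} reads as {probable!r}")
    sender = first_address(msg.get("From"))
    if sender is None:
        flags.append("From header carries no email address")
    reply = first_address(msg.get("Reply-To"))
    if sender and reply and reply != sender:
        flags.append(f"Reply-To {reply} differs from From {sender}")
    return flags

# Constructed sample headers (not the real messages from the newsletter).
PAYROLL = "From: Payroll Update\nSubject: SaIary ApprovaI\n\nSee attached PDF.\n"
PIANO = ("From: Teri Ford <teri@sender.example>\n"
         "Reply-To: shipping@other.example\n"
         "Subject: Free piano\n\nHello.\n")
CLEAN = "From: HR <hr@corp.example>\nSubject: INVOICE for Ilya\n\nHi.\n"

if __name__ == "__main__":
    for name, raw in (("payroll", PAYROLL), ("piano", PIANO), ("clean", CLEAN)):
        print(name, triage(raw))
```

A differing Reply-To also appears in legitimate mailing-list and help-desk mail, so it is best weighed together with the other flags.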

    Pretend to Hire Your Services: Last week we heard from a private CPA. He had received an inquiry from Gary Kane for help to prepare his taxes. The CPA replied and Gary’s second email came with a few details, including a link to a secure document for the CPA. But the CPA noticed that Gary’s second email came from a different domain than his first email, which seemed odd.  Lycos[.]com, used in the second email, is a free email service. And, as it turned out, the first email  came from marie-bouchet[.]com, which a WHOIS tool tells us has never been registered! (“mariebouchet.com,” without the hyphen, is a reflexology business in France.) All of this prompted the CPA to check the LINK Gary sent using Virustotal.com and the results were immediate and conclusive! Gary Kane’s link was malicious and pointed to a dangerous downloadable zip file. We believe this compressed zip file likely contains malware.

    During the last year we’ve heard from many businesses who are targeted by tricks like this. In this trick, new potential clients inquire about products or services and then try to manipulate the business into clicking dangerous links.

    Link within a link: Another trick we’ve often seen used by cybercriminals to direct you to malware is a method intended to separate a very malicious link from the source email. Here is a recent perfect example of a link within a link! Once again, an email from “Accounts Payable” is sent to a business and contains a fake invoice. But rather than simply include the invoice in the email itself, there is a link to supposedly view the invoice (document). However, that link simply points to a Google page of a private account where there is another link called “View Document” to a supposed pdf file. This is scammer behavior and intended to make it harder for antispam and other security software to detect a threat!

        Finally, we leave you with this very commonly used threat that often targets people on social media like Instagram, X (Twitter) and Facebook. It takes the form of a link/image claiming that someone famous has either died or been seriously injured in an accident. This one was sent to us by a reader who had it shared from a friend’s hacked Facebook account. It is 100% clickbait. We don’t know the exact link destination shown in this image as youtu[.]be (YouTube’s link-shortening service). However, we can tell you that in past examples of this, the link often points to a phishing page or malware that captures login credentials to accounts. And, by the way, Simon Cowell is alive and well. If ever you see claims like this on social media, DO NOT CLICK the link to find out! Instead, open a browser window to Google and ask the search engine if someone has died. If you don’t see credible sources backing up that claim then it was malicious clickbait!

        Podcast #2 Released and Voicemail from Relief Advisory Approval Dept

        On February 15, Doug released Podcast #2 about “malvertizing.” This 16-minute podcast included examples and an interview with an expert in recognizing these threats. Check it out here on the SecureWon website, our partner in our monthly Podcast series. In our January 24 newsletter, we reported on a shipping scam connected to a “free piano” giveaway by a woman named Katie Vaughn. Just a few days ago, we received another identical email from a woman named “Teri Ford” who also wanted to give us her late husband’s free piano. We only needed to pay the shipping company! Notice in Teri’s email that the REPLY-TO address is different than the sending address. This is typical scammer behavior!

        Also last week, one of our readers received FOUR nearly identical voice messages over 3 days on her phone. All were from the “relief advisory approval department” of an unnamed company. Each came from a different phone number and 3 of the 4 asked the woman to call back different phone numbers, including 844-204-6130, 844-474-2375, and 877-205-9199. (We’ve linked each of these phone numbers to reports of fraud discovered in our searches.) Each of these phone numbers has been linked to scam calls from the Relief Advisory Approval Department!  This scam is explained pretty well in this article on MalwareTips.com.  Enjoy listening to Alison, Sarah 1 and Sarah 2:

        We want to raise awareness about legitimate businesses that use very sketchy practices that some people may describe as scam-like practices. Below is a scan of the front and back of a post card received by one of our readers who had recently purchased a new Honda. The postcard identifies the sender as the “Vehicle Service Division.” But from what company? This offer did NOT come from Honda! When we conducted a Google search for the phone number on the postcard, 888-582-6870, the first link we found was to a business listed on the Better Business Bureau website and called US Automotive Protection Services.  This name doesn’t appear on the post card. The BBB.org gives this business an “F” rating and has an alert posted on their site due to a “pattern of complaints” against this company.  When we checked BBB.org on February 18, this business had more than 230 reviews giving them a star rating of 2.12 out of 5. More complaints about this business can be found on other websites, such as Scammer.info.  Caveat emptor!

        Paypal Nike & Bitcoin Purchase, Antivirus purchase and Payment Request

        People around the world are being bombarded by these types of phishing scams! Most are sent from free Gmail accounts and NONE of them contain much more than the recipient’s email address and username! Also, most contain attached pdf files. This first one claims to be about your Nike purchase for $545.60. The second one says that you purchased bitcoin for $561.37. Neither phone number is the legitimate number for Paypal! NEVER call the numbers in these clickbait! The cybercriminals who answer are extremely manipulative and often very convincing!

        Once again we have a smelly phish sent from a free Gmail account from a woman named “dianne.” Check out the paragraph at the top of the email.  It is complete gibberish!  Also, be sure to notice that this email was sent to “undisclosed-recipients” meaning LOTS of people!

        Deeeeeleeeeete!

        We would like to remind our readers that cybercriminals misuse the real Paypal service to set up bogus accounts. They use these accounts to send out fake invoices to people from a real Paypal email. Just because you get a legitimate email from paypal.com doesn’t mean the email itself is legitimate! In fact, read what Paypal says at the bottom of every email and take heed!   Remember to report your smelly phish! https://safebrowsing.google.com/safebrowsing/report_phish/

        Apple Vision Pro

        Have you heard about the newly released Apple Vision Pro spatial computer that you wear like a pair of goggles to fuse together a computer screen with reality?  Scammers certainly have!  We’ve heard from several readers about this product. Check out this email telling the recipient that she has been selected to receive a FREE Apple Vision Pro. But it came from a crazy domain that was never registered and the links all point to GoogleApis.  We’ve confirmed that the link is malicious. Lunge for the delete key!

        This second offer for a free Apple Vision Pro wants you to believe that you are part of an Apple Loyalty Program. But this email didn’t come from Apple and it was sent to a Windows user who doesn’t own an Apple computer!  Virustotal said that six security services had found the GoogleApis link to be malicious!  You know what to do!

        Facebook Sponsored Ad and Bogus Threat Popup

        One of our readers was on Facebook and saw a “sponsored ad” to a website called foodscenttest[.]shop and clicked the link. He was immediately redirected to a malicious popup on a website called elliottpotter[.]autos. The popup claimed to be from Windows Defender, telling him that his device was infected with a trojan spyware and blocked for security reasons.  He was urged in multiple windows to call 888-566-6119 for Microsoft support. But this isn’t the support number for Microsoft! Browser popups like this are ALWAYS malicious clickbait!

        Similar to the above popup, another man notified us that he visited a website (though we don’t know which one) and was immediately redirected to a website called azurestaticapps[.]net and hit with this popup. It claimed to be an Apple Security Alert and urged him to call 877-592-0824 because his PC was infected with a “trojan-type spyware.” How can an Apple security alert for macOS also identify a computer as a Windows PC? This is 100% malicious clickbait! If this happens to you, immediately SHUT DOWN your computer and when you restart, be sure to clear your browser cache just to make sure that no malicious software was installed in your browser cookies or extensions.

        Until next week, surf safely!

        Copyright © 2024 The Daily Scam. All rights reserved.