Can Superfoods Harm You? This One Can! — According to Wikipedia, a “superfood” is a food that is believed to confer health benefits as a result of exceptional nutrient density. Some consider berries or certain grains to be superfoods. The idea of superfoods guides the purchasing and eating decisions of millions of people around the world. Unsurprisingly, superfoods are also the topic of news articles, research and books, such as “The Lost Superfoods,” published in 2020 by several co-authors. Whether you believe in the idea of superfoods, or follow recommendations about them, is not the point we are considering here. The point is that this popular and growing trend was very recently hijacked by cybercriminals. They created a malicious website, a marketing campaign and topical content, and used the book “The Lost Superfoods” to throw clickbait into the inboxes of many thousands of people, including Doug at The Daily Scam. Check out the email I received and the evidence I uncovered showing how criminals weaponized this topic to make money.
On the morning of February 15, I found an interesting email in my inbox with the subject line “126 Forgotten Survival Foods That You Should Add to Your Stockpile.” The email came from forgottenfoods “@” primefood[.]shop. Though I was intrigued by both the subject line and the website domain, I was concerned to see a .shop top-level domain, because these inexpensive generic TLDs are often misused by cybercriminals. All links in this email pointed back to the domain primefood[.]shop.
Out of an abundance of caution, I visited my favorite WHOIS tool and looked up the full domain name PrimeFood[.]shop, only to find my suspicions confirmed! This domain had been registered just hours earlier. The age of a domain is one of the strongest signals of fraud or malicious intent that can be associated with a link: a domain created hours before it lands in your inbox has no history, no reputation and no legitimate reason to be sending mass email yet.
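The check described above can be automated. The following is an added example, not code from The Daily Scam: it reads the registration date out of an RDAP record (RDAP is the JSON successor to WHOIS; registries publish an `events` array with a `registration` entry) and turns the domain's age into a triage verdict. The RDAP record embedded below is constructed for illustration and is not the real record of primefood[.]shop; the `fetch_rdap` helper shows where a live lookup would plug in but is not needed to run the demonstration.

```python
"""Domain-age check: flag domains registered hours or days before an email arrived.

Added example (not from The Daily Scam). Parses the standard RDAP 'events'
array (RFC 9083). SAMPLE_RDAP is a constructed record, not real WHOIS data.
"""
import json
from datetime import datetime, timezone
from typing import Optional
from urllib.request import urlopen

# Constructed RDAP response; only the fields the check needs are present.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "primefood.shop",
    "events": [
        {"eventAction": "registration", "eventDate": "2023-02-15T03:12:44Z"},
        {"eventAction": "last changed", "eventDate": "2023-02-15T03:12:44Z"},
        {"eventAction": "expiration",   "eventDate": "2024-02-15T03:12:44Z"},
    ],
})


def parse_rfc3339(stamp: str) -> datetime:
    """RDAP dates are RFC 3339. fromisoformat() before Python 3.11 rejects a
    trailing 'Z', so normalise it to an explicit UTC offset first."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def fetch_rdap(domain: str) -> str:
    """Live lookup through the rdap.org bootstrap redirector (network required;
    not used by the offline demonstration)."""
    with urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return resp.read().decode("utf-8")


def registration_date(rdap_json: str) -> Optional[datetime]:
    """Return the 'registration' event as an aware UTC datetime, or None."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            return parse_rfc3339(event["eventDate"])
    return None


def domain_age_days(rdap_json: str, now: datetime) -> Optional[int]:
    """Whole days between registration and 'now'; None if no registration event."""
    registered = registration_date(rdap_json)
    if registered is None:
        return None
    return (now - registered).days


def age_verdict(rdap_json: str, now: datetime, young_days: int = 30) -> str:
    """Turn the age into the label a reviewer wants to see."""
    age = domain_age_days(rdap_json, now)
    if age is None:
        return "unknown (no registration event in record)"
    if age < 1:
        return "registered within the last 24 hours: treat as hostile"
    if age < young_days:
        return f"registered {age} days ago: very young, treat with suspicion"
    return f"registered {age} days ago"


# Constructed arrival time of the email, a few hours after the registration above.
RECEIVED = parse_rfc3339("2023-02-15T09:00:00Z")

if __name__ == "__main__":
    print(age_verdict(SAMPLE_RDAP, RECEIVED))
```

The 30-day threshold is a judgment call, not a standard; legitimate new businesses do register domains, so a young domain is a reason to look harder rather than proof of fraud on its own. A missing registration event is itself worth noting, since some registries publish thin records.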
Knowing the likelihood that the domain PrimeFood[.]shop was a malicious website created to attract clicks and infect computers, I carefully copied the link in the email and visited several Internet security tools to evaluate it. (We DO NOT recommend that our readers ever try this, because a mistake can result in a dangerous computer infection of many kinds, including ransomware or a keylogger being installed.) Sucuri.net and VirusTotal.com are both good resources for this. They showed us that the link to PrimeFood[.]shop is actually just a redirect to another website called BestShoppingPoint[.]co (“.co” is Colombia’s country-code top-level domain, though it is sold worldwide, so it says little about where the operator actually is), and that the domain BestShoppingPoint[.]co is a well-known malicious destination associated with malware AND phishing scams!
It turns out that BestShoppingPoint[.]co was registered about 2 months earlier through the registrar Namecheap, a favorite of cybercriminals, with a registrant address in Iceland (which is typically what a domain hidden behind Namecheap’s WHOIS privacy service looks like, so the real owner could be anywhere). Everything about that “superfoods” email was a complete fraud, designed to appeal to readers’ curiosity or interest in a healthy diet and to elicit a click. One click is all it takes to result in a device infection that can lead to serious consequences for a victim and the victim’s family, who may also use that device. This is just one more reason why it is so very important to look at the details BEFORE you click, and to question things like the source of an email or text and the links contained in it.
Thanking a Scammer and Reasons Why It Is Critical We Pay Attention! — We want to give a big shout out to a cybercriminal named Taji and thank him for sending so much malicious clickbait to one of our honeypot accounts! This content has been tremendously helpful in understanding how these gangs design, create and try to trick the public into clicking their links. (We can’t reveal how we know this man’s name, but he knows.) Thanks Taji! Keep them coming! We want the world to understand what low-life scumbags these people are who choose to make money by preying on the lives of others. For example, in recent months criminals using ransomware have heavily targeted hospitals. Shutting down a hospital’s computer systems and holding them for ransom has had life-threatening consequences for patients! In 2022, The Guardian published an article detailing these types of attacks and the consequences that resulted from them. Fortunately, the United States FBI recently took down a ransomware network that was used to target hospitals and others, as reported by the American Hospital Association.
As if that isn’t scumbag enough, cybercriminals also target small independent schools. We’ve reported many times about the fraudulent attempts of scammers in Africa who have tried more than 2 dozen times to trick one particular elementary school into sending an employee’s paycheck to a new bank account controlled by the scammers. (Fortunately, it has never worked and never will work! The team in the business office at this school is well-trained, but more importantly has protocols in place that will never allow anyone to change banking information via email; a request like that must be confirmed with the employee in person or by phone.) Check out this recent article posted on Venable about how these types of scams operate. (They are sometimes called “BEC” scams, for “Business Email Compromise.”)
Online fraud comes in many forms, including “mercenaries” who advertise themselves for hire. Very recently, The Guardian exposed a team of Israeli hackers-for-hire who specialize in disinformation campaigns targeting elections all over the world. They have been hired to manipulate voting in the United States, the UK, France, Germany, Canada and other countries. Watch this 5-minute video recently published about this disinformation team for hire. Together, all of this fraud means that we all need to think more critically and carefully about the content, email, texts, social media and information that comes to our attention in the digital world.
We have a copy of a recent voicemail that sounds like an American woman claiming to represent the Internet/TV service provider Comcast. She is offering a great “50% off” deal, but that deal ends today! This is 100% a fraud. The call came from 415-314-0210, but you are asked to call back 855-771-5389. According to this record in Buzzfile.com, the 415 phone number belongs to a motor vehicle parts and accessories company in California, so the caller ID was spoofed. The 855 phone number has no association whatsoever with Comcast. Enjoy…
Scam Caller as Comcast Xfinity Deal
Venmo, Microsoft OneDrive and Norton LifeLock — Venmo has become a very popular way to send money, especially between friends and family. So it is no surprise that cybercriminals created this phishing email disguised as a message from Venmo support. But the email appears to have come from the domain bantuhebrewwords[.]com, which was registered in Uganda. Most importantly, the “verify now” link in the email misuses a LinkedIn link to bounce you toward the phishing page. It certainly isn’t pointing to venmo.com!
Sometimes we have to laugh at how easy it is to spot online fraud, like this email sent to us at The Daily Scam, from…. Us! Look carefully! It appears to show that we sent an email to ourselves saying that we had 4 documents to view in our Microsoft OneDrive. (Forging the From address to match the recipient is a cheap trick that works only if nobody looks at where the links go.) But the link to view the files points to a VERY malicious link at arweave[.]net, a gateway to a decentralized file-storage network that phishers like because pages hosted there are hard to take down. Nine security services have identified that link to arweave[.]net as malicious!
Lately, phishing emails pretending to be invoices for security services, like Geek Squad or Norton LifeLock, are flooding everyone’s inboxes! Our friend and scambaiter Rob received five of these in just one day! Check out just one, a Norton invoice-NTT-125631 he received on February 15. Other than his email address, notice that this fraud doesn’t contain a single bit of identifying information: no customer name, no product, no masked card number or payment method, and nothing about HOW he was supposedly charged $349.99 in this “auto renewal.” A real invoice tells you what you bought and how you paid; this one only wants you to call the number.
You’ve Reached Your iCloud Storage Limit and Claim Your Free COVID Test — Technically, both of the scams we’re highlighting in this week’s Your Money column offer free services. However, under “normal” circumstances, both would cost consumers money! The first, sent to us by a TDS reader, says that you have reached your iCloud storage limit. But wait! As part of some fictitious loyalty program, you’re going to get 50 GB of online storage space for free! How lovely…. If it were true! This clickbait came from a server in the UK, not icloud.com or apple.com. Also notice that the text on the blue button in the email contains a typo and, more importantly, that the button’s link points to a well-known link-shortening service called Bit.ly rather than to Apple. Of course we used Urlex.org to unshorten that link and discovered that you’ll be redirected to another website with a misspelled name, FullyChamge[.]uk. (See screenshots below.) This malicious website was registered in the UK but is hosted on a server in the Czech Republic!
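The Venmo, OneDrive and iCloud lures above all fail the same simple test: the sender and the links do not belong to the brand the message claims to be from. The following is an added example, not code from The Daily Scam, that automates that look-before-you-click check over an HTML email body: it pulls every link, flags senders and link hosts that are not on the brand’s domain, flags URL shorteners (which hide the destination exactly the way the Bit.ly link did), and catches anchors whose visible text names one site while the underlying link goes somewhere else. The brand domain, sender address, sample HTML and shortener list are all constructed or heuristic assumptions for the demonstration.

```python
"""Link triage for a branded email: do the links go where the brand lives?

Added example, not code from The Daily Scam. LURE_HTML and CLEAN_HTML are
constructed samples; SHORTENERS is a deliberately short heuristic list.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts of URL shorteners. A transactional message from a brand has no
# reason to hide its destination behind one (heuristic, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd", "cutt.ly", "lnkd.in"}


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; '' for mailto:, tel: and fragments."""
    return (urlsplit(url).hostname or "").lower()


def on_domain(host: str, domain: str) -> bool:
    """True if host is the domain or a subdomain of it (venmo.com, help.venmo.com).
    Note that venmo.com.evil.test is NOT on venmo.com: the suffix must match whole."""
    return host == domain or host.endswith("." + domain)


def looks_like_url(text: str) -> bool:
    """Anchor text that reads like a domain or URL rather than a label."""
    return "." in text and " " not in text and "://" in text or (
        "." in text and " " not in text and not text.startswith("@"))


def triage(sender: str, brand_domain: str, html: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing stood out."""
    collector = LinkCollector()
    collector.feed(html)
    findings: List[str] = []

    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not on_domain(sender_domain, brand_domain):
        findings.append(f"sender domain {sender_domain} is not {brand_domain}")

    for href, text in collector.links:
        host = host_of(href)
        if not host:
            continue
        if host in SHORTENERS:
            findings.append(f"{href}: shortener hides the real destination")
        elif not on_domain(host, brand_domain):
            findings.append(f"{href}: points away from {brand_domain} to {host}")
        # Visible text that names a site the link does not actually go to.
        if looks_like_url(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and not on_domain(shown, host):
                findings.append(f"text shows {shown} but link goes to {host}")
    return findings


# Constructed lure in the style of the Venmo message above (sender domain from the article).
LURE_HTML = """
<p>Your Venmo account needs verification.</p>
<a href="https://lnkd.in/x1y2z3">Verify now</a>
<a href="https://bit.ly/3abc">https://venmo.com/settings</a>
<a href="https://venmo.com/help">Help Center</a>
<a href="mailto:support@venmo.com">Contact us</a>
"""
# Constructed message that passes every check.
CLEAN_HTML = '<a href="https://help.venmo.com/">Help Center</a>'

if __name__ == "__main__":
    for finding in triage("support@bantuhebrewwords.com", "venmo.com", LURE_HTML):
        print("!", finding)
```

Run against the constructed lure this reports four problems: the off-brand sender, two shortened links, and an anchor that displays venmo.com while pointing at bit.ly. A shortened link is not proof of fraud, but it is the point where a reader should stop and unshorten it (as the article does with Urlex) before touching it.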
COVID is still a problem around the world. Thankfully, it is now possible for citizens to get free COVID test kits in many countries. This very clever clickbait employed several tricks, and considerable criminal effort, to convince recipients it was real and get them to click the link, resulting in a malware infection! The email inviting you to claim your 8 free at-home COVID test kits appears to represent a real healthcare company called ATC Healthcare. The email even came FROM, and has links pointing TO, the domain ATCCovidTestingntwrk[.]com (as in “ATC Covid Testing Network”). A quick search for ATC Healthcare showed us that their website uses the domain atchealthcare.com. Could the other domain also be owned or used by this company?
First, we carefully copied the link in the email above and visited our favorite tools to evaluate it. Zscaler’s Zulu URL Risk Analyzer not only rated the link 100% malicious, it told us that the domain atccovidtestingntwrk[.]com is hosted on a server in Bulgaria (“BG”) that has malware lying in wait for our visit! And to make sure you don’t suspect anything, once you’re hit with malware you’ll be redirected to another website called covidtestingscreening[.]com, which also has malware lying in wait, according to the Zulu URL Risk Analyzer! (It’s important to note that this second malicious website is also dressed up to look like it is owned by ATC Healthcare.)
But this fraud isn’t over yet! If you visit the REAL ATC Healthcare website, you can see that it was co-founded by two brothers who share the last name Savitsky. A Google search will also show that the son of one of these founders is a man named Jordan Savitsky. This is where the fraud gets even more interesting. A WHOIS lookup for atccovidtestingntwrk[.]com shows that this malicious domain, hosting malware and a redirect to another malicious website, was set up just two days earlier by someone using the name “Jordan Savitsky,” including his business name, ATC Testing, and his business address! Registrant details in WHOIS are whatever the registrant typed, so a real person’s name and address there prove nothing; that malicious domain is being hosted on a server in Bulgaria. Cybercriminals went to a LOT of effort to disguise this fraud. Don’t be fooled! We always encourage our readers to send us their suspicious content and ask for our opinion! (We reserve the right to publish content shared with us for educational purposes but guarantee to remove any personally identifying information before publishing it.)
Attached Invoice and Your Password is About to Expire — Like many of the businesses whose employees read our newsletters, we continue to be targeted by malicious emails that claim to have attached invoices that are really dangerous web files in disguise, with names ending in .htm, .html or .php. Here’s another one sent to us, asking us to “please see attached requested invoice.” We cracked open this particular bogus “invoice” (as plain text, never by opening it in a browser) to find sophisticated web code. The code included the words “We can’t show this document here, you need to download it.” Ah… no thanks. We’re good!
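A mail gateway or a cautious admin can catch the “invoice” trick above without anyone opening the file. The following is an added example, not code from The Daily Scam: it builds a constructed message with three attachments (a genuine .htm web file, a “PDF” that is really HTML, and a harmless PDF stub), then parses the attachments back out, flags web-file extensions, sniffs for HTML content hiding behind an innocent extension, and looks for the lure text and script constructs a page like the one described would use. The filenames, sender and page contents are constructed, and the indicator lists are heuristics, not a complete signature set.

```python
"""Attachment triage: spot web files posing as invoices and peek inside.

Added example, not code from The Daily Scam. The message is built with the
standard library so the demonstration runs offline; filenames, sender and
page contents are constructed, and the indicator lists are heuristics.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List

WEB_EXTENSIONS = {".htm", ".html", ".xhtml", ".php", ".hta"}
# Text an HTML "invoice" shows while it tries to fetch or decode the real payload.
LURE_PATTERNS = [r"can.?t show this document", r"need to download"]
# Script constructs commonly used to hide the next stage from a casual look.
OBFUSCATION_PATTERNS = [r"\batob\s*\(", r"\bunescape\s*\(", r"document\.write\s*\(",
                        r"String\.fromCharCode", r"\beval\s*\("]


def build_sample_eml() -> bytes:
    """Construct a message with three attachments: a real web file, a 'PDF'
    that is actually HTML, and a harmless PDF stub. All content is made up."""
    invoice_page = (b"<html><body><p>We can't show this document here, you need to "
                    b"download it.</p><script>document.write(atob('PGI+eDwvYj4='));"
                    b"</script></body></html>")
    fake_pdf = b"<!DOCTYPE html><html><body>Loading statement...</body></html>"
    real_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

    msg = EmailMessage()
    msg["From"] = "Accounts <billing@example.invalid>"   # constructed sender
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "please see attached requested invoice"
    msg.set_content("Please see attached requested invoice.")
    for name, data in [("Invoice_4471.htm", invoice_page),
                       ("Statement.pdf", fake_pdf),
                       ("Terms.pdf", real_pdf)]:
        # Sent as a generic binary so the extension, not the MIME type, does the lying.
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


def looks_like_html(data: bytes) -> bool:
    """Content sniff: does the file start like an HTML document regardless of its name?"""
    head = data.lstrip()[:64].lower()
    return head.startswith((b"<!doctype", b"<html", b"<script", b"<head", b"<body"))


def scan_attachments(raw: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious attachment: {'filename', 'reasons'}."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[Dict[str, object]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        content = part.get_content()            # bytes for binary parts, str for text
        data = content.encode("utf-8", "replace") if isinstance(content, str) else content
        text = data.decode("utf-8", "replace")
        reasons: List[str] = []
        if ext in WEB_EXTENSIONS:
            reasons.append(f"web file extension {ext} on an 'invoice'")
        elif looks_like_html(data):
            reasons.append(f"HTML content behind a {ext or 'missing'} extension")
        for pat in LURE_PATTERNS:
            if re.search(pat, text, re.IGNORECASE):
                reasons.append(f"lure text matches /{pat}/")
        hits = [pat for pat in OBFUSCATION_PATTERNS if re.search(pat, text)]
        if hits:
            reasons.append(f"script obfuscation: {len(hits)} indicator(s)")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_attachments(build_sample_eml()):
        print(finding["filename"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed message this flags Invoice_4471.htm for its extension, both lure phrases and the atob/document.write pair, and Statement.pdf for carrying HTML under a PDF name; Terms.pdf passes. The content sniff matters because renaming the file is the attacker’s cheapest counter to an extension blocklist.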
Problem Billing Your PayPal Account — One of our readers received this beautifully crafted text informing him of a problem with billing in his PayPal account. Last time we checked, PayPal writes its own name with two capital Ps. The link points to a website that looks a lot like paypal.com, right? Managelogservupdteid23[.]us. This lovely domain was registered just hours before the text was sent and is hosted on a server in Indonesia. Sounds like PayPal to us!
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands