Weekly Alert  |  January 26, 2022

It’s important to notice that this particular email, from a woman identified as “colmenar,” was sent from a domain called datingls[.]com.  A WHOIS lookup of this domain tells us that it was registered through NameCheap in Iceland in September 2020 and it is being hosted in Madrid, Spain.  NameCheap, a legitimate registrar service, is NOTORIOUS for enabling cybercriminals to easily register tens of thousands of malicious domains. (Check out this blog post by David McConnell in 2020 about NameCheap’s poor effort to police itself, resulting in a lawsuit from Facebook.)  Also odd was the content we found at the top of this “dating” site.  Look at the screenshot below.  All of this evidence STRONGLY suggests to us that this “dating” site is highly suspicious and may not be what it wants you to think it is.

Ted is in his late 60s and married.  Not only was he not interested in the offers that poured in, but he suspected that these offers could be malicious or misleading in some way. He was right to think so!  Something Ted didn’t know is that every single time he opened one of these emails, the sender could be notified.  In fact, an email sender can learn many things about the person who opens their email if it contains a tracking cookie!  For example, the sender can learn the day/time it was opened, how many times it was opened, even the approximate location and information about the device of the person who opens the email!  We advised Ted to simply delete these questionable invitations without opening them. (To learn more about these tracking cookies, also called “clear gifs” and “web beacons,” visit this Wikipedia article.)

    After several weeks, the source of these invitations changed.  Ted started to receive random chat requests from women through the chat service called Google Hangouts.  Their sexual intentions were very clear, as shown by these two screenshots Ted shared with us.

Something that stood out to us was the odd discrepancy between the name posted at the top of each chat request and the supposed name of the sender.  For example, “Kristal Cholmon…” shows the name “Julia Carter” at the top of her invitation.  Also, she begins her message with “Hey Temptress.”  According to both the Oxford and Merriam-Webster Dictionaries, a “temptress” is a description of a woman.  And yet, Ted’s Gmail address name strongly suggests he is a male.  So why did Kristal (or Julia?) send that message to him?  Why did any of the dozens of women send their chat messages to Ted completely unsolicited, and how can he stop the flood?

We strongly suspect that there may be several risks for Ted associated with these random emails and invitations.  Though human sexual desire is normal, we STRONGLY recommend against responding to these unsolicited invitations as a way to fulfil that desire. We can’t think of any REASONABLE reason why a young woman would reach out to a stranger in his 60s for a sexual encounter. However, during the last few years, more than 75 men have contacted us for advice to deal with a form of sextortion that begins with meeting a woman online. (The youngest male victim was age 16; his mother contacted us after her son revealed that someone was trying to extort money from him.)  This extortion example doesn’t include the nearly 1000 men who were victimized by another online sex scam we call the underage girl sext scam.

The type of extortion sometimes related to these random invitations (solicitations) occurs when a real woman sets up a sexual encounter through a video chat (or trades sexts with a man). What the man doesn’t realize is that she is recording his screen during their encounter. Afterwards, the woman threatens to post that recording (or sexts) online for the world to see and to send invitations to his family, friends and place of employment. All of this personal information is easy to come by online. Think not? Try visiting OneRep.com and conducting a search for your full name. We’ve published several articles in the past about these forms of extortion, such as “Sextortion Scam Via Facebook” and “Online Dating Scams.”  If the man is lucky, instead of extortion he could discover that the person at the other end of the invitation wants him to pay for access to a livestream or recordings of her.  In other words, a paid porn site.

Ted wanted none of this and asked us how to make it stop.  There is little to be done about the emails landing in his spam folder but he certainly understood that he shouldn’t open them anymore.  As to his unwanted chat invitations, this is what we recommended…

In a Gmail account, click on the small drop-down arrow next to your chat name. (The chat name is usually found in the lower left corner of your Gmail window.)  Look through all of the settings that are available.  For example, select “Decide who can contact you directly and who can send you invitations” and then select those preferences with the STRONGEST level of privacy.  (If you have a Gmail or Google account, we also STRONGLY recommend visiting your account settings and making your account as private as possible, including restricting Google from saving, collecting and sharing information about you.  Google doesn’t make this easy to do!  Start by visiting: MyAccount.Google.com)

        Once Ted had modified his Chat settings in Google, we recommended that he then turn chat off. If you really don’t need it, or don’t need it often, it is a good idea to completely discourage these unwanted solicitations.  We learned that Ted is not alone. Many people have complained about these unwanted invitations.  Check out this Google community post from 2020:

          To turn OFF your Google chat service, go to your Gmail account and then click the gear symbol in the upper right corner of your window and select “See All Settings.”  At the top of the next window you’ll see a list of titles.  Select the last one on the right, called “Chat and Meet.”  In that final window, click OFF for Chat.  You can choose to hide or show “Meet” as needed.  Now, be sure to click “SAVE CHANGES” at the bottom of the window before you exit!  Ted was grateful for our help and so was his wife!

            You Can Help Others Avoid Dating Scams! This week’s Top Story is related to the risks of online dating. If you have had experiences with online dating, please consider sharing your experience using this set of survey questions so that we can help others understand and avoid the risks from dating scams. This newsletter is sent to more than 150,000 subscribers so the benefit you can provide others can be significant! Thank you!

            On January 15, our good friend Rob received an email from a personal Gmail account claiming that he was about to be charged nearly $350 to renew his Norton 360 subscription service.  Of course he hadn’t made such a purchase. Thankfully, there was a scammer’s phone number he could call and ask that the charge be removed from his credit card! Rob took great pleasure in calling, wasting a scammer’s time and then cursing him out at the end of the call!  You can listen to Rob’s call below but since we like to be a “family friendly” newsletter, we’ve cut off the last few seconds of the recording. Imagine a few f-bombs!

            Before you listen to Rob’s call to a scammer who used the name “Tom Cooper,” it is important to understand a few things…

1. The email Rob received is a malicious trick frequently used by cybercriminals, especially several criminal gangs located in India. In the recording you can hear that the scammer, who calls himself “Tom Cooper,” has an Indian accent.

2. The primary goal of these cybercriminals is to trick a victim into visiting a website that will allow their criminal team to remotely access and take control of a person’s computer. There are also other ways they manipulate victims. Giving control of your computer to a skilled criminal results in LOTS of risks and pain to the victim. The criminals will have access to personal files, email, and possibly banking and other accounts.  This is a SERIOUS threat and very difficult to recover from. The criminals also try to install “back doors” into accounts and malware to allow further manipulation. And they often try to lock out the account owner! If this were a real call to assist a consumer with canceling an order, the person at the other end of the phone only needs to look up an account to stop the charge. PERIOD! There is no need for a consumer to visit a website or provide computer access.  As it turns out, “Tom Cooper” asked Rob to visit a registered domain called NSupport[.]live and use an authorization code he would give him.  This is what the web page looks like at NSupport[.]live.  It has nothing to do with Norton by Symantec and was registered at the end of October, 2021. That means this particular scam has been running for at least 3 months.

            3. Listen carefully to this recording and you’ll hear LOTS of other scammers in the background.  These “boiler room” scam operations are found in many countries around the world but lots of them are located in India.  You can see a photo of one of these operations in this AARP article.

            IMPORTANT NOTE: The Consumer Affairs website has posted an article telling people to beware that criminals are posting fake COVID test kit sites in order to steal your personal information.

Your Shopify Account, and Amazon Smelly Phish – What a difference a week can make!  Last week hardly anyone reported phishing scams and this week we had lots!  Enjoy this unusual one for a Shopify account that “has been frozen!” (It is January, after all, in North America.)  Oddly, the email appears to have come from a legitimate site called codeninjas.com but the link to “update payment method” points to the domain acemlnc[.]com and uses codeninjas as a subdomain.  Curiouser and curiouser.  But this is NOT shopify.com!
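The subdomain trick in the Shopify phish can be checked mechanically: what matters is the name someone had to register, not the familiar word placed in front of it. The following is an added example, not part of the original newsletter. The link's host is reconstructed from the description above, its scheme and path are constructed, and the brand list and the short public-suffix set are assumptions.

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes (an assumption for this
# example); real tooling should load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in", "com.br"}

def refang(text):
    """Undo the [.] defanging used in reports so the URL can be parsed."""
    return text.replace("[.]", ".")

def registrable_domain(host):
    """Return the name someone had to register (public suffix plus one label)."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_link(url, claimed_domain, known_brands):
    """Compare where a link really goes with the brand the email claims to be."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    # Labels to the left of the registrable domain cost the sender nothing to choose.
    sub_labels = host.split(".")[: -len(reg.split("."))]
    borrowed = sorted(b for b in known_brands if any(b in s for s in sub_labels))
    return {
        "host": host,
        "registrable_domain": reg,
        "matches_claim": reg == claimed_domain.lower(),
        "brands_in_subdomain": borrowed,
    }

# Host reconstructed from the description above (kept defanged);
# scheme and path are constructed.
PHISH_LINK = "https://codeninjas.acemlnc[.]com/update-payment"
BRANDS = {"shopify", "codeninjas"}  # assumed watch list of brand names

if __name__ == "__main__":
    print(check_link(PHISH_LINK, "shopify.com", BRANDS))
```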

Readers sent us two different phishing scams disguised as Amazon emails.  How unusual (said dripping with sarcasm)! We think you’ll LOVE the English grammar used in the 2nd Amazon phish!  It’s hysterical! Also, the scammers who sent it used two different font sizes in the paragraph, making it appear very weird. And that perfectly aligns with the fact that this scam came from the domain WeirdInssertion[.]com! Inssertion should be spelled “insertion,” making this weird, weird email even WEIRDER!

            Valentine’s Day Scams Are Coming and Insanely Cool Gifts – We got hit with this malicious email weeks ago and the cybercriminals rebranded it recently as “Valentine’s Day is Coming.” They’ve suggested the best gifts we can buy for our wives and daughters.  All we have to do is click the link to a malware-loaded website beautifully crafted as j65t7tyjy[.]xyz.  What a lovely domain name for gifts!

            When we used an online screenshot machine to take a picture of this lovely website, we discovered that visitors will be hit with malware and THEN be forwarded to a different site called icoxi[.]com that appears to sell these gifts for real.  But is it real?  Check out this article on Ad-Scams.com about this website and you be the judge whether or not the redirected site is legitimate (We are suspicious that it is not!)  As for j65t7tyjy[.]xyz, it was registered in Iceland through NameCheap less than a month ago!  Need we say more?

            This clickbait landed in one of our honeypot accounts offering “insanely cool gifts” from a Gmail account by someone named Fatima Zohrie.  The links all pointed to a domain called dateadier[.]com which had been registered anonymously in Iceland using NameCheap  just 5 days earlier! We all know what that means. But the name caught our attention… “date a dier” as in “date someone who dies?” Isn’t that a bit like being a necrophiliac?  Lunge for the delete key!

Confirm Your Unsubscribe!!!  And Dying Priest Reveals… – It is crystal clear to us that some cybercriminal truly believes that including three exclamation marks after a command is surely going to make people take notice!!!  We do.  It tells us that the sentence was crafted by someone who doesn’t speak any good English!!!  This “unsubscribe” notice contained the same link whether you clicked to confirm or clicked to unsubscribe.  Malware lies in wait at the end of that link. It’s “guareanteed[.]com!!!”

            During our nearly 10 years of exposing online fraud, we often remind readers that cybercriminals LOVE to use clickbait directed at those who believe in God and to appeal to their faith.  Here’s a perfect example. The subject line of this clickbait said “Dying priest reveals closely guarded Vatican secret.”  The contents of the email are made to sound shocking!  The only shock will be to the victims who click the link to visit “blacomix[.]digital.” This domain, similar to the domain for an animation company in Kolkata, India, was registered anonymously in India using NameCheap last April.  Need we say more?

            Access Your Instagram Account, ATT, and Motor Department Texts – A reader sent us this text that she received a few days ago, knowing full well that it was a fraud.  She doesn’t have an Instagram account!  The link points to an Instagram login page. However, as we learned in this Distractify.com article, these texts have been identified as phishing texts or links to malware!

            “ATT” has a gift for you, again! Don’t believe it! Many people have reported these particular texts to us.  They are all 100% malicious and the links lead to malware intent on infecting your phone.  The domain, bmwy10[.]com, was registered in Iceland the day before the text was received!  Yikes! Delete!

And now for something completely different!  A man living in Massachusetts received the following two oddball texts and was smart enough to recognize them as a threat! The first came from 989-215-6908 and contained the most bizarre English from “Motors Dept” and a link to “roadmotde[.]com.”  This “eager to travel” domain was registered just hours earlier in Iceland using NameCheap.  What a shock!

            The second text came from 336-827-3377 and was even more bizarre!  It informed the man that “All Driver on MA State zone with ZERO accidents” could get as much as $1200 back!   The bizarre domain in this link, “dm-is-st[.]us,” was also registered just hours before the text was sent.  It was registered by a woman who says that she lives on Nutters Barn Lane in Des Moines, IA, 50309.  There is NO SUCH ROAD in Iowa!

            Until next week, surf safely!

Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.