Weekly Alert  |  January 5, 2022

Sextortion on the Rise – Happy new year! We hope that 2022 will be a better year than the last couple of years of COVID, which came with higher incidences of online scams and threats. To help you stay safe, James has created “The Ultimate Scam Checklist” – a collection of tips to help you evaluate online threats and fraud.

In our December 8 newsletter we shared a sad story about a young man who was targeted by a type of sextortion scam called the “underage girl sext scam.” Last week, another man sent us two different sextortion emails that he received about a week apart. Each email claimed to have installed software on the man’s computer that monitored and reported on his activities. They claimed to have captured embarrassing videos of him while he visited porn sites. The sender demanded a Bitcoin payment or, he said, he would publish the videos. The emails are 100% untrue and just another scam. The senders provide no proof whatsoever of their claims, such as a photo of the man engaged in any sexual activity. They don’t even address the man by name! We’ve reported many times on variations of this scam. Check out our articles My Malware Recorded You, Sextortion by Email, and the very strange circumstance we called Sextortion by Bot.

Unusual Activity on Your Paypal Account – Phishermen must have taken a vacation during the last week of 2021 because we only saw one smelly phish across our many contacts and resources. That is a welcome and rare event! This one phish claimed that there was unusual activity in your Paypal account from a source in Ontario, Canada on December 28. This was an obvious fraud because the email came from a domain, mmxok[.]com, that had been registered just hours earlier. This email is a valuable teaching exercise because it employs two common and effective tricks often used by scammers.

  1. The email’s FROM address appears to come from service@paypal.com but that’s not true!  That email address resides in the text field normally used for a person’s name.  The real email address follows in brackets <> and the sender’s domain is clearly mmxok[.]com.

  2. Cybercriminals often use redirects in their links to send victims to an undisclosed malicious website. Occasionally, these redirects are hidden in plain view, if you know how to recognize them. Check out the link revealed in this phish in the lower left corner of the screenshot. You’ll notice that there are two instances of “https.”  You may think that you are directed to a site called href[.]li but, in fact, you’ll be redirected to a web page at page[.]link where the Paypal phishing login is hiding.


Fortunately, many security services recognize that page[.]link is malicious!
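
Both tricks can be checked mechanically. The Python sketch below is an added example, not part of the original newsletter; the sender's local part and the full link are constructed samples, because the newsletter gives only the domains mmxok[.]com, href[.]li and page[.]link.

```python
import re
from urllib.parse import unquote, urlsplit

# Simplified patterns for this illustration (not a full RFC 5322 parser).
FROM_RE = re.compile(r'^\s*(.*?)\s*<([^<>\s]+)>\s*$')
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})')
SCHEME_RE = re.compile(r'https?://', re.IGNORECASE)


def display_name_spoof(from_header):
    """Trick 1: return (claimed_domain, real_domain) when the name field
    holds an email address from a different domain than the real sender."""
    m = FROM_RE.match(from_header)
    if not m:
        return None  # bare address, no separate name field to abuse
    name, addr = m.group(1).strip('"\' '), m.group(2)
    real_domain = addr.rpartition('@')[2].lower()
    claimed = EMAIL_RE.search(name)
    if claimed and claimed.group(1).lower() != real_domain:
        return claimed.group(1).lower(), real_domain
    return None


def hosts_in_link(url):
    """Trick 2: list the host of every URL embedded in a link, outermost
    first. More than one host means the visible site is only a hop."""
    decoded = unquote(url)  # nested URLs are often percent-encoded
    starts = [m.start() for m in SCHEME_RE.finditer(decoded)]
    hosts = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(decoded)
        host = urlsplit(decoded[start:end]).hostname
        if host:
            hosts.append(host.lower())
    return hosts


if __name__ == "__main__":
    # Constructed samples: local part "sender" and the link path are made up.
    sample_from = '"service@paypal.com" <sender@mmxok.com>'
    sample_link = 'https://href.li/?https://constructed-example.page.link/login'
    print(display_name_spoof(sample_from))
    print(hosts_in_link(sample_link))
```

A non-empty result from the first function, or more than one host from the second, is a reason to treat the message as suspicious before clicking anything.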

Borrow Money Online! Why would anyone turn to the Internet to borrow money through a website that doesn’t provide names or contact information from real human beings with whom you can have a real conversation? Deception is just too easy online to consider trusting a website with the detailed and personal information that a loan application will require. (Perhaps the need is so severe or so urgent that people are willing to overlook any possible risks?) We raise this question because we received multiple random spam texts during the last 3 weeks from different phone numbers, claiming to represent two different loan services. (In past newsletters we told readers about texts from WorldBankUSA[.]com.) On December 30 we received a spam text from 201-649-6114 inviting us to click a link to NowApproval[.]com for a loan offer before the year ended.

Like WorldBankUSA[.]com, NowApproval[.]com offers small loans through an online application. But is this service trustworthy or the best way to seek a small loan? We chose to dig a little deeper into NowApproval[.]com and this is what we uncovered…

1. NowApproval has a simple interface that consists of a multi-step application. But what it is missing is any information whatsoever as to who is behind this website. There is no phone number to contact, no business name (besides the name of the website), and no people to contact about their company or the loan process.  We searched the Better Business Bureau website (BBB.org) and also used Google to search the Internet. No one seems to know anything about this website/business! 

2. Who is NowApproval[.]com? We asked our favorite WHOIS tool and learned that their domain was registered anonymously in the Cook Islands at the end of September.  From our perspective, that’s a very new business! 

 

3. Part way through our application process for a loan on NowApproval[.]com we were shown 3 official looking icons in pale gray at the bottom of the page. These icons said “EXCELLENT SERVICE,” “256-bit Encrypting” and “RELIABLE PARTNER.”  But these icons are worthless! For example, all “https” links are encrypted.  And who calls them a reliable partner or an excellent service? 

However, they do post a Disclaimer on their website. We read in their “Disclaimer” that they collect your personal information and loan requests and submit them to other services. They are simply a “middle man” and don’t provide the loans themselves. In return, this “may result in a commission” for NowApproval[.]com.  Hmmmm…. Does any of this sound like a site or service that you want to trust with your personal information or hope to get a loan at a competitive interest rate?  We would call them and ask more but we can’t find a phone number on their website!

A Young Man’s Female “Friends” – A young man reached out to us to share a problem he has been experiencing for many months. He’s been receiving random, odd emails from several different women.  They seem intent on starting up a conversation with him, along with three to four other men copied in each email.  Fortunately, he recognizes their efforts as a form of manipulation at best, perhaps malicious at worst, and doesn’t respond. But he actually kept most of these emails and decided to share them with us! He pointed out to us something about these emails that consistently identifies them as very suspicious and not likely what they claim to be.  After looking through all of them, we made another observation that more likely means “malicious intent.”  Can you spot either of these concerns?

Let’s begin with these 4 emails that were sent to the man from “Alyssa” in March and April, 2021. Look closely at each. What do you notice about them that doesn’t make sense if they were, in fact, real?

We hope you noticed that “Alyssa” first used an email address ritterrichard5 @ gmail.com in the March emails and then used saragreen33801 @ gmail.com in the April emails.  Neither email address comes close to matching “her” name, Alyssa.  We find this behavior to be extremely common amongst cybercriminals and others who are trying to hide who they really are.

“Alyssa” then disappeared for more than 2 months and returned in July, asking the young man “are you real.” About three weeks later, the man (along with 2 others) received another email from someone identifying herself as “Jessica Miller” and asking “are you there.”  No doubt, you’ll also notice that Jessica’s email came from an email account called “jodyararroyo72211” at Gmail!  But there is also something else going on in several of these emails that identifies them as fraudulent. Have you spotted it yet? [Readers may also find it interesting to note that taken together, each of these bogus emails also included two or three of the same four other email addresses.] 

Between November 23 and Christmas day, December 25, the young man received 3 more of these types of emails. The first came from Alyssa, but through an email address called “wheelerjamie5645.” Then an email came from a new woman who identified herself as “Leyla Rose” but using an email address called “janenolan083” at Gmail. And finally, Jessica (presumably ‘Miller’) returned on Christmas day but used an email address called “weme854957” at Gmail. Can you spot the other fraudulent trick used in two of these 3 emails?

Here’s the additional trick that REEKS of fraud and is used by the sender of five of these nine emails… Did you notice the two small gray hyphens in these emails? They indicate where the body of an email ends and a Gmail account signature begins. In five of these nine emails, the sender pasted an email message into the signature field of the Gmail account. This makes it possible for that sender to easily crank out hundreds of these bogus emails without having to write any content: just by clicking the COMPOSE button in Gmail, the message is included. Instead of a signature, the email drops the short message into the email, but below those dashes! The sender seems more interested in cranking out lots of these emails than in the message she or he is sending, because they’ve automated this step. Sounds like fraud to us! We commend that man’s observations and his decision not to respond to any of them.

Win a Playstation 5 From Russia – We can think of a lot of family members who would LOVE to receive a free Sony PlayStation 5! According to this email from googlemail.com, here’s your chance to win one. But Googlemail.com? Why isn’t the sender’s domain just Gmail.com? Did you know that when Google tried to register the domain Gmail, back in 1995, that domain was already trademarked and used in 3 countries in the world? The countries were Germany, Poland and Russia! And so Google originally registered the domain “googlemail.com” to be used for email from those 3 countries.


Returning to the PS5 promotion, there are two other points that are very odd and worth noticing. This “offer” expired at midnight, December 31st of 2020! Not 2021! Hmmmm….. The clickable links in this email point to an IP Address INSTEAD OF a domain name. We used IPLocation.net to look up the destination of this IP address and discovered that we’ll end up on a server in Moscow, Russia. Feels more like a link to free malware, not a playstation 5! Should we sign up? Nyet, Comrade!

Holiday Text Hand Grenades – Over the holidays, families often trade cookie recipes, bake gingerbread houses, share eggnog, and sometimes various wines. Our families share malicious texts! (We know, we’re weird but when you are given lemons…) Here are a few recent malicious texts we all enjoyed, especially the eggnog one. We hope all our readers had a safe and loving New Year’s surrounded by as many friends and family as a pandemic will allow!

Until next week, surf safely!

Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.