Weekly Alert  |  July 26, 2023

Would You Fall for These New Phishing Tricks?

During the last couple of weeks we have seen an explosion of phishing scams pouring into our honeypot email accounts and being submitted by our readers and friends. It’s overwhelming at times! Along with this deluge of phishing scams come new phishing tricks that we want to show you. Our friend Rob, for example, received 5 different phishing scams of different designs within about an hour. All of them pointed to the same phishing site and used a very clever trick we’re now seeing used a lot! Would you be fooled by this trick? Check it out, as well as others, as we expose this fraud… (Note: We offer an apology in advance. We were a bit cheeky this week with an offensive graphic in our Top Story. Don’t blame us! We couldn’t help but use a scammer’s own tool to tell them what we thought of their effort to scam others.)

IMPORTANT: If you, or someone you know, is the victim of fraud or harm initially caused by a malicious email or spam message, please contact us at We are gathering information for a story and would like to speak with these victims.

Phishermen are happy to collect the login information to any account you want to give up! They’ll use that information in a wide variety of ways to make money. (See our list below.) However, let’s start with this fake email that appears to be from Dropbox, the file-hosting service headquartered in California. The sender’s domain is CLEARLY not and the link to view your supposed document points to a phishing website at backblazeb2[.]com.  Check out the “login” page waiting for you. You’re given various options as to which email account information you want to give to cybercriminals!

Cybercriminals have been very good about creating a webpage that looks like the website you are expecting to visit. This is nothing new…

One of the most clever phishing tricks we’re seeing used A LOT is when scammers target a person’s business domain, instead of a free email service like Yahoo or Gmail. Here is an email, sent from a server in Hong Kong (“.hk”) to our friend Rob and claiming to be an important Security Notice because his “mailbox is full.” When we moused over the link to “increase my memory space” (We can ALL use more memory space, right?) we found Rob’s email address with his business domain at the end of that link.

This clever phish was capable of visiting Rob’s business website, capturing an image of it and placing that image onto the phishing website’s background with a login window on top of it! To the untrained eye, it truly looks like you are on Rob’s website, except for the undeniable fact that you’re sitting on a webpage at the scam domain called umbraco[.]io! We wanted to let the phishermen know exactly what we thought of them so we swapped out Rob’s email in this phishing link for an email we made up, but pointing to a real website called Check out what the scammer’s trick created as a result…

Again, this scammer trick targeted Rob. But this email came from a hacked business in South Korea. This time, we modified Rob’s email to point to two very important websites on the Internet: and! Take a look at how this clever scammer tool grabbed both sites’ icons and combined them with the domain name to create a title section of the bogus login window! Would YOU fall for this trick if you saw YOUR company/business/organization’s logo followed by the name? And, adding insult to injury, these scammers auto-populate the fake login window with YOUR email address!

To show our readers more clearly the details of this clever trick, check out this phishing email sent to us at TDS. Notice that this clever phishing trick actually looks like it was sent from our own domain! It looks like it came from abuse@ But mousing over “verify account” clearly shows that the link points to a server in Iran (“.ir”) and our email address is seen at the end of the link!  Again, we changed our email address and the domain so the scammer’s trick pointed to I-SCAM-U@

Another new trick we saw recently was used in an email that one of our longtime readers shared with us. Like many of us, she has more than one email address. She received a phishing email that appeared as though it came from one of her email addresses and was sent to her other email address! This trick, called “email spoofing,” certainly got the woman’s attention! She opened the email, where she discovered her full name in the body of the email. Of course, the email was a phishing trick and the “customer support” number 806-478-1126 is a scammer’s number. However, it made this woman feel a little creeped out to know that scammers had associated her name with both of her email accounts.

So what can cybercriminals do when they capture your login credentials for an account? How about these common malicious tricks…

  • Even if the account is not a financial account, do you use the same password for your email and for any financial account like a bank, credit card or store account? Cybercriminals will try to use your stolen password in many other accounts including Amazon, especially if they can pinpoint your general location.
  • Is there any evidence in your compromised account that you receive information from any financial account, like a credit card or bank account? Cybercriminals will try to change your passwords to these other accounts using the “forgot password” feature that those accounts provide as they are linked to your email.
  • Cybercriminals will contact your friends/family/colleagues through your account, pretending to be you, and ask for financial help, or ask them to click a malicious link, or try some other trick. They’ll also likely export your entire contact list, putting all of these other people at risk of getting malicious emails disguised as you for some time. We’ve seen these threats targeting others go on for 3 years after an account was hacked.
  • If you have a business domain with a website, cybercriminals may see if it is possible to take control over your website and use it to help them scam others through the placement of more phishing sites or malware on your web server.

The critical lesson here is never assume that the website you are about to log into is the REAL and legitimate website UNLESS you’ve carefully checked the email source of the link and the domain of the website you are about to log into. Also, look carefully at the page you are on. Do you see any grammatical, spelling or capitalization errors?  If you do, close that window and try to locate your site directly or through a saved, bookmarked link.  For us, we bookmark all of our own most important links related to finances and personal accounts. When we want to visit those sites, we go to our trusted bookmarked links.

Over-Phishing and Scammer Mistakes! — We love seeing evidence that cybercriminals are not native English speakers because it sometimes means they say ridiculous things like what we found in this phishing email below. This email came from a free Gmail account with an attached pdf of a Norton software invoice.  But what made us smile were the few sentences that “Vanessa” wrote in this email, especially “we’ll always be by your side.” Hell, we hope not!

    Another example of a COMPLETE LIE is the misspelling of the word consumer at the bottom of this next smelly carp. The bottom of this bogus phish says that it was sent by Paula Q. Carey of the Cunsumer Helpline Dept. Spelling matters!

    Last week we also heard from another school’s business office that reported getting this spear-phishing email below. The Head of the school is named Randy. It appears that Randy contacted his school’s business office via email and requested that they change his banking information before sending his next paycheck. The only minor problem is that Randy didn’t send his email from his school email address. He sent it from a server in Chile. But it’s an American school!

    A member of LinkedIn recently shared a very important message for parents about posting personal information about their children online in a world where AI is increasingly being used to steal identities in voice, images, videos and other ways. Though the message is not about scams, it is about the theft of personal information to be used in harmful ways without the person’s permission. We want to support this LinkedIn member’s message though we cannot verify his information when he says that “8 out of 10 parents have followers they’ve never met.”  We’ve seen teens and adults often accept followers on social media whom they do not know in person. Increasingly, accepting such unknown, unverified followers can be risky.  Watch the brief video on this post and you’ll understand the point.

    Netflix Phish and Cloudflare Dangers! Though this phishing scam was sent from a server in Poland, and contains an attached pdf with a link pointing to the website personalpeaceretreats[.]com, you would believe you are on the real Netflix site.  The phishing page created on this hacked site looks and feels exactly like the real, but it isn’t!

    Back in 2018, published an article about how severely Cloudflare’s IPFS Gateway was being used by cybercriminals for phishing scams. A year ago, The Register similarly published an article about how widespread this abuse was and other services have also spoken about this widespread abuse as recently as this Spring. Well, this abuse continues and we think that our readers should recognize it when they see it. It is now a common threat!  Check out this email from “IT Support” that was sent from a server in Kyrgyzstan about an “account deactivation request.” The links in this phish point directly to the domain cloudflare-ipfs[.]com. Remember that domain and be VERY careful not to click those links.

    Here’s another example of a phishing email with a link pointing to cloudflare-ipfs[.]com. This one contained the targeted victim’s name, email or domain seven times! The threat found at cloudflare-ipfs[.]com is now so widely known that VirusTotal shows us that 15 security services recognize these identical links as malicious!

    Subscription Will Expired Today

    As we say over and over, details matter! And in those details, if you notice grammatical, spelling, capitalization or other errors, then pause and dig deeper before trusting what’s in front of you! Like in this email with the grammatically incorrect subject line “Subscription Will Expired Today.” A closer look shows that it was sent from a server in the United Kingdom (“.uk”). This email came from, and the links point to, a server domain called justprepit[.]co[.]uk. The domain was registered, just a week before this email was sent, through that EXTREMELY UNTRUSTWORTHY Registrar called Namecheap.

    For Your Safety: Many Safety Issues! — Like us, you might think that this email from one of our readers is a likely phishing scam. It was directed to the Safety Officer at a chemical company in a Southern US State. But this is not a phishing scam. found malware waiting at the end of the link as well as a redirect to a webpage named “ukrainianhistory.” Hmmmmmm…. We couldn’t help but wonder if this threat didn’t come from a Russian cybercriminal gang or the Russian government itself. But we’ll never know for sure…

    This “pending package delivery” notice came from a free Gmail account, a sure sign of fraud! The link may **LOOK** long but it is actually a shortened link from the service at  We unshortened the only part of that short link that matters and discovered that you’ll be redirected to a website called alevsesli[.]net, registered in Iceland using Namecheap. Four different security services have found malware sitting on that site waiting for your arrival! Deeeeeeleeeeete NOW!

    Earlier in this week’s newsletter we mentioned that our friend Rob, like so many of us, has been getting hammered with LOTS of malicious spam! We’ll close this week’s newsletter with one more dangerous example. On one day earlier in July, he received five different emails with an attached file of type “shtml.” This type of file also contains instructions to take over your web browser and is EXTREMELY dangerous to open! Never open attached files that end with DOT shtml or htm or html or php!
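The warning signs described in this newsletter (a link that carries your own email address to someone else's site, a sender posing as your own domain, a link to cloudflare-ipfs[.]com, an attached shtml/htm/html/php file) can be checked on a raw message with a short Python script. This is an added example, not a tool from The Daily Scam; the function name `triage`, the sample message and its example.org and phish.example addresses are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

# Indicators named in this newsletter; extend both for your own mail flow.
RISKY_EXTENSIONS = (".shtml", ".htm", ".html", ".php")
ABUSED_HOSTS = {"cloudflare-ipfs.com"}

# Constructed sample message: every name and address below is made up.
SAMPLE = """\
From: Mail Admin <abuse@example.org>
To: rob@example.org
Subject: Security Notice: mailbox is full

Increase my memory space: https://login.phish.example/re/#rob@example.org
Verify account: https://cloudflare-ipfs.com/ipfs/EXAMPLE/index.html
"""

def triage(raw_email, recipient):
    """Return a list of warning strings for one message sent to `recipient`."""
    msg = message_from_string(raw_email)
    recipient = recipient.lower()
    rcpt_domain = recipient.split("@")[1]
    warnings = []
    # Sender shows the recipient's own domain. Real internal mail matches too,
    # so treat this as a prompt to look at where the message really came from.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.endswith("@" + rcpt_domain):
        warnings.append("sender claims recipient's own domain: " + sender)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append("risky attachment: " + name)
        if part.get_content_maintype() != "text" or name:
            continue  # only scan body text for links
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = (urlsplit(url).hostname or "").lower()
            own = host == rcpt_domain or host.endswith("." + rcpt_domain)
            # The recipient's address rides along so the fake login can be personalised.
            if not own and recipient in unquote(url).lower():
                warnings.append("link to " + host + " carries recipient address")
            if host in ABUSED_HOSTS or host.endswith(tuple("." + h for h in ABUSED_HOSTS)):
                warnings.append("link to frequently abused host: " + host)
    return warnings

if __name__ == "__main__":
    for warning in triage(SAMPLE, "rob@example.org"):
        print(warning)
```
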

    Until next week, surf safely!

    Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved.