Targeted by a Barrage of Malicious Texts — 2019 feels like a decade ago, though it was just 3 years ago. You may recall that scam robocalls had exploded to unprecedented numbers across the United States. We remember getting as many as 7-10 scam calls every week, but rarely any scam texts. In late December 2019, then-President Trump signed into law the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, or TRACED Act. The Act forced telephone companies to implement new strategies to reduce the overwhelming number of robocalls and to identify for consumers the calls that came through but were “potential scams.” As this effort was implemented in the first half of 2020, Americans did see a significant reduction in scam calls. But there was another consequence. Cybercriminals pivoted their targeting strategies. They increased their use of SMS messaging to deliver their malicious clickbait and phishing scams. That misuse of texting has grown significantly since early 2020. If you ask anyone with a smartphone if they have ever received unsolicited, questionable, or outright fraudulent texts, the overwhelming majority of people will say yes! During just the last two weeks we’ve been targeted by a variety of malicious texts and so have our readers. As we take a look at these landmines buried in the texting landscape, you’ll see subtle clues suggesting that many of them originate with the same cybercriminal groups. (You can read more about the TRACED Act on the Consumer Reports website.)
Another pivot resulting from the implementation of the TRACED Act was that cybercriminals began to use emails meant to trick consumers into calling the scammers! Examples include fake invoices falsely claiming that the recipients made purchases, or notices that there were security concerns about their accounts. The scammers provided call-back numbers. These false claims also appear in texts, such as this recent bogus text about your Amazon account! The text was sent from a scammer’s email account using the bogus domain “service-awsamzngroup[.]com.” The text contains a misused link for a music service called LinkFire.com. LinkFire owns and uses the domain lnk[.]to. As you can see in the text, scammers created a subdomain (which appears in front of the fully qualified domain lnk[.]to) called amazon-update-service.
(Two hours after receiving this text, the recipient received another, nearly identical text, emailed from amazongroup[.]network. This fake “network” domain was registered in Bulgaria on July 7, 2022. The link in the second text pointed to a subdomain called customer-amazon and also misused the service at lnk[.]to.)
The Danish company Linkfire.com, which owns lnk[.]to, continued to be abused by cybercriminals. This time the text pretended to be from Venmo! Check out this text received from a crazy email account at ytxibwzll[.]com claiming to have deactivated your Venmo account due to “suspicious transaction.” That nonsensical email domain was also registered in Bulgaria on July 7 by the same cybercriminals! The subdomain they used at LinkFire was “venmo-security-info.” The recipient of this clickbait also received a nearly identical text four and one-half hours later.
Had you received these back-to-back texts, would you have fallen for them? It’s important to recognize the difference between a domain name and subdomain! For example, amazon.com and venmo.com are the fully qualified legitimate domains for Amazon and Venmo. But any names/words in front of lnk[.]to, and separated by a period, are subdomains and have NO authentic connection to Amazon or Venmo, or any other business!
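To make the domain-versus-subdomain check concrete, here is an added example (not from the original newsletter) that splits a hostname into its subdomain and registrable domain and flags brand names that do not match the registrable domain. The small suffix set, the brand map and the function names are assumptions made for illustration; a production check would load the full Public Suffix List.

```python
# Assumption: a tiny hand-picked suffix set stands in for the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "to", "us", "co", "network", "co.uk"}

# Assumption: illustrative brand keyword -> domains that brand really uses.
BRANDS = {"amazon": {"amazon.com"}, "venmo": {"venmo.com"}}

# Hostnames rebuilt from the subdomain names quoted in the article, kept defanged.
SAMPLE_HOSTS = [
    "amazon-update-service.lnk[.]to",
    "customer-amazon.lnk[.]to",
    "venmo-security-info.lnk[.]to",
    "www.amazon.com",
]


def refang(host):
    """Undo [.] defanging and normalise case and trailing dot."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()


def split_host(host):
    """Return (subdomain, registrable_domain), preferring the longest known suffix."""
    labels = refang(host).split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:])
    # Unknown suffix: fall back to treating the last two labels as the domain.
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def impersonated_brands(host):
    """Brands named in the hostname whose real domain is not the registrable domain."""
    sub, domain = split_host(host)
    hits = []
    for brand, real_domains in BRANDS.items():
        if domain in real_domains:
            continue  # the host genuinely belongs to this brand
        # Crude substring heuristic: catches "customer-amazon" and "amazongroup" alike.
        if brand in sub or brand in domain:
            hits.append(brand)
    return hits


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", split_host(h)[1], impersonated_brands(h))
```

Every lnk[.]to sample resolves to the registrable domain lnk.to, so the brand word in front of it says nothing about who controls the link.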
Cybercriminals use other forms of malicious clickbait to engineer your clicking behavior and they misuse other services. For example, check out these texts from 626-822-8507 and 689-200-5457 containing messages that a package could not be delivered to your address. Malware sits at the other end of the links in these texts. Both domains used in these texts are very newly registered. For example, the domain uasp-vuintym[.]us was registered just a few days earlier through Porkbun.com, an ICANN licensed registrar. Check out the nonsense name and address of the “registrant” used to purchase and set up this domain. WHY can’t Porkbun (and other registrars) immediately identify this fraud and cancel the domain? Both abused domains used in these texts were registered by the same criminal group, as evidenced by the domain names. The texts were also sent to the same targeted victim about 30 minutes apart.
Oftentimes, cybercriminals use the lure of saving money or making money to trick people into clicking malicious links. Here are two very recent examples. The first claims to save “lot of money on your electricity bills” followed by a link to another domain containing “usa,” as if any American seeing US or USA will more likely trust the link! The link is to usabravest[.]co. DON’T TRUST THESE LINKS! In our experience, any link using US or USA deserves GREATER SCRUTINY! Why was it important to include the US or USA in the name?
The next claim is that “peope throughout the USA” can make money from class action lawsuits. The link in this clickbait points to a malicious domain called alicequint[.]co. This DOT-co domain was registered in August, 2021 and is hosted on a server in Brisbane, Australia. Would it surprise you to learn that usabravest[.]co (used in the text above) was also registered in August, 2021 and is hosted on a server in Brisbane, Australia?
Another common category of malicious clickbait texts sent by cybercriminals is health and wellness. Ironic, right? Because clicking on these malicious links will cause you financial and emotional harm and pain! Check out this bizarre text sent from an email account at pictoplaza[.]net about an “Anti Bug Machine” to improve natural life. What does this even mean?
Suffice to say, we are all feeling the pain of these landmines appearing in our texts. They put us 1-click away from serious financial risks and harm. It’s time for our government to act again! We need a new type of TRACED Act! Let’s call it the “Sms Abuse Criminal Reporting, Enforcement and Deterrence Act” or the SACRED Act! (By adding “Reporting” we expect the US Government to provide a service for the public to immediately and easily report fraudulent texts.)
Bank Mobile Alert & “you just sent a payment” Scams – Fraudulent texts are also disguised as banking alerts. Trend Micro just published an article about these types of text scams. These scams include phony payments made to you! Read the details by visiting their article!
How’s Life? – When people’s email accounts are hacked, one of the many resources that cybercriminals try to monetize is the victim’s contact list. Using a victim’s name, the scammers will send emails containing malicious links to the victim’s contacts BECAUSE people are more likely to trust emails that come from someone they know. But take a look at this obvious fraud below. Doug at TDS received an email from a friend, named Susan. But instead of Susan’s real email account, this email came from a University account located in Indonesia.
The “Google search” link that appeared within the email contained Doug’s personal email address at the end. Mousing over that link clearly showed that this link didn’t point to Google! It pointed to a shortened link at bit.ly that had quickly been taken down because it was found to be malicious! So, how’s life? Better now!
In last week’s Top Story, we described how David (from TDS) has a target on his back. Cybercriminals continue to take aim at that target. Check out this bogus phishing email sent to him, claiming to hold messages until he “authenticates” the account to his business website. That’s NOT how administrative accounts operate for websites!
The link in the above clickbait pointed to a link-shortening service at rb[.]gy and included David’s business email address. We unshortened that link using Urlex.org but then replaced David’s email with a fake email address called I-am-a-scammer @ scammer[.]com. We discovered that David would have been forwarded to a Googleapis link and then forwarded again to a misused subdomain at Appspot.com!
Malwarebytes.com, Zscaler.com and others have posted articles during the last few years citing the fact that cybercriminals have often misused the services at Appspot.com for malicious purposes, including phishing. We want readers to know that this misuse continues today. And “for the record,” the email above wasn’t the only email David received last week. Like we said, he’s still wearing a target but fortunately, scammers haven’t hit it yet and are not going to!
Scamadviser and The Daily Scam are proud of the fact that we have readers from all over the world, from Australia to Africa. And from across the world, we often receive thank you emails from those we’ve helped. Two such recent notes came from a Ghanaian and another man from the African continent. They concerned the same scam in which they were offered a bogus job in another country (Canada). They were told all of their travel expenses would be paid by their new employer. However, they had to pay for their work visas in advance. Of course, the payment was to be sent via wire transfer to an account that had NOTHING to do with the government agency of the country involved. You can read more about this scam, and about the latest fake business used to “hire” employees, called Bloomscope Engineering.
Our longtime readers know that we routinely receive solicitations and offers from very questionable sources all across the Internet. The vast majority of these are, in fact, scams. Some are simply questionable because they have serious credibility problems that don’t pass our “smell test.” Here’s one such recent example.
We received this interesting “inquiry for collaboration” from a web designer named Albert, who claimed to represent a company called DoobyWebs[.]com. We were pleased to see that their website posted a number of reviews from prior clients, dating back to June, 2021. The reviews were all pretty generic, such as the screenshot of the one from Eva saying “we have developed several websites with you and we are very happy with the work you have done.” Hmmmm….Having completed “several website” projects with DoobyWebs, one might think that Eva could give more details or accolades about this web business, but she didn’t.
Did you notice that Albert’s email included two domains? There is the domain doobywebs[.]com which hosts their business website, and the domain doobyweb[.]com from which his email was sent. Both domains were anonymously registered just 35 and 42 days earlier in Spain. Don’t you think that’s a bit odd when clients are offering reviews for this company that date back to June, 2021 and yet their website didn’t exist until a few weeks ago? As William Shakespeare wrote in Hamlet, “something smells rotten in Denmark!”
A Spear-Phishing Story to Tell and Oddball Smelly Phish – Last week, the DFO for an educational institution contacted us to describe a spear-phishing attempt that had targeted her, not once, but twice! It started when the DFO received the email below from an employee named Katie. Katie had contacted the business office to inform them of her changing bank details. The email very legitimately looked like it came from Katie’s work email at the DOT-edu. However, when the DFO hit reply, she immediately noticed that the reply was directed to williamssarah3213 @ gmail.com, instead of Katie’s work email. That’s when she contacted us and we were able to confirm that Katie’s work email had been spoofed. However, we were happy to reply to “Katie” on behalf of the educational organization…
Katie’s reply again looked like it came from her work email but, in fact, a reply back to Katie was automatically directed to the scammer’s Gmail address…
We followed up on Katie’s updated banking information with two next steps. First, we contacted Green Dot Bank and gave them the details of this fraudulently used bank account, about which they were grateful to hear. Second, we replied to “Katie” and sent her our own malicious link, telling her that she needed to click that link and digitally sign the document so that we could officially update her banking details. The scammer DID click our link and we saw evidence of that click, though we would rather not publicly explain how this was possible. This was then followed by another email to “Katie” or “WiiliamSSarah3213” or whomever this phisherman was, telling him that by clicking our link, he had just installed malware on HIS computer that provided us lots of information about his device. We wished him good luck in finding that malware!
Footnote to this spear-phishing story: About 2 weeks before receiving “Katie’s” email, the DFO had also received a similar bogus email from another employee named Lindsay. But this email landed in her spam folder. When she found it and showed it to us, we could see that the REPLY-TO address went to “myjobbroupdate” @ gmail.com.
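The tell in both of these emails was a Reply-To address on a different domain than the visible From address. The following added example (not part of the original newsletter) shows one way a mail filter or helpdesk script could surface that mismatch; the sample messages, the school.example placeholder domain and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: free webmail domains worth calling out when they appear only in Reply-To.
FREE_MAIL = {"gmail.com", "email.com", "outlook.com", "yahoo.com"}

# Constructed sample modelled on the story: From shows the work address,
# Reply-To silently redirects answers to the Gmail account named in the article.
SPOOFED = (
    "From: Katie <katie@school.example>\n"
    "Reply-To: Katie <williamssarah3213@gmail.com>\n"
    "To: dfo@school.example\n"
    "Subject: Change of bank details\n"
    "\n"
    "Please update my direct deposit information.\n"
)

# Constructed benign sample: no Reply-To header at all.
BENIGN = (
    "From: Katie <katie@school.example>\n"
    "To: dfo@school.example\n"
    "Subject: Lunch?\n"
    "\n"
    "Are you free at noon?\n"
)


def header_domains(msg, header):
    """Lower-cased domains of every address found in the given header."""
    addrs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr}


def reply_to_findings(raw):
    """Return (findings, stray_domains) for Reply-To domains absent from From."""
    msg = message_from_string(raw)
    stray = header_domains(msg, "Reply-To") - header_domains(msg, "From")
    findings = []
    if stray:
        findings.append("reply-to-domain-differs")
    if stray & FREE_MAIL:
        findings.append("reply-to-free-webmail")
    return findings, sorted(stray)


if __name__ == "__main__":
    print(reply_to_findings(SPOOFED))
    print(reply_to_findings(BENIGN))
```

Mailing lists and ticketing systems legitimately set a different Reply-To, so a hit here is a prompt to confirm a bank-detail change through a known phone number, not proof of fraud by itself.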
One of our readers recently received this “message failure delivery notice” from an oddball domain first registered in Vilnius, Lithuania many years ago. The contents of the email are bizarre and make no sense at all! Nonetheless, the links to “Allow Messages” and “Review Messages” both point to a service called Rebrand[.]ly. We followed that link to discover that you’ll be forwarded to a phishing website at an oddball domain called glitch[.]me. The Rebrand[.]ly link contained the victim’s email address and the phishing website was designed to use this information to specifically target the recipient’s name and business! So, we substituted our own, more interesting, email address for these criminals to use. Check out what their phishing website login screen says in the image below!
We Would Like to Offer You a Position: Shipping Insurance Broker – Employment scams have been raging during these last two pandemic years! We often hear from people who have either been victimized or ask us our opinions about job offers or companies that contact them for job interviews. 99% of the time, we determine that the queries sent our way are scams. Below is a perfect example, sent to us by a reader last February. Read through this email from Stacy Osborne to a job seeker and see how many “red flags” you count in her email. We’ll list them below….
We counted five red flags. In no special order, here’s what we spotted that was either suspicious or a complete sign of fraud:
- Stacy Osborne’s email came from “email.com” rather than any recognizable business domain. This is a sure sign of fraud! “Email.com” is a free email service available to anyone.
- Stacy’s email was signed by “Adelle Forsberg.” This is also a sure sign of fraud.
- Stacy, or Adelle, never identified the business they represent. Nor do they name the employment agency in which they found the victim’s resume. The former fact is also a sure sign of fraud.
- The job listed is for “Insurance Broker” which cannot possibly be accurate because a genuine insurance broker must meet pre-license state requirements and must then pass a state licensing exam. None of this is spelled out in the job requirements. In fact, this scam email uses the term “insurance broker” to describe a package reshipper mule who will be tricked into shipping stolen merchandise and never paid a dime!
- Finally, this is obviously a “work from home” job, as evidenced by “accepting incoming shipments at your personal residential address” and work location being anywhere in the USA. There is so much fraud targeting those who desire to work from home that everyone should be SERIOUSLY SKEPTICAL of any “work from home” job opportunity!
If you think you’ve spotted other red flags, let us know! Send them to firstname.lastname@example.org! By the way, many months later, our reader heard back from “Adelle Forsberg” from a business domain that we have confirmed is a job scam: Logistics HT LTD (logisticshtltd.com).
Hello UPS Customer! You’ve been selected to receive a reward for taking our shopper survey. But you have only 35 minutes to do this survey or you’ll be thrown into purgatory. OK, this email doesn’t threaten purgatory but you get the idea. The countdown timer in the email was a manipulative gimmick. When it hits zero, it restarts. Nothing else happens. However, if you click “OK” we can promise you that all hell will break loose and you’ll regret it!
We Received Your Payment and Your Password is About to Expire – We received your payment, says this email sent from a school in Nigeria. It was meant to look like an invoice from a tire service in France. The “invoice” is actually a VERY DANGEROUS html file! Never open files ending in DOT-html (or htm or php or eml). They can contain instructions from criminals to your computer. That’s not a good thing to let happen!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.