Dissecting Foul Phishing Tricks — We saw a significant spike in phishing emails last week, especially ones targeting PayPal account holders. Despite the scammers' best efforts to victimize you, there are multiple “poker tells” that scream fraud when you look carefully at each of these phishing emails. Some of these tells may be well known, or obvious, to our experienced readers, while others are more obscure or less often observed. We’ll break them down for you this week. Take a boat ride with us on a phishing tour…
Let’s start with the obvious check: where did the email actually come from? This first email says “PaypalService” in the name field, but our readers know that the name field is free text the sender types in. What matters is the domain that follows the @ symbol and is found between the <> brackets. This email came from mywuprod[.]com, not paypal.com! (mywuprod[.]com is hosted on a server in Berlin, Germany.) Next, if you mouse over the link “Confirm my account,” you’ll see that it doesn’t point to paypal.com but to a link-shortening service at goo.su. Shorteners hide the real destination, which is exactly why phishers like them. This particular shortened link redirects to a hacked and misused website in Russia, inside360[.]ru.
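The two checks above (real sender domain versus display name, and where a link really goes) can be automated. The following script is an added example written for this issue, not something from the scammers or from PayPal; it uses only the Python standard library. The brand domain, the shortener list, the Reply-To header and the sample message are assumptions made for the illustration, and the goo.su path in the sample is a placeholder rather than the real shortened link.

```python
"""Check a raw email's From/Reply-To domains and link targets against a brand domain.

Stdlib only. BRAND_DOMAIN, SHORTENERS and SAMPLE are assumptions for this example.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "paypal.com"                       # assumed brand being impersonated
SHORTENERS = {"goo.su", "bit.ly", "tinyurl.com"}  # small illustrative list, not exhaustive


class LinkCollector(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels.

    Fine for .com/.ru/.su; a real tool should use the Public Suffix List so that
    names like example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address):
    return registrable(address.rpartition("@")[2]) if "@" in address else ""


def analyze(raw_message):
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name vs. the real sender domain (the "name field" trick).
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    brand_word = BRAND_DOMAIN.split(".")[0]
    if brand_word in name.lower().replace(" ", "") and from_domain != BRAND_DOMAIN:
        findings.append(f"display name '{name}' claims {brand_word} but sender is @{from_domain}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To goes to @{domain_of(reply)}, not @{from_domain}")

    # 3. Where each link really goes (what a mouse-over would reveal).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            host = urlparse(href).hostname or ""
            target = registrable(host)
            if target in SHORTENERS:
                findings.append(f"link '{text}' goes through shortener {host}")
            elif target != BRAND_DOMAIN:
                findings.append(f"link '{text}' points to {host}, not {BRAND_DOMAIN}")
    return findings


# Constructed sample modelled on the phish described above (headers, body and the
# goo.su path are made up for this example).
SAMPLE = """\
From: PaypalService <noreply@mywuprod.com>
Reply-To: support@example.net
To: victim@example.org
Subject: Confirm your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been limited.</p>
<p><a href="https://goo.su/xxxx">Confirm my account</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("!", finding)
```

Run it on the sample and you get three findings: the display-name mismatch, the Reply-To mismatch and the shortener. The second link, which really goes to paypal.com, is silent, which is the point: the script judges each link by its destination, not its label.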
Often, smelly phish are sent from personal Gmail addresses, such as this emailed “Order Confirmation.” This type of phish is meant to trick you into calling the scammers to tell them that you never placed the order. They are very good at manipulating you for their financial gain, such as getting your credit card information or gaining control of your computer. Notice that they purposely space the digits of the phone number far enough apart that anti-spam servers or other defenses looking for known malicious phone numbers won’t recognize 844-745-2755. Google shows that this phone number is found on a government website in Turkey. We DO NOT recommend clicking any links to phone numbers UNLESS they are well-known Internet services like 800Notes.com.
Sometimes, cybercriminals go to ridiculous and obvious lengths to obscure a scam phone number. Check out this next smelly phish and see what the scammers did to obscure the phone number by wrapping digits in brackets! What is ALSO fascinating to us is that a Google search for this phone number, 833-285-1037, pulls up links to the same government website in Turkey! Cybercriminals know that some people will search for phone numbers online, so they post these numbers on websites with malware traps. That’s why it is so important not to click links to just any website showing a number you search for! By the way, another giveaway that the email below is smelly phish is the fact that it was sent to “undisclosed-recipients.”
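Spacing and bracketing digits only defeats a filter that looks for the number as an exact string. The script below is an added example (ours, not taken from any anti-spam product) that strips that padding before matching; it uses only the Python standard library. The blocklist holds the two numbers quoted in the items above; the sample sentences are constructed, and the +1 country code is an assumption that the numbers are North American.

```python
"""Find phone numbers that scammers have padded with spaces, dots, brackets or braces.

Stdlib only. BLOCKLIST holds the two numbers from this issue; SAMPLES are constructed.
"""
import re

# Characters scammers sprinkle between digits to defeat exact-string matching.
SEPARATORS = r"[\s\-.()\[\]{}]"
# A run of decimal digits with any amount of those separators strictly between them.
DIGIT_RUN = re.compile(r"\d(?:" + SEPARATORS + r"*\d)*")

# Numbers called out above, normalised to E.164 (assumed NANP, hence the +1).
BLOCKLIST = {"+18447452755", "+18332851037"}


def normalise_nanp(digits):
    """Return +1 followed by ten digits for a NANP number, or None if it is not one."""
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return "+1" + digits


def find_numbers(text):
    """Extract candidate phone numbers from free text, ignoring separator padding.

    Limitation: a number butted against another digit run (a date or order number
    separated from it only by spaces or dots) becomes one long run and is rejected.
    """
    found = []
    for match in DIGIT_RUN.finditer(text):
        # isdecimal() matches the same characters as \d, including full-width digits.
        digits = "".join(str(int(c)) for c in match.group() if c.isdecimal())
        number = normalise_nanp(digits)
        if number and number not in found:
            found.append(number)
    return found


def flag_blocklisted(text):
    """Blocklisted numbers present in text, however they were written."""
    return [n for n in find_numbers(text) if n in BLOCKLIST]


# Constructed snippets mimicking the obfuscation described above.
SAMPLES = [
    "If you did not place this order call 8 4 4 - 7 4 5 - 2 7 5 5 within 24 hours.",
    "Contact our Executive at ( 8 3 3 ) [ 2 8 5 ] { 1 0 3 7 } right away.",
    "Helpline: +1 833.285.1037 (Order #20220601)",
    "Your invoice total is $125.00; reference 123456789012.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_numbers(sample), flag_blocklisted(sample))
```

The fourth sample shows the other half of the job: a dollar amount and a twelve-digit reference number are left alone, so the normaliser does not drown a mail filter in false hits.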
And finally, carefully read the sentences, punctuation, capitalization and grammar in this last smelly phish. There are several subtle errors that scream fraud! For example, there are at least 11 capitalized words that shouldn’t be capitalized, such as “Transaction” and “Email.” The phrasing of some sentences is awkward, such as “please contact with our Executive over the call within 24 hours.” The REAL PayPal service would never make these mistakes! It shouldn’t surprise you that the phone number in this final smelly phish, 833-285-1037, also turns up on the Turkish government web page. That shared number is strong evidence that all of these phishing emails were created and sent by the same cybercriminal gang!
Southwest Air Ticket Giveaway is a Scam – Who would think that a Facebook fan page, with more than a million comments, is just another scam? Check out this scam alert on Scamadviser.com to learn more about this bogus ticket giveaway!
Social Media Abusing Consumer Privacy…. Again! – What a shock! (Said dripping with sarcasm.) Twitter was caught misusing (abusing) personal consumer information, again! If you have a Twitter account, it seems that your email address and phone number were handed to third-party advertisers for ad targeting without your consent or knowledge. Twitter had told consumers that it needed your email and phone number “for security purposes.” Twitter has recently agreed to pay a $150 million fine to the FTC for this transgression! Do you think any Twitter account holders will see any of that compensation? We doubt it. To read more about this abuse, check out:
There have been several other abuses by Twitter, such as in 2010 and 2020. And Twitter is not the only social media company found to have abused, or hidden abuse of, consumer personal data. Facebook (Meta), the owner of Instagram and WhatsApp, has been found to abuse consumer data many times in the last decade. This is always followed by a promise from Mark Zuckerberg to “do better.” **Eye Roll**
With Father’s Day coming up soon in the United States, we want to raise everyone’s awareness about scams and malicious clickbait disguised as Father’s Day promotions. Check out this recent Scamadviser article titled ‘Top Father’s Day Facebook Scams of 2022’.
Also recently, we saw an email sent by Barbizon Lighting, a small stage lighting supplier in New England. The email notified customers of a very serious threat that is, sadly, quite common. It said…
“A cyber threat actor has registered a “look-alike” domain name that is only one letter from Barbizon’s actual domain name on Friday. This newly registered domain name has one additional “i” – baribizon.com.
This “Doppelgänger” domain was used for a phishing attempt against at least one Barbizon customer within hours of being registered. Thankfully, our customer was not deceived by the socially engineered attack and alerted us immediately. We are working with providers and registrars to report the abuse and hopefully get the domain shut down. Please remain alert when reviewing any email that claims to be coming from Barbizon – ensure that the email is actually coming from Barbizon.com. If possible, ask your IT department to have your email provider block the false domain baribizon.com.”
Though, technically, a Doppelgänger domain is a slightly different type of malicious mimic (it is a legitimate hostname with a dot dropped, for example mailexample.com standing in for mail.example.com; see Wikipedia’s explanation), while baribizon.com is a one-letter look-alike, the point from Barbizon’s email is well made. LOOK CAREFULLY at the domain names of the emails you receive and of the links you are about to click!
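A mail gateway can catch both kinds of mimic mechanically: a look-alike is a domain within an edit or two of a domain you trust, and a Doppelgänger is a known hostname with one dot missing. The script below is an added example written for this issue (it is not Barbizon’s tooling), using only the Python standard library. The trusted list contains barbizon.com because the item above names it; the mail.example.com hostname used for the Doppelgänger case is hypothetical.

```python
"""Classify a sender domain as trusted, look-alike, Doppelgänger or unrelated.

Stdlib only. TRUSTED and KNOWN_HOSTS are assumptions for this example.
"""


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def doppelganger_forms(hostname):
    """Every hostname obtained by dropping one dot, except the dot before the TLD.

    mail.example.com -> {"mailexample.com"}
    """
    labels = hostname.lower().split(".")
    forms = set()
    for k in range(1, len(labels) - 1):
        merged = labels[:k - 1] + [labels[k - 1] + labels[k]] + labels[k + 1:]
        forms.add(".".join(merged))
    return forms


def classify(sender_domain, trusted_domains, known_hostnames=(), max_distance=2):
    """Return (verdict, reference domain, edit distance to that reference)."""
    sender = sender_domain.lower().rstrip(".")
    if sender in trusted_domains:
        return ("trusted", sender, 0)
    for host in known_hostnames:
        if sender in doppelganger_forms(host):
            return ("doppelganger", host, levenshtein(sender, host))
    nearest = min(trusted_domains, key=lambda d: levenshtein(sender, d))
    distance = levenshtein(sender, nearest)
    verdict = "lookalike" if distance <= max_distance else "unrelated"
    return (verdict, nearest, distance)


TRUSTED = ["barbizon.com"]            # the brand named in the item above
KNOWN_HOSTS = ["mail.example.com"]    # hypothetical hostname for the Doppelgänger case

if __name__ == "__main__":
    for candidate in ["barbizon.com", "baribizon.com", "mailexample.com", "mywuprod.com"]:
        print(candidate, "->", classify(candidate, TRUSTED, KNOWN_HOSTS))
```

Keep max_distance small: at 1 or 2 it catches one-letter insertions like baribizon.com and single-character swaps, while unrelated domains of similar length stay well outside it. Feed it the domain after the @ in the From header (and the Reply-To, if present), not the display name.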
In recent weeks, we pointed out how cybercriminals use vanity scams to manipulate your clicking behavior, such as extending recognition for someone’s accomplishments in business and asking them to join a “Who’s Who” of business people. Here’s the latest example of this vanity scam… You’ve been “nominated for inclusion in the 2022 Professional Who’s Who publication.” Except that the email address this phony-baloney came from makes no sense. The link in this clickbait points to a page hosted on a misused email service, and that link is 100% malicious! Yes, congratulations indeed!
Wells Fargo Bank, Symantec and All Sports Product Purchases – We received this poorly crafted phishing email from an address called “onlinestore” at apm[.]mc, a domain located in Monaco. The scammers incorrectly named the bank “Well Fargo” instead of Wells Fargo! The link to “Confirm your account” points to a hacked consumer goods website written in Arabic! Deeeeleeeeete!
This next phish shows how cybercriminals will sometimes purchase or steal data about the people they target. This email contained the email address and full name of the owner of that address, thereby making this scam seem more plausible. However, as you can see, it came from a free Gmail address and the English content contains some significant errors, actually making the email funny to read!
And finally, we end with a phishing scam that is much better crafted than the previous one. It was sent through the Intuit bill-pay system, a legitimate service businesses often use to send invoices to clients, so the sending address and the email’s authentication all look clean. Of course, you are invited to call the scammer’s bogus phone number if there are problems with this invoice. However, look at the email’s “reply-to” address…. It points to symantec-orders[.]com. This is NOT a real domain associated with Symantec, and it was registered just 24 days before this scam email was sent! When a message arrives through a legitimate service, the reply-to address and the age of its domain are the tells to check.
Senior Discounts and Dick’s Loyalty Program – Cybercriminals routinely steal the content of legitimate websites and newsletters, repurpose it with their malicious links and hit send. However, we find that they often don’t have an eye for details. In this malicious clickbait there are two headlines. One says “22 Senior Discounts” and the next one says “21 Senior Discounts.” And because cybercriminals often repurpose previous clickbait, they often don’t change everything that should be changed. Look at the very bottom of this clickbait and see that this supposed “senior discounts” email came from “Green Ideas for Decorating.” Lunge for the delete key!
Many readers have sent us several different versions of this promotional email from the Dick’s Sporting Goods Loyalty Program. But it didn’t come from Dick’s or any legitimate marketing service! That SendGrid link redirects visitors to a VERY malicious website called incarnetionfive[.]com. It was registered last November and LOTS of security services recognize it as malicious! (See screenshots below.)
The Catholic Church and Sexual Abuse – Cybercriminals have repeatedly shown that NO subject is off limits in their pursuit of financial gain. They are truly horrible human beings, and here is one more example of why we say this. We recently received the email below from “Clergy Abuse Settlements” in the inbox of one of our honeypot accounts. It claims to offer possible compensation to those who suffered sexual abuse by a Catholic Church employee. But this is nothing more than malicious clickbait, intended to infect your computer with malware. These bastards clearly have no soul, no shame and no remorse for the pain they cause people around the world every day.
Netflix and “Rent to Own” – One of our readers sent us this first screenshot. Unfortunately, we don’t have the email address it came from or the link that the “pdf” file pointed to, but we are 100% certain this is malicious clickbait! Notice the many capitalization and grammar errors in the text! No, your Netflix account is not “temporary Locked.”
The housing market, both for renters and buyers, is insanely busy and prices reflect that insanity. It’s therefore not surprising that one of our readers received this text from 281-777-1952. She was asked to visit a website called rent2owncheap[.]com. That domain was registered via Namecheap less than a week before she got this text; the Icelandic address in its WHOIS record is the registrar’s privacy service, not the scammer’s location. Deeeleeeete!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands