Weekly Alert  |  June 22, 2022

2 Reasons Why the Internet Favors Criminals

For nearly a decade we’ve been shouting through a hail storm of scams that the Internet is designed to favor criminals. No one listens. **sigh** Examples of what we mean turn up every week! And yet, we strongly believe that two critically important decisions could make online fraud much more difficult to perpetrate AND offer far greater protection to netizens of the world. One decision must come from ICANN, the keeper of the keys concerning domain names (@ICANN). But ICANN REPEATEDLY demonstrates how greedy they are by enjoying the income they earn from criminals who register millions of scam and malicious domain names, instead of prioritizing the public’s safety. The other decision must come from the companies that create our web browsers, e.g. Google Chrome, Microsoft Edge, Apple Safari, Firefox and our email programs. But these companies have no incentive to create this simple safeguard we describe below. And since there are no Internet Laws, or any country with a governing body overseeing the “world wide web” to force this change, it’s not likely to happen. Let’s start with the most simple idea…

Every member of the team at The Daily Scam and Scamadviser receives daily malicious emails, texts and phone calls. (Probably like all of you!) Last week Doug exposed several reasons why Google and Amazon cannot be trusted any more than any other website (which isn’t saying a lot) and shared some of the threats that targeted him. Again, on June 14, he received another such email containing a link that appeared as Google.com but pointed, instead, to a link shortening service. Companies that create web browsers and email programs should be required to code their applications so that they raise a warning when the link displayed does NOT match the link actually embedded. So instead of leaving it for any email recipient to notice this discrepancy, there should be a popup warning asking the person to confirm their wish to continue! Instead of this…

It Should be this…

Of course the bit.ly link was 100% malicious! It redirects him to an AmazonAWS.com link which contains a built-in redirect to yet another website registered anonymously 1 week earlier, called natgentcontents[.]world and hosted on a server in Finland.

WHOIS records are easily available from many resources on the Internet. This information should automatically be available to the public by simply doing a “control-click” or “right-click” on a link! And identifying domains registered less than 3 months ago should automatically generate popup warnings such as this sample we created about a very REAL Amazon phishing threat that landed in a newsletter reader’s inbox on June 19…
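The age check described above could look like the following, an added example that is not from the newsletter or any browser: it reads the creation date out of WHOIS text and produces a warning for domains younger than three months. The WHOIS records, the `.example` domain names, the accepted field labels and the 90-day reading of "3 months" are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone

MIN_AGE_DAYS = 90  # assumption: "less than 3 months" taken as 90 days

# Field labels vary between registries; these three are an assumed subset.
CREATED = re.compile(
    r"^[ \t]*(?:Creation Date|Created On|created)[ \t]*:[ \t]*(\S+)", re.I | re.M)

def creation_date(whois_text):
    """Return the registration time as an aware datetime, or None if the
    record has no parseable creation date (missing or redacted)."""
    match = CREATED.search(whois_text)
    if not match:
        return None
    try:
        parsed = datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def age_warning(domain, whois_text, now):
    """Return warning text for a young or undatable domain, else None."""
    created = creation_date(whois_text)
    if created is None:
        # Fail closed: no date means the age claim cannot be verified.
        return f"WARNING: {domain}: registration date unavailable"
    age_days = (now - created).days
    if age_days < MIN_AGE_DAYS:
        return f"WARNING: {domain} was registered only {age_days} days ago"
    return None

# Constructed WHOIS excerpts; none of these describe a real registration.
NEW_RECORD = """Domain Name: NEW-SHOP.EXAMPLE
Creation Date: 2022-06-15T09:30:00Z
Registrar: Example Registrar, Inc."""
OLD_RECORD = """domain: old-shop.example
created: 1998-03-04"""
REDACTED_RECORD = """Domain Name: HIDDEN.EXAMPLE
Creation Date: REDACTED"""

# Fixed reference time (the newsletter's date) so the output is repeatable.
REFERENCE_NOW = datetime(2022, 6, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, record in [("new-shop.example", NEW_RECORD),
                         ("old-shop.example", OLD_RECORD),
                         ("hidden.example", REDACTED_RECORD)]:
        print(age_warning(name, record, REFERENCE_NOW) or f"ok: {name}")
```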

The other issue that we feel is completely unacceptable is the fact that cybercriminals routinely register domain names that would never pass a simple security check point. Here is a very recent example that arrived as a text to one of our U.S. readers. The message starts with “your citi online account was locked.” Any artificial intelligence should understand that this text pretends to represent CitiBank. Citibank uses the domains Citibank.com, Citi.com and CitiGroup.com. However, the link in this text is for CitiCustomerHelp03b[.]com. A simple check against a WHOIS record shows that this domain was registered 4 days earlier to someone identified as “Darisma fauziah” in Balikpapan, Indonesia. It is possible to conduct a reverse search of domain names by ownership. This was demonstrated by Robbie Ferguson in his 2020 blog article titled Domain Names Owned by Citibank. As you might guess, a reverse domain search does not show CitiCustomerHelp03b[.]com owned by anyone associated with Citibank!

Other examples of domain names that should never have been allowed to register can be found in an article published in February, 2022 on The Daily Scam and titled Fake Online Banks & Trading Services. (We’ve updated it as recently as 5 weeks ago.) In this article we’ve listed more than sixty fake banks. Some of the scammers have registered domain names that are CLEARLY fraudulent and similar to REAL banks and their domain names. WHY IS THIS POSSIBLE or ALLOWED? AI can easily be programmed to review requests to register domain names and compare them to known, previously registered and legitimate domain names. Here are just a few examples of scammers’ domain names and the legitimate names they pretended to represent:

Capital One Bank:
Real domain: capitalone.com
Scammer’s domain: capitalonbk[.]com

First National Bank USA:
Real domain: fnbusa.com; fnb-online.com
Scammer’s domain: firstnbusa[.]com

Union Bank of Switzerland (UBS):
Real domain: ubs.com
Scammer’s domain: ubsofficial[.]org

Vintage Bank of Kansas:
Real domain: vintagebankks.com
Scammer’s domain: vintagebank[.]pw
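The comparison argued for above, as an added example (not code from the newsletter, ICANN or any registrar): a requested domain name is screened against the legitimate domains listed in this article, using an embedded-brand rule plus a spelling-similarity score. The 0.7 threshold and the `gardenclub.com` control name are assumptions; the embedded-brand rule also matches ordinary words that begin with a short brand string, so a hit means "send to human review", not "reject".

```python
from difflib import SequenceMatcher

# Legitimate domains named in the article above.
PROTECTED = ["capitalone.com", "fnbusa.com", "fnb-online.com", "ubs.com",
             "vintagebankks.com", "citibank.com", "citi.com"]
SIMILARITY_THRESHOLD = 0.7  # assumption: chosen against this article's examples only

def name_label(domain):
    """The label just left of the TLD, e.g. 'capitalone' for 'capitalone.com'.
    Assumes a single-label TLD; multi-part suffixes need the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def screen(requested):
    """Return (legitimate_domain, reason) if the requested name should be held
    for review, or None if it resembles nothing on the protected list."""
    requested = requested.lower().replace("[.]", ".")  # accept defanged input
    if requested in PROTECTED:
        return None  # the legitimate domain itself
    candidate = name_label(requested)
    best = None
    for legit in PROTECTED:
        brand = name_label(legit)
        if candidate == brand:
            score, reason = 1.0, "same name under a different TLD"
        elif candidate.startswith(brand) or candidate.endswith(brand):
            score, reason = 1.0, "brand name embedded in a longer name"
        else:
            score = SequenceMatcher(None, brand, candidate).ratio()
            reason = "spelling close to brand name"
            if score < SIMILARITY_THRESHOLD:
                continue
        if best is None or score > best[0]:
            best = (score, legit, reason)
    return (best[1], best[2]) if best else None

if __name__ == "__main__":
    # Scam domains quoted in the article, plus one constructed control name.
    for name in ["capitalonbk[.]com", "firstnbusa[.]com", "ubsofficial[.]org",
                 "vintagebank[.]pw", "citicustomerhelp03b[.]com",
                 "capitalone.com", "gardenclub.com"]:
        hit = screen(name)
        print(name, "->", f"REVIEW, resembles {hit[0]} ({hit[1]})" if hit else "ok")
```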

But, as we stated in our opening opinion, ICANN cares more about the money they make from criminals than the safety of netizens.  Companies like Google or Firefox or Apple have little incentive to add extra security features because….

  1. It costs them money to develop their AI programming
  2. There is no governing body requiring them to do it!

Imagine, for a moment, if ICANN stepped up to put citizens of the world first and did the following 3 things…

  1. Create a single database of all WHOIS records that was easily searchable and contained up-to-date information available so that the public can easily search and understand it, or APIs (Application programming interfaces) could interact with it in real time to provide the information it contains to other sources, such as a control-click (right-click) of a domain name within a web browser.
  2. Create an independent division of ICANN that is completely focused on Internet security and fighting the massive volume of fraud that misuses domain names!
  3. Require Registrars, who are licensed by ICANN and sell domain names, to devote a percentage of their resources, staff, money, etc. to fighting online fraud and misuse of their services! And hold these Registrars accountable immediately if they fail to do a reasonable job! If they don’t, they lose their licenses! (MANY people, for example, have called out the registrar called Namecheap for its very poor effort and response to security and fighting fraud! Read this article on The Register as just one example of what we are referring to. In our experience investigating fraudulent domains, Namecheap has been the registrar most often used by cybercriminals to purchase domain names during the last 4 years.)

Imagine that! Imagine ICANN devoting some of their enormous income from domain sales to investigate misuse OF THEIR SERVICES and the Registrars they license! This effort would dramatically reduce online fraud and make it harder for cybercriminals to operate. This effort would greatly reduce the financial and emotional pain suffered by millions of people across the world! But, sadly, it will never happen. SHAME on the people who run ICANN!

Common Amazon Prime Day Scams & 5 Tips for Avoiding Them

Amazon Prime Day 2022 has been confirmed to take place in July. But as you’re preparing to save some serious cash on some great deals, scammers are preparing to do everything they can to steal your money and personal data.

Variety is the Spice of Life? Not Concerning Scams!

Last week, several readers, and our friend Rob, sent us a variety of interesting scams, many of which were voice messages left on their phones. We also saw some posts on websites about currently active scams that we’ve not reported in a while. You know what they say about variety…. It’s the spice of life, right? Except when it comes to scams! Let’s start with this very funny voice message that Rob received from 516-273-7867 on June 14. Snapping into immediate action, our friend turned on his BOT AI to have a lovely conversation with the Scammer’s AI. Listen to their back and forth and be patient during the few seconds of silence while each BOT figures out what to say to the other BOT! It begins with “This is an emergency alert call for your computer!” We LOVED Rob’s bot and want to hire her!

Rob truly enjoys engaging with the scammers and wasting their time. And it’s not just his AI who has all the fun! Here’s a recording of another scam team he engaged with on June 17 who pretended that his credit card had been charged for a renewal of Norton Utilities, security software. Rob said that the scammer started to ask him questions and then the scammer put the phone down to consult with someone else without putting Rob on hold. If you listen carefully, you can hear that the scammer has an Indian accent. You can also hear the scammers having a conversation in the background in another language that might be Hindi, along with some English. (You might have to crank your sound up.) If you can definitively identify the language they are speaking, please let us know!

Do you think scammers won’t come up to your door and knock on it? Think again! A woman posted the following on a neighborhood site in Nextdoor.com last week. It is a warning that we want to strongly echo to our readers: “A man came to my door alleging to be from National Grid. He wanted to come inside my home and after I refused he asked to look at my National Grid bill. I refused all his requests and he eventually left. I then called National Grid and they confirmed he’s not an employee. I also called the police and was told this is a known scam. Attached is the picture of the man.” (National Grid is her local Utilities company.) Here is the picture she posted. Notice that the scammer is wearing a lanyard that he hopes will make him appear “official.”

Also on Nextdoor.com, a man posted a scam that has targeted the elderly for years now! The man said… “Beware of the scammers: The Grandfathers scam, this time it was, it’s your Grandson, my nose is broken, someone ran a Red light, totaled my car. I went along with it… where are you? Boston, he said, but the Police got me for DUI,  but I got a lawyer. My response was, I’ll call you right back! This guy was good, the sound of his voice with a broken nose, could have easily passed as him!” (my grandson)

IMPORTANT FOOTNOTE to those who use Internet Explorer: In case you hadn’t heard, after nearly three decades of use, Internet Explorer (IE) was officially retired on June 15, 2022. It is no longer being updated and that presents serious risks for those who continue to use it on Microsoft Windows devices. Instead, you should use Microsoft Edge. In the coming months, IE will likely disappear entirely from your Windows devices after a software update. If you’ve bookmarked lots of links in IE, you may want to export that bookmark list from IE and import it into Edge sooner rather than later!

Wells Fargo & USAA Banks, and Coinbase

No, we don’t have a Wells Fargo account. But that didn’t stop scammers from sending this rotten phish to us anyway. Though it says “From Wells Fargo online” you can clearly see that it appears to have come from itunes.com! (Bizarre!) Mousing over the link tells us something we already know. RapidCaseKicker[.]com is NOT the same as wellsfargo.com! Delete!

One of our longtime readers sent us another Wells Fargo wolf in sheep’s clothing! This one said “security alert about your account” and came from a crap email account at mycci[.]net. The link pointed to another crap domain called ctt[.]ac. Deeeeleeeete!

Another newsletter reader received this smelly carp disguised to look like an email from USAA Bank.  She told us that she doesn’t have any such account!  The email contained a pdf attachment and that attachment contained a link to eft-fund[.]org instead of usaa.com! At least 2 security services have already identified that DOT-org domain as a phishing domain. We grabbed a screenshot to show you below. Enjoy!

We don’t think too many of our readers have Coinbase accounts. Certainly not the reader who sent this to us! The email came from a server in Hungary telling her that her non-existent account had been locked! This is yet another example of how an email program should be able to identify that the link provided in the email does NOT send you to coinbase.com. In fact, the link points to Twitter’s link-shortening service at t.co which means you’ll be forwarded again! This time to a site in Australia (“.au” = 2-letter country code for Australia.) Hungary and Australia? Did you ever imagine you would become such a world traveler?

Calls From Amazon? And Russian Services Offered

One of our readers informed us that her cell phone received 13 voice messages on June 16 and 17 from unknown or different phone numbers, in less than 24 hours! They all claimed to be from Amazon and were calling her about her Amazon account. The callerID of one of these calls even said that it came from a phone number in Konin, Poland! (9 pm her local time, 3 am in Poland) It was: +48 63 288 52 17. Fortunately, she was smart enough to recognize the fraud and not answer any of the calls, which may explain why there were so many! They really wanted to talk to her! Listen to the short portion of the voice message she captured about “authorizing an order”…

Anyone with a website will tell you that they are routinely bombarded with solicitations via email and/or the site’s “leave a message” field or chat window.  That includes all of us at TDS and Scamadviser! One particular email did, in fact, catch our attention because it seemed like such a scam, errr….we mean… sincere offer from a fellow named Aleksandr Linnikov. The fact that Russia so brutally attacked Ukraine and is lying to their own people, prejudiced our decision not to reply. But that’s not the only thing that we didn’t like about Mr. Linnikov’s email. How many suspicious red flags can you spot in it? We found 3 that are critically important! (See below.)

Three red flags in Mr. Linnikov’s email are:

  1. He claims to represent an “eLearning App Development Company” and even says “We’re” –meaning a company of more than one person. And yet, he NEVER names the company!
  2. His email comes from a personal Gmail account rather than a company domain.
  3. He didn’t sign his email or enter his name and position in the email. We only learned his name by using Google Translate to translate the Russian to English that we saw in the text area of the FROM address.
  4. (We know. We said 3 but what the heck…) A Google search for Aleksandr Linnikov and eLearning App Development company turns up NOTHING in Google.  We also searched many variations of this, e.g. just his last name along with eLearning. Nada. Zip. Zéro!

DEEEELEEETE!

Scammers Prey Off of Russia’s Brutal War Against Ukraine – We wish to usurp this week’s “For Your Safety” column to draw attention to the fact that scammers are such low-life blood-sucking vampires, without an ounce of empathy for those they target or the causes they pretend to represent. Take this “lovely” offer that came from the CEO and Co-Founder of “The Golden Gate Realtor in Ukraine,” a man by the name of Aleksandr (Alexander) Bodashk. Thankfully, this scammer didn’t think about how easy it is to use a WHOIS tool or conduct a Google search. However, we did! A quick search informs us that “The Golden Gate Realtor in Ukraine” uses a website called TheGoldenGateRealtor[.]com. A WHOIS lookup showed us that this website was created just 24 days ago! And it was no surprise to learn that it was registered anonymously through Namecheap in Iceland. Apparently, Aleksandr Bodashk has a proposal for us.  Well, we have a surprise for him. It’s easy to show his website is a fake and we’ll make sure to do that!

We visited this scammer’s Realty website (24 days old) and met his “Team” of Realtors.  With confidence, we can say….

1. “Keith Bailey,” the Marketing Director, is a stock image found on many stock image websites, including here at iStockPhoto.com.

2. The photo of “Lyudmila Koromislova” led us to more than a dozen questionable real estate websites. Most of them showed this photo as a woman named Brittany Watkins but we don’t think this is her real name either. It is likely another stock image. Here are 2 of these links showing her as Brittany Watkins:

https://mutual-property.com/agent/brittany-watkins-2/ 

https://tayorealstate.com/agent/brittany-watkins/

Ironically, here is a very questionable website that looks similar to the Golden Gate Realtor site from Ukraine. It shows this same woman using the name “Danielle Murray”

3. Apparently, “Thomas Stevens,” the ICT Manager for Golden Gate Realtor Ukraine, is also a sperm donor who is proud to donate.  Check out his photo on a sperm donor fertility clinic here. Apparently, he was also a “third party apparel refurbisher” and posted his photo on a blog called “Darnit.” Oh, and he goes by lots of other names on lots of other real estate websites but we don’t want to send you to these questionable sites because we believe that some of them are hosting malware!

And so, after much contemplation about Alexander Bodashk’s offer, we’ve decided to pass and instead make a donation to the Red Cross in Ukraine.

    Best Way to Stop an Explosion of Scam Texts – One of our readers was recently hammered by BOT texts and asked us if there were any way to stop these bot-texts. As she told us… “They are driving me crazy. They chose a group of about 20 sequential phone numbers. Mine is about in the middle.” If you look at the crazy domain names in the texts that targeted her, it is interesting to note that NONE of these domains was registered! (Meaning they were all available to be purchased from Registrars.) We suspect that this means that the text links actually point to a different domain than the domains shown in the text. (We were sent screenshots.) But we’re certain the text links are malicious! When will the creators of our texting software be able to recognize and warn us that the link we see is not the website we’ll visit? Oh, yeah,…not too likely to happen. So how can you best prevent a deluge like this in the future? Though not perfect, you can purchase and install the Robokiller App. It’s pretty good from the reviews we’ve seen. And please… never, ever reply to suspicious or malicious texts!  It only encourages them to send more.

    Some of the domain names displayed in the texts:

    sarngirlfriend[.]me

    bathgirlfriend[.]me

    saengirlfriend[.]me

    sargirfrien[.]me


    Some of the email addresses used to send these lovely texts:

    Kadepqowueushzbnpoiuyt67 @ gmail.com

    Sadaia688 @ gmail.com

    Servicecementsoshg76 @ gmail.com

      Until next week, surf safely!

      Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
      have subscribed to it via Scamadviser.com or thedailyscam.com

      Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands
