Weekly Alert  |  March 15, 2023

Package Delivery Notices Not to be Trusted!

We have all received packages, mail or some type of delivery from lots of different sources. Cybercriminals know how ubiquitous deliveries are, as well. During the last few months we’ve been noticing an increase in the number of email and text threats pretending to be delivery notices from well known US services like FedEx, UPS and the United States Postal Service (USPS). We’ve collected a group of them to share with our readers to help you understand why these bogus delivery notices are not real! They are malicious threats designed to throw malware in your path or phish for account login information. They typically contain the real logos of these well known businesses. We hope you’ll never be fooled by these bogus delivery notices!

Let’s start with this bogus email claiming to be from the USPS. It even shows a legitimate logo for USPS.com, but it didn’t come from usps.com and the links don’t point back to usps.com! These scammers have abused two legitimate services in the creation of this fraud. The first is a service called Freshdesk.com, which was used to send this clickbait. NOTICE that the criminals who sent this fraud created a subdomain at Freshdesk called “uspsinformeddeliveryuscnunc190.” Subdomains are meaningless and are easily manipulated: anyone who controls a domain can name a subdomain whatever they like. The critical part of this FROM email address is to see that it came from freshdesk.com and NOT from usps.com! The links in this clickbait also do not point to usps.com. They misuse an email marketing service called sender.net. (Also, if you look carefully at this email, you’ll see that the creators made several coding errors resulting in things like “Dear ,”.) Delete and be happy you dodged a bullet!

This next clickbait wants you to believe it came from FedEx. However, like nearly all clickbait, the email did not come from the domain it claims to represent! Nor do the links point to Fedex.com! In fact, the links in this clickbait point to an oddball website called missykrueger[.]com. This odd domain was registered in Iceland, through Namecheap, in August of 2022. But that’s not your final destination on this malicious journey! The Zulu URL Risk Analyzer (see screenshot below) told us that little Missy is hosted on a server in Turkey and will redirect your click to another malicious website called Bolonies[.]com. Back away from this bear trap! Tell Miss Krueger that SHE is full of baloney!

This third example is an odd duck and unique because it isn’t clear who it actually represents, and the links point to an “IP address” and not a domain name. The email claims to represent “Express Service” but came from the domain bershka[.]com (using the subdomain “news.”). It even claims to include a photo of your undelivered package! The link to schedule your delivery points to the IP address 45.88.169[.]3 and NOT any recognizable domain name. Legitimate businesses will NEVER link to an IP Address! They’ll link to a recognizable domain name. This is clickbait! Delete!

To check out more samples of malicious clickbait disguised as texts, scroll down to our Texplosion column!


Social Media Credibility Concerns — If you have ever been personally targeted by cybercriminals then you likely know that they will usually gather information about you online to help them perpetrate their fraud. (Many of us at The Daily Scam and Scamadviser have been targeted multiple times. We guess these criminals don’t like what we do!) There is a wealth of information available online about people, and it can be a challenge keeping personal information private. There are hundreds of data brokers selling our data, and most of us use social media without realizing how public our information can be on these platforms. For example, we’ve seen fake look-alike accounts created, pretending to be a person. The scammers reach out to others, through the fake account, and try to scam them while disguised as that person. (Check out our brief description of this scam in our article “Facebook Phony.”) It’s important to protect your accounts online, keep them private, and don’t “friend” anyone who contacts you without verifying who they are. Use some discretion.

A few weeks ago, Doug at The Daily Scam received a LinkedIn friend request from a man who identified himself as Dan [LAST NAME REDACTED]. Doug doesn’t know Dan. At that time, according to his account on LinkedIn, Dan had 8 followers and identified himself as a “small parts manger” (his spelling error) at “nextdoor door company.” His account was completely public and showed only 1 post, from a week earlier, in which he “liked” a post from Carlton Natural Resources at a job fair. We mention this because we don’t feel that Dan’s account met our standard for trusting it enough to accept his friend request. Some of our readers may disagree with us, thinking “give this guy a break, he’s just starting out…” While this may, or may not, be true, we’ve seen evidence of too many social media accounts being scraped for data that is then used against the account owners and their friends. In October, 2020, one of our readers was targeted multiple times by “friend requests” from fake accounts of men on Facebook

Check out Dan’s LinkedIn account and ask yourself if you feel it is credible enough. Would you be willing to accept his request?

FOOTNOTE: Several weeks later, we see that Dan has gone from 8 followers to 14. His job description still contains the same misspellings and capitalization errors, etc. as shown below.

Speaking of credibility problems, check out this exciting request for a quote that we at The Daily Scam received not long ago. We spotted 6 serious red flags in this email that shout out fraud… 

  1. Mike McDermott says that he is the Chief Global Supply Officer for Pfizer Manufacturing in Belgium. But Mike sent his email from a website registered in France called TotalEngergies[.]fr. (There is a company in France called Total Energies, but their domain is listed as totalenergies.com.)

  2. Mike’s “reply-to” email address changes from quote@totalenergies[.]fr to mike.mcdermott@pfizersgroup[.]com. This change in email address is VERY common behavior of Nigerian 419 advance-fee scams and other scammers: the visible sender looks plausible, but any reply goes to an address the scammer controls. (See additional examples below.)

  3. The domain pfizersgroup[.]com was registered just 9 days before we got Mike’s email! The age of this domain is HIGHLY suspicious!

  4. Also, the actual business domain for the company Pfizer is Pfizer.com and was registered in 1992 by Pfizer, Inc.

  5. Why is Mike asking The Daily Scam to submit a quote for a high performance centrifuge? Seriously? We don’t produce them and we don’t use them. Though perhaps we could dump all the bogus texts, emails, advertising and other suspicious content we receive into a centrifuge, spin it down and concentrate all the fraud into a nice neat little pellet to flush down the toilet? Actually, we think this email was sent indiscriminately to thousands of emails. 

  6. We hope you notice the various capitalization errors in Mike’s first sentence. Details matter!

FOOTNOTE: Five days after getting the email below, we received another, identical email from Mike McDermott asking for a quotation. But this follow-up email came from the domain PfizerGroup[.]be. This domain has never been registered and doesn’t exist. The “Reply-to” address was again pfizersgroup[.]com.

Here are two more examples showing how the scammers sent an email from one address but changed the reply-to email to a different address! Anthony Long has a “huge” business proposal but doesn’t name his company and uses 2 email addresses from free email services.

Finally, this email from “UBA Group Bank” came from a free email address at the domain “accountant[.]com”, which immediately identifies this email as 100% fraud! We say this because the legitimate domain for UBA GROUP BANK is ubagroup.com. Also, any legitimate accountant will work for a company and/or have her/his own domain name to represent the company name. Generic email addresses like this are HIGHLY suspicious because they are heavily used by scammers.
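The red flags walked through above (sender domain not matching the claimed brand once the subdomain is stripped, a Reply-To that differs from the From address, links to bare IP addresses or off-brand domains, free-mail senders) can be checked mechanically. The following is an added example, not code from The Daily Scam; the sample message is constructed from the USPS/Freshdesk and Pfizer examples on this page, and the free-mail list and two-label domain rule are simplifying assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modeled on the examples in this newsletter (not a real message).
SAMPLE = """From: USPS Informed Delivery <notice@uspsinformeddeliveryuscnunc190.freshdesk.com>
Reply-To: quote@pfizersgroup.com
Subject: Your package could not be delivered
Content-Type: text/plain

Schedule redelivery: http://45.88.169.3/track
Or here: https://usps.com/track
"""

# Hypothetical short list of free/generic mail providers scammers favor.
FREE_MAIL = {"gmail.com", "yahoo.com", "accountant.com"}


def registered_domain(host):
    # Subdomains are meaningless; keep only the last two labels.
    # Assumption: no public-suffix list, so "example.co.uk" would be mishandled.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mail_domain(header_value):
    return registered_domain(parseaddr(header_value)[1].rpartition("@")[2])


def red_flags(raw_message, claimed_domain):
    """Return the list of red flags found for a message claiming to be from claimed_domain."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom = mail_domain(msg.get("From", ""))
    reply_dom = mail_domain(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    if from_dom != claimed_domain:
        flags.append(f"from-domain-mismatch:{from_dom}")
    if reply_dom != from_dom:          # replies are silently diverted elsewhere
        flags.append(f"reply-to-mismatch:{reply_dom}")
    if from_dom in FREE_MAIL:
        flags.append(f"free-mail-sender:{from_dom}")
    for url in re.findall(r'https?://[^\s<>"]+', msg.get_payload()):
        host = urlparse(url).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):   # link to a bare IP address
            flags.append(f"ip-link:{host}")
        elif registered_domain(host) != claimed_domain:    # link leaves the claimed brand
            flags.append(f"offsite-link:{registered_domain(host)}")
    return flags
```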

Oddball Phishing

Phishermen often target website owners with emails intended to trick the website owner into revealing their administrative login to the website. There are lots of ways that scammers can monetize someone else’s website, including posting malware on it to infect others, posting other phishing scams, and sending out fraudulent emails in the name of the business they’ve managed to hack. Below are two oddball phishing scams that targeted us at The Daily Scam to try to capture our administrative account information. This first one claims to come from our website’s “Domain Administrator,” which is funny because we don’t have one! But never mind that. Apparently we have 9 quarantined messages in our “quarantine portal” ready to be viewed. The scammer’s link in this email misuses the Amazon AWS service, again.

This second email actually came from someone we know and from his legitimate email address. But he didn’t send this email! We learned that his email account was hacked and the scammers sent out lots of malicious emails while pretending to be him. This particular fraud claims to have a link to a secure document, but the link uses a shortening service. We unshortened the link to discover that it points to a fake Microsoft phishing page posted on a free website hosting service.

        Deeeeleeeete!

Scammers continue to send out lots of phishing scams under the guise of Geek Squad renewals for premium protection services. They must hate Geek Squad! Like so many, this email contained an attached PDF file that doesn’t hold a single bit of information correctly identifying the recipient or his/her payment method! Lunge for the delete key!

Cash Back Mastercard Rewards and Home Improvement Toolkit

Lots of credit card companies play all kinds of games to attract consumers, including cash back rewards. Check out this attractive offer for up to 3% cash back on an Aspire credit card. Sounds good, right? Except that this offer came from an email at KnoxvillePiano[.]com! Not only does this make no sense, but Google can’t even find that domain. It turns out that it was registered through Namecheap in Iceland in early October of 2022 and is hosted on a server in Paris, France. Surprised? Don’t be! This reward has links that, once again, misuse the services at Amazon AWS.

This Milwaukee Tool Chest is just what every handyman needs to organize her/his many tools! But this clickbait came from a personal Gmail account, and the links point to a malicious web page set up with another link shortening service called cutt[.]ly. We’re certain that if you handle this particular tool chest, you’re going to get cut(ly). (Sorry, we couldn’t resist.)

Action Required! — Why do you suppose this “IT HelpDesk” is pleased to tell us that our password is about to expire in a few hours? That’s annoying! But this email came from invoiceoverdues[.]com, and the link to update our login credentials points to an email tracking service called mailpanion[.]com! Mailpanion is NOT our companion! By the way, invoiceoverdues[.]com was registered just 5 days before we got this exciting email.

        Delete!

UPS Delivery Notices! — This text wants you to think it is from UPS and about your UPS delivery but, of course, it isn’t. Let’s start with the fact that the link in the text points to a hacked server for a website in Florida called hitchingpostsfl[.]com. More clever is the source of this text. It was sent from a web domain called ViewSchedule-UPS[.]com. This malicious mimic was registered less than two months ago in Singapore, according to the WHOIS record.

        Delete!


A reader shared this text with us that she got from 347-525-3396. Apparently, her package could not be delivered “due to the wrong house number!” OMG! What business does this text represent? Who knows! But the scammers used another link shortening service to hide their destination and, of course, we unshortened it! Off you’ll go to holde1258[.]top to learn about your package! We all recognize that delivery service, right? Delete!

        Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you have subscribed to it via Scamadviser.com or thedailyscam.com

        Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands
