Weekly Alert  |  March 2, 2022

Scamadviser has some exciting news! Before we get into this week’s Top Story, we wanted to tell you about a new effort to help you better learn how to recognize online fraud. Scamadviser is going to set up a new educational website offering a set of online video courses to help consumers recognize scams. And we want YOU, our readers, to help them pick a name!  Please take this simple poll and select the name you would like them to use for this new service! 

    At first glance, Oritza Bank (oritzabank.com) looks like a routine bank website.  You can actually choose to display the website content in more than 50 languages and dialects from around the world! There is a robust list of banking and financial services listed on their Services web page, although every one of those links points to the same page asking you to log in to an existing account. But if you scroll down their top page, amongst all the impressive graphics, information and professional design, you’ll find three pieces of information that struck us as MAJOR RED FLAGS….

    1. Oritza Bank says “Dot Bank offers various deposit offers in all international currencies with interest rate up to 25% for all regular clients.”  25% INTEREST RATE?! And who the heck is “Dot Bank?”
    2. Oritza Bank says “We offer amazing amount of cashback for payments made with one of our credit cards – Blue, Green, or Orange. – Up to 30% Cashback.”  UP TO 30% CASH BACK?!

    3. Oritza Bank says they have issued more than 745532 credit cards. Further down their web page they say they were founded in 2002.  This is all quite remarkable since their domain, oritzabank.com, was registered anonymously in Iceland just 5 days earlier!

      Now our “spidey-scam-senses” were tingling! We crawled every inch of that site, looking for more things that didn’t add up.  For example, we found that the address listed for this bank in the UK, 101 Gresham Street, London EC2V 7NG, United Kingdom, doesn’t exist. (Also they misspelled United Kingdom as “United Kindgdom.”)  Gresham Street ends at #99. Going beyond the real street numbers is common scammer practice to make their location believable!  However, we were not expecting what happened next. And it is absolutely why we know that the cybercriminals who created this website are lazy.

      An important technique in any of our investigations of a suspicious website is to search for unique phrases found on a website, and conduct reverse image searches for pictures, ESPECIALLY pictures of people who are identified by name! The reason is that fake websites frequently steal real content from legitimate websites. Oritza Bank had 3 testimonials about how wonderful their services were.  These comments were made by “Mildred Bates – Jewelry Shop Owner,” “Marie Hanson – Charity Organization Manager” and “Ann Smith – International Company Owner.” When we conducted searches for these women and their quotes, we discovered identical content on more than 51 other bogus banking websites created in the last 3 years! (We say “more than” because we didn’t bother visiting suspicious websites in Asia on Chinese, Russian, or Taiwanese servers.)

      For example, the photo of “Mildred Bates” was found on LOTS of websites around the world! She was named “Denise Abela” on a website called ArtatHome.com.mt which Scamadviser found to be suspicious. She was named “Vinisha Vinny” (Web Developer) on a Quora.com page, and named “Emma Villa” from Genova at the bottom of an Italian medical website called infobariatrica.it. But MOST importantly, we found “Mildred Bates” listed on many fake bank websites such as ForestWoodBank.com (You’ll see her testimonial scroll through at the bottom of the page.)   And we discovered that THE REAL photo was taken from a stock photo website called DepositPhotos.com.

        When we searched for Mildred’s last quoted sentence “Securing financing helped us renovate and expand my jewelry shop and attract more clients” we discovered that her quote was attributed to “Marie Hanson – Charity Organization Manager” on LOTS more fake banking websites…

        And so we spent a few hours going down a deep, dark rabbit hole that seemed to have no bottom!  Every search we conducted turned up more and more identical content on more FAKE BANK WEBSITES.  Searching for “new” content on these other fake sites kept turning up MORE FAKE BANK WEBSITES!  We finally had to turn off the light and get some sleep!  Given the sites we crawled, and the links we found to other sites in Asia, including Russia and China, we suspect that there are at least 75 fake bank websites using the same, or nearly the same, content and images… but with different bank names!  That’s what happens when a scammer gets lazy!  Instead of creating new content for each scam site, he thinks no one will notice that he’s reusing the same content and pushing out new scam bank sites every month or two.

        Well, we’ve noticed!  Read our feature article to see the list of all these bogus banks (including 3 other scam banks previously posted there but unrelated to these scam sites.) In our feature article, you’ll also find more reasons why these are scam sites AND tips on how to recognize scam banks!

        Speaking of Banks, Mr. Robert Cashman is the President and CEO of Metro Credit Union in Massachusetts, USA and a personal friend. His Bank’s website is MetroCU.org and, by contrast with these scam sites, it was registered on the web in 1997! If you visit the Locations web page, you can verify each and every location as real!  Mr. Cashman recently sent out an important email to the Metro Credit Union community members with valuable information about scams.  He’s given us permission to repost a portion of his message here…

        “Please be aware that fraudsters will spoof legitimate phone numbers and email addresses to trick you into giving them your personal account information. Scammers will go so far as to pretend to work for Metro. If you offer details in response, scammers can take control of your accounts.

        Recent scams have involved gaining access to online banking accounts and setting up fraudulent transfers.  A current scam involves phone calls asking to verify recent transactions to help prevent potential fraud.  Once information is provided and verified, scammers are setting up unauthorized account transfers through Person-to-Person (P2P) payment systems such as Zelle and Venmo.

        You should always be cautious of anyone contacting you – by phone or email – for personal information including your Metro account information or iBanking credentials, even passwords and passcodes.”

        Excellent advice indeed!

        When Scammers Get Angry! – When we say that we have the same problems you have for being targeted by scammers, we mean that times 100! Take, for example, this screenshot of malicious emails in one man’s spam folder at his business email. It shows 18 malicious emails received over the course of a week. **By the way, did you know that most email programs will show you a popup of an email address, without opening the suspicious email, if you hover your mouse over the name in the FROM field (without clicking)? For example, the email below from “Zoosk Dating” (a legitimate dating service), came from a malicious domain called loolwfing[.]shop. This malicious domain was registered in India the day before this email was sent.**

        Now let’s take a look at Doug’s spam folder showing emails OVER A 12 HOUR PERIOD OF TIME. (Keep in mind that this screenshot also excludes about ten more random emails from “women” whose subject lines say they are excited for Doug to join them in “adult activities” as well as emails about methods to enhance certain male body parts! –We like to keep our newsletters appropriate for all ages.)  There were more than 35 malicious emails in this 12 hour period!

        From a purely graphical perspective, the man’s business spam folder looks like a genuine effort to trick him into clicking malicious links. Fortunately, they are all landing in his spam folder and he wasn’t too worried about being targeted.  And from a purely graphical perspective, Doug’s spam folder looks like scammers are SHOUTING ANGRILY AT HIM!  Perhaps it’s because he’s pissing them off? We’re pretty certain that cybercriminals are reading this newsletter and so we have a message for them…. Yo, dudes. Take a chill pill and calm down. It’s OK. Just get used to us. The Daily Scam and Scamadviser teams aren’t going anywhere as long as you are being sleazebag leeches and targeting the public with your scams and malicious clickbait.  But we want to thank you for your effort to target us.  It gives us great content to share with our readers!  Keep it coming, but you gotta relax. We wouldn’t want your blood pressure to get too high. It’s bad for your health.

        In past newsletters, we’ve told readers about one young man’s “fake female friends” targeting him with emails that are created by using Gmail signature fields, because it’s easier and faster to spin off 100’s of scam emails this way.  The scammers sending those emails must subscribe to our newsletter too! Just a couple of weeks ago, the same young man heard from “Linda” (or was it “evgen kazakow70”?)  For the first time ever, this particular “woman” told the young man “hello that is my email box” and didn’t paste her message into the signature field. How sweet! But the young man told us he still doesn’t respond to this crap.  Sorry, Linda.

        Track Your Package (UPS), Amazon, Chase Bank and Paypal – One of our readers in the US sent us this phish that came from a website in the UK.  Apparently his order can’t be shipped until he pays the $1 shipping cost.  That’s right.  One dollar.  But wait! The link to track his package and pay the fee also points to another website hosted in the UK.  When we visited the link, we were told this was a UPS website and we were asked to enter personal information.  No thanks! Fortunately, that website is blacklisted by McAfee Security!

        Another Amazon Phishing Scam? What a surprise! **said dripping with sarcasm** Here are two! Neither came from amazon.com.  The first may LOOK LIKE it did but that email address “no-reply@amazon.com” was simply placed in the name field as text.  If you read the email, you’ll agree that the sender’s first language is NOT English!

        The second Amazon phish below came from a personal Gmail account and the TO field included several dozen email addresses! (We removed most of them to save space.)  Gee…. Do you think “amazon” would capitalize their own name?  No matter. You’re welcome to call these scammers at 844-659-1432, SCREAM and then hang up!
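Both sender tricks described above (an address typed into the name field as text, and a brand name on a personal mail account) can be checked from the raw From header. The following is an added example, not code from The Daily Scam or Scamadviser; the `BRANDS` allowlist, the function names and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allowlist: brand word -> domain the brand really sends from.
BRANDS = {"amazon": "amazon.com", "chase": "chase.com", "paypal": "paypal.com"}
# An email address appearing inside the display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[\w.%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def same_org(domain, expected):
    """True if domain is expected itself or one of its subdomains."""
    return domain == expected or domain.endswith("." + expected)

def check_from(header, brands=BRANDS):
    """Return a list of finding codes for one raw From: header value."""
    name, addr = parseaddr(header)
    sender_domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not sender_domain:
        return ["unparseable-sender"]
    findings = []
    # Trick 1: an email address placed in the name field as plain text
    # that does not match the address the mail was really sent from.
    shown = ADDR_IN_NAME.search(name)
    if shown and not same_org(sender_domain, shown.group(1).lower()):
        findings.append("address-in-name-mismatch")
    # Trick 2: a brand in the name, but mail sent from an unrelated domain.
    for brand, domain in brands.items():
        if brand in name.lower() and not same_org(sender_domain, domain):
            findings.append("brand-domain-mismatch")
    return findings

# Constructed sample headers (not copied from the emails shown on this page).
SAMPLES = [
    '"no-reply@amazon.com" <billing@mail-notice.example>',
    '"amazon" <shopper.help2291@gmail.com>',
    '"Amazon.com" <no-reply@amazon.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```
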

        Uh, oh! Our Chase account has been suspended! Or so you are led to believe.  The link to “Verify Identity” points to a link shortening service instead of Chase.com.  We used Urlex.org to unshorten it and discover that you’ll be redirected to a phishing page on 4nmn[.]com. This scam site is registered, and being hosted, in a country that is not being very nice at the moment…. Russia. Fortunately, lots of security services know that this site is malicious.

        Finally, we have a lovely email sent to you from Taiwan (“.tw” = Taiwan). The sender wants you to believe it is about your Paypal account. Did you notice that in all of these fraudulent emails, what’s missing is your real name and address? At best, they include your email address or the username in front of the “@” symbol.

        Gift Cards and Winners! – One of our longtime readers sent us this lovely “Congratulations!” email. Just for sharing his opinion in a marketing survey, he was offered $100! Except that this was malicious clickbait pointing to a server in the Netherlands. Step back from this ledge!

        Speaking of congratulations, how about this email that did NOT come from Sam’s Club? Congratulations! You are our winner!  The link contained a redirect to the shortening service at bit.ly which sends the victim to a malicious website called grammio[.]net.  Can you guess where this website was registered last August using the “We-Don’t-Give-A-Damn” Registrar called Namecheap?  It was….Iceland! Lunge for the delete key.

        Action Needed – One of our readers sent us this very dangerous clickbait.  She was told that her “McAfee Total Subscription” had expired and she was able to renew it by clicking RENEW. It’s bizarre that this email appears to have come from honda.com.  But we wanted readers to understand that it is NEVER SAFE to click an unsubscribe button in a suspicious or malicious email!  That’s usually the same as pulling the pin from a hand grenade.  Understood?

        Message From Verizon, Fidelity, and Money for You! – Before we dive into some of this week’s malicious texts, we wanted to show you a legitimate text from CVS pharmacy and point out WHY it is legitimate! First of all, the text came from a short code. Short codes are set up through a registry that requires companies and organizations to pay a higher fee to use them.  This simply means that short codes are HIGHLY LIKELY to represent legitimate businesses and organizations.  This CVS Pharmacy text came from the 6-digit shortcode 287-287. Scammers NEVER use shortcodes! This text also contains two links and each link CLEARLY shows the correct domain for CVS directly in front of the first single forward slash:  cvs.com/   (The “i” and the “e” in front of cvs – separated by a period – are subdomains.)

        Let’s contrast this with the following malicious texts. They came from random phone numbers and contain links that don’t point to Fidelity Investments, Verizon or whatever the heck that last one is supposed to be!  All links are malicious!
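The link check described for the CVS text, reading the domain that sits directly in front of the first single forward slash, can be written out as follows. This is an added example, not code from The Daily Scam or Scamadviser; the function names, the message texts, the link paths and the `.example` hosts are constructed for illustration, and the check goes slightly beyond the newsletter's case by also handling a brand name placed before an "@" in the link.

```python
import re
from urllib.parse import urlsplit

# A link as it appears in a text message: optional scheme, a dotted host, then "/".
LINK_RE = re.compile(r"(?:https?://)?[^\s/]+\.[^\s/]+/\S*")

def link_hosts(text):
    """Return the real host of every link found in a message body."""
    hosts = []
    for match in LINK_RE.finditer(text):
        url = match.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "https://" + url  # texts often omit the scheme
        # urlsplit drops anything before "@" and any port, leaving the host.
        hosts.append((urlsplit(url).hostname or "").rstrip("."))
    return hosts

def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_text(text, domain):
    """Pair each link's host with whether it really belongs to domain."""
    return [(host, belongs_to(host, domain)) for host in link_hosts(text)]

# Constructed messages: one in the shape of the CVS text, three lookalikes.
LEGIT = "CVS Pharmacy: Rx ready. Details: i.cvs.com/abc123 Stop: e.cvs.com/stop"
LOOKALIKES = [
    "CVS: confirm refill at https://cvs.com.rx-refill.example/login",
    "CVS: pay now cvs.com@rx-refill.example/pay",
    "CVS: reward waiting cvs.com-rewards.example/claim",
]

if __name__ == "__main__":
    for message in [LEGIT] + LOOKALIKES:
        print(check_text(message, "cvs.com"))
```

In each lookalike the text "cvs.com" appears in the link, but it is not the end of the host name in front of the first single slash, so the check reports the link as not belonging to CVS.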

          Until next week, surf safely!

          Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.

          Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands
