What is happening to Ukraine and the Ukrainian people is horrific and a senseless tragedy. Our thoughts and prayers are with Ukraine. Click on the above banner for a list of safe places to donate. See our Week in Review article to learn about those that aren’t.
The Internet Favors Criminals. Meet Eldridge Engels! — This story begins with a small piece of malicious clickbait sent to a woman at 6:30 in the evening of March 2. The email sender asked the woman to stop sending the nude photos she had been **supposedly** sending to the author of this email. “It is not okay!” The woman who received this email has been a longtime reader of our newsletter. She is very well trained and savvy about recognizing malicious clickbait so she didn’t step on this clever landmine that would likely have tricked others. When we peeked “behind the curtain” of this clickbait, we saw a familiar name used by cybercriminals for many years. This name, and this clickbait, are perfect examples of everything at work on the Internet that favors cybercriminals at your expense!
Did you notice that this email came from “Hi” using the email domain dotdiary.co[.]uk and that the links point to the odd domain buchiraltod[.]us? When we asked our favorite WHOIS tool what it knew about these domains, some rather surprising things turned up….
- Dotdiary.co[.]uk, though registered as a website hosted in the United Kingdom (.uk), was found to be sitting on a server in Moscow, Russia. When we then asked the proper WHOIS tool normally used for UK domains, Nominet.uk, we learned very little other than the fact that this UK domain was registered through NameCheap on August 23, 2021.
- Buchiraltod[.]us was registered on December 2, 2020, also through NameCheap, by someone who identified himself as Eldridge Engels. Mr. Engels listed his address as 4029 Washington Ave., Jackson, Mississippi, USA and his email as firstname.lastname@example.org. (Further investigation shows us that Mr. Engels has also used another email address in the past: Chandlers_404@hotmail.com.) This second domain, according to the WHOIS tool, is being hosted on a server in Denizli, Turkey.
When we tried to take a screenshot of the destination page supposedly linked to the “nude photos” we got an error message saying “page not found.” When we removed everything in the link except the domain itself and tried to visit the top page of buchiraltod[.]us we found that we were redirected to another oddball website called confrestcial[.]com where a single simple form invited visitors to “unsubsubscribe” – but from what? A search for confrestcial[.]com (using Google in Firefox so we don’t actually GO to the website) shows us a bunch of other very oddball domain names. Hmmmm. Domain-Status.com tells us that buchiraltod[.]us was just one of 588 “.us” domains registered on that December day. Through our lens, buchiraltod[.]us was clearly malicious clickbait! But what troubled us the most was the name Eldridge Engels. We knew we had seen it before! A quick search of our newsletters confirmed that we had exposed malicious domains registered by Eldridge Engels twice in the last 3 years. A Google search also told us that we weren’t alone in exposing this fraudster!
- September 11, 2019 in a Top Story called “One Malicious Domain to Rule Them All.” The title says it all!
- December 8, 2021 in For Your Safety. The email recipient had received a request to be removed from an “adult” mailing list and the links pointed to a malicious domain registered by Mr. Engels.
- A blogger named Ted Montgomery uses his personal blog to write about many different things. Mr. Montgomery published a webpage about a string of scam emails and domains that targeted him and many were connected to Eldridge Engels.
- AbuseIPDB is one of many websites that, like us, try to make the Internet safer by exposing online fraud and malicious intent. A user named “Phishkiller” reported 31 malicious domains (IP addresses) to AbuseIPDB in July, 2021. At least one of those malicious domains was registered by Eldridge Engels and hosted on a server in Romania. That domain was named couthowspaped[.]com.
We decided to use Google Earth to pay a visit to Mr. Engels’ address at 4029 Washington Ave., Jackson, Mississippi, 39213 and were not surprised to confirm (again) that NO SUCH ADDRESS EXISTS! The last numbered house on Washington Avenue is #1801…
There are many helpful tools online to investigate websites, and the Registrars who lease them. One such tool is called DomainBigData.com. According to DomainBigData.com, Eldridge Engels, or his email address email@example.com, has registered at least 300 domains since January, 2018. And of these 300 domains, 225 of them were registered through NameCheap. We’ve seen thousands of malicious domain names during the last ten years and believe that most (all?) of these domains registered by Mr. Engels are malicious. Take a look at just a few of the domain names registered by Mr. Engels…
How is it that one registrant, named “Eldridge Engels,” has been allowed to register and use so many domains for malicious purposes for so many years? The answer is simple… The Internet favors criminals!
The Internet is rigged to favor cybercriminals and we all pay a price for this fact! Think about this a moment. Anyone across the world can register a domain anonymously or using fake information and that practice is allowed by ICANN and their licensed Registrars. ICANN is the International governing body that makes the rules about global top level domain names (gTLD) used on the Internet, as well as selling licenses to the companies (Registrars) who then lease domain names to people around the world. Though ICANN collects pennies per domain name registered, the sheer bulk of Internet names leased online and the sheer bulk of Registrars selling those names add up to a significant amount of money for both the Registrars and ICANN. According to Nonprofitlight.com, the most recent data listed for the Non-Profit ICANN shows net assets of nearly half a billion dollars! President and CEO, Goran Marby, reportedly earned about three quarters of a million dollars for the year reported. Not bad for a non-profit!
We believe that cybercriminals purchase many millions of dollars in domain names every year, and therefore provide a TREMENDOUS financial incentive for the Registrars and ICANN to turn a blind eye to the abuse of the Domain Name System. And we believe this happens despite the fact that in 2015, ICANN formed a “Public Safety Working Group” with four core values including #1…
- Develop DNS Abuse and Cybercrime mitigation capabilities of the ICANN and Law Enforcement communities
Of course “Eldridge Engels” is not a real person and doesn’t live at the non-existent address on Washington Avenue in Jackson, MS. But who is behind this fraud and WHY has it been able to continue for so long? Tiny scattered breadcrumbs in this difficult landscape suggest to us that the criminals behind this effort are in Eastern Europe or Russia, but that is a guess based on the hosting services used over the years to host some of these malicious websites.
And who suffers as a result of ICANN’s inability and unwillingness to stop the abuse, or to hold Registrars like NameCheap more accountable for THEIR LACK OF EFFORT to safeguard the public? You do! Even though cybercriminals will create another name instead of Eldridge Engels, ICANN and the Registrars don’t even bother to shut down this alias and prevent “him” from registering new domains. Where are the Internet Police when you need them? Oh right, there are no Internet police. There is only ICANN and its self-stated bullet point from the “Public Safety Working Group.” And yet, there are SO MANY different and valuable things that ICANN, the Registrars, and software manufacturers in general, can do to make the Internet safer for citizens of the world. We published a few suggested ideas in an article titled “How to Make the Internet Safer for Everyone.” We’ll now step off our soap box again. For now.
Donating Safely to Ukraine-Related Charities – Sadly, efforts to raise money to support Ukraine are also being taken advantage of by scammers. Check out these Ukraine donation scams exposed by James Greening on Scamadviser.com!
Also, Jennifer Leach, who works with the Federal Trade Commission, has published an excellent article on FTC.gov titled Giving to Help in Ukraine? Get your money where you mean it to go. Here are several other valuable resources for those who would like to support Ukraine. Thank you for considering this important humanitarian effort!
- Vox News: How you can help Ukrainians (Published March 1, 2022)
- Unicefusa.org’s effort to help children in Ukraine
- Razom for Ukraine. According to ABC News, Razom is an organization that was formed in 2013/2014, and is collecting money for refugees moving across Ukraine and also to support the soldiers, both civilian and military.
- Forbes Magazine list of charities to support Ukraine
Advance Fee (419) scammers are always ready to jump at any opportunity to push their scams in new ways. Check out this email sent to our friend Rob. We LOVE how the sender said “From Mr lisa wright.” Also, we don’t think that a “massage” from Russia is what anyone needs right now.
From: Lisa Wright <firstname.lastname@example.org>
Date: Mon, Mar 7, 2022 at 3:13 AM
Subject: Hello massage is from russia.
From Mr lisa wright .
I was a banker in one of the banks with the Russian.
I have three million dollars to move out of my country becuss of the war that is going on now .
Get back to me immediately if you are interested.
We can move the fund to you through online banking account. then move the fund into any of your choice account without any much stress. It must be confidential. It will happen in 48 hours if you give me go ahead I tell you how it will work as soon as you respond to me.
Mr lisa wright.
Though unrelated, we wanted readers to see this recent article on Scamadviser about online services who offer to write essays for college and high school students. Are Essay Writing Services a Scam or Legit? We recommend that parents share this article with their college and high school-age children!
Microsoft Order, Paypal Transaction, and Chase Bank Receipt – This “Microsoft Account” order for Windows Defendor contains a very interesting “poker tell” that we have written about in the past. This bogus email, from a fraudulent account at Gmail, says “Hello Dear.” There are also several English errors in this email that are funny. In our experience, “Hello Dear” is an expression often used by scammers from some African countries, such as Nigeria. Hmmmmm, we wonder….
One of our readers sent us this smelly phish that targeted a colleague of his. It pretends to represent Paypal but clearly didn’t come from Paypal.com! There are MANY English errors in the body of the email that make this phish obvious! The criminals who sent it also tried to obfuscate their bogus phone number from being easily searchable. Look at how they listed their phone number!
This last smelly phish was artfully crafted to appear as though it came from chase.com! Besides a couple of writing errors, what gives this scam away is that all relevant links pointed to the shortening service at bit.ly. This means that visitors will be redirected somewhere else on the Internet. We couldn’t find out where because Bit.ly had taken down the fraudulent link by the time we investigated.
Cybercriminals Target US Vets with Bogus Discounts – Time and time again, cybercriminals demonstrate that they enjoy targeting particular businesses and certain groups of individuals. One of these groups is United States Veterans. Check out these two malicious clickbait emails that were sent to US Veterans. The first came from yardlink[.]com and uses THE EXACT SAME TEXT that we have seen and reported on several times during the last few years, such as our September 15, 2021 newsletter. “15 Military Discounts Available to Those Who Served Our Country.” The link in this malicious clickbait points to a web page set up on the free web service called Wix.com. That webpage then forwards victims to a malicious web page at cjoint[.]com!
Now compare the content from that recent clickbait to this blast-from-the-past email sent last July, 2021! Again, it offered “15 Military Discounts Only Available to Those That Served.” The links in this bogus email pointed to a website that was hosted on a server in Singapore! If you have any Veterans in your family or circle of friends, please raise their awareness about these threats targeting them!
Bogus Jobs Posted on Social Media – We recently heard from one of our readers in Australia who told us that she saw a job posted on Facebook to her local chat group from a woman using the profile name “Red Angel.” Our reader told us that Red’s profile was locked and she used poor English. Notice that the post says “No experienced Required.” Red also “liked” her own post! (In fact, it was the only “like.”) As you can see in the screenshot below, the link pointed to a web page on Google Sites. Anyone with a Google account can create webpages on Google Sites. There is nothing professional about Google Sites.
When we clicked that link in Red’s post, we discovered that the webpage on Google Sites said “Amazon work from home jobs.” There was yet another link set up through an email tracker & shortening service called qltrk.com (owned by Qliker.io). We advised the woman to report the post as a scam and NOT to click the link!
First of all, Amazon doesn’t post jobs like this. In fact, NO LEGITIMATE JOBS are posted like this with a link to a home-made page on Google Sites, followed by another link through a tracking/forwarding service! Step away from this ledge!
Regrets from USPS, Thank You Gift From Verizon – One of our readers sent us this very funny text he received from “USPS.” He was asked to update his shipping information in order to receive his package. Instead of providing a link to the U.S. Postal Service, the scammers included a link to isaiahbowling[.]com. Though this website was once legitimate, it is being misused for malicious purposes! And it certainly isn’t usps.com!
This next text is hysterically funny! It claims to be a thank you gift from Verizon after being told “Your February Due is processed.” The link points to a shortened link service with Twitter, instead of a link to verizon.com, and the text came from 925-421-5592. We can tell you from personal experience… Verizon doesn’t give you gifts! PERIOD!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.