Weekly Alert  |  May 10, 2023

Think You Know Where These Links Send You? You’re Wrong! Cybercriminals routinely register malicious domains, stuff them with malware or phishing scams to collect your personal information, and then throw you a bogus email, text or social media post, hoping you’ll take the bait. But that’s not their only strategy for lobbing hand grenades at you because, fortunately, many people see oddball domain names in a link or FROM address and are suspicious, as they should be! Have you ever heard of “link shortening services?” These are websites that people can use to take a looooooong link, and turn it into a short link that’s easier to copy/send/share/post. The first such service ever created was appropriately called TinyURL back in 2002. (Source: Wikipedia) When you click a “shortened link” you have NO CLUE where on the Internet you’ll be sent until you arrive, unless you use a tool to unshorten it before clicking! Cybercriminals have often used these link shortening services to hide a malicious destination from your eyes. (These are also called URL Shorteners.) In the last week, we saw a significant increase in the use of these services by cybercriminals to hide their final destination, a digital war zone

Today, there are many hundreds of link-shortening services online, including those from well known companies like Twitter (t.co) and Google (goo.gl).  You may also recognize services such as Bit.ly, Tiny.cc, and hundreds more. Check out this email claiming to be from Kohls Department Store. This email came from a crap domain, mppqosi[.]live, that was registered in Morocco on April 26, just 3 days before this email targeted one of our readers. The links in the email point to an obvious link shortening service called TinyURL.com

There are several services online to unshorten links before you click them, to see where they will send you. Our two favorite UN-shortening services are Unshorten.it and Urlex.org.  When we unshortened the tinyurl link in the “Kohls” email, we discovered that anyone who clicks it will be redirected to a very malicious website we identified months ago called mapgodss[.]com.  (It was registered last October in St.Kitts and Nevis but sits on a server in Moscow, Russia!) It’s important for us to note that the newsletter reader who sent this malicious clickbait to us has received many of them containing a tinyurl shortened link.  Each one we unshortened pointed back to the “Map Gods” website!

One of our honeypot email accounts received a simple, short email claiming to be from Anthem Blue Cross Blue Shield health insurance company, but was, in fact, sent from a personal Gmail account called noguenogueira.exp. This email contained no text but just an attached pdf file that looked official. The pdf file contained a link to another link shortening & tracking service called cli[.]co.  As you’ll see below, this link shortening service does NOT have a good reputation! Six online security services have identified that shortened link as malicious and with many different redirects associated with it, including one pointing to a website called synology[.]me that is completely unknown to Google.

This problem of using link shortening services to hide a final malicious destination is not restricted to just email. Many people have also reported malicious texts to us that use these services in the text. Check out this recent text disguised as coming from the shipping service DHL that our friend Rob received. You can see that it was sent from an oddball phone number that begins with an 833 area code. It says “we are currently unable to deliver your package.” Rather than pointing to dhl.com, this link points to a link-shortening service called “zipper” zpr[.]io. When we unshortened this link we discovered that it pointed to a domain called emc[.]id, which is hosted on a server in Indonesia.  However, most revealing about this fraud is that the name of the landing page is dhl-global-tracking-invoice8940. We followed that link (safely) and discovered that Rob is asked to pay a “fee” to get his package delivered! (screenshot below.)

So the next time you mouse-over a link and see that it appears to be short and contains a collection of 6 – 12 random letters/numbers after the first single forward slash, we want you to think before you click! It may well be a link shortening service that will send you flying somewhere else across the Internet and into the jaws of a malicious website.  You are always welcome to send us your suspicious emails and screenshots of suspicious texts.  Send them to spoofs@thedailyscam.com.

ChatGPT-4 Phishing Websites & Other Threats This week we’ve discovered yet more ChatGPT-4 phishing attacks and other threats. Check it out and protect yourself with this FREE, all-in-one tool.

Scammed and Liked it, Scam Callers & Shipping Problems Galore! — Last week we heard very unusual feedback about a scam that we would never have predicted! A man was scammed in China, and actually said that he liked it! Before you shake your head, thinking how does this make any sense at all, read what happened to him. (The victim has given us permission to share his experience with our readers, but has asked that we protect his identity and how we learned of his circumstance.)  

He said “a few weeks ago I was in Shanghai for a work visit. Having some free time, I decided to walk on ‘the Bund.’ (This is a touristy boardwalk with a beautiful view of the city.) While I was there a woman approached me and asked me to help take a picture. No problem. And then she wanted to practice her English with me. I was alone and she seemed very nice, so we chatted. She said she was a teacher who was visiting town for the weekend. She wanted to know if I was interested in visiting a traditional tea house nearby that she was hoping to check out. I said yes, though I was a little concerned. I’m a married man and I didn’t want her to think I was going to be doing anything untoward, but it was all very friendly and relaxed.

We ordered tea and it was really great. It turned out that I learned a lot about Chinese tea and had a lovely friendly conversation for an hour or so. The tea was tasty and the service was friendly. Then bill came and surprised me. It was pretty steep for a bunch of tea. About 40 dollars. Regardless, I paid my share and we said our goodbyes.

I told somebody else at work about the experience and they explained to me that this was a tourist scam! it’s called the teahouse scam. It was all a setup between the teahouse and the woman who I went with. Presumably, she gets a cut of the profit from the visit. Regardless, I don’t regret it, though I feel a little foolish. I had a nice time, some lovely conversation, and I learned a lot about tea. The money was a lot, probably, but it was definitely worth it for both the experience and for the story about getting conned.” There are lots of websites describing this famous scam in China, including this interesting article on The Roaming Renegades about the most common scams in China targeting tourists.

We were reminded recently how easy it is for scammers to make their Caller IDs look like any phone number they want, such as Capital One Bank. This Reddit Member posted exactly such an experience last week after getting a phone call that came up as “Capital One” on his Caller ID. But it wasn’t, of course. The conversation he had with a scammer quickly deteriorated when he wouldn’t provide his personal information in response to the scammer’s questions!  The Capital One representative, named “James,” wanted the man to “consolidate his debt” and told him that he found his information through Experian, (one of the three major credit-reporting agencies in the US.) The Reddit member did the right thing and kept questioning the man about his authenticity…. Where are you calling from? What company do you represent? How did you get my phone number? Etc. Eventually, “Capital One Rep” hung up on the man and when the man called the number back, he was surprised to learn that his call went to the REAL Capital One Bank credit card service! He reported the scam call to them and said they were very understanding and sorry he had been targeted.

That “Capital One” call was pretty lame. More skilled scammers do their homework before targeting someone and gather some personal details to make their call seem more believable. Your personal data can easily be found on dozens of sites (dare we say more than a hundred?) across the Internet. Did you know that Data Brokers make money off your personal information every day. They buy your data, such as Social Security numbers, Date of Birth, home addresses, health information, contact details, etc. and then sell it to the highest bidder. One way to better protect yourself is to use a service like Incogni.com. We strongly recommend this service to our readers!

  • Incogni.com is a personal data removal service that scrubs your personal information from the web
  • It contacts and follows up with data brokers all over the world on your behalf. For an individual to do that, it can take hundreds of hours
  • With Incogni, you can kick back and worry less about identity theft, health insurers raising your rates based on info from data brokers, robo calls, scammers taking out loans in your name, and all the other terrible things bad actors do with personal data

We have a couple of very short scam call recordings to share with you, interesting for very different reasons. First, check out this unbelievable response that our friend Rob received on May 3 when he called back the phone number on a phishing scam taken from a fake invoice for a Geek Squad service he never ordered. The scammer who answered had a conscience! Oh My God! Listen as the scammer breaths a heavy sigh before telling Rob what to do with that email! We want to give that scammer a hug! (However, our guess is that he no longer works for these criminals any longer.)

Next, check out this partial recording of a lame-sounding AI scam that was sent to us by one of our readers. It’s actually quite funny because the AI is so poor! The call claims to be about a charge to your Amazon account.

Finally, we wanted to raise everyone’s awareness about scam emails and texts (see our Textplosion column below) disguised as bogus deliveries.  Here’s one of dozens of examples. It looks like an email from the United States Postal Service but it isn’t, of course.  THIRTEEN security services found the link in this email to be malicious!  We’ve getting lots of these in our honeypot email accounts.  Check out a partial list of them below…

Amazon Prime Support, Norton and Paypal! This first smelly phish is “fantastic” because it came from a service called fantasticretailgroup[.]com, and NOT from Amazon.com as they want you to believe! The scammers messed up by entering the targeted email addresses into the TO field, instead of the BCC field. We could see all victims’ email addresses. They targeted 50 AT&T account holders. The fact that these 50 email addresses were in alphabetical order tells us they likely purchased a list of email addresses from a data broker or some other list on the dark web.  Read the actual email. It’s absurd! Amazon would never say something like this!

This next type of fraud has now become so common! It must be because enough people are falling for it. If you think about it, there’s no reason to attach a pdf file to the emails below. The information in the file could have been put into the email itself. The reason it isn’t is because lots of anti-spam servers are getting better about recognizing this BS and blocking it from your inbox. Below are two phishing scams, one disguised as a bill from Norton and the second as a bill from Paypal.

Deeeeeleeeeete!

Win a MacBook Pro! According to Wikipedia, the retail company Walmart can be found in 24 countries around the world. Certainly, most people in North America and Mexico recognize this company! Perhaps that’s one reason why it is so commonly used as clickbait by cybercriminals? This email hit the inbox of one of our readers in late April and came from a crap domain, unehdys[.]com, that was registered in Iceland, using Namecheap less than 3 months earlier. It did NOT come from walmart.com.  Most importantly, look at the link in this malicious click bait. It points to the link-shortening service called TinyURL.  Sound familiar?  Can you guess what “spiritually geographic” malicious website the link will redirect you to? If you read our Top Story, you’ve seen it before!

Urlex.org tells us that the TinyURL link in the clickbait above will forward visitors to a malicious website that has been used hundreds of times to target people…. mapgodss[.]com

Did you hear that the pandemic is officially over? (At least here in the US.) As of tomorrow, May 11, the US Government is no longer going to fund free COVID test kits for its citizens. Perhaps that’s why this clickbait was sent on May 2.  According to this email, you can click and have free COVID test kids sent to your home. The problem is that the link points to an IP address (not a domain name).  When we used IPLocation.net to look up that address, we discovered that it points to a server in Moscow, Russia!  That’s sooooo nice of Putin to support American citizens in this way, don’t you think? (Please notice the crazy way the sender modified words like “free” and “claim” to try to avoid being identified by anti-spam servers. Also, this email was sent from a University server in Myanmar!)

Your Bell e-Bill is Ready! —An e-Bill from “Bell”? What makes this clickbait so funny is that it refers to the Canadian Internet provider named Bell, while providing a bill associated with a fictitious company and address-that-doesn’t-exist in either Canada or the United States! Check out the crap global top level domains that this email came from and point to… DOT-xyz.  If you EVER see any domain name ending in DOT-xyz, LUNGE for the delete key!  These were registered just 2 days before this clickbait landed in our inbox.

Amazon and DHL Delivery —Legitimate business almost always use “short codes” from which they send texts. There is, in fact, a US Shortcode administration that licenses businesses to provide shortcodes. To register for a shortcode requires money and for businesses to provide verifiable information about their business. That’s why you’ll never see scammers send you a text using a shortcode.  They’ll send text from random phone numbers or, like this bogus Amazon text, from crap email accounts! The link in this malicious text doesn’t point to amazon.com, but points to kokonuelnibro[.]us.

Here are two more malicious texts that want you to believe they represent the delivery service UPS and the United States Postal Service (USPS). These are a complete fraud! Both tell you that the service has an incorrect address on file that you need to fix. NOT TRUE! The text from “usps” was sent from an email account that begins with blabbermouth.  Need we say more?

Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com

Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

Contact Webmaster