Weekly Alert  |  May 4, 2022

“A Rose By Any Other Name…”

We love this quote by William Shakespeare! It was said by Juliet in the play “Romeo and Juliet.” “A rose by any other name would smell as sweet.” But rather than referring to a good man (Romeo) from a bad family, we turn the meaning of this phrase upside down and refer to a bad domain supposedly used by a good company that is misused by cybercriminals to attack the public. We are specifically referring to a sudden increase in “clever” domain names used in malicious texts by cybercriminals. The fact that we see an increase in these clever names in unrelated malicious texts strongly suggests to us that they may be created by the same cybercriminal group.

Our most recent example comes from 929-472-1996, a phone number not found anywhere online by Google. The text was received by one of our readers on April 27. You are led to believe it is from Lowe’s Retail Company, which specializes in home improvement products. The recipient was invited to take a survey and, as a result, receive a bonus reward of $100. The domain used in the link, however, was not for Lowes.com, but for the domain GetItemsToday[.]com.

Rather than use random meaningless crap domain names, such as helix[.]us, or nonsensical names such as sabeonautocoberage6[.]com, both of which can be found below in texts reported in today’s Textplosion section, the criminals have tried to create a phrase that is part of the “lure” to entice you to click this link. But this domain to “get items today” is just the start of a deep dark rabbit hole of likely malicious websites. GetItemsToday[.]com was registered in the Netherlands the day before the text was received. Our longtime readers know that this is NEVER a good sign! These days-old domains are often used to host malware. 

But this is just the entrance of the rabbit hole! The Zulu URL Risk Analyzer tells us that GetItemsToday[.]com will also redirect visitors to the domain elvergadura[.]com. Sucuri.net then shows that elvergadura[.]com will redirect visitors to a website in Russia called RegisterMix[.]ru!  Does ANY of this sound like Lowes.com or the likelihood of getting home improvement items to you? 

In April we reported on a number of these rosy, but dangerously misleading domain names found in recent texts.  They’ve included…

  • Awsomegiftsawait[.]com “Awesome gifts await” supposedly from Walgreens.
  • FeedbackBenefit[.]com “Feedback benefit” supposedly about a Home Depot survey
  • YouHereAndNow[.]com “You here and now” supposedly sent by a delivery service
  • WantToPickUpNow[.]com “Want to pick up now” also sent by a presumed delivery service
  • MySpeedyBrain[.]com “My speedy brain” sent as a random text from an unknown person hawking the benefits of a new health supplement that “everyone is talking about” to enhance your focus and memory.

And so “a rose by any other name would smell as sweet” should more appropriately be written in this context as “a skunk cabbage by any other name, would smell as foul!”

If you want to see our last story in which we referenced this wonderful quote from Romeo and Juliet, check out the Top Story in our September 1, 2021 newsletter. We specifically discussed the names of email accounts primarily used by Nigerian 419 scammers, such as “lawyer.com.”

You’re Going to Want to Read This

TrendMicro.com has recently published a priority scam alert about text scams pretending to be from Citibank, Wells Fargo, Chase and other banks about a consumer’s account. They are dangerous phishing and Zelle scams! You can read the full article by clicking this link or the image below.

We Have A New 2022 Winner! And a Hacker Requests a Banking Change!

In our nearly ten-year history, we have only awarded the John Newbery National Hugo Pulitzer Scam Email Award four times. It was last awarded on August 18, 2021. (The very first award was in 2016 and then in 2019 we awarded two of them to Nigerian 419 scammers because their dramatic writing was… well, supah dramatic! Those stories are online as pdf files now: May 8, 2019 Newsletter and October 9, 2019 Newsletter.) We are thrilled to announce a new winner for 2022! The 2022 John Newbery National Hugo Pulitzer Scam Email Award goes to Mrs. Melinda Boateng for her dramatically written piece called “Wicked Conspiracy.” Congratulations Melinda, or whatever your real name is!

Last week we heard from a CFO at a school that one of the teachers’ email accounts had been hacked. The hacker took this opportunity to send an email to the CFO, disguised as the account owner, and request a banking change! The hacker asked that the payroll direct deposit information be changed. Fortunately for the account owner, the CFO saw through this scam. The hacker was shut out of the account within minutes and all other accounts using this password were changed shortly thereafter. Never a dull moment!

Please excuse us while we use our precious newsletter real estate to speak directly to a scammer who contacted us recently… Hi Alex! We got your message at TheDailyScam.com a little after 12 noon a few days ago, asking about “order fulfillments” and shipping needs. We see you sent it to us from simonswokandgrill[.]com. We ALSO saw your second email that you sent to us 39 minutes later from fulfillmentspecialist[.]us with the exact same content. Congratulations! We see that you registered this fulfilling and special domain the day before you contacted us. And we ALSO got your third email, sent just 17 minutes after the 2nd email, with the exact same content. In 2 of your 3 emails, you ask that our reply be directed to yet another new domain called orderfulfillment[.]works which was registered just a few hours before you included this domain in your email. We’re still processing your request. However, an important question we wanted to ask you was whether or not you ship bullshit? We just didn’t know which of your many domains we should send this important question to.

American Express Card and All Geeky Security Services!

This smelly phish may say American Express but it appears to have been sent from a hacked account at San Diego University. This phish contains a classic example of fraud that shows why it is so important to mouse over and see where a link points to BEFORE clicking it! The link says “americanexpress.com” but a mouse-over shows that it points to a shortened link through tinyurl[.]com. Cybercriminals love link-shortening services because they don’t show the recipient where they’ll end up on the Internet until it is too late! (Unless you use an un-shortening service like Unshorten.it or Urlex.org!) When we unshortened the link, we discovered that you’ll be redirected to a website registered less than a month earlier and called Georges-HomeValues[.]online.

Here we go again! Thousands of people are getting hit with these fraudulent phishing emails pretending to be about computer security services! Think about the motivation for this fraud for a moment… Cybercriminals could choose to make this fraud about furniture purchases, car leases, loans, credit card payments, lawn care or a hundred other services. But 90% of them are centered on the very services that try to protect YOU from cybercriminals… Computer security! Enjoy this week’s perfect trifecta: Geek Squad, McAfee Security renewal and Norton subscription. All three were sent from personal gmail accounts and NOT any legitimate service. All want you to call the scammer’s phone number to speak with a sleaze-ball cybercriminal in India.

Are You Selling Your Home and Shell Gas Gift Card

The real estate market is so hot, it’s on fire! And so we can actually imagine people getting random emails from real estate agents asking them if they are interested in selling their home and finding out how much their property may be worth. But this email from “Mike M” was signed by “Ben.” And no address was referenced! This turned out to be malicious clickbait from a domain registered less than a month earlier and called LeadingThePackToday[.]com. Yeah. Leading the pack of wolves perhaps. Delete!

As the cost of gasoline around the world jumped, it was only a matter of time before cybercriminals had an “aha” moment and decided to use it as clickbait. Check out this email solicitation for a Shell Gas gift card! But the subject line and email name sound like some gangsta who can’t write no good English! “Gstmycrd”  The link points to another link-shortening service! Step away from this bear trap!

Please Confirm This PO, Your Public Records Are Exposed, and AOL Account Shutdown

Mary Norton sent us an email and asked us to confirm a purchase order for something we didn’t buy. We KNEW it was malicious clickbait. We KNEW the attached Excel file contained malicious code! But we downloaded it anyway just to see what kind of mouse-trap it contained. Sure enough, our anti-virus software told us that the Excel file contained a known Trojan.

One of the many ways that cybercriminals try to engineer your clicking behavior is to send you a notification informing you that your personal information has been exposed online, and that it may be embarrassing because of the information exposed!  Check out this email saying “someone may have run a background check on you.”  This is total BS! Notice that the email came from a server in Germany and YOU aren’t even mentioned by name!  Deeeeleeeete!

On March 9 we published a story titled “The Internet Favors Criminals. Meet Eldrige Engels!” The cybercriminals using the alias “Eldridge Engels” are STILL posting malicious websites registered in that name! The link in this clickbait points to a very dangerous website called buchiraltod[.]us that has been used for many weeks by cybercriminals! This particular email has been targeting AOL account holders.

BettyBoo Has Information for You, and We May Owe You Money!

Doug at TDS received this text from a VERY funny email address at bettyboo[.]net! He was invited to join class action lawsuits and get rich in the process. Yeah, right. For the record, Doug did once get a check from a class action lawsuit in the early 2000s. His check arrived and he still hasn’t cashed it. It was for 12 cents. BettyBoo[.]net was registered in mid-March. No thanks. We’re good.

If the above offer for making money didn’t work, how about a text saying “we possibly owe you as much as $756.30.” Wow! We overpaid? But for what? Just visit the link to the nonsensical domain sabeonautocoberage6[.]me… Or not!

Until next week, surf safely!

Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.