Last week one of our readers sent us a friend request he received, unsolicited, from a woman named “Victoria Webb.” Oddly, Victoria’s email name was a bizarre random string of characters, making her email somewhat suspicious. In large bold letters, the email said “New Message and Friend Request Received.” The man was invited to click “continue” to connect with this friend request. (He had not sent her a friend request.) We noticed that the link pointed to the link-shortening service called Bit.ly. This was a major red flag! Why did the sender wish to hide the final web destination if you clicked “continue?” Step down this rabbit hole with us as we demonstrate how this seemingly innocent friend request, is a hidden malicious nightmare waiting to happen.
The link in Victoria’s invitation is a serious red flag because it should have pointed directly to the social service used to send the friend request. Instead it showed the link-shortening service at Bit.ly.
We ran our usual credibility checks on Victoria’s link, starting with revealing where the man would have been redirected had he clicked “continue.” Unshorten.it shows us that his click would have hurled him to a web page called vickybb[.]carrd[.]co/?p2 on a service called carrd[.]co. From a safe, remote distance we took a screenshot of Vicky’s webpage to see a rather revealing image of a young woman and an “open message” button. Again, we used security tools to evaluate Vicky’s web page. Though we didn’t find any threat on her web page itself, we DID find that it contained a malicious code to connecting it to another website called jessica-fitzgerald[.]info. (According to the Zulu URL Risk Analyzer.)
The man had clearly dodged a bullet but this isn’t the end of this investigation. We wondered about this domain carrd[.]co and what Google might tell us about Vicky’s web page. Oddly, when we used Firefox to ask Google about this link (Asking Google while using Chrome would simply have sent us directly into the jaws of this threat rather than a Google search), Google knew nothing about Vicky, BUT it did return a link for someone else identified as “Kibblebitez” at carrd[.]co. Google’s meta description of this web page caught our attention! A “gallery” seemingly showing a movie rating? We clearly don’t understand the references here! Does this new cutie-pie want to be associated with dog food? We couldn’t find any reference to, or understand, her name choice. We certainly didn’t find any movie reference to it. (The dog food package on the Kibblebitez top page image below was added by us.)
Next we explored the malicious external element that Zulu found on Vicky’s webpage. Once again, Google knows nothing at all about Jessica-Fitzgerald[.]info and there are no visible webpages found at the destination of the malicious link leading there. Jessica Fitzgerald’s lovely domain was registered recently in Iceland in July, 2023 through our favorite Registrar, Namecheap! Once again, we found this newly registered site to be suspicious. The lack of Google information also implied that this website specifically told search engines NOT to include it in their databases. But what of Carrd[.]co, used by both Vicky Webb and whomever the heck Kibblbitez might be? It turns out that Carrd[.]co is not a social media site at all. It’s a project created by a programmer to enable the free development of 1-page websites by anyone…
That may be a nice idea by the creator of Carrd[.]co, but to us it is but one more critically important reminder that you can’t believe anything you see/find online unless you verify it or completely trust it as a highly credible source, e.g. nytimes.com or cdc.gov. And no matter how professionally managed, or good intentioned, a site or service is, there are no promises that it can’t be misused by others! This lack of protection applies to GoogleAPIS, AmazonAWS, Meta (Facebook), Instagram and a long list of other services, including Carrd[.]co!
“Wrong Number” Scams — Receiving phone calls from strangers who claimed to be calling the “wrong number” accidentally? Watch out! It could be a SCAM. Check out and protect yourself with this 100% FREE, all-in-one tool.
Scam Updates, Weird Emails, and a Letter from Santa? —We have an important update to the story we reported last week about the hit man in Lagos, Nigeria who tried to extort $8000 from our friend Rob by not killing him! Rob later told us that when he called out the scammer about this death threat, he asked this hitman if he knew were he lived. And he DID! But, plot twist again! The hitman replied, providing Rob’s phony address in California that he routinely uses when playing with scammers! It seems obvious to Rob that this scammer, errr…. We mean professional hit man, got Rob’s bogus address off some victim list shared by Nigerian scammers. We also have an update about the fake “Top Maine Lobster” scam written about by our friends at Scamadviser in the “Scam Alert” section last week. On October 30, a woman named JoAnn posted this message on Facebook. It doesn’t get any more clear than this, people!
The above information led Rob to do a little research about the bogus business Top Maine Lobster. Apparently, many sites are already well aware that this business is a fraud, including Scamadviser!
It’s also interesting to note that the smelly Lobster website is very well presented, but that’s because they stole content from a real business website called “Maine Lobster Now” This REAL website was registered about 12 years ago while the “Top Maine Lobster” site was registered in China just a few weeks ago!
Imagine getting an email from Daniel Radcliffe? One of readers did and immediately shared it with us! Daniel says “hiii.” The recipient responded but, as yet, Daniel hasn’t followed up. We’re so excited and have so many questions we want to ask him! And we’re not alone! It turns out that in 2019 Mr. Radcliffe posted this video on YouTube addressing many of the questions people asked about him across the interwebs. Gee, maybe our reader can ask Daniel to write a personal message to her and include his autograph in the email!
We have some sad news to report this week. We think we’re being “terminated.” One of our email addresses at TheDailyScam.com received this email from our HR Management department (which we didn’t even know we had!) Apparently, some of our staff members have been “terminated with immediate effect.” Since there are only two of us at The Daily Scam, this news was terribly disturbing and we couldn’t bring ourselves to even mouse-over that link, let alone open it, to see which one of us is to be terminated! (Or both of us?!) We’ll let you know next week what happened! Unless, of course, we’re both terminated!
We routinely talk about the Registrar called Namecheap because we routinely see it as the favored registrar used by multiple cybercriminal groups daily. We don’t think that this fact is unnoticed by Namecheap and they do little or nothing to stop this misuse. (Or, perhaps, they make it easy for cybercriminals to use their services so they can make money?) Afterall, LOTS of people have given them horrible ratings and reviews but it doesn’t stop them from making money and putting the world at risk! Don’t take our word for it, check out their awesome rating on the Better Business Bureau website:
OK, real life is often stranger than fiction and this New York Times article about a scammer hijacking a quarter million dollars worth of rare Japanese Kitkat candy makes the point! Yes, candy.
Every year, for the past 11-plus years of our existence, we’ve seen that cybercriminals send malicious clickbait to people related to the Christmas holidays. The only question for us is when will it first be reported each season, and by whom. Rob wins the prize! On November 6, he forwarded this email to us about a “hot deal directly from Santa.” It wants parents to believe that they can order letters from Santa to be sent to their children or grandchildren. But it was sent from an odd domain in the UK to Rob in the US. Though Totalvirus.com says this email contains no malicious links, they all point to a website in India! It turns out that this website in India will then redirect visitors to another very malicious domain we’ve written about this fall called imaginio[.]live. Apparently, tis the season! Please be on your guard about malicious Christmas clickbait!
Our friend and supersleuth online detective James, posted on November 6 an interesting scam he uncovered related to the fabulous musical group Foo Fighters….
Netflix, Intuit’s Quickbooks and this Billing Team — We’ve been warning readers about the huge increase of phishing scams disguised as Netflix emails. Here’s another example, but this one came from a two bizarre domain sources. One “via” another? No matter. Neither one is netflix.com! The malicious link in this clickbait is, once again, GoogleAPIS services. Your membership has not expired but this email should! VirusTotal confirmed the threat. (See the screenshot below.) Lunge for the delete key!
This next smelly carp wants you to think it came from Intuit.com, the owner of the service Quickbooks. However, that domain was placed into the text field of the FROM address. Follow along and you’ll see that this email was actually sent from a domain registered in the European Union (“.eu”) called kaminholz-breuer[.]eu. But that is actually a malicious mimic registered about 2 weeks earlier using Namecheap! The real kaminholz-breuer is a firewood supplier business in Germany using the website kaminholz-breuer.de, and not DOT-eu. The “change of ownership” statement in this email is completely absurd! However, the malicious link is very clever because it contains a hidden redirect to the website amplifyapp[.]com. This LOUD app webpage has been identified as a phishing link by VirusTotal.
One of our readers sent us this very interesting invoice email from a real service called authorize.net. Though the link actually pointed to this same legitimate service, notice that the subdomain starts with invoicetest. Was this just a mistake or was it a real phishing threat? We think it was a threat, even though there is no longer an invoice at the end of the link. It “doesn’t exist” when we tried to visit. But the email content is no mistake and describes an invoice from the “Billing Team” for $577.17. Also, your email reply would be sent to an Indian-sounding name “Tushar Gupta” at Gmail.
A Buyer for Your Home and Who’s Who Congratulations! — No! Prudential Homes of America is NOT responsible for this clickbait! It came from a server in the UK called dik[.]co[.]uk. (Apparently, complaints about spam from this domain were filed back in early February at Spam.org!) Like the example in our Top Story, this clickbait used a link-shortening service for the links in it. This one was from TinyURL.com. But the link included lots of useless gibberish characters AFTER the only 8 shortened characters, just to disguise that it was a shortened-link. Of course we unshortened that link and discovered that you’ll be thrown into the waiting jaws of malware at imaginio[.]live! Again! OH NO! Danger, Will Robinson!
Have you ever heard the term “vanity scam?” We’ve been describing these for as long as we’ve been around! (Here’s our article posted in 2012 about these scams, as well as another variation posted in 2019.) However, even when these are real offers and not disguised clickbait, vanity scams typically offer praise for a person or business including promoting that person or business in some published directory or accompanied by some award. BUT you, the person or business being awarded, will have to pay for that publication or award! One recent business contacted us about such a promotion for an award honoring them and they were asked to pay $3000! That’s the vanity scam! However, this scam below, disguised as an offer to be included into the WHO’S WHO of America directory, is simply malicious clickbait. The email came from a VERY misused and dangerous domain called tangismedia[.]net. The links in this clickbait point to a hurtful website called x-ow[.]com that was registered 151 days earlier and still says “our website is coming soon.” We doubt that, but “ow” says everything you need to know about this website!
Blocked Incoming Messages — Oh dear! We have so many problems at TDS! We learned a few days ago from a “trusted source” that our incoming emails to firstname.lastname@example.org are being blocked! Blocked emails included messages about insurance quotes, technical offers, Mercury drugs (????) and FUSION FUELS (??????). In order to release these blocked messages we were asked to click “release” links that, shockingly, didn’t point to thedailyscam.com! GASP! But a screenshot of the page waiting at the end of that link shows a Webmail login. Making this threat even funnier, is the fact that the “releasing” links all point to a website written in Japanese called xercomedia[.]net. Google translate tells us that this website is called a “Touch for Health.” Now there’s an oxymoron if ever we saw one!
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands