Turning Your Phone Into a Self-Inflicting Bomb? — We have shared with readers during the last few weeks a few malicious texts that have been targeting an elderly woman, named Roberta. (She gave us permission to use her first name.) Fortunately, she is one of our long-time readers and is very good at recognizing these texts as malicious. However, last week this 78-year-old’s phone suddenly turned into a dangerous landmine multiple times each day! She had been receiving a malicious text every two or three days, but on October 26 it became a deluge of multiple texts per day. This was no Halloween “trick or treat” prank. Unlike waking up to find toilet paper hanging from the branches of your front yard tree, this “prank” targeted Roberta and was intent on causing her harm. An unintentional click could trigger an explosion through a malware infection or a phishing scam! And yet, this brave and kind-hearted woman safely copied each of these landmines and sent them to us to inform all of you! Tread lightly as we expose these threats and point out ways in which you can see through this fraud…
On October 23, Roberta received this absurd text thanking her for “ur 4-star score.” Apparently, she won a 72 inch TV. The domain, ojosehi[.]com, used in this malicious link was registered just hours earlier. This fact is a common theme with most of these threats. Though Roberta did not share the phone numbers with us, we suspect that each text came from a different phone number.
She received the next threat two days later, on October 25. The text claimed to be an insurance reimbursement payment. The domain in the link, ashenyheade[.]com, was also registered on the same day that the text was received. Notice that she was urged to reply within 24 hours. The urgency to “claim by 10/26” is a common behavioral engineering trick cybercriminals often use. REAL businesses don’t give such short claim periods. And Roberta knew that this was NOT the 3rd such notice for this nonsense.
We spoke to Roberta last weekend about these threats and asked if she recalled giving up her phone number recently to any online solicitation that may have been suspicious. Surprisingly, she had! As a senior, she told us that she is often flooded by advertising about Medicare insurance, especially on her Facebook feed. She told us that she’s smart enough to recognize that the majority of ads about Medicare insurance on Facebook are suspicious, or completely fraudulent. Not long ago, however, one caught her eye and she clicked on it through her phone. Though she then recognized it as a fraud and didn’t continue, we both wondered whether that click resulted in her phone number being captured and added to a malicious text campaign. The malicious texts started soon thereafter, she said. Coincidence? Hmmmmm…..
On October 26, scary texts started to target Roberta multiple times that day. The phrases, word choices, grammar, lack of professional presentation, etc. all pointed to foreign-based cybercriminals targeting her. Two of the domains used in these malicious links, ilenoyo[.]com and ownybit[.]com, were registered on the same day that she received the texts, and another, approvedlink[.]info, was registered just 3 days earlier. Also, a WHOIS lookup showed us that ilenoyo[.]com was hosted on a server in Amsterdam and the latter two domains were both registered in Iceland using the VERY abused Registrar called Namecheap.
The next day, October 27, was worse than the day before and started with a text whose domain name was so obfuscated as to be impossible to read! We changed that bizarre font to learn that the malicious domain was F0UndLth3re[.]link. If you EVER see a text using such a crazy font that you cannot easily read it, DELETE it immediately! Legitimate businesses don’t do this! But criminals do.
The problem with most of these newly registered malicious domains is that security services aren’t yet aware of them. However, F0UndLth3re[.]link was different! VirusTotal reported that one security service had already identified it as malicious….
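One way to automate the "change the font" step described above is Unicode NFKC normalization, which folds stylised letter and digit code points back to plain ASCII. This is an added example, not the newsletter's own tooling; the message wording, the URL path and the choice of Mathematical Bold Fraktur as the disguising font are assumptions, since the page does not say which font the text used.

```python
import re
import unicodedata

def stylize(s):
    """Build constructed test input: map ASCII to Mathematical Bold Fraktur
    letters and Mathematical Bold digits (assumed font, see lead-in)."""
    out = []
    for ch in s:
        if "A" <= ch <= "Z":
            out.append(chr(0x1D56C + ord(ch) - ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr(0x1D586 + ord(ch) - ord("a")))
        elif "0" <= ch <= "9":
            out.append(chr(0x1D7CE + ord(ch) - ord("0")))
        else:
            out.append(ch)
    return "".join(out)

# Constructed SMS body; only the hostname comes from the page.
SAMPLE_SMS = ("Your parcel is held, confirm at "
              + stylize("F0UndLth3re") + "." + stylize("link") + "/x7 today")

HOST_RE = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")

def hidden_hosts(message):
    """Return defanged hostnames that only become readable after NFKC folding."""
    findings = []
    for token in message.split():
        folded = unicodedata.normalize("NFKC", token)
        if folded == token:
            continue  # token was already plain text, so nothing was disguised
        for host in HOST_RE.findall(folded):
            findings.append(host.replace(".", "[.]"))
    return findings

if __name__ == "__main__":
    print(hidden_hosts(SAMPLE_SMS))
```

A mail or SMS filter can treat any non-empty result as a strong signal, because a plainly written hostname never changes under NFKC.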
As if this wasn’t enough, Roberta was slapped in the face several more times that day. The malicious domains, illyimport[.]com and traplightly[.]com, were both registered on October 27, while ikuxopo[.]com was registered two days earlier and was hosted on a server in the Netherlands. These texts pretended to be a SNAP notice about food stamp benefits, a $100 reward for taking a survey and something bizarre that we think was supposed to be sexually suggestive. It used the acronym “NFSW” which means “not for showing wife.”
Apparently, whoever was responsible for sending this kind-hearted 87-year-old woman these malicious threats has begun to realize that she’s smarter than they thought. On October 28, she received only two threats. And as Halloween approached, we couldn’t help but notice the domain name used for one of these threats… “tightyghoul[.]com.” It was registered on the same day in Iceland via Namecheap. The second domain, irefuvo[.]com, was also registered on October 28 but in the Netherlands and the website is sitting on a server in Kuala Lumpur, Malaysia. Roberta didn’t fall for the 72-inch TV clickbait so these bastards tried to offer her an 82-inch TV. That didn’t work either!
We asked Roberta how she felt about this experience. Rather than play the victim card, she told us that she was annoyed that the criminals sending these malicious texts thought she was an easy target. She’s been reporting them to us and also to the phone carriers! She shared this article from iPhoneLife.com with us that tells people how they can report unwanted texts as spam, suspicious or malicious threats. Roberta also told us that she’s very aware of fraudulent phone calls that have caller IDs from surrounding small communities where she lives in the Western U.S. Occasionally, she has answered these calls and tells us that they are ALWAYS bogus calls related to Medicare insurance! She quoted the old expression to us… “If it seems too good to be true, it is!” And lastly, Roberta told us “If I can make the world a slightly better place [by reporting this fraud], I will.” We’re grateful for our partnership with readers like Roberta.
Why Are We All Targeted by Scammers? – ScamAdviser has published the 2022 edition of the report ‘Why Do Internet Consumers Get Scammed?’ It is insightful and worth reading. According to research conducted by The Global Anti Scam Alliance and ScamAdviser of 3,500+ internet users, 73% of respondents are either sure or think that they were exposed to a scam last year, broadly similar to last year’s survey which recorded a figure of 71%. On a more positive note, 27% claim to have definitely not been exposed to a scam compared to 12% in 2021.
Other key findings:
- Cryptocurrency schemes are now the most common scam
- 46% do not report the scam to any organization
- 84% rate police and government response as poor
On the 9th and 10th of November, GASA will organize the Global Anti Scam Summit to identify new solutions to fight the online rise of scams.
Sadly, the victimization rates detailed in the report mean that cybercriminals are making incredible amounts of money, especially when you consider that living standards in some parts of the world are less costly than they are in the US, Australia or the EU. If you want to find some comfort, and have a good laugh at scammer payback, you should watch this 26 minute video on YouTube posted by Mark Rober called “Pranks Destroy Scam Callers – GlitterBomb Payback.” Mark documents how a team of anti-scammers targeted several cybercriminal gangs in India. Imagine weaponizing cockroaches! It’s been estimated that these phone call scams earned their “sales people” $7,000 – $9,000 per month and earned the owner of each business as much as $20 million per year! Mark and his team are remarkably clever, resourceful and skilled. It’s reassuring to see that these scammers can be harassed by the good guys!
The problem of cybercrime has become overwhelming in the last few years. For example, if you ask any adult with a cell phone or smartphone if they have ever received suspicious or scam emails, texts or phone calls, the overwhelming majority of people will say yes! And if you still own a landline, the problem is worse! (Landlines are so ‘2000’) According to this report from ConsumerAffairs.com, a recent study found that 83% of landline owners are bothered by unwanted calls. On average they report getting 46 calls per week and report 40 of them as unwanted! Read the October 21 article titled Nearly Every Call to a Landline is Unwanted, Study Finds. We may sound like a scratched record, repeating ourselves over and over, but the ease with which our personal data is gathered, sold, distributed, both legally and illegally, must contribute to this tsunami of victimization. This October 25 article from Consumer Affairs titled Is ‘Session Replay Software’ a Privacy Threat or Just Improving Your Web Experience? exposes just one possible source of our collective lost privacy.
Given the growing fraud across the Internet and via cell phones, we thought it was time for you to test your anti-scam skills a bit! Here’s a simple test. Look at each of these 2 emails and identify 2 concerns about each one that strongly suggest they are fraudulent. We’ll give you our answers just below them. Good luck! (A funny coincidence… One of our readers received the EXACT same top email from the same sender and sent it to us. We also received this same email!)
By the way, in the last week, our friends Rob and Whiskey shared information with us that revealed more FAKE banks and online liquor stores. We’ve added this information to our articles about this type of fraud:
- EMAIL #1: In the first email from “Andrea Munari” she claims to represent an Italian business called BNL Gruppo BNP Paribas. However, she sent her email from a free personal Gmail account and NOT the legitimate domain for this business (which Google tells us is bnbparibas.it). Also, Ms. Munari sent her email to “undisclosed-recipients” which STRONGLY suggests it went to many people. This feels rather odd when asking someone for a proposal. Additionally, she doesn’t name the recipient of this request or their company/organization.
- EMAIL #2: The email claims to be from us at TheDailyScam.com but the sender’s email address is actually within the brackets <> and shown as macosxnews.com. The links in this email are supposed to point to our own email service. However, they point to an entirely different domain, called cloudflare-ipfs.com. By the way, in case you’re wondering, email services don’t block email AND then send you an email telling you they are blocked “pending your review.” That’s NOT how they work!
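The checks in both answers (sender domain versus the claimed business, a free-mail sender, "undisclosed-recipients", and links that leave the claimed domain) can be run mechanically over a raw message. The following is an added example, not part of the original newsletter; the two messages are constructed from the descriptions above, and their local parts, recipient, subjects, body text and URL path are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed messages modelled on the two quiz emails (see lead-in).
EMAIL_1 = """\
From: "Andrea Munari" <sender.example@gmail.com>
To: undisclosed-recipients:;
Subject: Request for proposal

Please send us your proposal.
"""
EMAIL_2 = """\
From: "TheDailyScam.com" <notice@macosxnews.com>
To: reader@example.org
Subject: Messages blocked pending your review

Review them here: https://cloudflare-ipfs.com/ipfs/EXAMPLE/index.html
"""
FREE_MAIL = {"gmail.com"}  # assumption: extend with other free providers

def belongs_to(host, domain):
    """True if host is the claimed domain or one of its subdomains."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def red_flags(raw, claimed_domain):
    """List the mismatches between a message and the domain it claims to be from."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    flags = []
    if not belongs_to(sender, claimed_domain):
        flags.append("sender-domain-mismatch:" + sender)
    if sender in FREE_MAIL:
        flags.append("free-mail-sender")
    if "undisclosed-recipients" in msg.get("To", "").lower():
        flags.append("undisclosed-recipients")
    # Assumes plain-text, unencoded parts; HTML or base64 bodies need decoding first.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if not belongs_to(host, claimed_domain):
            flags.append("link-domain-mismatch:" + host)
    return flags

if __name__ == "__main__":
    print(red_flags(EMAIL_1, "bnbparibas.it"))
    print(red_flags(EMAIL_2, "thedailyscam.com"))
```

The suffix comparison in `belongs_to` requires a leading dot, so a lookalike such as a brand name embedded in a longer, unrelated domain does not pass as a subdomain.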
Microsoft, Geek Squad and Email Accounts – OK, this bogus email claims to be from Microsoft BUT comes from a server called testes-glasses[.]com (Seriously? Was this created by the Hyphen-Poopy gang?) That anatomically revealing domain name was registered the day before in Canada. Does the scammer have a sense of humor or are they a bit too self-absorbed? We’ll never know. However, we DO know that the link to update your current password points to a server in Iran that has nothing to do with Microsoft. If you’ve got the balls to see this scam clearly, lunge for the delete key. (Our apologies for that last line. We couldn’t resist.)
Cybercriminals are fixated on several fake sources for their scams, especially Geek Squad. Below are two recent examples where the scammers send fake bills, trying to trick the recipient into calling them where they hope to inflict their damage and make money. Please notice, as in ALL these types of scams, that the recipient is never identified ALONG WITH any correct information about the method of payment. For example, you’ll never see the correct 4 last digits of your credit card! Some interesting things to notice about these emails that also mean they are a complete fraud…
- The emails do not come from the legitimate domain for Geek Squad which is BestBuy.com
- A search for the phone numbers never points to any legitimate service associated with Geek Squad or Best Buy.
- The recipient is rarely ever named, other than an email address
- They often contain absurd and completely false narratives. Check out the second email saying that any email response will not be responded to, or the fact that the $417 debit takes 24 hours before it appears in your account BUT after 24 hours you can’t cancel this order! That’s scammer language!
Check out this lovely email we got from a server in Germany telling us that our email account has been “limited.” We love playing with the automated software used by these phishermen. The links point to their server at siasky[.]net and we modified their link to make it OBVIOUS to everyone that they are a scam. Enjoy!
Gift Cards for You! – The use of bogus gift card emails has always been high on the list of tools in the cybercriminal arsenal because, quite frankly, people love a reward or gift. But these emails are truly malicious clickbait and here’s why…
- None of the emails come from the services they claim to represent. Often, the source domain is gibberish, like in the two emails below.
- They often contain discrepancies or language that makes no sense. For example, the “Citi B.ank” email below says “fifty dollar” in the subject line but $90 in the email!
Get Your Files and Confirm Bank Request – We’re not feeling the love for this email sent from a domain, khsas[.]com, which was registered in Nigeria in early April. It would be exceptionally unwise to download files from an untrusted source, such as this.
We STILL get absurd emails sent from the same malicious domain (kleenkit[.]com) but claiming to be different businesses, asking us to open an attached zip file. We have probably received about 30 of these in the last few weeks. Some may call this effort “persistence.” We prefer to call it stupidity. However, we would rather have these idiots waste their time targeting us, than you.
New Funding for You – Periodically we see bogus texts for money lending services, such as this one below that came from 628-288-3483 and for the website MoneyZip[.]co. Don’t bother sending a “STOP” reply to opt out. It only encourages these bastards to target you more heavily. What was interesting for us was to learn that the person(s) who registered the name MoneyZip[.]co did so in the Cook Islands and called themselves the “DDCCKK Family Trust.” It turns out that this trusting family has also registered several other suspicious money-lending websites listed below, all containing “usa” and “bank” in their domain names. We are 100% certain that this means these scammers are foreign to the USA and are not real banks. In case you want to take a closer look, we’ve provided a full web page screenshot of MoneyZip[.]co below. Enjoy!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.