WARNING – Fear the White Space! — Imagine seeing something for the first time when, in fact, it has been in front of you and hiding in plain sight for years. That’s how I felt about my realization that an overwhelming number of malicious clickbait emails contain the same telltale signs of malicious intent… Clickable white space! Think about it a moment… Legitimate marketing emails contain lots of text, graphics and buttons. Any one of these, or all of them can be clickable. HOWEVER, we have never seen legitimate marketing emails with clickable white space (that isn’t part of a graphic design). We mentioned this realization a few weeks ago and since then we opened our thalamus wide, paying a lot of attention to the blank white space in all kinds of emails. (The thalamus is that part of the brain that controls which sensory information passes through to your consciousness for your attention, and the information that is undeserving of attention and is put on hold. For example, you’re not likely thinking about the feeling of the seat against your backside until I mention it. And then your thalamus opens wide, bringing that feeling to your attention.) Try opening your thalamus and look with new eyes, at something malicious that’s been staring you in the face for years!
During the last eleven years, we’ve moved our mouse over tens of thousands of suspicious clickbait, collecting and evaluating links and sources to see if they were malicious. And in many thousands of these malicious emails we watched, but never thought about, how our mouse would turn into a “clickable finger” showing that the location under it was clickable. Many of those locations were in plain white space, seemingly without any content in them. Here’s a simple recent example. One of our long-time readers sent us this email claiming that his “device is at risk” for being infected with viruses. The email encouraged him to click a linked button to run a “security check.” Notice in this email that our computer mouse showed the “clickable icon” (See red circle) when we moved it over white space without content. This was true in virtually ALL of the white space from top to bottom! (This icon is never included in a real screenshot, but we’ve added it to this image to make our point clear.)
Every bit of white space about a quarter inch wider than the pink box in the above email was clickable, threatening to send victims to a website called mind[.]com. According to Google, this domain is for sale and not in use. It was registered last February, and still “under construction.” (The “m” in m.mind[.]com is a subdomain and not important.) When we open legitimate email from almost any other service or business, white space like this is not clickable. Text, buttons, graphics or images may be, but not blank white space.
Here’s another example that’s been hiding in plain sight for years. Cybercriminals often pretend to be legitimate companies like American Home Shield. The real company uses the domain ahs.com but this clickbait was sent from nobelcareer[.]com. ALL of the white space above and below the primary graphic of the kneeling man under the blue header was clickable. That’s because all of it was assembled into one large image. That single image, including all the white space in its design, was linked to a website called gilbrandwaxroof[.]com[.]es, which is for sale and not in legitimate use! The domain ends with “es,” the 2-letter country code for Spain (“.es” = España). (The “asdf” at the start of the link is a subdomain.)
We had no problem at all demonstrating the fraud in this email, even though Virustotal.com said that none of its 90+ security services found this link to Spain to be risky. (No security service is perfect.) BUT we did notice that Virustotal said that there were many redirects waiting on this website, which makes no sense for a website that’s for sale AND has no content on its top page. Google knows nothing about the website in Spain but, more importantly, the Zulu URL Risk analyzer found malware lying in wait on the Spanish site.
And, by the way, the phone number listed in the email, 855-632-0306, has been linked to multiple scams going back at least a year and a half!
We have just one more example to make our scary point very clear. This email claims to represent BurialInsurance.com but was sent from an email address at sharemodelgames[.]net. Look at the white space below the graphic of the smiling couple. It was ALL clickable! Again, real marketing emails DON’T DO THIS! That’s because ALL of the content was a single large graphic, including all the white space. Again, we’ve placed the clickable finger icon over it to demonstrate this point. Also, the link connected to this graphic didn’t point to BurialInsurance.com, it points to javadeveloper[.]net, which was found to be a phishing site.
And so, another lesson has been staring us in the face for years. Fear the white space! If you notice that your mouse shows white space as clickable (and it doesn’t point to the business that the email claims to represent), then we believe it is HIGHLY LIKELY that your email is malicious!
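The check described above can be automated for an HTML email body. The following is an added example, not part of the original newsletter: it flags links that have no visible text (a single linked image, or blank space) and that point away from the domain the email claims to represent. The sample body and the offsite.example host are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; offsite.example is a placeholder, ahs.com is the brand named above.
SAMPLE = """<html><body>
<a href="http://asdf.offsite.example/c/1"><img src="cid:offer" width="600" height="900"></a>
<a href="http://asdf.offsite.example/c/1">&nbsp;&nbsp;&nbsp;</a>
<a href="https://www.ahs.com/plans"><img src="cid:logo"></a>
<a href="https://www.ahs.com/contact">Contact us</a>
</body></html>"""

class LinkAudit(HTMLParser):
    """Record each <a href>, its visible text, and whether it wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = {"href": attrs["href"], "text": "", "has_img": False}
        elif tag == "img" and self._open is not None:
            self._open["has_img"] = True

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def host_matches(host, claimed):
    """True when host is the claimed domain or one of its subdomains."""
    return host == claimed or host.endswith("." + claimed)

def suspicious_links(html, claimed_domain):
    """Links with no visible text (image-only or blank) that leave claimed_domain."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    flagged = []
    for link in parser.links:
        host = (urlsplit(link["href"]).hostname or "").rstrip(".")
        if not link["text"].strip() and not host_matches(host, claimed_domain.lower()):
            flagged.append((host, "image-only" if link["has_img"] else "blank"))
    return flagged

if __name__ == "__main__":
    print(suspicious_links(SAMPLE, "ahs.com"))
```

The suffix comparison in `host_matches` is deliberate: a host such as ahs.com.offsite.example contains the brand name but is not under the brand's domain, so it is still flagged.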
Phony Facebook Ad — Anyone craving some Maine lobsters? If you happen to encounter ads from the fan page “Top Maine Lobster” on Facebook, think twice before you proceed. Check out and protect yourself with this 100% FREE, all-in-one tool.
Someone Wants You Dead, Fake Lawyer, and More AI Worries — Our friend Rob told us a couple of weeks ago that someone wanted him dead! You read that right. Apparently, a “contract” was put out to take this good man’s life! At least that’s what Agnes Okon told Rob in an email he received on October 25 with the subject line “Someone you call your friend wants you dead.” Agnes says that he was hired to do the job but is offering to let Rob live for a mere $8000 payment from him. How nice of him, right? Technically, that’s called extortion! But a close look at Agnes Okon’s email reveals that he hasn’t a clue whom he’s speaking with! Rob’s email is hidden in the BCC field and not even in the TO field. This usually means that this email is sent to LOTS of people at the same time!
We LOVE the email address that Agnes wants his payment sent to! It’s so subtle! AssassinsAssassins509 at Gmail! (Gee, we wonder if he has a website, advertising his services? By the way, in 2005, a man named Bob Innes created a satirical website called RentAHitman.com. He was actually contacted more than once by people actually looking for a hitman to kill someone! Of course, he contacted the FBI! Read about his website in this Wikipedia article.) This story takes an interesting twist. After a sleepless night fretting over this shocking threat and constantly looking over his shoulder to see if he were being followed (ok, we’re exaggerating), Rob decided to send Agnes an initial payment! The next day, Rob sent $400 in scratched gift cards to Agnes’ very clever, and not-so-obvious, email address. PLOT TWIST! Each of Rob’s gift cards was linked to a tracking service and had already been used, so they were worthless! Except for the information they could provide about the scammer’s location. Oh no! (CUE dramatic music!)
Agnes clicked each of the cards, revealing multiple times that this top notch, John-Wick-like, Bourne Identity hitman was located in Lagos, Nigeria!
But this drama isn’t over yet! Agnes suspected he was being played by Rob and didn’t like it one bit! A few hours later he sent Rob an angry email. Rob isn’t worried though. He’s channeling Tom Cruise in Mission Impossible! (End with Mission Impossible theme song!) He and his team are ready for Agnes!
A little less worrisome than online extortion, a few days later Rob also received an email claiming to be from a personal injury lawyer in Tampa, Florida named Betsy Herd. However, it was immediately clear to Rob, and us, that Ms. Herd had sent her email from a malicious mimic domain called MorgenSternHerd[.]online and not the legitimate law firm domain MorgenSternandHerd.com. The mimic had been registered about 2 months earlier through our **FAVORITE** Registrar called Namecheap. Details matter and it is so very important to verify, verify, VERIFY! The fake “Ms. Herd” included 4 bogus attachments, one of which was a faked ID meant to convince Rob that she was who she claimed to be! We weren’t convinced.
A valuable article about AI risks was recently posted on Yahoo’s Finance news page: “Lawmakers call on Federal Agencies to do more about AI voice scams.” It’s about time! Check out…
Social Security, Netflix and Amazon Prime! — Last week one of our readers sent us a phishing email scam we’ve never seen before. It pretended to be from the SSA, United States Social Security Administration. However, the email is confusing. The sender (a free Gmail account called “wailraining”) can’t seem to make up their mind between no access to your account because “our services as it has been suspended for some time” and “your account has been temporarily suspended due to suspicious activity.” Of course the real ssa.gov website would never send junk email like this, and certainly NOT with an attached pdf containing such a message!
Lots of readers and family members have been letting us know about phishing emails pretending to be about your Netflix account. These phony-baloneys have definitely been on the rise! Check out this one sent from “sparkpost” and not Netflix.com. The link to a Netflix graphic at the top was broken and didn’t display. If you see broken graphics like this in an email, you should be suspicious! Also, if you doubt whether an email like this is legitimate or not, try actually visiting the website directly and logging into your account before you believe this smelly carp. Fortunately, VirusTotal identified it as a phishing scam.
This “Amazon Prime” email actually came from a domain called leedsconveyor[.]com that was registered about 9 months earlier and is still “under construction.” Including the subject line errors, we counted 7 grammatical, spacing and capitalization errors in this smelly phish. That, and the fact that the links point to a cabinetry company in the UK, tell you everything you need to know about this lovely email!
Credit Card Score Report and AARP Marketing Survey — Is your credit good enough? The sender’s FROM name and email make this fraud extremely evident! However, it is worth bringing to your attention because, once again, this malicious clickbait misuses Google APIs services. You can no longer trust Google APIs to keep you safe! They are getting misused a lot. By the way, ALL of the white space around the words in the bottom half of this clickbait was also clickable.
Lunge for the delete key!
An email claiming to be a marketing survey, offering rewards, from AARP seems like it could be very legitimate, right? Except that this email came from corporateeventplanningtips[.]com and the links point to a link-shortening service often misused by cybercriminals! Rb.gy is a link-shortening service and this one will redirect your click to a malicious file on the website osmosisman[.]com! This domain was registered on October 6, in the UK. With “Black Friday” about 2 weeks away here in the US, please be on your guard because cybercriminals are likely to send out many more malicious emails disguised as Black Friday deals!
Targeted Attack Since 2022! — A Safety Officer for a Southern US company has been sending us emails for many years now. Just recently, a bunch of targeted attacks on her company had us wondering if there was a pattern to the emails she has shared with us. We searched through all the email she has sent us since January 2019 and discovered that in the Summer of 2022 there was a significant increase in a particular type of malicious email that you see an example of below. These emails all have attached “htm” or “html” files disguised as a variety of things but often as payment notifications. We also noticed that since late June of this year, most of these malicious emails contain the same “confidentiality notice” in them that you see in the example below. Our point? Clearly, the same cybercriminal gang is making a long concerted effort to hack into this company’s computers and network. No doubt, they want to install ransomware, steal data, or interrupt their services and then hold this company ransom for millions of dollars! Thankfully, their Safety Officer is a smart woman!
In this recent example, the very small attached file contained a few lines of code. Had it been opened, the attached file would have instructed the recipient’s browser to visit a VERY malicious website on a server in South Africa!
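A mail filter can triage this pattern before anyone opens the attachment. The following is an added example, not code from the original newsletter: it walks a message's MIME parts and reports small .htm/.html attachments whose content sends the browser to another address. The sample message, its addresses, the 2 KB size threshold and the redirect target are constructed assumptions.

```python
import re
from email import message_from_string

# Common ways a few lines of HTML can send the browser elsewhere.
REDIRECTS = [
    ("meta-refresh", re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh[^>]*url\s*=\s*["\']?([^"\'>\s]+)', re.I)),
    ("js-location", re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)),
    ("js-location-call", re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)', re.I)),
]
MAX_SMALL = 2048  # assumption: treat "very small" as 2 KB or less

# Constructed sample message; every address and URL is a placeholder.
SAMPLE_EML = """\
From: billing@sender.example
To: safety.officer@company.example
Subject: Payment notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached remittance.
--b1
Content-Type: text/html; name="Payment_Advice.htm"
Content-Disposition: attachment; filename="Payment_Advice.htm"

<html><head><meta http-equiv="refresh" content="0; url=https://redirect-target.example/login"></head></html>
--b1--
"""

def triage_html_attachments(raw_message):
    """Return (filename, size, kind, target) for small HTML attachments that redirect."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64/quoted-printable
        if len(body) > MAX_SMALL:
            continue
        text = body.decode("utf-8", errors="replace")
        for kind, pattern in REDIRECTS:
            match = pattern.search(text)
            if match:
                findings.append((name, len(body), kind, match.group(1)))
    return findings

if __name__ == "__main__":
    print(triage_html_attachments(SAMPLE_EML))
```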
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved.