Take Advantage of This Cybercriminal Mistake! — During our eleven-year history of analyzing fraudulent and suspicious content, we have noticed patterns in the way some cybercriminal gangs do things. When these patterns are also anomalies from the normal means of communication, then we’re able to take advantage of that anomaly by teaching the public how to recognize it to avoid online threats and reduce their risk of being victimized. Sometimes these cybercriminal anomalies are so simple, staring us in the face, that it takes repeated viewing until we suddenly have an “Aha!” moment. That’s what happened late last week after one of our loyal readers sent us a dozen malicious emails that poured into his inbox over 2 days. Aha! Now we’ve got a new simple skill to share with readers to help keep them safe!
One of the most infamous cybercriminal gangs that victimizes citizens of the world was known to us as the Hyphen-Poopy gang. They earned this moniker because we figured out that, for months, they used software to help them create their fraudulent web destination directory names (folders) by randomly hyphenating 2 words together. (Breadcrumbs led us to believe this gang is in India.) We wrote about it for months, teaching people how to recognize their fraud by simply looking for these 2 random hyphenated words in links. Until they stopped this practice in 2022. (Yes, we believe they enjoy reading our newsletter and are still reading it now. Apparently they finally had to change their hyphen-poopy practices to make their fraud less recognizable.)
The reason we mention the Hyphen-Poopy Gang is because we believe this gang has made another serious mistake that has been staring us in the face for years without our seeing it! However, one of our readers often sends us LOTS of malicious emails that land in his inbox. Last week, after opening his emails in sequence, we then happened to open several legitimate emails from services/businesses we use. BAM! We realized that nearly all of the malicious emails we were looking at had content presented as a SINGLE LARGE CLICKABLE IMAGE, including text, headers, bulleted lists and even white space. This is an anomaly! The safe and normal emails we opened used links with selected text only, other than buttons. The images in the legitimate emails were just images, or images with a simple descriptor. This is normal.
Here’s an example of this “one image to rule them all” email. The image below was taken from an email on October 7 from the domain TangisMedia[.]net, and had the subject line “Get Annuity Returns up to 7%*.” (NOTE: We have documented tangismedia[.]net as a source of LOTS of malicious emails for weeks!)
There are 3 regions (identified by the yellow boxes) in the above graphic. We can all agree that region #1 is, indeed, a graphic, an image. However any normal marketing email would have used text for regions #2 and #3, excluding the red button. But this malicious clickbait contained all of this as just one clickable image! The link attached to this image pointed to the link shortening service at tinyurl.com (tinyurl[.]com/4854mwh4). Using Unshorten.it, we unshortened that link to show that it will redirect visitors to a very malicious link pointing to a domain called fondationaitstore[.]store. (NOT “foundational”) This malicious domain was registered in December 2022 in Morocco using our favorite Registrar, (said dripping with sarcasm), Namecheap.
Here’s a second recent example of a malicious email using a “one clickable-image” to contain nearly all of the email’s content. This email, sent on October 6, claimed to represent Liberty Home Guard but the email was sent from the malicious domain dobano[.]site. (This domain was also registered through Namecheap in Iceland on May 4 of this year.) The subject line was: US News & World Report says: #1 Best Home Warranty Company. The link attached to this graphic pointed to a malicious site in Colombia called dendelo[.]co. But we learned that this site will redirect you to another malicious website called newoneli[.]live! (Thankfully, our friends at Scamadviser show a very untrustworthy rating for both newoneli[.]live and dendelo[.]co)
Again, look at the above graphic from the perspective of text one would expect to find in a marketing email. We added a thin red border around the graphic to make it easier to spot all the white part of the image in the bottom half. It is NOT NORMAL for businesses to turn all that white space, and the text in it, into a clickable link as one graphic combined with the image in the upper half! THIS IS SCAMMER BEHAVIOR! Yes, of course you could expect “zone 1” (our yellow box) to be a graphic image, possibly clickable. But for this image to include all of zone 2 and 3, with all its white space is an anomaly!
And here’s the Golden Lesson to learn… How would you know you’re looking at one of these one-image anomalies? It’s simple. If you open an email and carefully move your cursor over the content of that email, without clicking anything, does your cursor turn into a clickable finger? (Just like it does when you hold it over a link!) If it does, then you should be HIGHLY suspicious of that email and DO NOT CLICK anything! Here’s one more extreme example of this 1-image clickbait. The email below claimed to be from “Renewal by Andersen” but was sent from the malicious domain called hereis[.]click on October 6. (This domain was also registered on May 4 using Namecheap in Iceland. This is NOT a coincidence! Namecheap is the Registrar of choice for cybercriminals!) The subject line was “Get a free quote from Renewal by Andersen.” We outlined the graphic in red but changed nothing else. Look at all the text and white space that was part of this 1-clickable graphic used in the malicious email! It was an insane amount of screen real-estate!
And so, dear reader, we do hereby officially newly name this low-life cybercriminal gang who seem to be most singly responsible for using these clickable single images as the “1-image A-hole Gang.” Unsurprisingly, as we start to investigate the history of this image design by these low-life bastards, we think it’s possible that they could be the gang previously known as the Hyphen-Poopy Gang! We still have work to do before we feel confident in this assessment so we’ll keep you posted in the weeks ahead. Also, just to be clear, in each of the emails described above there was a very small amount of content before and after the large clickable image. But that small content doesn’t detract from our point! Even that small “text” may appear as a separate clickable graphic, such as this example taken from the bottom of the last email above.
Beware of large clickable images in emails that appear to contain text, multiple forms of content and even white space that you wouldn’t normally expect to be clickable!
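The mouse-over test above works for a human reader. The same anomaly can be checked on a mail server or in a security team’s triage script: parse the HTML part of the message, count how many real words sit outside of links, and note whether an image is wrapped in a link. The script below is an added example written for this newsletter’s readers, not code from The Daily Scam or any vendor. The two sample messages, the hosts in them, the paths marked EXAMPLE and the 30-word threshold are all constructed assumptions.

```python
"""Added example: flag e-mails whose HTML body is mostly one clickable image.

Heuristic from the lesson above: if the message has an <a> wrapping an <img>
and almost no real text outside that link, treat it as suspicious.
Sample messages below are constructed for the demo; every host, path and
threshold is an assumption, not data from the original article.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

MIN_BODY_WORDS = 30                     # assumed: fewer plain words than this means "no real text"
SHORTENERS = {"tinyurl.com", "bit.ly"}  # well-known link shorteners an analyst should expand first


class ImageLinkScanner(HTMLParser):
    """Counts visible words inside/outside links and records <img> tags wrapped in <a>."""

    def __init__(self):
        super().__init__()
        self.anchor_depth = 0
        self.current_href = ""
        self.body_words = 0        # words not inside any link
        self.link_words = 0        # words that are link text (e.g. a 'Track' button)
        self.linked_images = []    # (href, src, width, height) for <img> inside <a>
        self.plain_images = 0      # <img> not wrapped in a link
        self._skip = 0             # >0 while inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("style", "script"):
            self._skip += 1
        elif tag == "a":
            self.anchor_depth += 1
            self.current_href = a.get("href") or ""
        elif tag == "img":
            if self.anchor_depth:
                self.linked_images.append(
                    (self.current_href, a.get("src", ""), a.get("width"), a.get("height")))
            else:
                self.plain_images += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1
        elif tag == "a" and self.anchor_depth:
            self.anchor_depth -= 1

    def handle_data(self, data):
        if self._skip:
            return
        words = len(data.split())
        if self.anchor_depth:
            self.link_words += words
        else:
            self.body_words += words


def html_body(raw_eml: str) -> str:
    """Pull the text/html part out of a raw RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def assess(raw_eml: str) -> dict:
    """Return the scan counts plus a verdict on the 'one image to rule them all' pattern."""
    scanner = ImageLinkScanner()
    scanner.feed(html_body(raw_eml))
    scanner.close()
    hosts = [(urlparse(href).hostname or "").lower() for href, *_ in scanner.linked_images]
    return {
        "body_words": scanner.body_words,
        "link_words": scanner.link_words,
        "linked_images": scanner.linked_images,
        "plain_images": scanner.plain_images,
        "shortened_targets": [h for h in hosts if h in SHORTENERS],
        # verdict: a linked image carries the message while real text is nearly absent
        "single_image_email": bool(scanner.linked_images) and scanner.body_words < MIN_BODY_WORDS,
    }


# Constructed sample 1: the anomaly. One <a><img> carries all the "content".
SUSPECT_EML = """\
From: Promo <promo@sender.example>
To: reader@recipient.example
Subject: Get Annuity Returns up to 7%
Content-Type: text/html; charset="utf-8"

<html><body>
<p style="font-size:1px">View online</p>
<a href="https://tinyurl.com/EXAMPLE-placeholder">
  <img src="cid:offer.png" width="600" height="1400" alt="">
</a>
<p>Unsubscribe</p>
</body></html>
"""

# Constructed sample 2: normal marketing mail. A small logo, real paragraphs, one button link.
NORMAL_EML = """\
From: Shipping <auto-reply@carrier.example>
To: reader@recipient.example
Subject: Your package is on its way
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo.png" width="120" height="40" alt="Carrier logo">
<p>Hello, your package has left our facility and is on its way to you.
We expect it to arrive within two business days. You do not need to be
home to receive it; the driver will leave it in a safe place if nobody
answers the door. Track the shipment at any time using the button below,
or reply to this message if your delivery details have changed.</p>
<p><a href="https://tools.carrier.example/EXAMPLE-path">Track package</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EML), ("normal", NORMAL_EML)):
        print(name, assess(raw))
```

The verdict is deliberately a coarse first filter: it tells the analyst “almost nothing here is text, and the only thing to click is a picture,” which is exactly the visual cue the newsletter teaches. The `shortened_targets` field adds the second cue from the TangisMedia example: a linked image pointing at a shortener should be expanded (as the newsletter does with Unshorten.it) before anyone decides the destination is safe.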
Online scams are the most reported type of crime. Most countries now state that between 20 to 50% of all crimes reported are related to online fraud. This is only the tip of the iceberg, as only 7% of all scam victims report the crime to law enforcement. With nearly $55 billion lost last year and more than 300 million consumers scammed fast action is required.
On October 18–19, 2023, the 4th Global Anti-Scam Summit (GASS) will take place. The goal of the GASS is to bring governments, consumer & financial authorities, law enforcement, brand protection agencies, and (cybersecurity) companies together to share knowledge and define joint actions to protect consumers from getting scammed.
In 2022, we had nearly 1,300 virtual guests and 120 physical participants from 70+ countries. This year the event will be organized hybrid again. Last year, we defined 10 Recommendations to Turn the Tide on Scams. This year, we will focus on further defining these solutions and showcasing the best practices from around the globe.
October 18-19 | Ramada by Wyndham Lisbon Hotel, Portugal & Online (Zoom)
Top Phishing Scams of the Week — Walmart, USAA, and Adobe. Can you spot all these scams? Check out and protect yourself with this 100% FREE, all-in-one tool.
Legit Covid Test Emails, and When Links/Ads are NOT What They Appear to Be — In case US Citizens hadn’t heard, the U.S. Government was offering free COVID test kits beginning on September 25. With COVID cases on the rise again, this is a good idea. U.S. citizens can get their test kits by visiting this US Government website: https://www.covid.gov/tests. Notice that the domain “covid.gov” ends with DOT-gov. This global top-level domain, as shown, is only used by US Government websites. However, citizens will be notified about the delivery of their test kits by the US Postal Service. Should you get an email like this, we want YOU to understand why this is legitimate! Notice the following…
- It was sent from auto-reply @ usps.com and ONLY “usps.com” appears after the @ symbol.
- Mousing over the tracking link will show you that it points to tools.usps.com. “Tools” is a subdomain used by the US Postal Service. It’s not important. What IS IMPORTANT is seeing usps.com up against the first single forward slash in the link!
If you get an email that deviates from #1 or #2, please be very careful to evaluate it before clicking! If you want us to help, please forward your email to email@example.com.
When is a link not the link you think it is? Answer….possibly anytime! Check out this recent email that wants you to believe it came from the US Social Security Administration when, in reality, it was sent from a website called White Leeds arid wetlands, under construction in Australia. You’re invited to see your social security statement and the link in the email looks like it points to ssa.gov. But a mouse-over shows that this ssa.gov link actually points to the malicious site mjt[.]lu, registered in Luxembourg. (“.lu”)
We have a couple of notes to share from our readers. The first is a correction we (thankfully) received a few days ago about a mistake I made in last week’s Top Story. I said that an email, which was sent from a domain ending in “.ch,” came from Chile. That was wrong! (The 2-letter country code for Chile is DOT-cl). The 2-letter country code “ch” represents Switzerland. So the sentence should have read “What Felicia didn’t know is that this ‘article’ was on a website on a server in Switzerland called paulownias[.]ch.” Many thanks to the reader who caught the error and let us know!
Another long-time reader told us that she has been receiving lots of phony messages pretending to be from Amazon, claiming to inform her that someone has been buying things (an iPhone, EarPods, etc.) through her account. They haven’t, and she’s reported this fraud to Amazon. However, late last week she said…”This morning, they tried a different tactic and made a call acting as if it was Amazon!! They wanted me to call them to verify, give my ok, etc. These scammers are tricky!” We want to raise your awareness about these tricks!
During the last couple of months we’ve also been trying to raise awareness of ways in which cybercriminals have been using AI to perpetrate fraud and victimize others so they can make money. (They are truly disgusting! We don’t understand how they can live with themselves.) This recent article on CNN adds another disgusting perspective to a new form of sextortion targeting a group of children in Spain!
Amazon, Trust Wallet and Your Email Password — Any email about Amazon’s prime service should be coming from amazon.com, and certainly not onmicrosoft[.]com. Moreover, the link to update your information in the attached pdf pointed to the Googleapis service. Thank goodness at least 2 security services recognize that link as malicious!
Trust Wallet is a digital wallet app for your smartphone that can act as bank account access. But this email didn’t come from TrustWallet.com. It came from a server in Brazil. The link to “confirm wallet” points to a malicious website at rdsv1[.]net.
Oh no! Once again, we’re told that the password to our mailbox at TheDailyScam.com has expired! Heavens! What should we do? Fortunately, we can click to “keep current password” if we’d like. But VirusTotal.com said that 4 security services found that link to be a phishing scam so we modified our email address the scammers had coded into the link and sent the link to a screenshot machine. Our newly created email address makes it very clear what we think of these scammers.
Social Security eStatement Notification and Sam’s Gift Card Promotion — The same TDS reader who received the above message from the “Social Security” Administration, also received this one to view his SSA report. But this one included an attached file ending in DOT-html. Our longtime readers know how dangerous it is to open files ending in html, htm, shtml, php, and js! When we cracked open that attached file, we found many pages of code, ending with “startDownload.” Step away from this precipice!
Wow, yet another gift card promotion! Just click to claim your $250 offer! But this offer came from an agony shame grain website and the links pointed to a sulky website lacking in any credibility!
Look at this Picture of You I Found and New Message from FedEx — One of our friends had her Facebook account hacked. The hacker sent out this message to us saying “look at this old picture of you that I just found” followed by 2 emojis (laughing and shocked). We are encouraged to click that link to see the image she found. But we didn’t, of course. Instead we investigated the domain in her link, xv6k[.]quest. The domain used in “Laurie’s” link was registered just 4 days earlier and is hosted on a server in Amsterdam! Also, Scamadviser didn’t think too kindly of that domain either. Don’t fall for these malicious tricks!
We also received an email working really hard to look like it came from Fedex. “You have (1) new message!” But instead of pointing to fedex.com, the link to continue pointed to the misused services at Googleapis. Fortunately, at least 3 security services found that link to be a phishing scam. We quite agree! We’ll get our package another day, perhaps.
A Real Text from Netflix and a Likely Pig Butchering Scam Text — We have something new to show you this week in Textplosion. The first is actually a very legitimate, real text that came to one of our family members from Netflix when the person went to add a new device to the family Netflix account. We want you to notice 3 things about this text that help you recognize it as legitimate. They are…
- The person receiving it had tried to add a new device to her account and so the text isn’t unexpected.
- The text came from short code 68359. It didn’t come from a phone number or email address. Shortcodes are used by most big businesses who send texts. The business must pay for this privilege and register itself in order to use shortcodes. That’s why scammers don’t send texts from shortcodes!
- The link in the text clearly points to the domain netflix.com! (The “m” is a subdomain, separated from the fully qualified domain name by a period. Also, the k0WtgX5agJb is a directory and not important because it follows the first single forward slash.)
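The rule repeated in the USPS item above (“usps.com up against the first single forward slash”), in the fake ssa.gov link that really went to mjt[.]lu, and in this Netflix text (subdomain before, directory after) is the same rule, and it is easy to automate. The script below is an added example for this newsletter, not code from The Daily Scam, Netflix or USPS. It applies the rule to those three cases and, going beyond the newsletter, to two look-alike tricks that a reader could also meet: a host that merely starts with the real name, and a user-name before an “@” sign in the link. Every link and address in it is constructed; paths marked EXAMPLE are placeholders, and the hosts ending in .example are reserved test names.

```python
"""Added example: read the host 'up against the first single forward slash' and
compare it with the domain the message claims to belong to.

Covers the newsletter's three cases (tools.usps.com, the fake ssa.gov link that
goes to mjt.lu, m.netflix.com) plus two look-alike tricks. All sample links are
constructed; EXAMPLE paths are placeholders, not URLs from the article.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# something that looks like a bare domain name in visible link text, e.g. "ssa.gov"
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def link_host(href: str) -> str:
    """Host of a link: what sits between '://' and the first single '/'.

    urlparse strips user-info ('name@'), port and path for us, so the
    constructed trick 'https://usps.com@attacker.example/' yields 'attacker.example'.
    """
    href = href.strip()
    if "://" not in href:
        href = "https://" + href          # bare 'usps.com/track' style links
    return (urlparse(href).hostname or "").lower()


def belongs_to(host: str, expected: str) -> bool:
    """True when host IS expected or is a subdomain of it.

    The '.' prefix enforces a label boundary, so 'notusps.com' and
    'usps.com.attacker.example' both fail for expected='usps.com'.
    """
    host, expected = host.lower().rstrip("."), expected.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def check_link(anchor_text: str, href: str, expected_domain: str) -> dict:
    """Compare where a link really goes with the domain the reader expects,
    and with any domain spelled out in the visible link text."""
    host = link_host(href)
    shown = anchor_text.strip().lower()
    shown_host = link_host(shown) if (DOMAIN_RE.match(shown) or shown.startswith("http")) else ""
    return {
        "host": host,
        "ok": belongs_to(host, expected_domain),
        # visible text names one domain while the href goes to another: the ssa.gov trick
        "text_mismatch": bool(shown_host) and not belongs_to(host, shown_host),
    }


def sender_domain(from_header: str) -> str:
    """Everything after the '@' of the real address; the display name is ignored."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


if __name__ == "__main__":
    # constructed cases: (visible text, href, domain the reader expects)
    cases = [
        ("Track your package", "https://tools.usps.com/EXAMPLE-path", "usps.com"),
        ("ssa.gov", "https://mjt.lu/EXAMPLE", "ssa.gov"),
        ("Verify device", "https://m.netflix.com/k0WtgX5agJb", "netflix.com"),
        ("usps.com", "https://usps.com.attacker.example/EXAMPLE", "usps.com"),
        ("Track", "https://usps.com@attacker.example/", "usps.com"),
    ]
    for text, href, expected in cases:
        print(f"{href:48} -> {check_link(text, href, expected)}")
    print("sender domain:", sender_domain("USPS <auto-reply@usps.com>"))
```

`check_link` returns two separate answers because they are two separate red flags: `ok` is False whenever the real host is not the expected domain or one of its subdomains, and `text_mismatch` is True only when the visible link text itself spells out a domain that the href does not go to, which is the Social Security example above. `sender_domain` applies the same idea to the From header, so “USPS <auto-reply@usps.com>” yields usps.com and nothing else.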
This may seem like a stretch but this simple 2-letter text from a strange number and sent to one of our readers is very likely the very start of a pig butchering scam. We say this because several of these have targeted us as well and they began with a message as short and simple as “Hi.” This 7-minute video on YouTube from ABC Channel 10 news details this scam and why it is called “pig butchering.”
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands