Cybercriminals Are Improving Their Scams —
One thing we have always been able to say about the sleazy, low-life, scammers who make a living by inflicting harm on others is that they are clever. Aligning with the tenets of Darwinian Evolution, that shouldn’t be too surprising. After all, those who can successfully adapt their scams will survive. (Consider Darwin’s primary axiom “survival of the fittest.”) Those cyber-criminal gangs and call centers who develop and share the best “survival” tips and tricks with each other will most likely continue to succeed in their efforts. We lament this unpleasant reality because we’ve noticed small, but resourceful shifts in the phishing threats targeting the public during the last year. These successes have also led to a doubling, if not tripling, of the number of phishing threats targeting us all, primarily through email and texts. Let’s dig into the motivating factors driving these bad actors and review the clever changes in the phishing landscape.
Common sense and recent investigations into cyber-criminal gangs strongly suggest to us that there are three types of people who join these loathsome groups of sub-humans. Either they are on the edge of a precipice and feel they have no other opportunity or option available to them for their own survival, OR they are 100% unempathetic a-holes who take pleasure in the game of making money and don’t care how they do it, OR they are literally conscripted/tricked/forced to join a cybercriminal gang and required to pay a debt in order to leave these despicable groups.
Some years ago, I baited a particular scammer and then called him out for running a scam. I then asked him why he chose this type of work. He claimed to represent the first TYPE of scammer, on a precipice and desperately trying to make a living. He explained that he had no other choices for a livelihood where he lived, and it was either this shameful work or begging. His circumstance is described in this excellent 2019 article in the NY Times titled “Who’s Making All Those Scam Calls.” It states, for example, that educational institutions in India graduate about 1.5 million engineers every year. However, only about 20% of graduates are able to find work in their respective fields. That leaves a lot of other men and women struggling to make a living. Many cyber-criminal gangs (such as the Hyphen-Poopy Gang) thrive in India.
At the opposite end of the spectrum, recent investigations have exposed the horrific detention of people who are conscripted to engage in cybercrime and must work to pay off a debt. Such was the case reported by Alastair McCready in Vice News on July 13, 2022 in an excellent article titled From Industrial-Scale Scam Centers, Trafficking Victims Are Being Forced to Steal Billions. And in the middle of these two extremes are the professional scammers who are completely devoid of empathy or humanity. We imagine they are so lost and without a conscience that they probably wouldn’t care if their own parents, or siblings were scammed by the types of fraud they engage in.
Regardless of the type of scammer, or their motivation, Darwin’s “survival of the fittest” drives the criminal gang’s evolution. Here are some examples of what we mean. For many years, the typical phishing scam was sent from a personal email account, either a hacked email or account created by the scammer. The link in the email typically pointed to a hacked website that was used to host the phishing scam. Here is such an email. It likely came from someone’s personal Comcast email that was hacked. The link to “View Message” points to a hacked website registered and hosted in Istanbul, Turkey nearly two years ago.
In late 2020, the US Congress created a new law called the TRACED Act. This new law forced cell service providers to better fight robocalls, most of which were scams. And it worked! For a while. As Darwin’s Theory of Evolution predicts, some criminal gangs adapted and started running their scams differently to get around the TRACED Act. And many of these tricks were phishing scams. If THEY couldn’t make calls to YOU, perhaps they could trick YOU to call THEM! Here are a few of these types of scammer tricks. Readers should recognize them because they are now a staple of phishermen, and frequently used.
NOTE: In this next sample, notice that the email was sent to “undisclosed-recipients.” Also, the scammer included a New Jersey address for McAfee that is a home on a neighborhood street and NOT the McAfee business.
NOTE: This next phishing email was short and sweet, saying only “Thank You.” The attached pdf was created by someone named “Farhan Ahmed Hridoy” but we can’t reveal how we know that.
Sadly, many people who were targeted by these scams DID pick up the phone and call the scammers, often resulting in serious consequences for the victims. But perhaps the most clever adaptation we’ve seen evolve from criminal gangs through their phishing scams has been the misuse of legitimate web services. Some of these web services are well known and trusted, making these particular threats even more dangerous. Services like Appspot.com, Google Sites, Weebly and other services are being successfully misused with greater and greater frequency. Some services, such as Intuit’s Quickbooks, have been taken advantage of so successfully that it can be very difficult for some people to identify these emails as fraudulent, and so they call the scammers. Here are just a few recent phishing emails with links pointing to some of these misused services…
“Survival of the Fittest” among cybercriminals is inevitable, and the consequences mean that we all need to be on our guard, educate friends and family, and continue to be skeptical of digital content. HOWEVER, making our collective effort even harder is when the online tools and services that are misused DON’T take down phishing sites as soon as they are reported! Unfortunately, last week we experienced an awful response from the customer service department at Square Up. Read our “Phish Nets” column below as we share that story, and remember to be on your guard! The changing tactics of cybercriminal gangs mean we all must adapt as well to recognize their new tricks!
Clever Scammer Phone Calls and Hurricane-Related Scams, (as Expected) – One of our readers sent us a VERY realistic and convincing voice message she received from a man named Mike. It sounds like Mike is getting into his car but he takes a moment to call her. He said he was calling from the Attorney’s office to say that she would be a good candidate for the debt validation program. The woman who sent us this voicemail told us she has no debt and is just a few weeks away from retirement. At least 70 people have reported the same fraud call online, including 20-something people at 800notes.com.
The Federal Trade Commission recently published an article about this type of scam call. Check out their October 3 article titled “Student Loan Scammers Are Circling. Keep Them at Bay.” Given the Biden Administration’s recent notification about student loan debt relief, the White House is warning people to beware of more student loan scam calls related to this relief. Check out this October 5 article on CNN about them!
In this next scam call, sent to us by our esteemed colleague Rob, his Utility Company (not identified by name!) called to let him know that he was accidentally charged at the “commercial rate” rather than the residential rate for his utility services. They were calling to apply a $75 credit because of their mistake. Rob turned on his phone “scammer answering service” so his “wife” could respond to this call from “Raymond.” (Again, you can hear LOTS of other scam callers in the background of this Scam Call Center!) These scammers had Rob’s real name, address and telephone number! We’ve cut out these personal details from the recording. We also cut out about 4 minutes of waiting, repetition and gibberish as Rob’s “wife” wasted this caller’s time. As you can hear, the purpose of the scam call was to get Rob’s credit card number. His “wife” gave them a bogus one and neglected to give the last 4 digits, over and over! Finally, the scammer hung up! Enjoy!
As previously reported, scams related to Hurricane Ian spiked in the weeks immediately after this awful storm. Check out this article from the FTC.gov: Recovery Scams Will Follow Hurricane Ian. Here’s How to Spot Them! (And while you’re there, check out their very good unrelated article titled: Five Things to Do to Protect Yourself Online.)
On to a completely different subject, one of our readers received this lovely email from a woman named “Pretorius Lindie.” Surprisingly, she wanted to give away her late husband’s baby grand piano and was looking for someone interested to take it! However, we thought the shipping costs could be excessive coming from Kazakhstan! You see, Kazakhstan is where her email came from! The exact source was a Kazakhstan Government website described as “Government for Citizens” – the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan.
Footnote: The FTC’s Consumer advice website is a great resource and regularly releases reports on various online threats and scams. For example, this Consumer Alert (published 9/26/22) is an excellent warning about a recent type of scam, and titled “Did you get an email saying your personal info is for sale on the dark web?” You can sign up for Consumer Alerts from the FTC here.
When Abused Services Don’t Cooperate, Criminals Win – Just last week one of our readers sent us a phishing scam targeting Comcast Xfinity users. If you read the paragraph in the email below carefully you’ll notice several grammatical and other English errors in it. You’ll also notice that the link connected to “Click here….” pointed to a misused web page at Square.site. Square.site is owned by SquareUp.com which is part of the multitechnology company called Block, Inc. (Source: Wikipedia) As we sometimes do, we reported this smelly phish to Squareup.com and asked them to take the phishing page down. That request didn’t work out too well, and we were appalled by the response from the SquareUp customer service department. Sadly, their unacceptable response meant that this smelly phish was up for days tricking people into revealing their personal login credentials. Let’s walk you through our experience with SquareUp and you can decide for yourself if their response to our request was unacceptable, favoring criminals over public safety.
The phishing email came from a South Korean platform called Naver[.]com that’s been around since 2009, according to Wikipedia. (We’ve seen this service misused many times in the last few months.) The email claimed to represent Comcast but the link pointed to a free web page on Square.site called xfinity-109486. This is a subdomain on Square.site.
Below is a screenshot of the phishing page at Square.site. To anyone with half-a-brain, this is an OBVIOUS phishing page! It clearly pretends to be a sign in for Xfinity, but Xfinity has NOTHING to do with Square. Nearly 22 hours after reporting this site abuse to Square Customer Support, we received a reply thanking us for submitting this phishing page, and asking us to submit more information describing the technical issue or question!
We were incredulous at the reply from Square’s tech support team! What more needed to be explained? It felt like visiting a doctor to ask for help fixing an obvious broken arm, hanging at an impossible angle. But instead of seeing that the arm is obviously broken, the doctor asks for more information about what’s wrong! We replied rather curtly to the Square Up customer support representative. Once again, we were shocked by her response. It was now approaching the end of two days since we reported this scam.
On the third day after reporting this site abuse to Square Up, we checked to see if they had taken it down. Much to our surprise, Google was now informing us that it had detected the fraud and was posting a warning to visitors, thankfully! We sent this screenshot to Square Up.
On October 6, four days after first reporting this fraud to Square Up, we received an email from a Complaints Manager named Raymond. He said…
“My name is Raymond and I’m a Manager with Square. I’m reaching out about a complaint that was escalated to our team for investigation and outreach. I understand that you are reporting a Square Site from a seller to be a phishing scam and expressed dissatisfaction with your experience with support. I’m sorry to hear about your experience, and I would be happy to help.
Thanks for taking the time to provide us with this information. The appropriate team will look into this immediately and take any necessary actions.
If you’d like additional information on recognizing and reporting phishing scams, feel free to visit our Support Center.”
We responded to Raymond’s email with the following. It was the last we heard from Raymond or Customer Support at Square Up. Unfortunately, that’s one more win for the cybercriminals and zero for the good guys.
“Hi Raymond, While I appreciate you, and your staff’s responses to my emails, I find it appalling that none of you can see this as obvious fraud. Especially when Google has already identified that link as a phishing scam! (I sent a screenshot in the last email.) That’s what is so disappointing.
Are you aware that phishing scams do the greatest amount of damage in the first few days they are set up? Are you aware that REAL people are getting their personal Comcast accounts hacked because your company is allowing this web page to stay up?
I will be publishing an article about the exceptionally poor response to this online fraud from Square Up. Would you care to make a statement about why this is so difficult to identify as fraud and remove? I would be happy to include it as a counter balance to what I have to say about the Square Up response.”
Reward for Telling Us of Your Netflix Experience! – Another newsletter reader sent us this very malicious clickbait disguised as an email inviting her to take a Netflix survey, in exchange for “several exclusive offer rewards.” The email appears to be sent from a gibberish domain that was never registered. The links point to a misused online service at wasabisys[.]com. If you look carefully at the information provided at the bottom of this clickbait, you’ll notice things that make no sense at all. For example, “Us Magazine News” and the unsubscribe link to professionalinternetutilities[.]com. Fortunately, VirusTotal.com told us that four security services have identified the link as malicious! Now Deeeleeeeete!
Unfortunately, we’ve seen the service at Wasabisys[.]com being misused a lot recently, and producing lots of malicious clickbait. We do not recommend clicking on ANY link that comes from their domain until they get better control over this abuse. Here’s another recent malicious example disguised as a Lowe’s promotion. The similarities to the Netflix clickbait above strongly suggest that it is the same cybercriminal gang misusing this service.
Open Your Audio File – No! The attached file is NOT an audio file, though the email claims it is and the file is named “Audio-64418” and begins with a small icon of a microphone. You all know by now that the attached file is a dangerous attachment. ‘Nuf said.
Citizens Bank Notice – This text came to one of our readers, pretending to be a notification from Citizens Bank. Notice that the short link points to the domain ko[.]gl. The REAL Citizens Bank domain is CitizensBank.com. The recipient didn’t have a Citizens Bank account! Swipe left!
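The checks used by eye in the Comcast/Square.site story and in the Citizens Bank text above (does the link's host belong to the brand the message claims to be from, and is a brand name sitting in a subdomain of a shared service) can be written down as a small script. This Python is an added example, not part of the original newsletter; the brand table, the finding labels and the function names are assumptions, and the sample links are constructed from the hosts named in the article.

```python
from urllib.parse import urlsplit

# Shared services the article names as misused for hosting phishing pages.
SHARED_PLATFORMS = ("square.site", "appspot.com", "weebly.com",
                    "sites.google.com", "wasabisys.com")

# Assumed brand table: domains the brand really uses, plus name keywords.
BRANDS = {
    "xfinity": {"domains": ("xfinity.com", "comcast.com", "comcast.net"),
                "keywords": ("xfinity", "comcast")},
    "citizens bank": {"domains": ("citizensbank.com",),
                      "keywords": ("citizens",)},
}

def host_of(url):
    """Return the lowercase hostname of a link, accepting defanged input."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_link(claimed_brand, url):
    """List the reasons a link does not fit the brand a message claims."""
    brand = BRANDS[claimed_brand.lower()]
    host = host_of(url)
    if any(on_domain(host, d) for d in brand["domains"]):
        return []                      # link is on the brand's own domain
    findings = ["brand-mismatch"]
    platform = next((p for p in SHARED_PLATFORMS if on_domain(host, p)), None)
    if platform:
        findings.append("shared-platform:" + platform)
    if any(k in host for k in brand["keywords"]):
        findings.append("brand-keyword-in-host")
    return findings

# Constructed samples: the first host is the subdomain described in the
# article; the paths and the last host are made up for illustration.
SAMPLES = [
    ("Xfinity", "https://xfinity-109486.square[.]site/"),
    ("Citizens Bank", "https://ko[.]gl/EXAMPLE"),
    ("Citizens Bank", "https://www.citizensbank.com/"),
    ("Citizens Bank", "https://citizensbank.com.login.example/"),
]

if __name__ == "__main__":
    for brand, link in SAMPLES:
        print(brand, link, check_link(brand, link))
```

The last sample shows why the comparison is made on the end of the hostname: a host that merely starts with the real bank domain is still flagged.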
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.