The 2nd Global Online Scam Summit will be November 3rd & 4th! – Please join us for the second edition of the Global Online Scam Summit (GOSS) taking place on 3rd and 4th November 2021. The event, organized in association with APWG and the Global Cyber Alliance, is a platform for sharing knowledge and insights on how to fight online scams and fraud worldwide. Last year more than 425 representatives joined the 1st Global Online Scam Summit virtually. This year we hope to make the event even bigger by expanding to two days and adding more inspirational speakers but also more possibilities to network and share insights one to one.
Do you think you can spot scams with your eagle eyes? Check out this “Spot the Scam” article from Trend Micro posted on ScamAdviser.com! Good luck!
Sextortion again and Your First Class Mail Has Been Delayed – CNET.com calls it the “Snailmail Blues.” News services across the US are reporting that the United States Postal Service officially got slower in its delivery of first class mail starting in October. Boohoo! (Check out: CBS News) But this didn’t prepare us for this supposed “USPS” announcement on October 7 that our package, delivered on March 3, 2020, will be sent back because the “receiver’s address is incorrect.” March of 2020 and we’re just now getting this notice? Nearly 19 months later!? But wait, there’s more shenanigans! When we moused over the link to “Check This Now” we saw that it didn’t point to usps.com; it pointed to a domain called easywp[.]com. The link began with the subdomain “dhlsecurity-assistance-team.” DHL assistance? This is just malicious clickbait, again.
We’ve seen waves of sextortion emails over the last few years. You know, the ones that say “sorry buddy, but I’ve hidden malware on your computer and secretly recorded you enjoying naked photos of….” The sender sounds convincing, and often tells you he’s the real deal by sending you one of your own passwords that he also captured, while he records everything you do on your computer. This is all a lie, albeit a very clever one. You see, most people don’t know that data is hacked and stolen from businesses all around the world every month and posted for free or sale on the “dark web.” A lot of this stolen data actually includes people’s real passwords, along with the owner’s email addresses. So these scammers first buy dark web data containing passwords and email addresses. They then craft an extortion email claiming they have captured an embarrassing video of you while you are watching pornography, and they sometimes include one of your (stolen) passwords as “proof” of their control over your device. These scam emails are sent to millions of people! Check out a recent extortion scam email below and you’ll see that the sender is asking for $1300 as his extortion fee.
Even if only 1% of the many millions of people fall for this trick, a scammer might rake in a half-million dollars! If you ever find one of these extortion emails in your inbox, we’ve got your back! This Scamadviser article tells you how to recognize this scam and what to do, and not do, in response to it! You can read many examples of this scam on TheDailyScam in our articles titled “My Malware Recorded You” and “Sextortion by Email.” Finally, to see if any of your data has been hacked, stolen or found on the dark web, visit HaveIBeenPwned.com and enter your various email addresses, one at a time, into the search field. Do the same with the email addresses of your loved ones! Look carefully at the results. If you are told that passwords have been stolen, then CHANGE those passwords if you still have/use them! In April 2020, Sophos published an excellent article about the volume of this type of spam, its connection to cybercriminals, and the amount of money it generated. They also confirmed that this type of scam comes in waves. We hope we’re not at the start of a new wave.
Footnote: You might be surprised to learn that there are LOTS of people who, like us, are fed up with scammers targeting them, their friends and families. These people do their best to hit back at the scammers and one of the best ways to do it is to waste their time! Check out this recent article in The Guardian by Amelia Tait called Who Scams the Scammers? Meet the Scambaiters.
Paypal Order and Norton Lifelock Subscription – This bogus payment confirmation email from PayPal didn’t come from PayPal! It came from infospay-centers[.]com, a domain registered anonymously in Iceland a week before the email was received (on September 28). You aren’t even told what you supposedly paid $525.85 for! Your fictitious purchase was incorrectly sent to Macy, Illinois. (There is no town/city named Macy. Could these scammers mean the business named “Macy’s”???) You can call these scammers to find out at their “Fraud Helpling” or “Account Helpline.” Helpling???? Deeeeleeeete!
Our next phish claims that your “order is renewed” and thanks you for purchasing a “Norton Life lock Protection plan” for $339.50. But this email came from a person’s iCloud account named “patrik munes,” and the phone number you are invited to call, 800-448-8028, reaches scammers! Lunge for the delete key!
Sleight of Hand – Think You Have Bitcoins In Your Account? – Imagine hearing (via email) from a Mr. Thomas Dobbs, Head of Corporate Banking & Public Sector, and the Assistant Payment Officer for Barclays Bank. He is informing you that he has “$590,000.00 US Dollars Approved by United Nations in collaboration with World Bank” and deposited into an account that is waiting for you!
Mr. Dobbs sent this email to one of our SA/TDS readers last week. The reader exchanged several emails with Mr. Dobbs and someone named Mr. Christophe Bosche (who used an email address at “admin[.]com”). Their exchange exemplifies WHY it is incredibly important to pay attention to details and VERIFY, VERIFY, VERIFY! You see, Mr. Dobbs’ email appeared to be sent from the domain barclaysbank.com. But your reply will instead go to his REAL email address at dobbs.thomass@aol[.]com.
A “419 scammer” created a scheme whereby the funds seem to be deposited into a Bitcoin account that the Reader can log into and see. But, he cannot transfer any of this money out until certain fees are paid. The Reader asked us if the Bitcoin bank site was legitimate. Here’s what Mr. Dobbs had told him:
“As requested, we have now deposited 30 BTC which amount to ($1,422,395.10 USD) into your bitcoin portfolio at www.bitforte.net/signin” And Mr. Dobbs sent him the login information to the account. A visit to this website shows us that you are first asked to choose your preferred form of currency…
Before you get too excited about paying a small fee (of a couple of hundred dollars) to get your hands on nearly $1.5 MILLION dollars, let’s unpack the reality of this exchange. If we don’t, you’re about to embark on a fool’s errand with many more fees to follow. We visited our favorite WHOIS and asked when bitforte.net had been registered and to whom. We learned that this Bitcoin bank site did not even exist a month earlier! It was registered anonymously in the Netherlands on September 16.
Our next step was to check with Scamadviser.com’s AI to see what it thought about this website. You’ll discover that bitforte[.]net has a trust rating of 1 out of 100! With a rating that low, we wondered what the Zulu URL Risk Analyzer thought about this bitcoin bank site. Unsurprisingly, Zulu said it was 100% malicious! Like we said, VERIFY, VERIFY, VERIFY!
Can You Spot the World In Your Inbox? – People may not realize that many domain names contain two letter clues indicating where in the world they come from. They are called country codes and their very existence can often reveal an email or website as a complete fraud! Here’s a simple example. A business received an email from Ms. Janet Lor, who claimed to represent a company in Hong Kong and she wanted to place an order. She said the order is “too big to attached” so she provided a link to the order on the free cloud storage service called OneDrive.com.
However, we noticed that Ms. Janet Lor’s email actually came from a server in Germany, and not Hong Kong! At the end of her email address you can clearly see the two letters “.de,” which stand for Deutschland, meaning Germany.
This odd discrepancy caused us to pause about clicking the OneDrive link. A WHOIS lookup of vient[.]de then showed us that this domain is up for sale….again. Did you notice that Janet’s name is spelled “Lor” in the email address but “Lo” in the email itself? We advised the business NOT to click that link!
Here’s another example. The email came from a server in Argentina. See that the email address ends in “.ar.” The email recipient is invited to reply using an email to the business domain bridgefinltd[.]info. However, a WHOIS lookup for this domain tells us that it was registered in “za” back in April. ZA is the 2-letter country code for South Africa. Once again, these facts make us highly suspicious about the integrity of the email content.
One more obvious example will prove our point. This email came from “Smadar Barber-Tsadik” who said he is the Deputy Chief Executive Officer of First International Bank of Israel Ltd. If so, why did his email come from a server in Russia?
If you wondered whether or not cybercriminals in other countries could register a domain using the 2-letter country code for the United States, we have this for you… “Jim Gray, Editor of Vibrant Health News” appears to have sent this email with urgent news about Metformin, a medication for treating type 2 diabetes. The email came from the domain moskintorpro[.]us, and provides links back to that same domain.
But a WHOIS lookup shows us that this “United States” domain was registered in Bhopal, India back in early April. (“.in” = 2-letter country code for India)
This discrepancy between the United States country code used in the domain and the fact that it was registered in India led us to ask Scamadviser what it thought about this website. Not to be trusted! Also, VirusTotal.com showed us that 2 security services found this United States domain to be malicious!
To add insult to injury, moskintorpro[.]us will redirect visitors to another website registered to a domain with the “.us” ending called yoursdailyhealthcare[.]us. Besides the fact that this daily healthcare website was registered a week earlier and is also malicious, you can see that it was registered in India by checking a WHOIS record for the domain!
Two-letter country codes MATTER! They may tell you everything you need to know about the authenticity of an email sender or website. Pay attention to them!! There are many resources in which you can look them up. Below are two good ones. To see more examples of how 2-letter country codes can expose online fraud, check out our 2-minute video called
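For readers who handle a lot of mail, the checks in this section and in the Barclays story above can be scripted: compare the visible From domain with the Reply-To domain, turn the sender domain’s two-letter suffix into a country and compare it with the country the sender claims, and list every link whose host is not the sender’s own domain. This is an added example written for this newsletter, not a tool from The Daily Scam or Scamadviser; the ccTLD table is a small subset, and the sample message and all domains in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Small subset of the two-letter country-code table (assumption: extend as needed).
CCTLD = {"de": "Germany", "ar": "Argentina", "za": "South Africa",
         "in": "India", "us": "United States", "ru": "Russia", "hk": "Hong Kong"}

def domain_of(addr):
    """Return the lowercase domain part of a header address, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()

def cctld_country(domain):
    """Map a domain's last label to a country via CCTLD (None if it is not a ccTLD)."""
    return CCTLD.get(domain.rsplit(".", 1)[-1])

def check_message(raw, claimed_country=None):
    """Run the newsletter's three checks on one raw message; return a list of findings."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    # Replies routed somewhere other than the visible sender domain (the Barclays/AOL pattern).
    if reply_to and reply_to != sender:
        findings.append(f"reply-to mismatch: From {sender} but replies go to {reply_to}")
    # Sender domain's country code contradicts the country the sender claims to be in.
    country = cctld_country(sender)
    if claimed_country and country and country != claimed_country:
        findings.append(f"country mismatch: claims {claimed_country} but domain is in {country}")
    # Links whose host is not the sender's domain (the "Check This Now" pattern).
    for href in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender and not host.endswith("." + sender):
            findings.append(f"link to foreign host: {host}")
    return findings

# Constructed sample modelled on the Hong Kong order email: German sender domain, cloud link.
SAMPLE = """From: Janet Lor <janet.lor@example-vient.de>
Reply-To: orders@example-mailbox.com
Content-Type: text/html

<p>Order too big to attached, see <a href="https://onedrive.example.com/x">link</a></p>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE, claimed_country="Hong Kong"):
        print(finding)
```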
Stay Away From XRKETO[.]com – In several past newsletters, including last week, we pointed out that cybercriminals have been using a website called xrketo[.]com to host and deliver malware in a wide variety of scams. Misuse of this domain continues!
“You Won!” claims an email from Big Dollar Casino. Except that this email tries to hide the fact that it came from, and contains links that will send the recipient to xrketo[.]com, a VERY malicious website! Why use a link-shortening service like Bit.ly to create a LONGER link than the actual link it is used to replace? That’s proof positive that this is malicious!
Below is another email, claiming that we’ve been selected to receive an iPhone 13 Pro Max. And EXACTLY like the email above, the sender tries to hide the source and links within this email as xrketo[.]com.
Free CBD Gummy Bears and Lose Weight! – Recently, a 13-year-old boy sent us these two screenshots, telling us that he has been getting a bunch of texts to his phone addressed to someone named “Elise.” We told him they were malicious clickbait and NEVER to click the links in them! Here are two recent examples….
“You have been chosen for a free serving of CBD gummy bears.” We’re pretty certain that it would be illegal for a 13-year-old to act on this offer! Jump to the delete key!
This other text for “Elise” claims to offer a way to “shed 36 points” in 3 weeks. We’re also certain that this 13-year-old doesn’t need to lose weight. (We know him.) The text actually came as an email from the domain biomaxlabs[.]net. This domain was only registered a month ago. What a surprise. You know what to do!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands