Making YOU an Accomplice to a Crime! — Sometimes cybercriminals are in need an accomplice to help them carry out their fraud. Can you guess who their favorite accomplice is?  YOU!  That’s right, they enlist YOUR help in carrying out their crimes against YOU!  To do this, all they have to do is convince you of a false narrative and then manipulate you to follow their instructions. And then BANG! They make money and your emotional and financial pain begins. They manage to manipulate us all in many ways but there is one very interesting way that doesn’t happen quite as often as, say a phishing scam like those we document every week. This week we have a few examples showing you a form of fraud that begins with a popup telling you that your device is infected with viruses and/or trojan horses. Ah, but wait! Help is available, says the message. Let the pain begin…

About five weeks ago, a woman we’ll call Felicia was cruising Facebook on her phone. According to Felicia this is something she does routinely, daily. As often happens, Felicia saw an article that interested her and she clicked it. Suddenly she got a popup message over the article that appeared to be from Google telling her that her phone was infected with viruses!  “Your iPhone is severely damaged by (13) viruses.” Ahhhh….lucky number 13!

Both In red, to really stand out, as well as in a gray box, the message continued with….

“We’ve noticed that your iPhone is 28.1% damaged by (13) harmful viruses from recent adult sites. It will soon corrupt your iPhone SIM card and damage your contacts, photos, data, and applications.”

Also in red was a timer that began at nearly 5 minutes. And in bold at the top of the gray box was written authidmob[.]com. Finally, prominently displayed, was a blue button “Repair Now.” 

As Felicia told us, the first thing she did (after first expressing a word we prefer not to repeat here) was to call out for her husband. In seconds he took the screenshot and correctly quit her application. He then sent the screenshot to us and asked if there was anything else he should do. We told him to clear the application’s cached files.  Obviously, this popup was complete malarky and a cybercriminal’s attempt to enlist YOUR help to scam YOU! We all know that Facebook cannot protect it’s community against all malicious clickbait. Apparently, cybercriminals were able to place a malicious link disguised as an article called something like There’s not one piece that I didn’t go out and buy or that I can’t tell you a story about.  What Felicia didn’t know is that this “article” was on a website on a server in Chile called paulownias[.]ch. (“.ch” = Switzerland)

We asked Google about this Chilean website and, according to Google, the paulownias[.]ch website is listed as “Live News Pro” and also has the subtitle “Mindblow: a blog about philosophy.”  This all sounded pretty sketchy to us!  (A Chilean WHOIS tool told us that this website was first registered in mid-July, 2022.)

We also wondered about that other website shown in the gray box, called authidmob[.]com.  It seemed that clicking either “OK” or “Repair Now” was likely going to send us to this sketchy mob site. Another WHOIS look up told us that this domain was recently registered in mid-June of this year and was being hosted on a server in Germany! What makes this Authentic Hidden Mobster website even more suspicious and bizarre was when we asked a screenshot machine to take a picture of the main page as if it were visiting as a smartphone! This site claimed to be the “Best 2FA app with end-to-end encryption”   Hell, no!

Remember, this all started with a popup on Facebook after Felicia clicked to read an article that interested her. Fortunately, she was NOT going to help cybercriminals victimize her!  Coincidentally, a few days later our friend Rob told us that a friend of his sent him the screenshot below. The man was on his laptop when he clicked a link (to where, we don’t know) and was suddenly looking at this popup… “(28) security threats detected!”  Of course the fellow was invited to “tap the button to subscribe the antivirus protection on the next page for only $4.99/month…” A large, centered green button said “Fix Now.”

Again, cybercriminals often need YOU to be an accomplice to their crimes so they can victimize YOU!  When popups like this suddenly startle you, don’t click anything!  Take a screenshot to document what you see and then QUIT your application.  If you know how, clear the browser cache of that application and also if you know how, check to see what browser extensions are installed in your web browser. If you see any extensions that don’t make sense to you, Google them or ask someone who is tech savvy. (Also, if you don’t know how to clear your browser’s cache, you can Google that too!) The last thing you want is for one of these malicious websites to also install something that will continue to try to make YOU an accomplice to their fraud!  We’ve seen visits to sketchy sites also try to install browser extensions and even implement browser hijacks that take over your default browser settings.

FOOTNOTE: Using our Google skills, we were able to identify the full article that caught Felicia’s eye on Facebook. It was an article about the actress Jamie Lee Curis and her marriage to a man named Guest.  As of mid-September, that article is still showing on the Chilean website.  However, we also discovered that article posted on another sketchy website claiming to have articles about “celebrity news, biography, viral stories….” called anomama[.]com. This website was registered in mid-April 2022 and seems to contain exactly the type of articles designed to pique your curiosity and generate a click.  Be careful what you click on!

Online scams are the most reported type of crime. Most countries now state that between 20 to 50% of all crimes reported are related to online fraud. This is only the tip of the iceberg, as only 7% of all scam victims report the crime to law enforcement. With nearly $55 billion lost last year and more than 300 million consumers scammed fast action is required.

On October 18–19, 2023, the 4th Global Anti-Scam Summit (GASS) will take place. The goal of the GASS is to bring governments, consumer & financial authorities, law enforcement, brand protection agencies, and (cybersecurity) companies together to share knowledge and define joint actions to protect consumers from getting scammed.

In 2022, we had nearly 1,300 virtual guests and 120 physical participants from 70+ countries. This year the event will be organized hybrid again. Last year, we defined 10 Recommendations to Turn the Tide on Scams. This year, we will focus on further defining these solutions and showcasing the best practices from around the globe.

Schedule  |  Book Tickets

October 18-19  |  Ramada by Wyndham Lisbon Hotel, Portugal & Online (Zoom)

Top Phishing Scams of the Week — PayPal, USPS, Capital One, Bank of America, and MORE. Can you spot all these scams? Check out and protect yourself with this 100% FREE, all-in-one tool.

As soon as my browser changed, showing “TicketsCenter” at the top of the screen I realized that I had JUST MADE THE SAME MISTAKE made by the woman who told me her story a few weeks ago!  (This was followed by a palm plant to my forehead, shaking my head as if to say “I’m an idiot!”)  Ticket prices for the orchestra seats I was interested in started at $239 on the LOUSY site Tickets-Center.com.  After closing that browser window, and trying again but more carefully this time, I arrived at the REAL box office site for the Chevalier Theatre. Their website said that TicketMaster.com was their official authorized ticket-selling website.  After clicking that link, I was able to find and purchase tickets for the exact same orchestra section for $100 each! 

We told this ticket scam story to a friend of ours and she immediately told us about a similar experience she had when she booked a hotel in Montreal late last Spring!  She searched for the name of the hotel in Google and clicked a link that contained the hotel’s full name. What she didn’t realize, until well after committing to a non-refundable price, was that she had clicked a link to Expedia’s travel services and not the actual hotel.  She tells us that the person answering the phone, answered it in French and never identified the service as Expedia. She thought she was talking to the hotel reservation desk. She later tried to get a refund after discovering her error once she received her confirmation email from Expedia (not the hotel) but was unable to get the full amount refunded. She called the real hotel and asked to speak with the manager to tell him what had happened. He told her that this is a problem that happens to a lot to their guests! Once more, these are reminders to pay attention to links before you click them!

Last week we shared a story with you about Rob’s experiences tracking 419 advance-fee scammers to their location, which were almost entirely in Nigeria. We have some more news to report. Apparently, Rob’s interaction with 419 scammers demonstrated that these are sometimes MORE THAN just an advance fee scam. Check out the recent interaction below that Rob recently had with one of these scammers. In every way, this interaction looked to be another “advance fee scam.”  Notice that the sender’s domain was from a website called kasikorn-org(.)com. It turns out that this domain is toxic! Rob’s Malwarebytes protective software blocked him from visiting that site “due to malware.” We then asked the Zulu URL Risk Analyzer to check it out and it also confirmed that this website was hosting malware lying in wait for your visit!  Ouch!

However, this scare didn’t deter our friend and he continues to interact with lots of advance fee scammers. Almost every time he tricks them into clicking his scratched gift card images, these scammers show up in Nigeria!  Check out this recent exchange Rob had with Pastor Jude Kar about a Western Union money transfer of $3.5 million dollars. Apparently, Pastor Jude Kar clicked Rob’s link four times in just four minutes!

Before we leave the topic of advance fee scams, we wanted to put a smile on your faces. Below is one of THE MOST POORLY WRITTEN advance fee scam emails we’ve every seen! If we gave out awards for worst scammers, “Kevin Terry” would likely win it!  Enjoy….

Finally this week, we want to remind our readers that random emails appearing in your inbox from people offering jobs, services, business, or the sale of products, OFTEN have serious credibility problems! Check out this “JOB OFFER” email we received from a Manager from si-protech[.]com by the name of Bernard Arnault. Mr. Arnault wanted us to contact him via his Gmail address about this wonderful job offer. (We weren’t looking for a job.) It turns out that his domain, si-protech[.]com, is completely unknown to Google and is being hosted on a server in Singapore (and we’re located in the Eastern USA.) Hmmmm…..Wouldn’t legitimate businesses WANT Google to know something about their business for people to discover during a search? 

Spearphishing Again, Comcast and Paypal — This Customer Service email came from a free Gmail account. (What a surprise!) The scammer who sent it pasted the email addresses into the TO field, and not the BCC field.  The TO field showed more than 450 targeted victims!  We cut out most of them. Of course, the phone number posted in this email is a scammer’s number. Time to take out your airhorn cans and tell them what you think of these scammers!

This next email was sent to several hundred Comcast account holders, thanking them for scheduling a $710 upgrade. We KNOW that Comcast is expensive and keeps raising their prices but this email was a fraud and came from a free Comcast email account, rather than any official Comcast service account.  Details are important, right? Look at the incorrect use of capitals in the sender’s wish for you to “have a good day” at the bottom of the email!  By the way, Google tells us that the phone number 518-499-3054 is NOT a Comcast service number!

Sometimes scammer’s emails, like the one above, contain little “poker tells” indicating that they are a complete fraud! Check out 2 phishing scams (we’ve combined into 1 graphic) and claiming to be from PayPal. The first one, from Herbert C. Watts, calls you a “beloved customer” and the second one had an attached pdf that starts with “Dear [ $email ]” because their auto-form software creator didn’t work properly!  Hence, no name!

Netflix Offer and Southwest Airlines Giveaway — Netflix is very popular around the world. That’s why it is often the content used to target people with malicious emails. Check out this “Netflix” email that was sent from a server in Brazil to “Undisclosed-recipients.” Oh no! Your membership has expired?! But the link to extend your membership (for free) doesn’t point to netflix.com. It points to the legitimate, and misused service, at GoogleApis. Fortunately, Virustotal tells us that 2 security services have identified that misused link as malicious.

Oh my gosh! You’ve been selected as a winner of a Southwest Airlines prize giveaway! Amazing! …if it were only true.  This fraud didn’t come from southwest.com, but instead came from a free Gmail account named “hossenbelayet600.”  The link to claim your price points to a very dangerous webpage at maool[.]com.  Using several security tools, we were able to show that visitors first likely be hit with malware and then redirected to a phishing website called gency[.]org[.]uk hosted in the UK. Ahhhhhh….cherish that prize, people!

BEWARE of QR Codes and Facebook Password Reset Codes — We have been reading about, and seeing firsthand, a rather dangerous shift in the methodology of some cybercriminals. There has been an increase in the use of QR codes in emails and ads online that are malicious. If scanned, they will automatically send your scanning device (like your phone) to a malicious website that is designed to infect it with malware.)  Here’s a recent example that was sent to an employee of a company and the FROM name was made to look like it came from the employee’s Human Resources department. It did not!  NEVER scan QR codes that cannot be verified by their source or have questionable or suspicious content such as poor grammar, etc. (The subject line in this email is very suspicious and awkward. They also didn’t capitalize the recipients name at the end.)

We want to raise awareness for a scam that actually involves the receipt of a legitimate email from Facebook. Several readers have reported this to us in the last few weeks. The email below is 100% legitimate and came from a domain owned/used by Facebook, called facebookmail.com. (This domain was registered in 2006 to Meta, Facebook’s parent company, and even uses facebook.com name servers.) The link in the email to change your password is also legitimate. What isn’t legitimate is that the people who reported getting this email NEVER requested to change their passwords and never asked for a recovery code because they couldn’t get into their Facebook accounts! We’ve heard of scammers triggering recovery codes being sent to people via email or SMS and then contacting those people with crap stories WHY they are asking YOU for that recovery code!  Again, this is an example of their attempt to make YOU an accomplice to their crimes of victimizing you!  This has happened a lot to people who post merchandise for sale on Facebook Marketplace. A scammer may contact a seller and say, I’ve just sent you a verification code that tells me you are the legitimate owner of this merchandise, blah, blah, blah…. Please give me the verification code.  NEVER GIVE ANYONE A VERIFICATION CODE THAT YOU RECEIVE!  (One exception: If you are working with a tech support service after having just purchased a new phone and are trying to transfer your files over from old to new phone AND you are WITH the tech support person or certain of their identity!)

USPS Package Delivery Problems Again! —OK people, you can roll your eyes again and say “not another USPS package delivery scam!”  Yes. Another. Apparently, they are effective because 90% of all text message scams we’ve been seeing for weeks are these same scams.  This one came from an international area code +63, from the Philippines.  The link you are asked to click to fix your delivery problem uses a subdomain “usps” which is meaningless!  The real domain points to mepackage[.]top.  It was registered on September 13, the day before this bogus text was sent to one of our readers.

Deeeeeeleeeeete!

Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com

Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

Contact Webmaster