The 2nd Global Online Scam Summit will be November 3rd & 4th! – Please join us for the second edition of the Global Online Scam Summit (GOSS) taking place on 3rd and 4th November 2021. The event, organized in association with APWG and the Global Cyber Alliance, is a platform for sharing knowledge and insights on how to fight online scams and fraud worldwide. Last year more than 425 representatives joined the 1st Global Online Scam Summit virtually. This year we hope to make the event even bigger by expanding to two days and adding more inspirational speakers but also more possibilities to network and share insights one to one.
Do you think you can spot scams with your eagle eyes? Check out this “Spot the Scam” article from Trend Micro posted on ScamAdviser.com! Good luck!
Improve Your Skills at Detecting Scams – After , Rob sent us another bogus bank website! This time the scammers pretended to be the Central Bank of Nigeria. A simple Google search will show you that the domain of the real Central Bank of Nigeria is cbn.gov.ng, where ".ng" is the two-letter country code for Nigeria. The domain used by this fraudulent banking site is "centralbnk-001-site1.itempurl[.]com." This bogus website doesn't even use an encrypted connection: the link begins with "http" instead of "https" (the "s" stands for a secure, encrypted transfer of information). Keep in mind that the reverse is not a safety guarantee. Plenty of phishing sites do use https, so a padlock only tells you that the connection is encrypted, not that the site is who it claims to be. Thankfully, Virustotal.com tells us that many online security services already know about this fraud! (See screenshot below.) Scam Adviser and The Daily Scam have excellent articles that can teach you how to use search engines to see through many kinds of fraud! Check out:
(Google is much more powerful than most people realize or know how to use. We describe some of these tips in our article “Use Google Like a Pro!”)
Also in last week's newsletter we lambasted "advance fee" scams, which most commonly originate from Nigeria. Last week we received two interesting advance-fee scams tied to the fall of Afghanistan to the Taliban. The first is extraordinarily lame to anyone who paid attention to the news, because U.S. forces completely pulled out of Afghanistan at the end of August. Not so, according to "Sergeant James Earl!"
The email in this next advance-fee scam comes from the domain "sadafpetroleum[.]com." This bogus domain was registered by someone in China in February 2020. A visit to this "petroleum" website shows a Chinese furniture store! (as of October 1)
How good do you feel about your scam-o-vision, your ability to see through scams, fraud and malicious intent? People from all walks of life and professions fall prey to scams, and there are many different kinds of them. Here's a simple example to consider… The email below came from a server in Germany (".de" = Deutschland = Germany) containing a link that seems to point to a document on a university's website. (Note the ".edu" top-level domain, which is restricted to accredited postsecondary institutions, nearly all of them American colleges and universities.) However, mousing over that link WITHOUT CLICKING reveals that it points to a throwaway domain called fusyg[.]page[.]link, rather than the university's servers. The text of a link can say one thing but point to something completely different, because the visible text and the actual destination are two separate parts of a link. If you would like to test your skills at evaluating scams, visit these resources at Scamadviser.com: "Spot the Scam" and "Think you can identify scams? Most cannot!" Also, if you are looking to improve your mouse-over skills, or you want to understand what mouse-over skills are, visit our short video and articles about them on TheDailyScam.com: Mouse-over Skill, the most important skill to stay safe online! (Video) and Mouse-over Skills on iDevices.
One final topic… The New York Times just released a fascinating article titled “Stalkerware Apps are Proliferating – Protect Yourself.” It is worth reading!
Phish Nets: Fake texts from Citizens Bank and Bank of America, plus iCloud Purchase and Chase Bank – Check out these two texts sent to us by our readers. The first, sent from 979-942-3881, claims to represent Citizens Bank. "We placed a hold on your account due to incorrect personal information." If you look very carefully at the link you are asked to click, you'll see that it actually points to a domain registered in Russia! (Find the host name: it is everything after "http://" or "https://" and before the first single forward slash /. The last piece of that host name, here ".ru", is the top-level domain, and "ru" is the two-letter country code for Russia. A country-code ending tells you where the name was registered, not necessarily where the server sits, but it is plenty to tell you this is not Citizens Bank.) The bank should be called "Comrade Bank!"
The second phishing text we received was sent from 502-501-7427, which is not any number associated with Bank of America! This “BofA Alert” tells you that your checking account has “been restricted.” You are asked to call the scammers at 855-428-0813. Again, that number is also not associated with Bank of America! No thanks, we’re good!
Thank you for your purchase with iCloud, says an email that came from “roberthur5379” at Gmail! What?! You didn’t order 12 TERABYTES of iCloud disk space for nearly $1500???? No problem, just call the scammers at 877-607-3630 and give them a piece of your mind!
Finally, we have a more "traditional" smelly phish that landed in one of our honeypot accounts. It is disguised to look like an email from Chase Bank, but it came from a bizarre Gmail account called "studyinindia.edcil." We're told that there "is a problem with your account" and asked to confirm information. Mousing over the link "Confirm Account Now" shows that it points to a long click-tracking link on Sendgrid[.]net, a legitimate email-delivery service whose tracking links redirect to wherever the sender chooses. Legitimate email services like Sendgrid are being misused more and more by cybercriminals, precisely because a well-known domain in the link sails past a quick glance. An interesting article about this was posted just over a year ago on Cyren.com, an internet security company. Fortunately, the Zulu URL Risk Analyzer had no problem identifying the link as fraud, in part because visitors are redirected from Sendgrid to a website in Brazil! This is exactly where you would expect Chase Bank to locate their servers, right? Deeeleeeete!
CVS Bonus Reward and Home Depot – The Top Story of our September 15th newsletter was “Popular Click Tricks.” 37% of all of the malicious landmines that poured into our honeypot accounts were some type of bogus consumer reward. These hand grenades claimed to represent well known companies. Here are two more to add to this pile of poo. Check out this email, presumably from CVS, telling you that you’ve received a $100 CVS Bonus! Yeah, right. The email came from the oddball domain fixerwind[.]com and links point to another charming website called ifycharm[.]com. Both of these domains were registered in early December, 2020 (1 day apart) by people with French sounding names and these sites are being hosted on servers in France. They have as much to do with CVS Pharmacy as dog poo has to do with Opera. Now delete.
This second email claims to be an invitation for a Home Depot shopper’s survey in exchange for an exclusive reward! “We have been trying to reach you — please respond!” The links all point to a really odd domain registered in July, 2020 called eagential[.]com. The top page of this website contains a form that says “SUBMIT YOUR APPLICATION NOW” followed by an unsubscribe form to collect your email address. The name on the page is actually thirtrieshe[.]com. Does ANY of this sound the least bit legitimate? We didn’t think so either. It’s all malicious clickbait. Deeeeeeleeeeete!
Cash or Malware Offer For Your Home? – Though we can all rightfully express our anger at the low-life cybercriminals who target us and our families, we have to give them credit for one thing. They are often very creative and try new things in their effort to trick us into clicking malicious links or picking up a phone and calling them. On September 20, we received a rather new and unique malicious clickbait email. It was an offer of cash for our home, made to look like it came from the legitimate realtor named American Endeavor Realty. In the few days that followed, we received four more cash offers for our home! Some, as you'll see below, looked like they came from another legitimate company called WeBuyHomes4Cash[.]org.
(NOTE: We do not endorse WeBuyHomes4Cash based on several very poor online reviews, such as with the Better Business Bureau, where this business has an “F” rating and LOTS of complaints. Many more complaints can be found on Trustpilot.com.)
What makes this clickbait so clever is the fact that the real estate market is incredibly hot for sellers, many of whom are getting offers over their asking price. Also, many Americans are still hurting financially and may consider selling for quick cash. All of this assumes that the soon-to-be victims own their own homes to sell. Let’s check out the first of these bear traps. The text field of the sender’s address says “WeBuyHomes4Cash” but that’s a lie. You can see, in the gray text that follows, that this email came from a Gmail account named “lehoanghiep88.” It pays to read carefully before you click! You can also spot super suspicious text at the bottom of this email showing this email is connected to “The Dining Room Gallery” located at 130 Church Street in New York city. According to Google, NO SUCH BUSINESS EXISTS at that location!
Why do we believe this is a malware trap? All links in this clickbait point to a website named alignsave[.]com. This domain was registered in early July through the frequently MISUSED registrar NameCheap, with the registrant hidden behind a WHOIS privacy service that lists an address in Iceland. This has been standard practice for one of the VERY active groups of cybercriminals we write about. Moreover, if you were to click that link to "alignsave" you would discover that alignsave forwards you to one of two websites that appear to be real and represent the business WeBuyHomes4Cash (webuyhomes4cash[.]org AND webuyhomes-4cash[.]org). WHY WOULD A LINK send you first to one website only to redirect you to another? ANSWER: Because the first website can hit you with malware and then send you on to your expected destination so you suspect nothing happened! (Redirect chains are also how click-tracking and affiliate spam work, so a redirect by itself doesn't prove malware, but a legitimate cash-offer email has no reason to route you through an unrelated, freshly registered domain.)
This next malicious clickbait misuses the name of a realtor who appears to have a much better rating with consumers. Criminals have chosen the name and graphics of American Endeavor Realty, a partner of HomeLight realty, to use in this clickbait. You can see that this email appears to have come from the domain idgrrjjrv[.]com. According to our WHOIS search, this crazy-letter domain doesn't exist at all; the sender address was simply spoofed. The "From" line of an email is just a text field the sender fills in, so criminals can make a message look like it came from any domain they like, registered or not. Like the first email above, the bottom of this email references a business that makes NO SENSE whatsoever to see in the email…. "Beauty Secret Jml" (or "jr n l")
A Google search for the address listed for "Beauty Secret Jml" comes up empty! That address at 701 Minnesota Ave. is occupied by the Public Works and Highway Department for Beltrami County, Minnesota. DOES THIS MAKE ANY SENSE? Of course not! And like the first email, clicking the link to "…blob.core.windows[.]net" (Microsoft's Azure blob storage, where anyone can park a file under a trustworthy-looking hostname) will send you to malware and then redirect you to the real realty website so you won't suspect a thing! Once again, this email is malicious clickbait and has NOTHING to do with American Endeavor Realty! There will be NO CASH OFFER for your home! However, there will be a lot of pain associated with getting a malware infection on your device.
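The two "cash offer" emails above are caught the same way by eye: the display name in the From line claims a brand, but the address that follows it belongs to a Gmail account or to a domain that was simply made up. The snippet below is an added example, not code from The Daily Scam or Scamadviser, that separates the display name from the real address, checks it against the brand the email claims, and compares it with the envelope sender. The sample headers are constructed for the example (the Gmail address and the idgrrjjrv domain come from this issue; the Return-Path values are invented).

```python
# Added example (not from the newsletter): pull apart the sender line of an email
# the way the newsletter does by eye. The display name is free text; the address
# after it is what counts, and even that can be forged, so compare it with the
# envelope sender (Return-Path) as well.
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Webmail providers an established business would not normally send offers from.
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_flags(raw_message: str, claimed_brand: str) -> List[str]:
    """Red flags for the sender of one email, given the brand the email claims to be."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain, env_domain = _domain(from_addr), _domain(envelope_addr)

    flags: List[str] = []
    brand = claimed_brand.lower().replace(" ", "")
    # 1. Display name says "WeBuyHomes4Cash" but the address is somewhere else entirely.
    if brand in display_name.lower().replace(" ", "") and brand not in from_domain:
        flags.append(f"display name claims {claimed_brand} but address is @{from_domain}")
    # 2. A business "offer" sent from a free webmail account.
    if from_domain in FREEMAIL:
        flags.append(f"sent from a free webmail account ({from_domain})")
    # 3. Envelope sender (where bounces go) does not match the visible From domain.
    if env_domain and env_domain != from_domain:
        flags.append(f"Return-Path domain {env_domain} differs from From domain {from_domain}")
    return flags


# Constructed sample headers modelled on the two emails in this issue.
CASH_OFFER_1 = (
    "From: WeBuyHomes4Cash <lehoanghiep88@gmail.com>\n"
    "Return-Path: <lehoanghiep88@gmail.com>\n"
    "Subject: Cash offer for your home\n"
    "\n"
    "We want to buy your house for cash.\n"
)
CASH_OFFER_2 = (
    "From: American Endeavor Realty <offers@idgrrjjrv.com>\n"
    "Return-Path: <bounce@mailer.example.net>\n"  # invented envelope sender
    "Subject: Your cash offer is ready\n"
    "\n"
    "Click to see your offer.\n"
)

if __name__ == "__main__":
    for raw, brand in ((CASH_OFFER_1, "WeBuyHomes4Cash"), (CASH_OFFER_2, "American Endeavor Realty")):
        print(brand, "->", sender_flags(raw, brand))
```

What this cannot tell you offline is whether the From domain exists at all, which is the check the newsletter made with WHOIS; at a terminal, `whois idgrrjjrv.com` or `dig MX idgrrjjrv.com` is the follow-up once the headers look wrong.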
We’ve recently heard from someone who told us about a man whose computer was hit with nasty malware called ransomware. All of his files are being held hostage unless he pays an extortion fee! And the criminals have told him that the clock is ticking down. If he doesn’t pay them soon, then he loses everything on his computer.
FOOTNOTE 1: The real American Endeavor Realty has a very informative web page for those people who are considering selling their homes for cash.
FOOTNOTE 2: Most of the cybercriminal gangs we report about are located in foreign countries. Sometimes it feels like they select companies that are iconic American companies to use in their scams OR companies that have the name “American” or “America” in them. Perhaps this is their way of “pointing the middle finger” at the USA.
Report Facebook User and Revised Invoice – Occasionally we get emails that we know are scams but we really don’t understand their intentions. Such was the case with this email that came from the VERY malicious domain we’ve written about many times in the past. It is xrketo[.]com. The email informs the victim that someone just logged into your Facebook account from an iPhone 12 Pro Max. You are asked to “Report the User” if it wasn’t you who logged in.
However, the bizarre thing is that clicking to "report the user" will result in an email being sent to 55 email addresses from all over the world, including Russia, Spain and the European Union! (See the screenshot below.) What's all that about??? If you have an idea about this scam's intentions, let us know.
Businesses are often sent bogus invoices as clickbait. Here's another recent example, a type of phishing scam. It came from a personal Hotmail account but claims to represent a state government office in Kazakhstan. NOT TRUE! The link appears to send you to a phishing page, dressed up as an Excel document, that asks for your Office 365 login credentials. Run away!
Fortunately, Virustotal.com shows us that Google Safebrowsing knows this is a phishing scam!
Quick Cash Loan and a Real Verizon Text –One of our readers received this very sleazy image via text, as if the image were a text! It’s a poor quality image that came from 251-346-1722, offering a quick cash loan. Deeeeleeeete!
We thought it important to show our readers an example of a real, legitimate text. This text informs the recipient that someone is trying to access your My Verizon account. That message can really make you feel anxious if it isn't you trying to do that! The link provided to "confirm or deny" this access is to a domain called govzw.com, which looks nothing like verizon.com, so it deserves exactly the same checks as a suspicious link. You can confirm that this domain is legitimate by doing the following….
- Hold your finger on the link long enough to get a pop-up asking if you want to copy it. Select “copy” and then open a notepad on your phone and paste the link. You want to confirm that the link you are given does, indeed, point to the domain it says it points to. Seeing it in a notepad can help you see that.
- Visit our favorite WHOIS tool and look up that domain to see when it was registered and by whom. If you do that for govzw.com you'll see that it was registered by Verizon in 2005! A name that an established company has held for many years is a very different thing from one registered last month behind a privacy service.
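The checks this issue applies by hand (the "http" versus "https" test on the fake Central Bank of Nigeria site, the mouse-over comparison of link text against the real target in the university email, the ".ru before the first single slash" test on the Citizens Bank text, and the "does the link really point to the domain it says it does" step for the Verizon text) can be written down once and applied to any link. The code below is an added example, not from The Daily Scam or Scamadviser. The itempurl, page.link and govzw.com links come from this issue; the .edu path and the .ru host are constructed for the example, and the small country-code table is a subset, not a complete list. The WHOIS step stays manual (it needs a network lookup).

```python
# Added example (not from the newsletter): the link checks this issue describes,
# written out so they can be applied consistently to any link you are unsure about.
from typing import List, Optional
from urllib.parse import urlsplit

# Two-letter country-code TLDs that appear in this issue. Constructed subset, not a full list.
CCTLD_NAMES = {"ng": "Nigeria", "ru": "Russia", "de": "Germany", "br": "Brazil"}

# Second-level labels under a ccTLD where the third label is the registered name (cbn.gov.ng).
# Rough approximation; a real tool would consult the Public Suffix List.
SECOND_LEVEL = {"gov", "co", "com", "org", "net", "edu", "ac"}


def host_of(url: str) -> str:
    """The host is what sits between '://' and the first single forward slash.
    Bare hosts such as 'govzw.com/abc' (no scheme) are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Collapse a host to the part someone actually registered: the last two labels,
    or the last three when the second-to-last is a generic label under a ccTLD."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_url(text: str) -> bool:
    """Display text that itself resembles a URL or host name (has a dot, no spaces)."""
    t = text.strip()
    return "." in t and " " not in t


def triage_link(display_text: str, href: str, expected_domain: Optional[str] = None) -> List[str]:
    """Red flags for one link: plain http, a country-code TLD, link text naming a different
    site than the real target, and (optionally) a target that is not the domain you expected."""
    flags: List[str] = []

    # 1. http vs https. https only means the connection is encrypted; many phishing
    #    sites use it, so the absence of this flag is not a pass.
    if "://" in href and href.split("://", 1)[0].lower() == "http":
        flags.append("plain http, not https")

    # 2. Where does the link really go? The host, then its registered domain and TLD.
    target = registrable_domain(host_of(href))
    tld = target.rsplit(".", 1)[-1]
    if tld in CCTLD_NAMES:
        # A ccTLD says where the name was registered, not necessarily where the server is.
        flags.append(f"country-code TLD .{tld} ({CCTLD_NAMES[tld]})")

    # 3. Text says one thing, link points somewhere else (the mouse-over check).
    if looks_like_url(display_text):
        shown = registrable_domain(host_of(display_text))
        if shown != target:
            flags.append(f"text shows {shown} but link goes to {target}")

    # 4. Compare against the domain the real organisation uses, if you know it.
    if expected_domain and target != registrable_domain(expected_domain):
        flags.append(f"expected {registrable_domain(expected_domain)}, got {target}")

    return flags


if __name__ == "__main__":
    samples = [
        ("https://www.cbn.gov.ng", "http://centralbnk-001-site1.itempurl.com/login", "cbn.gov.ng"),
        ("https://docs.example.edu/policy.pdf", "https://fusyg.page.link/xyz", None),  # constructed text
        ("Verify your account", "http://citizens-alert.example.ru/verify", None),      # constructed host
        ("govzw.com", "https://govzw.com/confirm", None),                             # the real Verizon text
    ]
    for text, href, expected in samples:
        print(href, "->", triage_link(text, href, expected) or ["no flags"])
```

A link that comes back with no flags, such as the Verizon one, has only passed the offline checks; the registration-age step still needs a lookup, for example `whois govzw.com` at a terminal, before you trust it.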
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands