In our very first joint newsletter published on September 1, we informed readers about an email service that is VERY popular with criminals because of the 200+ domain names available to choose from, like lawyer[.]com. One of the most popular domains misused by cybercriminals is usa[.]com. Here is a perfect example sent to us by our friend Rob. Someone named “Lucas Wilfred” (using the Gmail address “exellenceyyayiboni”) informed Rob of millions of dollars waiting for him in a Citibank account. He’s asked to contact the Citibank representative. But look closely at the email address offered! It isn’t at citi.com! Again, WHY does the service Mail.com allow this obvious fraud to occur? Is it because they simply don’t care that their service is used to victimize the public?
We are thrilled to inform readers of a new service Scam Adviser called Scamadviser Forum! We invite you to join our new forum and be a part of our ever-growing Scamfighter community. In the forum you can share tips, expose scams, help others identify scams, provide feedback & suggestions and much more. Let’s fight scams together! Join us! Also, check out some of the latest posts and contributions to our blog from our partners at Trend Micro. They’ve posted several weekly scam alerts, including sextortion and phishing, as well as fake cryptocurrency mining apps meant to steal your money!
Like us, readers may notice common threads connecting seemingly unrelated scams and malicious clickbait. One of these threads, for example, has been the fact that during the last 8 months or so, at least one very active cybercriminal gang has been registering a large number of their domains in Iceland, and often through the legitimate service called NameCheap. Another more recent thread we’ve been seeing is the misuse of a legitimate marketing service that sends emails from the domain sendibt3[.]com. Here’s a simple small example that was shared with us from a longtime newsletter reader. Pay special attention to the scammer’s tricks to obfuscate the text and make it harder for anti-spam servers to read it. They use many underscores and periods. Make no mistake about this. It isn’t spam, it is malicious clickbait! The link will forward you to a malware-laden web site. This misuse of Sendibt3 has become so severe that we do not recommend clicking any links that use this domain! You’ll find all domain names just in front of the first single forward slash / after http:// or https://.
We’d like to give a “shout-out” to a National Movement in Nigeria who are trying to combat online fraud. On September 4 they published an interesting article about an investment service who claim to increase the value of your investment by 10% every 25 days! That’s quite a promise! Visit: Nogofallmaga.org to learn more. We all know the expression… “If it seems too good to be true, it probably is!” Meaning it is a lie!
We are constantly pointing our digital fingers at online fraud and malicious clickbait. It’s time to take the opposite approach and show you a legitimate banking email. Let’s look closely at important observations that support WHY THIS EMAIL IS LEGITIMATE!
- The email actually came FROM the correct domain for the bank: chase.com
- The email included the correct last 4 digits of the account holder’s bank card! This is VERY important!
- The recipient tells us that he knows he made this purchase
- All links in this email point directly to the banks website: chase.com (If you look at the link in the bottom of the screenshot, you’ll see “secure” in front of chase.com and separated from it by a period. This makes “secure” a subdomain of the domain chase.com. This is safe and legitimate as long as we see chase.com up against the first single forward slash / )
Though this article from Yahoo Life is also an Advertisement, it is an interesting piece about the way that Russian cybercriminals are targeting folks working from home with ransomware, and how they suggest protecting yourself against this very real threat.
NOTE: There was an error in last week’s newsletter that dropped the graphic showing a scam home rental posted on Craigslist. Here’s the screenshot showing how the scammer tried to bypass the rules, and Craigslist AI, by asking readers to send him their personal email addresses rather than go through the Craigslist system. Look at the last line of text in the screenshot! This is scammer behavior!
BB&T Alert, PayPal, and McAfee Subscription BB&T is a banking and mortgage service. They use the domain bbt.com. This first phish most certainly did NOT come from bbt.com! Also, the link for “enable verification process” doesn’t point to bbt.com. Instead it points to a business messaging service that is being misused by criminals! This phish contains at least 3 awkward sentences suggesting that the author’s native language is not English.
Speaking of poor English, this next smelly phish was soooooo bad! (How bad was it?) It made us laugh! You HAVE to read it! For example, we learned that Paypal information is immortal! Or that you can restore Paypal restriced! (Whatever that means.) The link for “Updates Payment” points to a service in Japan. (“.jp” = 2-letter country code for Japan) However, the link contains a redirect sending visitors to a domain called custream[.]com that is without a website on the top page. You KNOW what to do!
Our last smelly phish this week actually came from a generic Gmail account on September 2. Like so many before it, the recipient is told that a charge of nearly $400 was auto-debited from his/her account to renew McAfee Protection services. And once again, you are welcome to call the scammers directly at 888-306-1083 to yell at them, like Rob did!
Chance to Win iPad Pro, Chase and Costco Want Your Opinion! Imagine getting an email saying congratulations, here’s your chance to win an iPad pro just by taking a survey! Would you do it? Do you hesitate? But wait, they go on to say that only 10 LUCKY people are selected for this survey! That means your chances of winning are 1 in 10, right?! Now would you take the survey? Gosh, we hope not!
This special “Walmart Loyalty Program” email came from an oddball domain named mcmenamins[.]com and the links point to a SUPER STRANGE domain called: Kokan-kingkong-kokan-klana-kamlin[.] net
How bizarre is that domain name?! You ain’t seen nothing yet! Scamadviser.com gave that domain a trust rating of 25%, indicating that it is not likely safe to visit! ZScaler found that visitors will be redirected from that K-K-K-K-KRAZY domain to another domain called laudypauty[.]com. Oh Laudy, believe us when we say they’ll be NO PAUTY on that website when you arrive! At least 6 security services found laudypauty[.]com to be malicious! Step away from the ledge!
It seems like everyone is asking for your opinion or for you to take a survey! But as you’ll see in our Top Story, the majority of these requests are malicious. Such is the case with this email that appears to come from “Chase Reward.” However, if you look closely, this $1000 gift card promotion is just malicious clickbait. The domain used to send the email, govdeliverys[.]com, was removed from use and is now available again for leasing. Most revealing that this is a serious threat is the fact that all links in this clickbait point to an insanely named domain, diimatop-diimal3ezz-2021[.]net, that was registered the day before this landmine arrived in our reader’s inbox. And it is no surprise that it was registered in Iceland through the abused service NameCheap.com. The blue text in the middle should read “Click here to get victimized.”
Offering people a chance to win something of value, or offering to pay them money for their opinion has been a routine weapon used by cybercriminals for years. Sadly, this type of trick must be very successful or they wouldn’t rely on it so heavily and routinely for so long. (Read our Top Story to see some statistics on this!) Though we often see the digital world through suspicious discolored lenses, it has been our experience that these email requests are RARELY legitimate. The overwhelming majority of them are malicious, leading to malware infections on your devices or phishing tricks meant to collect enough personal information to target you in other ways.
A malicious phish was also delivered from the domain goddeliverys[.]com to one of our readers. “Costco wants your opinion” says this email and they’re willing to pay you for it! POPPYCOCK! The links in this clickbait point to a domain that “sounds” like it could be relevant but isn’t. It’s called alloffers-foryou[.]net. We cannot emphasize enough how important it is to use a WHOIS tool to investigate suspicious domains. Once again, we see that alloffers-foryou[.]net was registered anonymously in Iceland the day before this threat landed in the reader’s inbox! You won’t land any offers if you click the links in this threat. According to the Zulu URL Risk Analyzer, you’ll be redirected to another website called Neenors[.]com where you’ll be asked for a lot of personal information and receive no reward! Check out the screenshots below!
Popular Click Tricks! On August 22, cybercriminals did us a favor and signed up one of our honeypot email accounts to multiple malicious email lists. Do not mistake this for spam! Spam is unwanted, unsolicited marketing email sent in bulk. It may be annoying but it isn’t intentionally harmful. We’re talking about MALICIOUS emails that are threats to you, your devices and your finances. Malware and phishing threats come in many, many forms. After just 3 weeks of watching our honeypot inbox fill up with landmines, we decided to take a birds eye view of them to see what topics cybercriminals most focused on in their effort to target you.
In three weeks we received a total of 97 malicious emails. We noticed there were three clear themes that accounted for most of these landmines. In third place, 20% of the landmines we received pretended to be invitations to join lawsuits against the manufacturers of the herbicides called Paraquat and Roundup. In fact, there are real class-action lawsuits against the makers of both of these products! And so it may feel very credible for consumers to see an email asking if they qualify to receive compensation due to exposure from these harmful chemicals. Check out this screenshot showing a list of these 19 emails. Note the FROM text and subject lines, and how frequently this clickbait arrived in our inbox!
In second place, and representing 34% of the malicious clickbait, were emails related to insurance offers. That surprised us! We wouldn’t have thought that insurance offers would be so compelling UNTIL we thought about our own circumstances. All insurance costs feel way overpriced to us, though necessary. Sometimes, however, they feel like a complete waste of hard-earned dollars. The 33 malicious emails claiming to offer low-cost insurance mostly represented auto insurance (82% of all insurance clickbait), but 18% of them focused on health and life insurance as well. Take a look again at the FROM names and subject lines of these emails.
You probably won’t be surprised to learn that the first place winner of malicious clickbait, by a small margin, is centered around the theme of consumer rewards, exactly like those we’ve detailed in our Your Money column. 37% of all 97 landmines we received offered rewards to us for our opinion. They claimed to represent the following well-known businesses or products…
Best Buy, Capital One, DeWalt, Dyson, Home Depot, Lowe’s, Samsung, Sam’s Club, Walmart
The two clear front runners were clickbait disguised as emails representing Walmart and Sam’s Club. As you look at this list of emails, pay very special attention to a trick used by cybercriminals to get this clickbait through anti-spam filters meant to block it. What do you see?
Did you notice the use of dashes – and underscores _ between lots of words? Another trick included the lack of spaces between some words so that they are up against one another. Legitimate emails from legitimate services do not make these mistakes!
Let’s take one more look at the malicious behavioral engineering game intending to manipulate YOUR clicks and trick you into giving up personal information. It appears as an email from Chase Bank but came from a website in the Netherlands called toolstation[.]nl. (“.nl” = 2-letter country code for the Netherlands) You are informed that YOU are 1 of 10 selected customers to receive a special reward. How nice! But all links point to an oddball domain called sheiryn[.]com. This domain was also registered anonymously in Iceland through NameCheap, though it was registered on May 11.
We visited this sleazy domain and took a screenshot of the top page of this slippery slope. We discovered a web page we’ve seen more than 50 times over the years. The web page included 8 fake reviews of people who, presumably, completed the survey recently and had given positive reviews. Notice that you are also informed that each reviewer has been “verified” as a real person. This is just another social engineering trick to gain your trust! Two more “dark patterns” meant to push you into taking this bogus survey NOW are the fact that you are told the offer is only available today AND the offer expires in 7 minutes. Our timer shows 6 minutes and 30 seconds at the bottom of the screenshot. Can you guess what happens if you let that ticking time bomb tick down to zero? It starts over!
We wish to leave you with an editorial note about the collection of personal data by real companies rather than cybercriminals. We are envious of the privacy laws and practices that Europeans enjoy compared to Americans. The European Union has far better laws and more sensible practices for their citizens than the U.S. Government has passed. Check out this recent article on Cyberscoop about Ireland’s Data Protection Commission hitting WhatsApp owner Facebook with a 267 MILLION dollar fine for misusing consumer personal data! IF ONLY THE U.S. HAD CONSUMER PROTECTION PRACTICES LIKE THIS! By contrast, check out this opinion piece about the overarching expansion of data collection of US Citizens since 2001.
National Military Appreciation Month After the recent fall of Afghanistan and withdrawal of U.S. troops from the longest conflict in United States history, we want to express a personal note of gratitude to U.S. troops, and the troops from about 50 other countries, who gave so much to try and restore order and safety to this war torn country, and prevent it from returning to a sanctuary for terrorists. However, don’t believe this recent email citing September as “National Military Appreciation Month.” It is more malicious clickbait! First of all, National Military Appreciation Month is in May, not September. Don’t be fooled by the discounts offered to Vets! This clickbait came from the oddball 2-word domain called impactnice[.]com (impact nice) and all links point to another 2-word domain called hipstrong[.]net (hip strong). BOTH domains were registered anonymously in Iceland using Namecheap. The former in April and the latter at the end of June. Why are we not surprised?
Unclaimed Assets, Citizens Voice Questionnaire, and Someone Sending You a Package
Here are a few hand grenade texts that were lobbed at some of our readers last week. DON’T BELIEVE THIS CRAP! And, in case it isn’t obvious, never reply with “stop” because it only confirms to the criminals targeting you that you open and read their messages! Sadly, blocking the phone numbers doesn’t really help either because new texts are sent from different phone numbers **sigh**
If ever you doubt the authenticity of a text message and link, remember to use a WHOIS tool to look up the domain that appears just in front of the first forward slash! This first domain, c79ml[.]com was registered on the same day the text was received and sits on a server in the Netherlands.
The domain in this next text may SEEM legitimate but queryweb[.]net was registered anonymously less than 3 weeks before the text was received. That’s too young for our comfort level.
The domain, 5f[.]claims, was registered just a few days before this text was received.
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Ecommerce Foundation. All rights reserved. You are receiving this email because you
have subscribed to it via Safe.Shop, Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands