THE DAILY SCAM NEWSLETTER - APRIL 15, 2020
Content Director: Doug Fodeman | Creative Director: David Deutsch


THE WEEK IN REVIEW

There are some signs and statistics that we are at or near the apex of the curve for infections and deaths caused by the Coronavirus in many parts of the United States, such as in New York and Massachusetts.  However, the amount of malicious clickbait arriving in people’s inboxes and text messages continues to climb.  The most effective clickbait steals the images and content of legitimate products, like Medicom’s Safe Mask, and repurposes them to point to malware-laden domains.  People are now reporting malicious texts related to the pandemic and their health.  Take this example that came from 541-945-9866 saying “Urgent: [NAME REDACTED] Support your Immune System and Lower your Risk of Spreading Germs and Getting Sick...”  The link points to the oddball domain ki1q[.]pw.  The woman who shared this with us blocked that phone number, only to receive a nearly identical text an hour later from 541-914-3430.  But the second text contained a link pointing to the domain mit7[.]pw.  NEVER click on these links!  Smartphones are as easily infected with malware as any computer!



 

We hope our readers are staying safe and healthy!  Read more about scams and fraud related to the Coronavirus pandemic on our website: https://www.thedailyscam.com/coronavirus/

Here are a few helpful links about pandemic-related scams from other credible web sources:


PHISH NETS
Cox Communications and PayPal

Cox Communications is an independent internet, telecom, and television provider available in many states across the U.S.  One of their users sent us this email she received from “e-Mail Support” via a Comcast.net email address. (That’s funny, right?  It’s like getting an advertisement for Nordstrom sent to you from a Macy’s email domain!) The link “Log in to Update” points to a hacked website for a company called “Alsetdata” that seems to be suspended or no longer operating. (The Alsetdata LinkedIn account says they opened in 2002 but have ZERO LinkedIn connections and no contact information whatsoever. What’s up with that?)



We decided to follow that link to the hacked webserver.  Here is a screenshot of the phishing login page greeting Cox account holders.  Notice that in addition to the account name and password, these phishers are also asking people to enter the last 4 digits of their SSN and their mother’s maiden name!  These are two of the most frequently asked security questions when setting up accounts as proof of identity, but you should NEVER provide them just to log into a service!


 

Phishers have been sending out this same PayPal phish for several weeks.  Sadly, the only reason we believe they keep sending the same scam design is because it must be successful.  This one came from the domain “assistant[.]bkc” and has links pointing to accountautsession[.]com.  This domain was registered a week earlier in Canada.






 


 

YOUR MONEY
Search for 0 APR Credit Cards and Terminix Pest Control

One of our honeypot email accounts received this wolf-in-sheep’s clothing “promotion” about zero percent APR credit cards but the links to the graphics were broken.  We want people to notice two things about this clickbait…. 1. The crap domain name is a random set of letters “sfqwiyu” DOT-rest. 2. The first directory in the link was created by 2 random hyphenated words (authoring-shells).  The appearance of such random hyphenated words anywhere in a link is the tell-tale sign of an extremely active cybercriminal group that has been around for many years! If you see such a thing in a link, DO NOT click that link! And, unsurprisingly, that crap domain sfqwiyu[.]rest was registered on the same day that this email was sent.

Deeeeleeeete!







Most people recognize the Terminix brand of products for controlling all kinds of beasties that find their way into our homes.  But that doesn’t mean that this email is from any legitimate company selling those products! The email came from a domain that sounds like a good deal…. Exemplarydeals[.]com BUT DON’T BE FOOLED BY THIS NAME!  First of all that domain was registered anonymously in Panama less than 3 weeks before this email was sent.  Secondly, the Zulu URL Risk Analyzer tells us that visitors will be redirected to another website, pickearth[.]com that was registered in 2019 and yet Google has no information whatsoever about this other website.  Our screenshot machines tell us that there is no content on the picky earth website. We STRONGLY suspect that both sites are being used to target visitors with malware.

Step away….










 
 

TOP STORY
The Many Faces of Clickbait

Malicious clickbait comes in so many different varieties!  Over the 6+ years that we’ve been educating netizens about it we’ve illustrated many hundreds of examples.  Most take the form of familiar products and services to lure us into a false sense of safety by seeing a product/service that we recognize, like the Terminix email above.  However, some of the malicious clickbait we see falls into an entirely different category…. Social engineering based on a human interaction! These little landmines are tossed, willy-nilly, via texts, into inboxes and through social media posts.  Here are a few recent ones that deserve to see the shining light of day….

“Why are you sending me this kind of pictures?”

You’ll notice that this email, received by one of our readers, doesn’t contain any links at all.  So how can it be malicious? It is actually the perfect social-engineering trick! It tricks people into confirming their email address and that they will open an email the sender sends.  And if you respond… “what are you talking about? I don’t know you and I never sent you anything” you will VERY likely get a reply that says something like “yes, you did! I’ve attached a copy of the photos you sent me, see for yourself.”  And you can be as certain as bear poop stinks that the attachment will be a malware trap.

It’s important to note that every blurred out area on this email was the user’s email name, NOT her first name.  Meaning that this malicious clickbait was created after criminals scraped her email address from some database and repeated it several times in this email.



 

“Latest news about textbot[.]eu”

“Milena” sent us an email that seems so innocent.  She’s sent us a domain name that she thinks will interest us.  Her email was sent on April 1, a notorious day for jokesters! And since that domain, textbot[.]eu, was registered in Germany on that same day, we decided to lunge for the delete key!




 

NO SUBJECT….

We know Meghan and we know that Meghan doesn’t have an email address on a server in Vietnam (“.vn” = 2-letter country code for Vietnam.)  However, what was very clever about this malicious clickbait was the fact that the criminals wishing to do us harm included a copy of an email from Meghan’s REAL email address and a harmless link so we might think the entire email was trustworthy!  Sucuri.net had no problem finding the malware at the end of that top link on a server in the North Mariana Islands in the Pacific Ocean. (“.mp” = 2-letter country code North Mariana Islands.)





 

Speaking of international travel, we also got an email from Beth via a server in Japan.  We know Beth and she doesn’t use such an email address. The link points to a server in Russia!  We know how this story goes….


 

Finally, the many faces of malicious clickbait will often use names that sound legitimate or of interest but are misleading!  Like this text (received in our email inbox) containing an email address named “Credit Score Update fviounw.” But that clickable email address was actually a link pointing back to the oddball website km5tb2[.]com.  Again, a simple WHOIS lookup tells us that this oddball domain was registered on the same day this text was sent.  We know this story all too well!
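Two tells come up repeatedly in this issue: a first directory made of two hyphenated words (the 0 APR credit card email) and a domain registered on the same day as, or only weeks before, the message. The Python below is an added example, not The Daily Scam's own tooling, showing how both can be checked on a saved message without visiting any link; the function names, the 21-day threshold, the sample message and every date are constructed for illustration, and the WHOIS creation dates are assumed to have been looked up separately.

```python
import re
from datetime import date
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s\"'<>]+", re.I)
TWO_WORDS = re.compile(r"[a-z]{3,}-[a-z]{3,}")  # e.g. "authoring-shells"

def refang(url):
    """Undo report-style defanging (hxxp, [.]) for parsing only; nothing is fetched."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def scan_message(body, sent_on, whois_created, young_days=21):
    """Map each linked domain to the tells found for it.

    whois_created: {domain: creation date} from WHOIS lookups done separately.
    """
    report = {}
    for raw in URL_RE.findall(body):
        try:
            parts = urlsplit(refang(raw.rstrip(".,;)")))
        except ValueError:  # malformed URL: skip rather than guess
            continue
        host = (parts.hostname or "").lower()
        # Simplification: the last two labels stand in for the registered
        # domain (wrong for suffixes like co.uk; a public-suffix list fixes it).
        domain = ".".join(host.split(".")[-2:])
        tells = report.setdefault(domain, [])
        dirs = [seg for seg in parts.path.split("/") if seg]
        if dirs and TWO_WORDS.fullmatch(dirs[0].lower()):
            tells.append("hyphenated-directory")
        created = whois_created.get(domain)
        if created is not None:
            age = (sent_on - created).days
            if age == 0:
                tells.append("registered-same-day")
            elif 0 < age <= young_days:
                tells.append("registered-recently")
        report[domain] = sorted(set(tells))
    return report

# Constructed sample: the domain and first directory are the ones named in
# this issue; the rest of the path, the second link and all dates are made up.
SAMPLE = """Search for 0 APR Credit Cards
hxxp://sfqwiyu[.]rest/authoring-shells/offer
Unsubscribe: https://example.com/newsletter/unsubscribe
"""
SENT_ON = date(2020, 4, 10)
WHOIS_CREATED = {"sfqwiyu.rest": date(2020, 4, 10), "example.com": date(1995, 8, 14)}
```

Calling scan_message(SAMPLE, SENT_ON, WHOIS_CREATED) flags sfqwiyu.rest with both tells and leaves example.com clean.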





 


FOR YOUR SAFETY
Copy of Shipment Information (UPS)


One of our readers sent us this email to ask if it was legitimate.  Our answer is obviously no! It claimed to represent UPS and is clearly not from UPS!  The email came from, and has links pointing to the domain theyouthambassadors[.]org.   We used two screenshot machines to take a picture of that website but both returned a "404" error meaning no web page could be found.  The domain theyouthambassadors[.]org was registered back in 2016 but Google knows nothing about it and it is now being hosted in Omsk, Russia.  Most importantly, the recipient does no business with this “organization” and was not expecting any invoice from them.  The writing is on the wall….



Until next week, surf safely!


Produced by:
Deutsch Creative
 
Copyright © 2020 The Daily Scam, All rights reserved.

