The Newsletter | September 1, 2021
DOUG FODEMAN: EDITOR-IN-CHIEF | DAVID DEUTSCH: CREATIVE DIRECTOR | POWERED BY THE DAILY SCAM

Welcome to the first collaborative newsletter between TheDailyScam.com and ScamAdviser! Each week we hope to cook up a special sauce to educate the public on how to recognize online fraud and reduce your risk of being victimized by it, seasoned with a little bit of humor as well. Below you’ll see our weekly themes in bold. They begin with “The Week in Review” followed by “Phish Nets,” “Your Money,” our “Top Story,” “For Your Safety” and occasionally “Textplosion.” In the stories below, when you see an image that interests you, clicking on it will usually open it up full size for easier viewing.

In addition to the six sections in each week’s newsletter, we routinely offer links to deeper, richer articles and resources on our websites, as well as other sites. We’ll start with these outstanding articles, one from SiteJabber.com called “Is This Website Legit? How to Identify Fake Websites While Shopping Online” and one from Scam Adviser. Many of us are using Venmo more and more to pay for merchandise and reimburse friends and family. But did you know that Venmo doesn’t have the same protection policies in place as traditional credit cards? And did you know that cybercriminals use tricks to target Venmo users? You can learn more about these tricks and how to recognize Venmo fraud through the Scam Adviser article “How to Spot Common Venmo Scams.”

Much of the content we bring to our subscribers comes from YOU! For eight years, subscribers to The Daily Scam newsletter have sent us their scams and suspicious emails, texts, screenshots from social media ads or posts, and even voicemail left on their phones. Now that subscribers to Scam Adviser are joining this effort, we ALL get to benefit and help each other! If you receive suspicious or fraudulent communications or find sketchy websites, send that information to: spoofs@thedailyscam.com

If you are looking for an opinion from us on whether or not something is legitimate or fraudulent, ask us! We’ll do our best to reply within a day or so.

One of our U.S. subscribers recently sent us a brief email she received from someone named Dominic, whom she didn’t know. As you can see, Dominic’s email seemed very familiar, as if he knew the woman. And yet the woman didn’t know him. She thought this email was a bit sketchy. This email is MUCH WORSE than sketchy!
 |
There are several important things to note about this email from “Dominic.”

- It came from a server in Brazil. At the very end of the FROM address, notice the 2-letter code following the last period of the email address. “.br” indicates it was sent from a server in Brazil. Country codes can reveal a great deal about online fraud! You can learn how to better recognize country codes in our short video at The Daily Scam.
- The bizarre name in blue in front of the “@” symbol, lcferreirafiho, doesn’t come close to matching Dominic’s full name in front of the email address. Though not proof of anything, this mismatch is a very common practice of cybercriminals and is enough to make an email suspicious.
- Clearly, the intention of this email is to encourage the recipient to click the link for that oddball domain called “fislifoo[.]com.” We used a WHOIS tool to see when that domain was registered and were not surprised to learn that it was registered anonymously in Iceland just a few hours before “Dominic” sent his email. This newly registered domain is CLASSIC behavior of cybercriminals who post malware on a website and try to trick people into visiting it and infecting their computers or phones. The newer the domain, the more likely it is malicious!

ScamAdviser has a great article about Malware Scams, how to recognize them and better protect yourself against them! Check it out!
 |
We also often report the stories told to us by YOU, our readers! It is a horrible experience to be targeted and victimized by cybercriminals. Many times our readers want to share their experience so that they gain some small satisfaction knowing they have helped others possibly avoid what they have gone through. After all, we’re here to help each other stay safe online!

And finally, we don’t always have the answers to all questions about online fraud, but we do have your problems too! We are routinely targeted, as are our family members and friends. That’s why we started this effort to begin with!
 |
 |
Amazon and PayPal Users Are Often Phished!

Of all the phish in the sea of fraud, the phish we see the most are those that target Amazon customers! Here are two recent examples sent to us by subscribers to this newsletter. Both of these phish use a behavioral engineering trick meant to upset a consumer so that she/he picks up the phone to call the scammers about a mistaken order. Of course this is not a real Amazon order! In fact, if you look carefully at the FROM address, you can find the 2-letter country code for Russia! The “Amazon customer support number,” prominently displayed in 3 locations, is actually the phone number to a cybercriminal gang in India. Lunge for the delete key!
 |
The second smelly phish wants you to believe it came from “Amazon Order Confirmation” but that was entered into the name field in front of the email address. The REAL email address follows in <> brackets and came from a generic Gmail account called “amznealerts.” Once again, if you have a problem with this $846 Samsung Laptop order charged to you and sent to the wrong address, you can always call the scammers, er… we mean Amazon support at their criminal call center in India again!
 |
Cybercriminals are often creative and try to invent new ways to target their victims. This next email, pretending to be from PayPal, is a perfect example and is the first time we have ever seen anything like it! It came from the oddball domain “doflati[.]net” which was registered anonymously a few weeks earlier on July 1st. Notice that instead of addressing the recipient by name, it simply says “Dear Client” and then follows with “bad news.” Clearly, English is not the first language of these criminals and there are several capitalization, spelling and punctuation errors. Reading carefully can go a long way to help identify suspicious content.
 |
What makes this phish so unique is that the link for “Login” points to a chat service! We clicked “Login” and were taken to a chat service that was set up to look like “PayPal Smart Help.” Notice at the top of the screenshot it says “Create your free LiveChat account to start chatting with your customers.” That’s right. These criminals simply opened a free account with a Chat service! Step away from this ledge!
 |
 |
 |
Claim Your Economic Impact Payment and ACH Payment Notification

Many Americans are getting fake “economic impact payments” that say they come from IRS.gov. However, the “IRS.gov” is entered into the name field. This email was actually sent from a hacked website called Magnum photos. When we put our mouse over the link, BUT DO NOT CLICK IT, we see in the lower left corner that it points to a website called spreely[.]com. Mouse-over skills are critically important to staying safe online because they can reveal WHERE a link points to before you go there, which can be too late. Visit some of our resources to improve your mouse-over skills!

https://www.thedailyscam.com/mouse-over-skills/
https://www.thedailyscam.com/mouse-over-skills-on-i-devices/
https://www.thedailyscam.com/mouse-over-skill/
 |
We asked VirusTotal.com to check out the link to “Claim my payment” and it had no problem seeing that this link was VERY malicious! It’s important to say that no anti-scam tool is perfect, which is why we always use a collection of them to evaluate links, including a WHOIS to see when a domain was registered. However, we also want to emphasize the importance of intuition! If “it looks too good to be true” it probably is!

One of our honeypot accounts received an “ACH Payment Notification.” But it came from a hair stylist/beauty website called bonnti[.]com! The email contained a PDF file with a link about our “ETF payment.” Did you know that PDF files can contain links and those links can be just as malicious as the links in emails, texts or on websites?

The link in the PDF file was short, but not sweet… “s[.]id/D7drz”. Anyone clicking that link will find themselves looking at a bogus “Secure Email Encryption Service” login where you can hand over your email login credentials to cybercriminals. Fortunately, VirusTotal.com again had no problem seeing through this disguise and identifying the link as malicious. We lived to tell the story!

If you found these particular scams interesting, check out our article on ScamAdviser called “How to Recognise Unexpected Money & Winning Scams.”
 |
 |
"A Rose By Any Other Name..."

We have often referred to Shakespeare’s quote, said by Juliet in his play “Romeo and Juliet”: “A rose by any other name would smell as sweet.” But rather than referring to a good man (Romeo) from a bad family, we wish to turn this saying upside down to refer to the domain naming system (DNS) that is typically misused by cybercriminals to our disadvantage. We’re referring to bad domain names amongst the harmless domain names used across the Internet.

Below is a simple example. It is a classic “Nigerian 419” scam (named after the Nigerian “419” penal code). We were recently contacted by “Barrister Peter Zwennes” through his official email address at Lawyer.com. It is the domain name that immediately raises suspicions because ANYONE can open an email account using the domain Lawyer.com! Mail.com offers free email accounts with more than 200 selectable domain names, including many domains preferred by cybercriminals! The most popular we have seen them use are:

- Lawyer.com
- Accountant.com
- usa.com
- Consultant.com
- Engineer.com
- Contractor.com (and .net)
- Clerk.com
- Diplomats.com
- Workmail.com
Nigerian 419 scammers are especially fond of these domain names as a way to bring legitimacy to their emails. To us, it is the opposite! When we see an email, such as the one below from “Barrister Peter Zwennes,” we know that 99 times out of 100, it is a fraud! By the way, Sitejabber.com rates Mail.com’s service 1.4 stars out of 5 possible stars. We’re not surprised.
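
The FROM-address checks used in this issue (name field versus the real address in <> brackets, 2-letter country codes, and the Mail.com domains listed above) can be automated. The following is an added example, not part of the original newsletter; the sample headers are constructed and the brand-to-domain map is an assumption for illustration.

```python
import re
from email.utils import parseaddr

# Free Mail.com vanity domains named in the newsletter's list.
FREE_VANITY = {"lawyer.com", "accountant.com", "usa.com", "consultant.com",
               "engineer.com", "contractor.com", "contractor.net", "clerk.com",
               "diplomats.com", "workmail.com"}

# Assumed brand -> sending-domain map, for illustration only.
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com", "irs": "irs.gov"}

# Constructed From: headers modelled on the emails described in this issue.
SAMPLES = [
    "Dominic Example <lcferreirafiho@host.example.br>",
    "Amazon Order Confirmation <amznealerts@gmail.com>",
    '"IRS.gov" <news@hacked-site.example>',
    "Barrister Peter Zwennes <p.zwennes@lawyer.com>",
    "Amazon <order-update@amazon.com>",
]


def triage_from(header):
    """Return (display_name, address, flags) for one From: header value."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # The display name is free text; only the address in <> names the sender.
    words = set(re.findall(r"[a-z]+", name.lower()))
    for brand, real in BRANDS.items():
        if brand in words and domain != real and not domain.endswith("." + real):
            flags.append("display name claims %s but address is @%s" % (brand, domain))
    if domain in FREE_VANITY:
        flags.append("free Mail.com vanity domain")
    # A two-letter final label is a country code, such as .br or .ru.
    tld = domain.rpartition(".")[2]
    if len(tld) == 2 and tld.isalpha():
        flags.append("country-code TLD ." + tld)
    return name, addr, flags


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_from(sample))
```

A flag is a reason to look closer, not proof of fraud; the last sample shows a header that raises none.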
 |
Another way to evaluate likely fraudulent or suspicious emails is through their global top level domain names, or “gTLDs.” You know the most common gTLDs as “.com” or “.org” or “.gov” or “.info” etc. They appear in a link JUST IN FRONT OF the first single forward slash! (That’s important because criminals play tricks on people by putting some gTLDs in other locations in a link.) When the Internet was first created there were only six gTLDs that were widely used (com, org, net, mil, gov, edu). Did you know that three of these gTLDs are restricted and can ONLY be used by a select group?

- Anyone can purchase a “com,” “org” or “net” today.
- ONLY the United States government can use “gov.” (However, governments from other countries can use “gov” if it is followed by a 2-letter country code, e.g. gov.uk or gov.br)
- ONLY the United States military can use “mil,” e.g. marines.mil/
- ONLY accredited colleges and universities can use “edu,” e.g. harvard.edu/ (However, there are a few “edu” gTLDs used by elementary, middle and high schools who registered their edu domain prior to 1998 when the rules for “edu” domains changed. These few schools were “grandfathered” in and allowed to keep their domains.)

Today, there are more than 1,500 global top level domains! Some of these are favored by cybercriminals because they can be purchased so cheaply. Here is a simple example. We at The Daily Scam received an email from Thomas Martinez, through our online form, telling us about loans and funding available from a business called “Direct Capital Lenders.” Take a look at the gTLD that followed the domain name “directcapitallenders1”...
 |
The gTLD used is “xyz.” We’ve seen HUNDREDS of domain names using “xyz” as their global top level domain and they have all been scam sites or malicious clickbait linked to malware. We’ve NEVER seen a real, legitimate domain ending in “xyz” (though we imagine there might be a few.) And so our “spidey-senses” started tingling and we decided to do some digging. One of the most important tools to dig up Internet dirt is a WHOIS, and our favorite is at DomainTools.com. They informed us that Mr. Martinez’s business was registered about 3 months earlier. That seems awfully young for a financial lending business!
 |
ScamAdviser showed us that a visit to DirectCapitalLenders1[.]xyz will only result in a redirect to a different business called Express Capital Corp. In addition, a Google search using Firefox for DirectCapitalLenders1[.]xyz turns up nothing, as if this business didn’t exist. (DO NOT USE CHROME to search for a domain name! Chrome will send you to the website instead and that can be very risky!) This information strongly suggests that instead of a loan from Direct Capital Lenders, what we’ll get is an interest-free malware infection! Ouch!

Finally, what if a website has no name? What, you say? How is that possible? Check out this **lovely** email sent to one of our U.S. subscribers inviting her to see if she qualified for Medicare. The email claims to represent a website called QualifyMedicare[.]com BUT CAME FROM the oddly named domain “envypart[.]com.” When we moused over the link to “Click Here to Check Your Medicare Coverage” we discovered that clicking will send us to a website identified by number only! This set of numbers is an IP Address, well understood by network routers, but not human beings. Fortunately, there are websites like IPLocation.net that allow you to look up an IP Address. If you clicked that link, you would end up on a web server in Baku, Azerbaijan, just north of Iran! Does that sound like a legitimate source of U.S. Medicare information to you? Yeah, we didn’t think so either. So if you ever see a link that points to an IP Address instead of a domain name, our advice is not to click it.

And as for Juliet? Perhaps an updated version of it might read “A crap domain by any other name would still smell putrid.”
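
The two link checks from this story, reading the ending that sits just in front of the first single forward slash and spotting a link that points to an IP Address, can be done without visiting the link. This is an added example, not part of the original newsletter; the IP address and the “.example” links are constructed, and the watch list holds only the endings named in this issue.

```python
import ipaddress
import re
from urllib.parse import urlsplit

WATCH_TLDS = {"xyz", "club"}   # endings this issue saw in scam links
FAMILIAR = {"com", "org", "net", "gov", "edu", "mil"}


def inspect_link(url):
    """Return (host, tld, flags) for a link; tld is None for an IP-address host."""
    parts = urlsplit(url.replace("[.]", "."))   # accept defanged indicators
    host = (parts.hostname or "").lower()       # text before the first single "/"
    if not host:
        return "", None, ["no host found; is the scheme missing?"]
    try:
        ipaddress.ip_address(host)
        return host, None, ["host is an IP address, not a domain name"]
    except ValueError:
        pass                                    # not an IP, so treat it as a name
    labels = host.split(".")
    tld, flags = labels[-1], []
    if tld in WATCH_TLDS:
        flags.append("watch-listed TLD ." + tld)
    # gov.uk or com.br: a familiar label right before a country code is normal.
    keep = 2 if len(tld) == 2 else 1
    for label in labels[:-keep]:
        if label in FAMILIAR:
            flags.append("decoy ." + label + " inside the host name")
    # Familiar endings after the slash say nothing about where the link goes.
    for label in re.findall(r"\.(com|org|net|gov|edu|mil)\b", parts.path.lower()):
        flags.append("decoy ." + label + " after the slash")
    return host, tld, flags


if __name__ == "__main__":
    for link in ["http://203.0.113.45/medicare/check",            # constructed
                 "https://directcapitallenders1[.]xyz/",
                 "https://irs.gov.refund-claims.example/claim",   # constructed
                 "https://pay-secure.example/paypal.com/login",   # constructed
                 "https://www.gov.uk/browse"]:
        print(inspect_link(link))
```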
 |
 |
 |
You Have a New Voice Message

Another longtime reader recently sent us an email she received, presumably from Ringcentral, telling her that she had a voice message waiting for her. She was suspicious and wanted our opinion. The link pointed to a website called sgizmo[.]com and the Zulu URL Risk Analyzer discovered that this website had a connection to malware located on another website called giyw[.]club. This secondary malicious domain was registered on July 26 in Iceland, the same day that the email was sent. ‘Nuf said!
 |
 |
 |
You Are the Lucky Customer This Month!

One of our readers sent us this screenshot of a text he received from 775-383-4230 on August 25. He’s been rewarded as a “lucky customer” but for what business? He was invited to click a link to a crap domain called 9x2ey[.]com. According to our favorite WHOIS, this domain was registered anonymously in Iceland on the very same day the text was sent and is being hosted on a server in Paris, France! Hmmmm, this no longer feels lucky to us! Deeeeeeleeeeete!
Copyright © 2021 The Daily Scam and Ecommerce Foundation. All rights reserved.