Phishing: Watch those URLs

Today in my Yahoo! mail account:

Yahoo

If you click that “Sign In” link, you get taken to

http://www.oficinadentalpr.com/includes/drpbx/db/obfuscated.php

which is apparently a dental office in Brazil. (I tried contacting them to let them know that their website had been compromised, but their contact page seems to be malfunctioning.)

Edit: As of today, the entire “Oficina Dental” account has been suspended. Either they got infected and their ISP suspended them on general principles, or the whole page was a sleazy front for this scam operation. We’ll never know.

At any rate, this is what you get:

Yahoo2

Which leads you to the regular “Enter your critical personal information and credit card and bank data” page.

The ongoing lesson: Don’t click embedded links in emails. Just don’t.

The Old Wolf has spoken.

An especially convincing Phishing scam

Here’s the email that came to me yesterday:

Image1

  1. Notice that it appears to come from “Paypal.com.” However, the original sender was 23.249.163.109 (if even that’s not spoofed), which is in Buffalo, NY, rather than PayPal’s headquarters in California. (The location of a sending IP is weak evidence on its own, since big mailers relay from many places; the sharper question is whether the host that injected the message, and the domain in the envelope sender, belong to the brand at all.)
  2. Second, the message is an image rather than text. That’s a red flag right there. The images link back to:

These are definitely nothing linked to PayPal. So we know even without any further examination that we are dealing with a phishing scam.
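The checks in points 1 and 2 can be made mechanically from the raw headers. The script below is an added example, not part of the original post: it parses a message with Python’s standard email module, compares the display name with the real address domain, compares the From domain with the envelope sender (Return-Path), reads the receiving server’s Authentication-Results verdict, and pulls the originating IP from the oldest Received header. Both messages are constructed for the example: the first reuses the IP named above but invented hostnames (example.net, example-relay.net), and the second reuses the “Bank Of America” From line quoted later on this page with an invented relay.

```python
"""Sender checks for a suspected phishing message (added example, not from the post).

Reads the raw headers with the standard library and reports what a reader
would otherwise dig out by hand: display name versus real address, From:
domain versus envelope sender, the provider's SPF/DKIM verdict, and the IP
that first handed the message to a receiving server.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The IP is the one the post names; every hostname and
# mailbox here is invented for the example.
SAMPLE_PAYPAL = """\
Return-Path: <bounce-1182@mailer.example-relay.net>
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby imap.example.net with ESMTP; Tue, 12 May 2015 10:00:02 -0400
Received: from srv7.example-relay.net (unknown [23.249.163.109])
\tby mx1.example.net with ESMTP; Tue, 12 May 2015 10:00:01 -0400
Authentication-Results: mx1.example.net; spf=fail smtp.mailfrom=mailer.example-relay.net; dkim=none
From: "PayPal" <service@paypal.com>
Subject: Your account access has been limited
Content-Type: text/html

<img src="cid:notice">
"""

# Constructed sample built around the From: line quoted on this page.
SAMPLE_BOFA = """\
From: Bank Of America <dugginp@pitt.k12.nc.us>
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.net with ESMTP; Mon, 08 Dec 2014 13:39:00 -0700
Subject: Your Bank Of America Account is under review

(body omitted)
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def address_domain(header_value: str) -> str:
    """Lowercase domain of the mailbox in a From:/Return-Path: header value."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def origin_ip(msg) -> str:
    """IP of the host that injected the message, from the oldest Received: line.

    Each hop prepends its own Received: header, so the last one in the list
    is the oldest. Anything older than the first header written by a server
    you trust can be forged by the sender, which is why the post hedges.
    """
    for hop in reversed(msg.get_all("Received") or []):
        match = IPV4_IN_BRACKETS.search(hop)
        if match:
            return match.group(1)
    return ""


def in_domain(domain: str, parent: str) -> bool:
    return domain == parent or domain.endswith("." + parent)


def analyze_sender(raw: str, brand: str, brand_domain: str) -> dict:
    """Return the extracted sender facts plus a list of human-readable findings."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    display_name, _addr = parseaddr(from_header)
    from_domain = address_domain(from_header)
    return_path_domain = address_domain(msg.get("Return-Path", ""))
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []

    # Display name claims the brand, but the mailbox lives somewhere else.
    if brand.lower() in display_name.lower() and not in_domain(from_domain, brand_domain):
        findings.append(f"display name {display_name!r} but address domain is {from_domain!r}")
    # Envelope sender (where bounces go) does not match the visible From domain.
    if return_path_domain and not in_domain(return_path_domain, from_domain):
        findings.append(f"Return-Path domain {return_path_domain!r} differs from From domain {from_domain!r}")
    # The receiving provider already checked SPF/DKIM; surface a failing verdict.
    for verdict in ("spf=fail", "spf=softfail", "dkim=fail"):
        if verdict in auth:
            findings.append(f"receiving server reported {verdict}")

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_ip": origin_ip(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw, brand, dom in (("paypal", SAMPLE_PAYPAL, "PayPal", "paypal.com"),
                                   ("bofa", SAMPLE_BOFA, "Bank of America", "bankofamerica.com")):
        print(label, analyze_sender(raw, brand, dom))
```

The Authentication-Results line is the one header worth trusting first: it is written by your own provider after it checked SPF and DKIM, whereas From, Return-Path and the older Received lines are all under the sender’s control.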

The image itself, if you click on it, leads to a long URL which actually contains the email address the phishing email was sent to. If you click on these links, they know who you are, and they also learn that the address is live and read by a human.

http://redirect.paypal.com.0.session…..=MyEmailAddress@comcast.net

Image2

So notice that when you get to the phishing website, they already have your email address. This is what makes the scam more credible – they’re not asking for your PayPal ID, because they are counting on the fact that you use your same email address as your PayPal address, and they already have that.

If you foolishly enter your password, the first thing you’ll see is this:

Image3

But that’s just a clever bit of misdirection. So you try again, and this is what you get next:

Image4

Which soon passes to:

Image5

And off to the races we go.

REMEMBER: Banks or PayPal or other financial institutions will NEVER ask you to verify information like this via email. All such requests are SCAMS.

When I check out websites like this (don’t try this at home – you could also be picking up a lot of malware if you’re not properly protected), I usually enter really insulting phrases for names, cities, and so forth. It’s a small thing, but it’s really the only way I can get under the skins of these criminals.

Image6

That billing address is nothing I would ever want to repeat in polite company – but notice that the scammers are trying to make their victim think they already have a credit card on file, and you’re just supposed to verify it.

Image7

So again I give them some bogus information that could never be used as a real card or be used to hurt anyone else.

Image8

The last screen will redirect the victim, once they have handed over their sensitive information to thieves, to the real PayPal website. Notice however – nothing else on the page works. All the other links are non-existent.

This scam is well-contrived enough that I fear any number of people will be taken in.

The most important thing to remember is that, as I said before, PayPal will NEVER ask you to give up sensitive financial information like this through an email message.

Be careful out there, and protect your loved ones.

The Old Wolf has spoken.

Phishing in the Yahoo! Pond

Just received:

Mail Blocked

Email Service

Today at 8:05 PM

To: me

Not from Chase: Watch the URLs

scam-alerts2

It goes without saying that this email is NOT from Chase.


From: chase.online2@verizon.net
Subject: Chase Online Important Alert : Action Required

To: Undisclosed recipients: ;

Chase Online Logo

We’ve Updated Our Online Access Statement

Dear Customer:

Technical se rv ices of the Chase online  are carrying out a planned statement upgrade. We earnestly ask you to visit the following link to start the procedure of confirmation on customers data.

To get started, please click the link below:

please visit our secure server web form by Click here to get started

Sincerely

Customer Service
©2015 JPMorgan Chase & Co.

1) First red flag: To “Undisclosed Recipients.”  If you’re getting an email from your bank, it will be addressed to you and not to everyone in the world.

2) Next red flag: Nigerian English:

  • Technical se rv ices of the Chase online
  • “We earnestly ask you to visit”
  • Start the procedure of confirmation on customers data

Nobody at Chase ever wrote such a bad email. If it sounds wrong, it is wrong.

3) Next red flag: Banks will never ask you to confirm confidential information by clicking a link in an email. They just won’t.

4) Most importantly, look where you go when you click the link:

http://schlatterhof.ch/junk/Capt/index.htm (I broke the link so you can’t accidentally go to the fraudulent website.)

That is a lot different from the real URL you should be seeing when you go to Chase:

https://chaseonline.chase.com/

A bank’s login page should always have an “https” URL, which means the connection is encrypted to whoever controls that domain. But https by itself proves nothing about who that is: phishing pages can and do get certificates, so check the domain name, not just the padlock. These turdcaskets didn’t even try to make the web address look like something from Chase.

Be aware. Be Careful. Practice safe computing.

The Old Wolf has spoken

Phishing: My Yahoo Account has “expired.”

Phishing, as I have mentioned numerous times elsewhere, is rampant. In a world with over 7 billion people, it’s hard to say how many electronic bad guys there are out there, but even if it’s a relatively small number, the nature of the web gives the bad actors a lot more access to a global pool of potential victims than your average con man enjoyed in pre-internet days.

This email arrived this morning:

yahoo1

Two things:

  1. YahooMail is always free. There’s a no-ad service you can pay for, but the drones are counting on the fact that grandma or grandpa (or any other potential sucker) won’t know that.

    A significant portion of internet users are terribly un-technical, and find computers something to be feared; if they use them at all, it’s on a cookbook level. “If you see it on the internet, it has to be true” is sadly a part of far too many people’s psyches, hence many people get taken advantage of in myriad ways.

  2. See that little yellow circle by the link? If you hover over it with your mouse, you’ll get a popup indicating how any particular website has been rated by users for trustworthiness and child safety.

    Yahoo2

    That’s a function of a browser extension called “WOT” (Web of Trust) that I have mentioned elsewhere. It’s invaluable for stopping problems before they start. The circles displayed are green, yellow, or red, and you can follow the “Click to view details” link for more information, user reviews, or to rate a site yourself if you have a (free) account.

    It’s not perfect by any means – WOT can be subject to shill reviews and malicious comments from unethical competitors and the like, but like anything else on the internet, it’s part of a body of evidence and I find it extremely useful as a canary in the coal mine. In this case, the parent domain “twomini.com” is rated very poorly on both counts, with the one user-posted review stating “Domainhoster hosting sites used for fraud, scam and Accountphishing.” Which is certainly true in this case.

If you hover over the “go here” link, your browser indicates that you are being directed to “http://bit.ly/10VyM2I” which is most definitely NOT a Yahoo address. It’s a shortened link which expands to:

DrudgeSirenSmall

http://infoskale.twomini.com/obyno/Connect%26True%3DUser1%25%3DXclusiv-3D%23Anonymous7Dole%3DReason%26Upgrade1%25continue%25True4.php

DrudgeSirenSmall

Web addresses like that are not necessarily bad in and of themselves, but they are not what you would expect to see when you visit a major site like Yahoo, or Comcast, or your financial institution. Those little drudge lights up there point out that this kind of URL is a red flag for suspicious activity, and to proceed with extreme caution.

If the victim unwisely clicks on the link, they get this:

Yahoo3

which quickly redirects to this:

Yahoo4

If you try to “log in” from this screen, your account information is sent to Russia or Ukraine or Nigeria or somewhere else, and the bad boys now have access to all your email, as well as an account to send out spamvertising or other scams with, and they do so on a regular basis. The victim is then sent back to the regular Yahoo Mail website, and continues on their merry way none the wiser.

indiana_jones_grail_knight-you-have-chosen-poorly

I logged in several times with user names like “ScammersEatCamelDung”, just to make sure they got the message. Of course, it’s possible that responses are simply harvested into a login script that will never be seen, but what the heck; I’ll take any opportunity to insult one of these wastes of human cytoplasm.

Please be careful out there, and for the love of Ella Wheeler Wilcox and the music of the spheres, protect your loved ones. If you have people you care about who use the computer and who are not tech-savvy, educate them on how to protect themselves from scammers.

We demand that people get licenses to drive a car; it’s a shame no basic training is required before venturing into the potentially-scary world of the internet.

The Old Wolf has spoken.

Your Bank of America Account is Under Review. Right.

Well, since I don’t have one, that would be a Neat Trick. But here’s the email:


From: Bank Of America <dugginp@pitt.k12.nc.us>
Date:12/08/2014 1:39 PM (GMT-07:00)
To:
Subject: Your Bank Of America Account is under review

Wells Fargo

Your Bank Of America Account is under review

Bank Of America is reviewing some costumers account for possible Fraudulent & unpaid bills. The balance for your checking & saving account has reached reviewable level (uncharged & un-deducted billing).
This information is accurate as of 5/12//2014 03:44:12 CST. You are required to, sign on and verify  your account informations.
If you have questions, Bank Of America Online Customer Service is available 24 hours a day, 7 days a week. Sign on to send a secure email.

Note about balances: Ending balance reflects transactions that have posted to your account and does not reflect pending deposits or withdrawals. The available balance is an indication of funds that are available to you today; however, it may not reflect all transactions that you may have initiated or authorized.ailable for withdrawal. It reflects the latest balance based on transactions posted to your account, including deposited funds, paid checks, withdrawals, and purchases made with your ATM Card or Debit Card. Please note that some transaction activity (such as outstanding checks and some Debit Card purchases) may take several days to post to your account and, therefore, may not be reflected in the available balance. Some deposits made in a store or ATM may not be immediately available for withdrawal or to cover other transactions.

Please do not reply to this email directly. To ensure a prompt and secure response, sign on to email us.

To modify or cancel your alerts, sign on, go to Messages & Alerts, and select Set Up/Modify Alerts.

C2D196BDD8BF139CE0440021283BC044

Suffice it to say this is a phishing email of the worst kind. The embedded “sign on” links point to this address (path obfuscated):

http://conwaycentralbaptist.org/blah-blah-blah/.safe.ssl-comfirmed-onlinebankingofamerica.com/index.html

In case you needed an additional hint, this is not a Bank of America website.
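Every post on this page comes down to the same inspection: read the link before you trust it. The script below is an added example, not code from any of the original posts. It takes a link and the brand the mail claims to be from and reports the registrable domain (the only part of the host that says who you are really talking to), whether the scheme is https, whether a shortener hides the destination, a brand name planted as a subdomain (the PayPal case above) or inside the path (the Bank of America case), a percent-encoded path that needs decoding before it can be judged (the twomini.com case), and any email address carried in the query string (the PayPal tracking trick). The links are the ones quoted on this page; the PayPal one is a constructed stand-in with example.net where the post shows “…”, and the suffix and shortener tables are small illustrative sets, not the real Public Suffix List.

```python
"""URL triage for links pulled out of suspicious e-mail (added example, not from the posts)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative tables only. Real tooling should use the Public Suffix List
# and a maintained list of shortener domains.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.nz"}
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Something that looks like a hostname sitting inside the path component.
DOMAIN_LIKE_IN_PATH = re.compile(r"([a-z0-9.-]+\.(?:com|net|org))(?=/|$)")

# Links quoted on this page, plus a constructed stand-in for the truncated
# PayPal lookalike (example.net replaces the part the post elides).
LINKS = {
    "dental": "http://www.oficinadentalpr.com/includes/drpbx/db/obfuscated.php",
    "paypal_lookalike": "http://redirect.paypal.com.0.session.example.net/signin?e=MyEmailAddress@comcast.net",
    "chase_phish": "http://schlatterhof.ch/junk/Capt/index.htm",
    "chase_real": "https://chaseonline.chase.com/",
    "yahoo_short": "http://bit.ly/10VyM2I",
    "yahoo_expanded": "http://infoskale.twomini.com/obyno/Connect%26True%3DUser1%25%3DXclusiv-3D%23Anonymous7Dole%3DReason%26Upgrade1%25continue%25True4.php",
    "bofa": "http://conwaycentralbaptist.org/blah-blah-blah/.safe.ssl-comfirmed-onlinebankingofamerica.com/index.html",
}


def registrable_domain(host: str) -> str:
    """'redirect.paypal.com.0.session.example.net' -> 'example.net' (simplified suffix logic)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str, brand: str, brand_domains: set) -> dict:
    """Return the parsed facts about a link plus a list of human-readable findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    decoded_path = unquote(parts.path)
    findings = []

    if parts.scheme != "https":
        findings.append("not https")
    if reg in SHORTENERS:
        findings.append(f"{reg} is a link shortener; the real destination is hidden")
    elif reg not in brand_domains:
        findings.append(f"registrable domain is {reg!r}, not {brand}")
        # Brand used as a subdomain label: paypal.com.<something else>.
        if brand.lower() in host:
            findings.append("brand name appears only as a subdomain of an unrelated domain")
        # Brand-ish hostname planted in the path, after the real host.
        match = DOMAIN_LIKE_IN_PATH.search(decoded_path.lower())
        if match:
            segment = match.group(1).lstrip(".")
            findings.append(f"path contains a domain-like segment {segment!r}; only the host before the first '/' counts")
    if "%" in parts.path and decoded_path != parts.path:
        findings.append("percent-encoded path; decode it before judging what it says")

    # Query parameters that carry an address identify (and confirm) the victim.
    emails = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for piece in (key, value):
            if "@" in piece:
                emails.append(piece)

    return {
        "scheme": parts.scheme,
        "host": host,
        "registrable_domain": reg,
        "decoded_path": decoded_path,
        "emails_in_url": emails,
        "findings": findings,
    }


if __name__ == "__main__":
    brands = {"dental": ("yahoo", {"yahoo.com"}), "paypal_lookalike": ("paypal", {"paypal.com"}),
              "chase_phish": ("chase", {"chase.com"}), "chase_real": ("chase", {"chase.com"}),
              "yahoo_short": ("yahoo", {"yahoo.com"}), "yahoo_expanded": ("yahoo", {"yahoo.com"}),
              "bofa": ("bankofamerica", {"bankofamerica.com"})}
    for name, url in LINKS.items():
        brand, domains = brands[name]
        print(name, inspect_url(url, brand, domains)["findings"])
```

The one rule the script encodes is that the registrable domain of the host, and nothing else in the URL, decides who receives what you type; everything before it in the hostname and everything after the first slash is chosen freely by whoever controls that domain.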

Conway Central Baptist Church will probably not be pleased that someone has infiltrated their servers and is using them to host phishing data; they have been informed.

But the website looks like this:

bank

They want all sorts of information from you, including “Father’s Maiden Name” and “Father’s Middles Name.” If those aren’t screaming red flags, I don’t know what would be.

So many scumbags out there want your identity, your financial information, and your money, and they would sell their own mothers to get it.

Be careful out there.

The Old Wolf has spoken.

Why you *never* click embedded links in your email

Scam

See that link to “Capital One” there in the body of the email? It actually takes you to an entirely different website that merely looks like Capital One’s.

Scam2

Congratulations, you’ve just handed the key to your bank account and your email account to thieves, probably in Eastern Europe or Africa.

One would think people would understand this by now, but there are a lot of folks who use computers who really don’t get below the level of Lolcats or Pinterest, and they need to be protected. Phishing scams are still rampant because phishing scams are still profitable. Far too many people are duped by websites like the one above, and happily hand over their information to criminals either online or via telephone.

2012-02-24-ScamArtist

If you are just learning about computers, this is Rule Number One about emails:

NEVER CLICK ON EMBEDDED LINKS IN AN EMAIL – ALWAYS TYPE THE WEB ADDRESS DIRECTLY INTO YOUR URL BAR.

I can’t emphasize that enough.

Not only are you at risk of losing your money or your identity, but you could seriously damage your computer files, for example, if you carelessly open an attachment which contains malicious software like CryptoLocker (ransomware that encrypts your files and demands payment for the key).

If you are computer-savvy and have loved ones who are not, or who might be vulnerable to this sort of thing, please educate them and watch over them.

Be careful out there.

The Old Wolf has spoken.

A repetitive Phishing Scam: Apple ID

Your Apple ID was just used to purchase TuneIn Radio Pro $3.99 Your receipt No.226816512

Your Apple ID was just used to purchase TuneIn Radio Pro from the App Store on a computer or device that had not previously been associated with that Apple ID. You may also be receiving this email if you reset your password since your last purchase.

This purchase was initiated from Spain.

If you made this purchase, you can disregard this email. It was only sent to alert you in case you did not make the purchase yourself.

If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

Regards,
Apple

TM and Copyright © 2013 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014, USA.

All rights reserved | Keep Informed


Naturally, this message is not from Apple. iforgot.apple.com is a valid Apple page, but the link behind that text redirected to a bogus site, which was almost instantly deleted and would have gathered your personal and financial data.

I’ve seen this one appear several times in my email box, so it’s an active fraud; please be careful out there.

The Old Wolf has spoken.

Another phishing Scam to watch out for

scam-alerts2

Your Apple ID was just used to download Skate Simu 3$ from the App Store on a computer or device that had not previously been associated with that Apple ID.

To: (redacted)
Date: Oct 13 (2 days ago)

Dear W R Jonathan Graham, (clearly not my name)

Your Apple ID was just used to download Skate Simu 3$ from the App Store on a computer or device that had not previously been associated with that Apple ID.

This download was initiated from Morocco.

If you initiated this download, you can disregard this email. It was only sent to alert you in case you did not initiate the download yourself.

If you did not initiate this download, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Security and your Apple ID for further assistance.

Regards,
Apple

TM and Copyright © 2014 Apple Inc. 31-33, rue Sainte Zithe, L-2763 Luxembourg.
All rights reserved / Keep Informed / Privacy Policy / My Apple ID

The problem here is that in the email message, that “iforgot.apple.com” was a front for a redirect to another website, “dejewelady.com” (which has now been taken down), which redirected to a phishing page designed to gather personal information, passwords, and credit card data.
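Both this message and the Capital One one earlier on this page rely on the same trick: the visible link text says one thing and the href underneath says another. The following is an added example, not code from the original post: it pulls every anchor out of an HTML body with Python’s standard html.parser and flags any whose text names a domain different from the href host, or whose href host is outside the domains the brand actually uses. The HTML is constructed for the example; the destination hosts are example.net stand-ins, not the domain the post names.

```python
"""Find links whose visible text and destination disagree (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML fragment mirroring the two messages described on this page.
# example.net stands in for the real phishing hosts.
SAMPLE_HTML = """
<p>If you did not make this purchase, we recommend that you go to
<a href="http://login.example.net/apple/verify">iforgot.apple.com</a>
to change your password.</p>
<p><a href="https://www.apple.com/support/">Apple Support</a></p>
<p>See your statement at <a href="http://secure.example.net/capitalone/">Capital One</a>.</p>
"""

# A hostname-looking token in visible link text, e.g. "iforgot.apple.com".
DOMAIN_LIKE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def in_domain(host: str, parent: str) -> bool:
    return host == parent or host.endswith("." + parent)


def mismatched_links(html: str, expected_domains: set) -> list:
    """Return the anchors a reader should not click, each with the reasons."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        href_host = host_of(href)
        claimed = DOMAIN_LIKE.search(text)
        claimed_host = claimed.group(1).lower() if claimed else ""
        reasons = []
        # The text shows a domain, but the href goes somewhere else entirely.
        if claimed_host and not in_domain(href_host, claimed_host):
            reasons.append(f"text says {claimed_host} but href goes to {href_host}")
        # The href host is not one of the domains the brand really uses.
        if href_host and not any(in_domain(href_host, d) for d in expected_domains):
            reasons.append(f"href host {href_host} is not an expected domain")
        if reasons:
            flagged.append({"text": text, "href": href, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in mismatched_links(SAMPLE_HTML, {"apple.com"}):
        print(item)
```

Mail clients show the same information when you hover over a link, which is all the post is asking you to do; the script just does it for every link at once and refuses to be fooled by text that looks like an address.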

There are people working behind the scenes to protect the innocent – later in the day, this warning showed up at the top of the email:

Be careful with this message. Similar messages were used to steal people’s personal information. Unless you trust the sender, don’t click links or reply with personal information.

The links in the email had been disabled, and as indicated, the phishing website had been taken down. But it pays to be careful. It is rarely advisable to click links in emails directly; rather, enter the address yourself in the URL window.

Be careful out there.

The Old Wolf has spoken.

How to attract more spam

nospamcan

Got this in my mailbox today, from the spammer or spamming group which has been very active in the last couple of months:

From: Ford Fall Clearance <fordmakesthebest@host1.everyonehugecarclearance.net>
Subject: Re: Ford Dealers are Slashing-Prices. All Models Must Go..
To: <redacted>

FORD SEPTEMBER AUTO CLEARANCE
——————————————————————
<redacted>

Don’t miss out on the “Ford End-of-Summer Saving Event”
Limited-time special pricing on select Ford models
Compare offers to find the lowest price here:
http://xxx.everyonehugecarclearance.net
(Use the link above to view this message in your browser)
————————————–
message id 4335021

Click that link (which I have obfuscated so it goes nowhere) and you will be taken to the website of iMotors.com:

spam1

The spam email was from “Ford,” so this particular page focuses on Ford vehicles, but you can select any make and model, and I’m sure the “affiliate marketer” has pages for every brand which they blast out on a daily basis.

So, let’s put in some bogus information here – notice that the phone number and the email are both for the Federal Trade Commission. Enver Hoxha was the communist dictator of Albania for decades.

Spam2

That should generate some interesting emails and phone calls at FTC headquarters. Notice that by submitting your information, you agree to be called, robo-called, emailed, texted, etc. by anyone and everyone in the universe.

So what did I get for submitting my information?

Spam3

That’s right: Nothing. Even if I select my make and model on this page, and click “Search,” I still get the same result. Nothing.

But wait, there’s more.

Spam4

Now you get to give them a mailing address, so that your junk mail will increase by a factor of 100.

But don’t stop now! There are more deals ahead!

Spam5

Look at all this information they want you to hand them, including your birth date and social security number.

NEVER GIVE OUT THIS INFORMATION TO RANDOM WEBSITES!

That’s not just advice, that’s a command. Just don’t ever do it. You’re inviting identity thieves like a porch lamp invites moths.

I run an online business (several, actually) and part of our privacy policy reads like this:

We don’t know how it would be possible for anyone to hate spam more than we do.  In the same breath, we are aware of the challenges and inconveniences associated with identity theft.  As a result:

  • Your information will never be sold, traded, given away or otherwise divulged to anyone, and we do not purchase names from other companies.
  • We do not keep any financial data (i.e. credit card numbers) on file.
  • We do not buy information or names from others.
  •  We do not advertise by spamming. Ever.

Unfortunately many businesses do not subscribe to such policies, and you can be sure that anything you respond to in your email that was unsolicited or from a company you have never done business with will result in an even greater flood of spam, or possibly criminal misuse of your information.

Be careful out there.

The Old Wolf has spoken.