June 30, 2013

Email spam, scam and threat round-up for week ending on June 30, 2013

The overall volume of spam over this past week is greatly reduced, to say the least. Not only have the types of spam subjects become fewer, but the number of malware threats has dropped as well.

The few malware threats that arrived in my MailWasher Pro Inbox were in the form of attached zip files pretending to contain Better Business Bureau complaints (Subject: FW: Complaint Case 2UBG8353D9XLI0Z) or an ADP Payroll invoice (Subject: ADP Payroll INVOICE for week ending 06/21/2013).

Malicious files in email attachments are best managed by an up-to-date anti-virus program that can monitor incoming email messages, as well as files you open before running, such as zip and pdf files. I personally use and recommend Trend Micro Internet security products. They use "in the cloud" malware definitions for the newest threats, so they don't bog your computer down with what would otherwise be a huge virus database on your hard drive (and loaded into RAM).

Also, if you operate your computer with less than Administrator privileges, and keep your bullshit detectors on high, you will be about 90% less likely to get infected by most malware, especially the silent install type. The B.S. detectors are for when an installer pops up a UAC prompt asking for the Administrator password to continue.

The bulk of spam over the last week was for herbal weight loss scams, like "green coffee" beans or "Garcinia Cambogia" pills. I did a little bit of reading up on the latter and found a lot of people, mostly women, who tried these Garcinia pills had developed some very serious gastric problems, until they stopped taking them. Very few of the commenters had any success at losing weight, without also losing their lunch ;-)

Best advice: if you need to lose weight, see a doctor and exercise more often. Exercise burns calories. Magic weight loss pills may work for a while, then stop working. Then you may regain the weight you lost (I watched this happen to a friend who tried the old Atkins Diet. Bad outcome!).

The next most common type of spam last week was for work at home scams. These are either running scams about "processing emails" (Earn $25.00 For Every Email You Process!), or are fronts for "Money Mule" recruiters (Subject: Environmental business currently seeking representatives worldwide.) (Read about Money Mules here).

The last class of spam that was measurable was for an ongoing penny stock pump and dump scam. Stock scammers have bought a large volume of shares, valued at about 20 cents US, of a company that deals in a hair replacement treatment. For about 3 weeks they have been blasting out email scams making all sorts of false claims about this company and the value of its stock. Using fake news in the messages, the scammers are hoping to drive up interest, which would lead to more people being roped into the scheme, causing the value to rise quickly. If the value of this stock rises to a level that the scammers have agreed upon, they will sell off all of their stock, at a profit to themselves and their co-conspirators, but a loss to everybody else involved.

If you are a MailWasher Pro user, and you have applied my custom MailWasher spam filters, you are already protected against all of the above spam, scams and malware threats. At the very least, you will be warned about what classification any given email falls into, if any. If, like me, you set your spam filters to auto-delete known spam and threats, they will go poof before you even see them (MailWasher Pro has a restorable recycle bin, in case of false positives).

Please note: I update my custom MailWasher spam filters as is needed. If I get, or am notified about a false positive detection, I investigate the cause and fix the bad rule-condition as soon as possible.

June 19, 2013

Summer specials at Dotster, Domain.com and MyDomain

The following is an ad written by me (Wiz). I am an affiliate for this related group of companies (I will earn a small commission if you purchase anything offered here) and am also a long time Dotster customer.

Dotster, Domain.com and MyDomain are all one related company that is in the web hosting and domain name registration business. I originally heard about Dotster in about 1999, on TechTV (now called G4). On that show, Leo Laporte talked about registering domain names and revealed that his choice of "Registrar" was Dotster.

After I learned about Dotster and how domain names that were registered officially could be used for professionally hosted web sites, I went to dotster.com and proceeded to register my first domain name: wizcrafts.net (that's where this blog is located). That was about 13 years ago and I am still using Dotster as my primary Domain Registrar.

Somewhere down the time line I joined an affiliate network that had Dotster as an advertiser. Since I was and am happy with their services and rates, I decided to become an affiliated "publisher" and have promoted Dotster ever since.

Every now and then, Dotster, and its related businesses MyDomain and Domain.com, offer a substantial discount for Registrar and hosting services. I am pleased to let you know that these companies are now offering some really good discounts that are good through July 31, 2013. The details are listed below.

First of all, before you can have a public web site in your own name, hosted professionally, it needs to have its name (e.g. example.com, example.net) registered through an ICANN Accredited Registrar. So, when I want to create a new web site, I pick an available name (or add dashes or letters until I find an available variation) at Dotster.com and pay a small annual fee to register that domain name.

Once you register a domain name, the next step is to get it professionally hosted, so it can be found by search engines and indexed. The "indexing" of web sites by search engine "spiders," like those operated by Google, Yahoo, Bing, etc., occurs when they "crawl" all publicly accessible websites for content. When they find new content, it gets added to their search databases. If you create a new site about the endochronic properties of triple resublimated Thiotimolene, register a domain name and have it professionally hosted, searchers looking for such mundane information will see lists of related search results and eventually, your site will be among those shown in the search results (it takes time for a new web site to appear in most search results, sometimes months).

The Summer 2013 specials at Dotster, Domain.com and MyDomain

The specials listed here involve applying a coupon code to the appropriate items, in the shopping cart. The percentages will be deducted as you continue towards completing your purchases. The terms of use are shown at the end of this article. All these discounts end on July 31, 2013, at 11:59 PM Pacific Time.

40% off All Web Hosting Plans

Dotster web hosting discounts

Now through Wednesday, July 31, 2013, customers save 40% on all new web hosting plans. This offer (valid at Domain.com, Dotster.com, and MyDomain.com) can be redeemed by entering coupon code 40HOSTING at check-out!

These web hosting plans are simple to use and incredibly powerful, with the basic plan costing just $3.75 a month (by the year). Install WordPress and other popular open source applications with one click, or use the popular website builder to create a fresh, new site. All plans offer unmetered disk space and data transfer. The basic plan only allows one domain, where the others allow for unlimited domains to be hosted under the same account.

The deals and initial prices can be prepaid and locked in for up to 3 years. After that, renewals are at the then-going rate for those plans.

*Disclaimer: LIMITED TIME OFFER. 40HOSTING coupon and offer expires July 31, 2013 at 11:59 p.m. Pacific. 40HOSTING coupon is good for 40% off new Web Hosting services. No minimum purchase required. All renewals on products and services after the initial discounted period will be charged at the then current standard list price for the selected period. Coupon is not valid with new domain registrations, domain renewals, domain transfers, premium domains, custom website design, other coupons, or special pricing.

Domain Name Registration Discounts: Spend $40, Save 20%

This deal applies to the purchase of new domain names and most other non-hosting services.

Domain.com, Dotster.com, and MyDomain.com are giving 20% off to customers who spend a minimum of $40, by using coupon code SAVE20NOW in the shopping cart. Please note that this coupon can't be combined with other coupons including the 40HOSTING offer above. This coupon is valid through Wednesday, July 31, 2013.

*Disclaimer: SAVE20NOW coupon is good for 20% off new products and services when you spend $40. Offer is good through July 31, 2013 at 11:59pm Pacific. All renewals on products and services after the initial discounted period will be charged at the then current standard list price for the selected period. Coupon is not valid with certain TLDs, renewals, transfers, custom website design, other coupons, or special pricing.

One reason that I use and recommend using separate companies for domain name registration and web site hosting services is that if you decide to move your web site files from one hosting company to another (this happens a lot), all you need to do is log into your Domain Registrar account and change the "Name Server" records to point to your new web host (they all provide these details when you sign up for hosting). A few hours later your new site will be online, as the change filters on through the various name server routers around the World.

However, if you also used your previous web host as your Domain name Registrar, you might have to make a formal request to allow the domain to be transferred to your new host and may even have to pay them before they turn it loose. This is a lot of jumping through hoops, as far as I am concerned. That's why I have stayed with Dotster as my Domain Registrar all these years.

June 12, 2013

Beware of email job offers from Money Mule recruiters

I have written about spam issues for many years now, covering junk email selling illicit prescription drugs, bogus weight loss substances, E.D. pills, counterfeit watches, purses and shoes, malware link/attachment threats, as well as financial scams like Nigerian advance fee/overpayment (419), pump and dump penny stocks, work at home ripoffs and fake job offers. Today's article is about the last item.

Some types of spam are always present, like the illicit E.D. pills and Nigerian 419 scams. Every now and then something new comes along and gets spammed out heavily for a while, like the current green coffee weight loss scam. But, these new items tend to disappear when the spammers renting the use of botnets lose money promoting things that their recipients aren't interested in trying. That is why we see different spam topics every few weeks.

Most spam, from the 1978 ARPANET DEC email blast to the present, has been an attempt to take some of your money for some item or substance. 419 scams get you to pay advance fee money in the false expectation of receiving a fortune in return.

Malware delivered by email is usually meant to steal money from online banking users, or valuable website login credentials (Phishing scams), bank card numbers, and even your identity. Or, it might demand a payment to restore the use of your "locked" computer, or to fix non-existent system problems it claims to have found. This malware is either delivered via an email attachment, or by hyperlinks to a hostile website that exploits vulnerable software that may be installed on your computer or smart device.

Fake employment offers, on the other hand, are meant to get YOU to participate in stealing other people's money, as the middle-man who receives, then remits stolen funds to cybercriminals pretending to be employers. The people who enter into these schemes are known as Money Mules.

Read on to find out how this scam works and what the consequences could be for those who get involved.

What is a Money Mule?

A Money Mule is a person who either knowingly or unknowingly becomes involved in a criminal money laundering scheme. The Money Mules I am going to describe are unknowingly recruited into transferring stolen funds, thinking it is part of a legitimate job with a multinational company. This job came to them via an unsolicited email, offering employment, possibly with a subject similar to this one that is currently making the rounds.

Subject: Environmental organization is expanding and currently recruiting worldwide reps

Think back to my prior paragraph describing malware threats that are meant to steal money from computer users who do online banking. These victims are tricked into opening a hostile attachment, or clicking on what appears to be an important link to view an invoice, read a complaint, get details about a failed transaction, etc. Once they have taken these actions, an exploit kit runs active JavaScript code to find out if the computer contains vulnerable software for which an exploit can be downloaded. These vulnerabilities are usually found in outdated versions of Java, Adobe Flash and Adobe Reader. Once a single vulnerable entry point is found, the appropriate package is delivered and installed on that computer. In the case of bank account stealing malware, this is usually the ZeuS (Zbot) or Citadel Trojan.

These Trojans will scan the infected computer for links to certain financial institutions, or PayPal, etc. When the user goes to log into their online bank, the malware will either intercept the user name, password and challenge question, or present a fake replacement login page, then send these credentials back home to a server controlled by the criminals running that particular Trojan campaign. Some time later, money will be transferred out of the victim's bank account, usually in amounts that "fly below the Radar" of most bank fraud detection monitors. This is usually just under $5000 or $10,000, depending on how much money is in that account. If a company business account is attacked, hundreds of thousands of dollars might be transferred before alarms go off.

Bank account cybercriminals will do everything in their power to avoid being identified, while still getting a hold of the stolen money. So, they spam out fake job offers to rope in as many Money Mules as they need to launder these stolen funds as quickly as possible. If the average amount that can be transferred to a typical private bank account is $9,999, this amount will be sent to each recent recruit, by direct deposit. Read that again! The money stolen by a banking Trojan is sent directly to the bank account of a recently hired job seeker, who is acting as a Money Mule.

The Mules are put under contract to report all money received as soon as possible, then to await instructions. They may be told that a direct deposit of say $7500 is going to be made at 8 AM the next morning, their time. They are then told to check their bank account, online, until the money is deposited. They will then receive instructions to issue a wire transfer in that amount to another bank, using routing and account numbers.

Stolen money may be transferred several times, between various Mules, some of whom are in foreign countries. The payout to the criminals behind this job scam is often accomplished by having local Mules take out cash (direct at bank or via ATM card), and converting it into prepaid money cards, or wired by Western Union to recipients who cannot be traced. Many, if not most of these cybercriminals live in the former Soviet Union.

How Money Mules (don't) get paid

Payment for their (money laundering) services is usually promised to be at the completion of each job, or at the end of two weeks, or the calendar month. What most Mules don't know in advance, but soon find out, is that their commission payment is usually never issued. Exceptions might happen when the controller tells the Mule to keep a very small commission before sending out the bulk of the money. Very few Money Mules are retained for a second job. They are "cut loose" and all communication with the so-called company that hired them is terminated. Emails bounce and any phone numbers used to communicate with the Mules are disconnected.

Some time after this, the victim discovers that their bank account has been emptied, or seriously reduced, through fraud. They report it to their bank, who launch a follow the money investigation. Since the pilfered funds went by direct deposit to somebody in the same country, the bank will contact your bank to demand full repayment of illegally transferred funds. Your bank will attempt to comply and take that amount out of your accounts, to satisfy the return order. If your account lacks sufficient funds, the Police will be called, along with your State, or County Attorney General. You will be interviewed and possibly arrested for participating in a money laundering scheme.

Not only will the mules be out the money they transferred, they will also have to pay for a good attorney to defend them in Federal Court. Bank account theft across State lines is a Federal offense. Some of the consequences are listed below (see this document).

  • Inaccessible bank accounts - During an investigation, law enforcement officials may freeze a money mule's bank accounts. Being unable to access funds may create a significant financial burden. These activities may also have a long-term impact on credit scores.

  • Prosecution - Money mules may be prosecuted for their participation in these schemes. Severe penalties may be meted out to those convicted of money laundering.

  • Accountability for charges - In some cases, money mules are found personally responsible for repaying the losses suffered by the other victims.

  • Vulnerability of personal information - As described in the typical process, criminals often collect personal information from the money mules. It is possible that the criminals may use this information for other malicious purposes, including extortion.

June 9, 2013

E-mail spam and scam roundup for June 3 - 9, 2013.

Since the recent forced shutdown and seizure of Liberty Reserve, a major payment portal used by cybercriminals (and also, unfortunately, many innocent people), spammers and scammers have been experiencing trouble getting paid their ill-gotten money. Nonetheless, certain types of spam continue to flood our inboxes, as shown in this article.

My stats are derived from MailWasher Pro, which is a desktop POP3 and IMAP spam filter that goes between your email server and your email client. The classifications of spam come from spam filters I write and publish for use by other MailWasher Pro users.

SPAM

This week the majority of spam was for counterfeit or useless drugs, most with domain names that begin with "greecoffeeultra." These domains are often registered on the day you begin seeing spam claiming you only have 24 or 48 hours to act, or some similar garbage subject. I did some research into a few of these domains and learned that the ones arriving today were just registered a few hours earlier and are set to expire in just two weeks. The "Registrar" is listed as Domain Silver Inc., in the Seychelles. It is very unusual to allow such a short registration period and it is no surprise that spammers are attracted to this company.

The From addresses are composed in two parts. The first shows a name, like iWellHealth, GreatHealth, or something similar. The second part is the email address, which is totally bogus. They are composed of about 10 or 12 characters of random upper and lower case letters, followed by three digits, then some imaginary or real domain name. I have updated my MailWasher filter for "Known Spam [From]" to detect and auto-delete these messages so you don't have to deal with them.
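As an added illustration of the From-address pattern just described (this is my own Python rendering of that description, not the author's MailWasher filter), the function below parses a raw From: header, checks the local part for the "10-12 mixed-case letters plus three digits" shape, and combines that with the display-name words and domain prefixes the article names. All sample headers are constructed, and the "delete/review/keep" thresholds are my own choice.

```python
import re
from email.utils import parseaddr

# Shape of the bogus local part described in the article: 10-12 letters followed
# by exactly three digits (e.g. "XkQpLmZrTbWq472", a constructed sample).
RANDOM_LOCAL_PART = re.compile(r"^[A-Za-z]{10,12}[0-9]{3}$")
# Words from the display names the article quotes (iWellHealth, GreatHealth);
# "wellness" and "slim" are my own additions.
SUSPECT_NAME_WORDS = ("health", "wellness", "slim")
# Domain prefixes the article associates with the green coffee campaign.
SUSPECT_DOMAIN_PREFIXES = ("greecoffeeultra", "greencoffee")


def classify_from_header(from_header: str) -> dict:
    """Parse one From: header value and report which indicators it trips.

    Returns a dict with "display_name", "address", "indicators" and "verdict".
    Verdict is "delete" (random local part plus at least one more indicator),
    "review" (any single indicator) or "keep" (nothing suspicious).
    """
    display_name, address = parseaddr(from_header)
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()

    # The article stresses a mix of upper and lower case letters, so an all-caps
    # or all-lowercase local part of the right length does not count as random.
    mixed_case = (any(c.islower() for c in local_part)
                  and any(c.isupper() for c in local_part))
    indicators = {
        "random_local_part": bool(RANDOM_LOCAL_PART.match(local_part)) and mixed_case,
        "suspect_display_name": any(w in display_name.lower() for w in SUSPECT_NAME_WORDS),
        "suspect_domain": domain.startswith(SUSPECT_DOMAIN_PREFIXES),
    }
    hits = sum(indicators.values())
    if indicators["random_local_part"] and hits >= 2:
        verdict = "delete"
    elif hits >= 1:
        verdict = "review"
    else:
        verdict = "keep"
    return {"display_name": display_name, "address": address,
            "indicators": indicators, "verdict": verdict}


def screen_headers(from_headers):
    """Classify a batch of From: header values; returns [(address, verdict), ...]."""
    return [(r["address"], r["verdict"]) for r in map(classify_from_header, from_headers)]


# Constructed sample From: header values (not taken from real messages).
SAMPLE_FROM_HEADERS = [
    "iWellHealth <XkQpLmZrTbWq472@greecoffeeultra.example.pl>",  # delete
    "GreatHealth <bvTQmexRyuA839@mail.example.net>",              # delete
    "Newsletter <ABCDEFGHIJKL123@example.com>",                   # keep: not mixed case
    "support <support123@example.com>",                           # keep: too few letters
    "Alice Example <alice@example.org>",                          # keep
]

if __name__ == "__main__":
    for address, verdict in screen_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:7} {address}")
```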

Most of these "greencoffee" domains end in the extension .pl - which stands for Poland. The websites are hosted in the Ukraine and did not return any results when I checked them. But, they are active websites and may be populated with illicit content at any time.

Other drug spam is for Russian domains (.ru), which are only supposed to be registered to Russian citizens. The websites at the end of the links were mostly hosted in ...The Ukraine. They have a big spam hosting problem there.

If you value your health and money, don't click on the links in these Russian/Ukrainian drug spam messages! The drugs, should you ever receive them (most are seized by Customs), sometimes contain dangerous additives and are concocted in rogue drug labs. The websites promoting these drugs are built by Russian cybercriminal enterprises running affiliate programs and using botnets to send out billions of email spam and scams to folks like you and me. Once they get your debit or credit card details, they may sell them on the black market, or try to blackmail buyers into paying hush-money to not get turned in to Customs or your local Police for buying illicit controlled substances over the Internet.

Scams

This week's email scams include Nigerian 419 advance fee fraud scams, which almost never disappear completely, followed by the last minute return of a new Pump And Dump Scam. This Pump And Dump is pushing a stock with the unlikely symbol HAIR. They are talking it up with all kinds of fake news and imaginary projections. They have invested some big money into this stock and want to fool you and as many others as possible into purchasing large volumes of it to drive up the price. As soon as the price reaches what looks like the best it will reach, these scammers will dump all of their shares. You, and the other persons who were fooled will be left holding the bag, which will be empty.

What happened to the last company that was Pump and Dumped?

In case you missed it, or were unlucky enough to have invested in it, the previous Pump and Dump scam was for a stock with the symbol BYSD. At the height of the scam it reached about 1.5 cents per share. It shelved at that level for a few hours on the first couple of days it ran, at the end of May, then began tanking, as the people behind the scam sold off their shares. Instead of tripling or quadrupling their holdings, the later investors ended up scamming each other to try to just break even. Eventually, after two weeks, the value is not even listed on the penny stock chart, as it is way below a few hundredths of a cent. All you see is goose-eggs for the value per share. OTC refused to list its value at all because it was being promoted by spam. All you see on the otcmarkets.com reports pages for BYSD is a black skull and crossbones.

People who bought into that scam at a penny would have lost everything they invested and be left with less than half the value. Worse, the stock value of the company itself has been cut in half, leaving them in a financial mess.

Epilogue

Delete scams and spam on sight. If you lack proper rules and filters from browser based email, see if you can convert over to POP3 email, using a desktop email client (program). Windows Live Mail (WLM) is easy to use and offers user configurable spam rules and other means of detecting and routing spam to a junk folder. I use this email client, but set it to not check for incoming messages automatically. Instead, I use MailWasher Pro to screen all incoming email for spam, scams, or malware threats in links or attachments. The bad stuff gets deleted, then I manually download the desired messages to WLM.

Avoid buying or investing in any goods or services promoted by spammers. This is the best way to discourage these criminals, who only persist because many people are still willing to buy the junk they spam out via their botnets. Not buying from them is as effective as shutting down servers and payment processors (which is damn effective!).

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
This weblog is licensed under a Creative Commons License. The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.