It’s no secret that highly-anticipated events like the Super Bowl generate buzz around everything from commercials to merchandise, allowing opportunistic businesses to capitalize on the millions of eyes viewing from around the globe. However, what many folks fail to recognize is the opportunity events like the Super Bowl also create for scammers to generate disingenuous websites and emails to trap people into paying for items they will never see. This year is shaping up to be no different as proven by Barracuda Labs, which has already detected spam for replica jerseys on sale for the 2016 Super Bowl teams via sites such as pantherssuperbowlshop-dot-com and broncossuperbowlshop-dot-com.
A new year may have begun, but the big business of spam is still very present. Barracuda Central has recently detected a new spam tactic that uses Donald Trump’s name and image in make-money-quick schemes. Regardless of political or personal views, Donald Trump is a name that most people know. Spammers are very much aware of this, and are using it to their advantage.
Get-rich-quick schemes are not new to the big business of spam, but the tactics to get recipients to read these spam emails are always changing. Specific to these ‘Donald Trump’ messages, spammers are using these angles of enticement:
- A mainstream name in the media (‘Donald Trump’)
- Words or phrases similar from actual news conferences (‘You’re Fired!’)
- An email alias that disguises the spammer as a Trump or a legitimate news source (ex. CNN, see Figure 1)
Spam is big business all year long, and it never goes out of season. Unfortunately, spammers do kick things into high gear during the fall. This is when people are buying gifts, thinking about how to get money to buy gifts, or opening holiday E-Cards that aren't really from friendly people. Spam tends to increase during this time, just because there's more opportunity when people are in the holiday spirit.
Fall is also the time of year when insurance companies allow businesses and individuals to adjust their health and life insurance coverage. This is known as Open Enrollment, and spammers come out in force to try to take advantage of this well-known event.
Barracuda Central, our 24×7 advanced security operations center, has detected an increase in health and life insurance spam over the last few weeks. We have picked up several hundred examples of these emails since October. These particular spam messages use names of real insurance companies, such as AIG, Fidelity Life Insurance, and Medicare. The messages have generic subject lines such as “Open Enrollment is here!” and “Now is the time to change your plan.” See Figure 1 for example.
So what’s the point of this type of spam? By clicking on the fraudulent links included in these types of scam emails, spammers can harvest information from a recipient like their full legal name, social security number, and credit card information, basically anything you share online. Spammers can identify the users who open these messages, which allows them to create additional emails used for “social engineering.” Social engineering is defined by TechTarget as “a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” Social engineering is one of the biggest threats faced by organizations today, because it takes advantage of human mistakes rather than technical vulnerabilities.
Fortunately there are ways to avoid being victimized by this type of spam message. The most important step you can take is to always double check the sending domain of any email you receive about health insurance. Do not open any insurance-related email that was sent from a domain that ends in “.xyz” or any unfamiliar or strange domain name, like you see in Figure 3. Instead, contact your provider directly and let them know about the email you received and if any action is actually required on your part. By flagging this email to your provider you might just help alert them to block this particular piece of spam and subsequently save an innocent user from being exploited.
Barracuda Labs has covered quite a few topics related to how scammers are profiting from spam related tactics, to read more in our Big Business of Spam series, check out the following posts:
- The Big Business of Spam: What Caitlyn Jenner Uses to Prevent Wrinkles and Stop the Aging Process
- The Big Business of Spam: Stay clear of these “too-hot-to-miss” sale opportunities from your Facebook Friends
- The Big Business of Spam: Adulterers beware, scammers may be targeting you
- The Big Business of Spam: Online Dating Requests Through Email – Not So Fast
Meeting people online has never been easier, unfortunately for some people, falling for that perfect connection may not be the only thing they are falling for these days. Online dating scams are quickly becoming a likely possibility due to the giant audience attracted to online dating sites. It’s no secret that scammers target large audiences, and according to an article published on Match.com, there are currently over 40 million people trying to meet that special someone online. So, how can users avoid falling victim to an online dating scam without dumping the scene all together?
One way is to remain aware that any email you receive regardless of the topic – could be a scam in disguise. For example, through Barracuda Central, the Barracuda Labs team recently flagged and dissected a series of factious emails from scammers attempting to impersonate a missed connection from a dating site. These scams are banking on the potential that the recipient has an online dating account in order to bait them into replying to an offsite message. This particular email scam suggests that the recipient email them directly so they can get to know each other, which is simply a tactic used in order to bypass spam filters. Here is one of the messages we came across:
As you can see, this particular message is written poorly which should always raise a red flag, and if the recipient takes action and replies, the scammer's sob story quickly follows in hopes to earn the trust of the victim. Eventually these communications will lead to a request for the victim to wire money, which will be withdrawn from their bank account immediately and into an offshore account – where a refund is far from likely. Not only will your wallet be empty, your heart may be broken along with it, and you’ll be well on your way to a number one hit on the county music charts.
Not your idea of a good time? Fortunately, it might actually be easier to avoid these types of scams than to fall for one if you know how to stay safe. Based on the messages we’ve seen come through, scams similar to this one seem to be targeting men over 18, but that doesn’t mean you’re off the hook if you don’t fit that demographic. To keep yourself out of harm’s way when it comes to online dating and related email scams, take the following precautions:
- Don’t reply to emails from a “missed connection” or to someone claiming to want to get to know you better through email – they most likely aren’t your soul mate.
- When participating in online dating, keep your initial communications with connections through the dating site. You signed up to meet people – let them help you do that.
- If you’re suspicious of any email, regardless of topic – don’t open it, reply to it, or click on any links associated. Better safe than sorry.
Barracuda Labs has covered quite a few topics related to how scammers are profiting from spam related tactics, to read more in our Big Business of Spam series, check out the following links:
As you have probably heard by now, a group of hackers who call themselves The Impact Team recently breached the systems of Avid Life Media (ALM), and stole sensitive data from AshleyMadison.com. The group has since published a large cache of data that includes personal information from members of the site, and are making that data available online for download. To make the situation worse, opportunistic scammers are looking to capitalize on this unique opportunity for a financial gain of their own.
To start, the scammers will send phishing emails suggesting that they have information on the recipient that will expose them as an AshleyMadison user. The scam methods they’re using are quite simple and common, yet highly effective when used as a scare tactic like this. Spammers often buy full lists of verified addresses (email addresses in this case) after a large breach, then target and attempt to solicit the users.
Here’s how this particular scam works:
An unsuspecting user will get an email titled – “Recent data leak, your details are there!” (image below)
Once the user opens the email, they will see a note that implies that their personal information has been leaked along with the other 37 million people. At the end of the note, they are directed to click on a link that will direct them to a page that offers services from UnTraceMe. From there, they are directed to pay a fee of $19.95 to get their information secured and removed. (image below)
After a spooked user agrees to pay the fee and clicks on the link provided, they are then directed to use a PayPal-like site to pay the fee and “secure their information.” (image below)
What folks don’t know is that the leaked data can be retrieved by just about anyone, and will not disappear no matter what ransom is paid. At this time, Barracuda Labs has blocked over 1000 emails similar to the one imaged above, and depending on the monetary success that the spammers receive, the prices will likely increase as users rush to clear their names.
It is important to follow best practices when receiving emails from unknown users. If you aren’t sure where the email is coming from, it’s always best to:
- never click on links in the body of an email
- never download attached files
- be cautious of strange subject lines
For more information on the Big Business of Spam, check out the links below
We’ve previously warned about deals that are too good to be true (https://barracudalabs.com/2015/05/the-big-business-of-spam-dr-ozs-brand-new-trick-to-shed-27-pounds-in-just-one-month/) – and with summer in full swing, the Barracuda Labs team has seen more and more false domains like (rb-to.com, raybanglassesofhot.com and summer-raybans.com) popping up in feeds and social media timelines. Our Labs team ran a background check on the domains and many of them appear to be registered in China, including the domain listed above.
While browsing your Facebook or Twitter timelines, you may have come across “sponsored ads” that seem too good to be true. Most can be spotted immediately and swiftly ignored; however, you may have been tagged in a post or received a message on your personal timeline posted by a friend, directing you to a killer sale. See figure 1 for an example.
The example above shows an ad for Ray Ban, a popular sunglass retailer whose classic sunglasses range from $155 to $200, that looks as though it was shared by a regular user or even a friend on Facebook. The ad targets unsuspecting consumers looking to score the name brand sunglasses for up to 80% off.
The idea here, like any scam, is to entice unknowing consumers to jump on the hot deals and “buy” the Ray Ban’s at such low prices. Once the links are clicked on, the consumer is redirected to what looks like a legitimate discount website that is offering deals with up to 80% savings on multiple styles, see Figure 2 and Figure 3 for examples.
The phisher hopes that the deal is too good for the consumer to pass up and engages in purchasing the product. Here, the phisher is hoping the consumer will enter their personal data like first and last name, emails address, personal home address and credit card information, to then flip and sell to third parties.
It is always smart to use best practices when shopping online. Here are a few tips:
- Do a bit of research and go directly to the name brand website to see what offers are on the official website
- Look for plain websites as a warning, as they are quickly put together with minimal tabs and functionality
- Look for poor grammar and misspellings; because these fake sites are so quickly put together, often times spell checking isn’t their highest priority
Barracuda Labs encourages – if you do get tagged in an ad like this or find it posted to your wall – immediately untag yourself and delete it from your wall so you can avoid letting your friends or family members fall victim to the scam as well.
For more resources on the Big Business of Spam, you can see previous posts here:
The cover for Vanity Fair’s July 2015 print issue was publicized on the Vanity Fair website June 1, and revealed the newly transformed, Caitlyn Jenner. The cover photo went viral reaching over 46 million people across Vanity Fair’s website and social media – with the internet virtually exploding. Jenner even beat President Obama’s record for reaching 1 million Twitter followers in just under five hours.
With Jenner’s name in the headlines this week, it’s no surprise that spammers have jumped on the opportunity to try and use her likeliness to trick users into visiting sites to push beauty products in hopes to gain monetary value.
So far, we’ve seen over 100K samples and variants of spam emails using Caitlyn Jenner as the lure to get people to click on compromised links. The emails all have different subject lines, but include the same content in the email body. The spam appears to be coming from possible compromised machines, most of which trace back to IP addresses in the United States.
Figure 1 below is an example of the emails that are being sent out in large quantities, hoping to entice users into clicking on spammy links. The embedded links in the email titled “Caitlyn swears she just used this” and “Here is what went down” redirects users to the following website –
http://www.goodbodyhealthtips.org/index.php?aff_sub=1394&aff_sub2=190076&aff_sub3=1021342e9d6b955d9a9c66e5ed3293 (labeled “wrinkle miracle”) – that pushes an anti-aging facial cream to prevent wrinkles, revealed by Dr. Oz called Dermakin Anti-Aging Cream.
As shown in Figure 2 below, once on the page, the user will see the headline “Revealed by Dr. Oz! Jen’s Closely Guarded Secret For A Wrinkle Free Face” that is said to be featured in Yahoo!, Woman’s Day, VANITY FAIR, TIME, People and Aol.
Figure 3 below shows that while on the page, the user will see “before” and “after” photos of stars like Ellen DeGeneres, Katie Couric, Goldie Hawn and Barbara Streisand who have allegedly used the wrinkle cream.
At the bottom of the page (see Figure 4), there is a “limited time offer for readers” and an expiration date of June 3, 2015. The spammer’s hope is that the recipient will click on the prompt titled “Click Here to Get a Bottle of Dermakin Anti-Aging Cream” to purchase the product, sharing sensitive information in the process.
Below this ‘special offer’ the spammers have posted fake Facebook comments to make the product appear even more real, (see Figure 6).
The above tricks used by spammers to fool unsuspecting consumers are not new. We’ve recently seen the likes of Dr. Oz and Rachael Ray being used to promote a weight loss pill that promises to melt fat away – https://barracudalabs.com/2015/05/the-big-business-of-spam-dr-ozs-brand-new-trick-to-shed-27-pounds-in-just-one-month/.
Unfortunately, this is another example of how scammers are building a big business around the use of various spam techniques. As a natural rule of thumb, it’s probably best to keep in mind, that if it sounds too good to be true, it most likely is. Users are protected against this type of email spam with Barracuda Spam Firewall and Barracuda Email Security Service. For more in this Barracuda Labs blog series, The Big Business of Spam, please visit:
For more education on how to keep safe from these types of emails, please visit: Barracuda Central
Additional blogs around the topic –
According to reports from ABC Australia (http://www.abc.net.au/news/2015-05-11/new-computer-ransomware-encrypts-files-asks-for-up-to-1000/6461606) a new crypto ransomware threat is circling Australian’s email inboxes.
You probably remember the Cryptolocker Trojan, as it is one of the scariest bits of malware we’ve seen in a while. Cryptolocker is ransomware that restricts access to a victim’s files until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not release access to the files. Read more about Cryptolocker in this blog post, https://blog.barracuda.com/2014/01/09/are-you-prepared-for-cryptolocker/
This latest version of Cryptolocker takes on the branding of the late, great, popular tv show, Breaking Bad. It uses the “Los Pollos Amigos” name, which is the restaurant that provided money laundering and was the base for other functions on the show.
The ransomware also links to a video that shows victims how to use bitcoin, which was likely included to help the victims pay the ransom. Researchers believe that the ransomware is spread via email, and downloaded through an infected zip attachment. Barracuda Email Security Service and Barracuda Spam Firewall customers are protected from these types of emails.
Ransomware a is particularly sinister attack, because it forces you to interact with the criminals in order to get access to your data. This particular version even includes the phrase “the one who knocks” in the email address, which is just insult added to injury for those who are familiar with Breaking Bad.
Most of you reading this blog are IT pros, so you already know how to deal with malware, and you’ve probably already heard of Cryptolocker. This Breaking Bad version gives you a good opportunity to revisit your Cryptolocker defense plan, including security software, your backups, and the overall state of your network. Are your users protected from malware, and ransomware in particular? Is there anything more you can do?
If you are battling a budget crunch and you need help selling the decision makers on solutions, consider adding Cryptolocker to your talking points:
- Even police departments and governments are paying the ransom
- Untraceable bitcoins are required for payment, meaning effective legal action and loss recovery are very unlikely
- There is a $100 make-your-own-Cryptolocker kit, opening the ransomware market to pretty much anyone. The Malware Must Die blog has an extensive and updated post on this here – http://malwaremustdie.blogspot.in/2014/01/threat-intelligence-new-locker-prison.html
- Cryptolocker designers are modifying their business model to remain an effective an active threat.
Additionally, consider adding the following Cryptolocker defense kit:
- User education on spam and phishing attacks
- Regular monitoring of the types of traffic on your network
- Regular backups that are kept off-site
- Proactive patch management
- Good antivirus software that can provide real-time scanning
We reported on another version of Cryptolocker a few months ago, here. https://barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/
Cryptolocker isn’t going away anytime soon. Secure your threat vectors, protect your data, and follow best practices, to ensure that you are not a victim.
Tragic events such as the 7.8 earthquake that hit Nepal last week has brought a tremendous outpouring of help from countries all over the world. Unfortunately, it has also been used as a ploy to try and dupe users into falling for monetary scams.
Spammers looking to capitalize on the best intentions of others have begun their campaign of deception by following a well-known scam known as “419,” a scam that promises a victim a significant amount of money, but only after a payment has been made to ‘verify the identity' of a would be victim. Online versions of the scam originate primarily in the United States, the United Kingdom and Nigeria. The number “419” refers to the section of the Nigerian Criminal Code dealing with fraud.
Once the information is given, the next steps of collecting the relief fund are then sent. The potential victim is instructed to send a wire transfer fee via Western Union to receive the funds that have been promised to them. Sadly, this isn’t the case and victims are left with their money and sensitive data in the hands of scammers.
The FBI has set up a phone number (866) 720-5721 to report any such instances of this and more information regarding these types of attacks as well as good information to stay safe can additionally be found here: http://www.fbi.gov/sandiego/press-releases/2015/fbi-warns-public-of-disaster-scams.
This is yet another example of how scammers are building a big business around the use of various spam techniques. Yesterday we shared with you a scam in which spammers are using the recent Bruce Jenner interview as a way to drive users to potentially malicious websites that sell weight loss drugs. As always, we recommend that no unsolicited donations be made or sensitive information be shared online with persons that are not familiar. As a natural rule of thumb, it’s probably best to keep in mind, that if it sounds too good to be true, it most likely is. For more in this Barracuda Labs blog series, The Big Business of Spam, please visit: https://barracudalabs.com/2015/04/the-big-business-of-spam-bruce-jenners-untold-confession-and-allegations-of-abuse-of-the-kardashian-sisters/
For more education on how to keep safe from these types of emails, please visit:
Additional blogs around the topic –
The rise in third-party affiliate spam that markets pharmaceutical products is one of the more alarming trends we have seen. In fact, we have seen pharmacy spam increase 20 percent so far in 2015 compared to what we saw in 2014. Although the products are legal for purchase and use, they have not been vetted or approved by the FDA. This presents a double risk for victims: the dubious business practice may result in financial loss and identity theft, while the use of the product may result in a serious health problem.
In this blog series, The Big Business of Spam, Barracuda Labs will explore the various business opportunities created using different spam techniques.
The media has covered the Bruce Jenner special with Diane Sawyer more than it has covered the recent tragedy in Nepal, where a magnitude 7.8 earthquake hit, taking the lives of over 4,000 people. That makes it a perfect topic for spammers, who are always willing to take advantage of a positive story about personal triumph and use it to steal from curious readers.
Spam using various subject lines such as ‘Kardashians beaten by Bruce Jenner’ and ‘Bruce Jenner posts naughty photos of Kardashian sisters’ have been distributed with links that redirect consumers to a website for pills with the extract Caralluma, a plant from India that is often used in the suppression of appetite.
[Spammers often use celebrities to promote products in hopes to make them look more legitimate to consumers.]
Barracuda Central has detected over 750,000 instances of these emails being sent from botnets and individually infected hosts around the world. These emails lead to several different domains, which all lead back to a single purchase page for Caralluma. This attack is similar to the recent Pope / Neuroflexyn email, in that it uses sensational topics and spam to market what appears to be a legitimate product (https://barracudalabs.com/2015/04/the-pope-makes-shocking-admission-he-takes-pills-for-what/).
In this case we have not yet observed infected attachments, phishing attempts, or drive-by downloads. However, spam is a big business, and the business will adapt to ensure maximum profitability. If it is more profitable to try to infect hosts while also selling Caralluma, that is exactly what they will do.
We encourage users to purchase only from legitimate companies that fully disclose the ingredients of their products. Additionally, we encourage everyone to refrain from doing business with companies that allow spammers to market their products.
The reality is users remain one of the biggest threats to a network, as well as its greatest ally. Education is critical to ensuring that this type of email does not result in an infected host and compromised network. Caution should be taken any time a user receives a solicitation for a product, especially if the email uses a sensational subject line to entice curiosity.
Customers using the Barracuda Spam Firewall or Barracuda Email Security Service are protected from these emails.
For more education on how to keep safe from these types of emails, please visit the following pages:
Barracuda central – https://techlib.barracuda.com/display/cp/barracuda+central+operations+center
Additional blogs around the topic –