The IT Nerd

Another day, another scam. This one involves the CRA or Canada Revenue Agency. It is delivered via text message and looks like this when it hits your phone:

I left the phone number in place so that you can compare it to this screenshot if you get a text like this. Some comments about this text:

• The CRA will never contact you in this manner. For more details about how the CRA might contact you, this link will help you with that.
• I replied HELP and a web link immediately appeared. That implies that this is an automated scam and suggests a high degree of skill from the scammers.
• The phone number originates from Central Michigan based on the 989 area code. Which should make you think that this is a scam.

If you click on the web link, you see this:

There was actually a captcha present. I am guessing that this is here to add to the impression that this website is legit. Another sign that these scammers have some skill. Next up is this:

You’re prompted for your social insurance number. And the website that you’re sent to looks very much like the actual CRA website. Thus I can see how people might be fooled by this. But if you look at the URL at the top of screen, it’s clearly not a Government of Canada web site. Here’s a closer look:

This is clearly a scam based on this URL. But I wanted to dig into this more, so I entered a bogus number that was nine digits in length. That’s important as social insurance numbers are nine digits long and this is what I got:

The spinning wheel that you see here is the same behaviour as the actual CRA website. Again, this suggests a high level of skill from the scammers. Though I do note that it doesn’t seem that they are validating the number that is entered. That implies that grabbing social insurance numbers is not the scammers end game.

You are then take to this page:

Clearly this is the end game for the scammer which is to steal your banking details. I picked my bank which is CIBC and got this:

Another sign that this scam is run by people who have a high degree of skill is that this website looks just like the CIBC website. Though that falls down a bit because the URL at the top has not changed. You would think that it would go to something with “CIBC” in it. But it doesn’t. #FAIL.

The skill of the scammers is highlighted by this when I tried to enter a bogus card number:

This website actually checks for the validity of the card number. I have to give it to whomever who is behind this scam. Unlike most of these scams where they don’t do any of this, these guys are trying to get accurate info so that they don’t waste their time capturing bogus card numbers and passwords. That way they are more likely to score in terms of being able to drain bank accounts. If they also get a valid social insurance number, that’s a bonus.

Because of this, I wasn’t able to go any further to investigate this scam. But it shows that these scams are getting better and better. Which means that you need to really have to have your head in the right place to avoid getting scammed. Thus consider yourself warned.

The scumbags that want to use nefarious means to separate you from your money clearly aren’t taking this Mother’s Day off. I say that because I just got this text message on my iPhone:

I have left the phone number in so that if you get this text, you can compare it to my picture. Though the scammers may change this at any time. In any case, it claims to be from Scotiabank, but it’s not really from Scotiabank as the website that the text is asking you to go to is “myscotia-mobilealerts.com” which isn’t a domain that Scotiabank would ever use. In fact, if you do a Whois lookup on the domain, you get this:

The scammer has used a service called Privacy Guardian to hide their identity. Scotiabank (or any other bank, company, etc) would ever do that. That’s a big hint that this domain isn’t legitimate. Also if you look at the creation date, it was created a few days ago. Another big hint that this website isn’t legitimate as companies have domains for years and not days.

Because I like to go down the rabbit hole in order to educate my readers on how to avoid these scams, I clicked on the link, which is something that you should never do, and got this:

This has phishing scam written all over it. As in you put your bank login details into this website and the scammer then uses them to steal everything out of your bank accounts. The questionable grammar is the next big hint that this isn’t legitimate as companies take the time and effort to get that right, and scammers don’t. Take this for example:

Sent to [you]? #Fail.

Going further down the rabbit hole I get this when I click on “Verify Account”:

This is a very, very good replication of the actual Scotiabank login page. You can compare the picture above to the actual Scotiabank login page by clicking here. Clearly this is where the scammers invested their time and effort.

I didn’t go any further as it is clear that this is a phishing scam. As usual, I’ll be alerting Scotiabank to this so that they can take action against the scammers however they can. In the meantime, this is proof positive that you need to have your head in the came by constantly being on the look out for scams like these. Because they can literally come from anywhere and if you’re not careful, it could cost you a pile of money.

I use Apple Pay a lot either via my iPhone or my Apple Watch as I feel more secure about using it versus using my physical debit or credit card. But apparently this is a great way for scammers to go to town as Vice is reporting. And this doesn’t just cover Apple Pay, but Google Pay, and Samsung Pay as well:

Recently criminals have started using bots that automatically place phone calls to victims and trick people into handing over their multi-factor authentication codes. Now, various fraudsters selling access to these underground bots are highlighting a particular money making scheme: using the bots to link stolen credit cards to contactless payment systems like Apple, Samsung, and Google Pay and then buying items at the victim’s expense. 

And:

The Telegram posts don’t explain explicitly why fraudsters may see Apple Pay as a preferred option when using multi-factor authentication bypass bots. But when a scammer adds a debit card to Apple Pay, perhaps using stolen card details they’ve purchased online, the scammer does not require the card’s PIN or the physical card itself to start spending the victim’s money. The contactless payment system, in a way, bypasses the need for the PIN or the physical card by creating another avenue to use the stolen card details. When using Apple Pay, a cashier does not see the name that would be present on the physical card and doesn’t ask for identification from the buyer.

Coincidentally, Kevin Costain got a call from someone at “Amazon” who wanted to get remote access to his phone. He decided to record it and Tweeted about it:

This makes we wonder if this is part of the same scam.

Chris Olson, CEO of The Media Trust has this comment:

“Malicious actors have a tough time using the credit card numbers they steal through Web and mobile attacks; the usual way is to sell those numbers in bulk through DarkNet markets or use them to acquire gift cards that can be redeemed for goods. Mobile bots like the ones described by Vice provide them with yet another way to use financial information, and it’s not the first-time mobile payment features have been abused – through PayLeak-3PC, hackers were also able to initiate attacks directly through Apple Wallet. Consumers and businesses alike need to be more conscientious of mobile devices as threat surfaces.”

My advice is that neither a bank or “Amazon” will call or text you for a multi factor authentication code, and it shouldn’t be shared with anyone else. Regardless, clearly this is another example as to why you have to be vigilant at all times as clearly the bad guys are out to get you.

Frequent readers of this blog will know that one of the things that I like to do is not only investigate scams, but when possible expose them so that you know what the bad guys are doing, and that the bad guys are less effective at scamming you. Yesterday, something very interesting hit my inbox, and I would like to detail it to you. It all started with this email:

Now right off the the top, this screamed scam to me. And my first thought about the Word document at the bottom right is that it was booby trapped with some sort of malware. But in the interest of science, I started poking around. First there was the email address it was sent from:

I Googled that and it came back as a legitimate address related to the New Delhi Police and their cybercrime unit. Here’s an example of what I found:

So at first blush, someone might be taken in by this and think that this was legitimate. But I was pretty sure it wasn’t. So I decided to dig further. I opened the attachment in a virtual machine so that if it had some sort of malware, it wouldn’t affect me. And I found this after determining that this Word document was not booby trapped:

A couple of things on this. First they did not include “our press clipping”. Which if they did, it would have tried to add some legitimacy to this. The second thing is that they say that my “contact details were found in their system” during their raid. If that is true, should they not be referring to me by name seeing as they have my details instead of sending me a very generic letter? That was kind of odd.

Having said that, I decided to go down the rabbit hole further by Googling “Insp. Manoj Kumar”. That actually brings up a real police officer in the Delhi police that works in the cyber crimes group. That was interesting and I’ll get back to Insp. Kumar in a bit. I decided to do some further research and found some news articles like this one that detailed a raid last summer that almost precisely fit the description of what this Word document was talking about. In short, it seems like the Delhi Police took down a pair of call centers that were scamming Americans.

I was beginning to think that this could be real unlike 99% of the things that I look into. And doing a whois lookup on the domain that the email came from yielded some interesting results. It came back as being legitimate as I compared them to other Indian Government organizations, all of which had the same registration details with the same registrar.

So to really get to the bottom of this, I called “Insp. Manoj Kumar” and I got him on his mobile phone to have a brief conversation with him. He claims trying to get to all the victims of the scam call center that the Delhi Police raided. He asked me a few questions without asking for any personal information. And I should note that the phone I called him from wasn’t broadcasting my caller ID. So there would be no way for him to call me back. He acted very professional during our entire conversation.

So what I am left with? It appears that this who episode is legitimate. But I am not 100% convinced of that just yet as I am cynical by default. After all this could just be a really sophisticated scam where the scammers have gone to great lengths to ensure that they can take advantage of as many people as possible. Thus I have reached out to Delhi Police for additional commentary. Hopefully they get back to me quickly so that I can update you on this.

Stay tuned for more.

Today’s scam alert revolves around an email that you might get that claims to be from Shaw:

Now, let’s ignore the fact that I am not a Shaw customer for a second. Which should be the first sign that this is a scam. And let’s ignore that this was sent directly to me, which makes it a targeted scam that concerns me a bit. And finally let’s ignore that the last sentence is grammatically incorrect (“please make payment immediately”) the big hint that this is a scam is this:

When I hover my mouse over one of the links, it comes back with this. Which could be a redirect to a website to steal your credit card details, or a means to download malware of some sort. I don’t know and I don’t care as I am not going to click it to find out. The bottom line is that it is not https://signin.shaw.ca which is Shaw’s account page. So this is a scam. Guaranteed. That means that if you get one of these emails, your best route is to delete it and move on with your life. Oh yeah, don’t click on any links either.

I will be alerting Shaw to this just in case they are not aware of this scam and hopefully they will get the word out to their customer base as they are clearly being used to scam the unsuspecting.

UPDATE: There’s one other sign that this is a scam:

This is the email address that the email came from. That’s not Shaw. Thus it’s a big red flag that should tell you that this is a scam.

UPDATE #2: Shaw replied to this rather quickly with some good advice and a request. First the advice:

Hey there. Thanks for taking the time out to share this with us. Please do not click the link or reply to the email. Shaw will never request for you to confirm your personal information unsolicitied by email. We are aware of a recent influx of phishing emails and appreciate you letting us know. Of course Shaw will never request account or personal details via email.

They also requested that I send the email and the headers to their Internet Abuse department. Hopefully they can use that info to do something about this scam.

Today I had to jump into a situation where one of my clients got this email from someone claiming to be Geek Squad:

She called the number and when they started to ask about the passwords to her Google accounts, her credit card info, and some other personal info, she hung up. Then she phoned me.

Good call as this is a scam. Ignoring the fact that the fonts and the logos are not consistent with the Geek Squad brand, that this seems to clearly come from someone with a South Asian background (based on words like “queries” and phrases like “continue taking our service” and “for the last one year”) as that’s where these scams often originate from, and the lack of use of a toll free number, there’s these other telltale signs:

If you look at the From address, it is sent from a @gmail.com address. Best Buy who owns Geek Squad would never, ever use an @gmail.com address to send anything. The second thing is that this is not addressed to the end customer. Based on the To field, It is addressed to dearcustomer@geeksquad.com. Again Geek Squad would never do this. That implies that this is a phishing attempt. As in they send this email to hundreds or thousands of people hoping that 1% fall for the scam. Because a scam doesn’t have to be successful in volume to be successful. 

Thus if you get one of these emails, ignore it, delete it, and go about your day.

If you’re a customer of Scotiabank, and even if you’re not, there’s a new email scam that is making the rounds. Let me break it down for you:

Let’s start with the email address. Clearly this isn’t a Scotiabank email address as their domain is “scotiabank.com” as far as I know. Thus this alone should say to you that this email is a phishing scam. But let’s go further down the rabbit hole. Reading the email itself shows the typical poor grammar that phishing emails typically have. But ignoring that, it’s just generally not written well. And of course it has the typical threat that if you don’t do what this email says, access to your bank account will become “restricted”.

In the interest of science, I clicked on login from my iPhone and got this:

If you look at the website, this is not Scotiabank as the domain isn’t Scotiabank.com. Again validating that this is a phishing scam. For fun, I typed in a bogus card number and password. It then took me to this page:

Apparently I have to choose some security questions. They have some pre set ones that you have to choose from that I suspect match what Scotiabank does. And you can see that I had some fun with this as I suspect that this is more information gathering on the part of the scumbags behind this scam. When I save this info, it kicks me back to the login page. Presumably because they have all the info that they need to pwn your bank account. Crafty and moderately sophisticated.

I’m passing all this info along to Scotiabank so that they can take action. Hopefully they respond in a manner that protects their customers. Unlike my experience with TD in terms of reporting a scam that involved them. I’ll keep you posted on that.

I recently posted a story on an email scam that claims that you did a hit and run and that you needed to call a number to sort things out. Which means that you’re handing over money to a scammer. Well, the same person who tipped me off to this scam got another email from the same scammers. But the email is different. Let me show you the email:

Let’s dissect this scam email:

• Even though I redacted the email address, it comes from a gmail.com account. No business would use a gmail.com account. That’s your first hint that this is a scam.
• The email uses the recipients name. So it is targeted.
• The English is pretty bad. Another hint that this is a scam.
• The name of the insurance company has the word “Insurance” twice. #Fail.
• The date of the supposed accident in the subject line is different than the date in the body of the email. #Fail
• They threaten to send your info to the cops. Which is meant to make you call them.

And just like the last scam email, my attempt to call the number (which is different than the last scam email that I wrote about) to find out how they perpetrate that scam while blocking the number that I was calling from failed with an immediate hang up. So this suggests that this is from the same group of scammers as they clearly want to grab your number.

The bottom line is this. Clearly this scam is an active one. You need to keep your eyes open to make sure that you don’t become a victim. Thus if you get one of these emails, delete it from your inbox and move on with your day.

Another day, another scam. Such is life at the moment. This scam starts with an email that hits your inbox claiming that you did a hit and run and they have evidence of that. And if you do not call them, they will rat you out to the authorities. Here’s a copy of the email that was forwarded to me:

Here’s why this is a scam:

• The grammar is rather bad. Typically this is the first clue that this might be a scam
• While I did redact the sender’s email address, it was a gmail.com email address. No business would ever use a gmail.com email address.
• If you look at the section where they give you a number to call, it says “= +” right before the phone number. Clearly a typo.
• The date of the alleged incident is 9/12/2021. As I type this the date is 7/27/2021 which means that somehow this accident occurred in the future.
• It encourages you to phone or they will rat you out to the cops. Which I am guessing that the scammer is hoping that you’ll call to say that this isn’t you. Which in turn they will badger you into paying up after sucking up your personal information.
• A Google search indicates that LLP Insurance is a real Insurance company located in the Greater Toronto Area. But not with a number that starts with 313. However, searching the phone number indicates that this number has been used in scams previously.

So I will give the scammers points for using a local insurance company to front their scam. And I will also give them points for trying to use the name of their potential victim to social engineer their way into getting paid. But in the interest of trying further figure out what these scammers were up to, I did try to phone the number using a call display block and I did get some upbeat elevator music. But then the call hung up. Likely because I was blocking the number that I was calling from. I suspect that the scammers want to capture the number that you’re calling from so that they can harass you into paying them.

In any case, this is clearly a scam that you need to avoid. Thus if one of these emails hits your inbox, delete it and go about your day.