Archive for Scam

TD Appears To Have Stopped A Text Message #Scam That Was Targeting Their Customers

Posted in Commentary with tags on October 15, 2022 by itnerd

There’s been a long-running text message scam that has been targeting TD customers that appears to have plenty of steam as I am still getting emails and messages about that scam. Plus there’s a second text message scam that I discovered that also targets TD customers. Though this one isn’t as pervasive as the first one. Well I’m sorry to say that there’s now a third text message scam that you have to be on the lookout for. Here’s how it works. You start with receiving this message:

I’ve redacted the phone number of the person who sent this to me. But the premise of this scam is that your TD account is locked and you need to unlock it. If you reply “Yes” to this text, you instantly get a link that you should click on. Which by the way you should never ever do. But I am going to because I want to show you what happens next. But before I do, you’ll note that there’s a URL in it that says web-recovery1.com which is not a TD bank controlled domain. That’s the big hint that you should delete this text right away.

However there is good news in this. It appears that TD has stepped in and stopped this. When I tried to go to web-recovery1.com, it was redirected to TD’s website. Thus this kills this scam in its tracks. Thus I will applaud TD on doing this as they are taking scams like this seriously. Something that I have criticized them for not doing in the past. Hopefully this continues as it is in their interest to protect their customers from scams like this.

Good on you TD!

A Canada Revenue Agency #Scam Has Returned… Let Me Tell You About It

Posted in Commentary with tags on October 14, 2022 by itnerd

Canada Revenue Agency scams are very popular with threat actors as they are likely to ensnare people who receive some sort of government assistance via the Canada Revenue Agency. And this scam is no different as it has returned from the grave apparently. Let’s start with the email that you get from the threat actors:

So the email claims that you’re going to get $235.00. Or as the threat actors who clearly don’t have the attention to detail say, 235.00$. Then there’s also sentences like “Please click to The link below to receive your money”. Poor grammar like this is the hallmark of scams.

But what got my attention is the link that they refer to. It says http://www.interac.ca. But it isn’t when you inspect it closely.

You can see that they’ve embedded another web page address. This is meant to fool you into clicking the link as you will think that this is a legitimate web page. By the way, you should never ever click links like this. But I’m going to so that I can see the scam in action.

The link in the email forwards you to another link which takes you to this website where you’re supposed to pick the financial institution that you deal with. Thus the scam is trying to grab your banking details so that the threat actors can drain your bank account. And what’s interesting is this:

On top of being able to just pick your financial institution above, you can make a choice below. That implies that the threat actors put some time and effort into this. Though as I will show you, it starts to fall apart a bit here:

When I pick CIBC, I am presented with this. Which isn’t even close to what the actual CIBC website looks like. And if you look at the address bar, it clearly isn’t the CIBC website. But one clever thing that the threat actors did is this:

They fake a two factor authentication setup to make you believe that this is the legitimate website. Which it is not of course. And at this point the threat actors are using the login information that has been provided to drain the bank account that is connected to it dry. And the thing is, this isn’t the first time I’ve seen this scam before. I covered this just a few weeks ago. Thus the same threat actors have returned which means that my advice is the same. If you get an email like this, delete it and move on with your life.
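The mismatch described above, where the link text reads http://www.interac.ca but the underlying address is something else, can be checked mechanically in an HTML email body. The following is an added example, not code from the original post: the sample HTML is constructed, `redirect.example` is a placeholder destination, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname-looking token inside visible link text, e.g. "http://www.interac.ca".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._parts = []

    def handle_data(self, data):
        if self._href is not None:
            self._parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._parts).split())
            self.links.append((text, self._href))
            self._href = None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(shown, actual):
    """True if the real host is the displayed host or a subdomain of it."""
    shown, actual = _strip_www(shown), _strip_www(actual)
    return actual == shown or actual.endswith("." + shown)


def find_mismatched_links(html):
    """Return (text, shown_host, actual_host) for links whose text names one
    host while the href points at another."""
    collector = _AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue  # text like "Click here" shows no address to compare
        try:
            parts = urlsplit(href.strip())
        except ValueError:
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # mailto:, tel: and relative links are out of scope here
        shown, actual = match.group(1).lower(), parts.hostname.lower()
        if not same_site(shown, actual):
            findings.append((text, shown, actual))
    return findings


# Constructed sample body; redirect.example is a placeholder destination.
SAMPLE_EMAIL_HTML = """
<p>Please click to The link below to receive your money</p>
<a href="http://redirect.example/r?id=1">http://www.interac.ca</a>
<a href="https://www.interac.ca/en/">www.interac.ca</a>
<a href="http://redirect.example/r?id=2"><b>Click here</b></a>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print("link text shows %s but goes to %s" % finding[1:])
```

The comparison is on hostnames only, so a link whose text shows no address at all (the “Click here” case) is not flagged and needs a separate check against the sender’s claimed brand.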

There Is A Sophisticated Parking Ticket Phishing #Scam On The Loose In Ottawa

Posted in Commentary with tags on October 14, 2022 by itnerd

If you are a citizen of Ottawa, Ontario, you need to be aware of a parking ticket scam that is making the rounds. And this one is good from a scam research standpoint. Here’s how the scam works:

  • You receive a text message that addresses you by your full name, telling you that you have an overdue parking infraction and providing a URL to “ottawa-parking.ca” or “nfractionottawa.ca”, both of which have been taken down as I type this.
  • This is where it gets good. While it was still live, it was an exact replication of Ottawa.ca and even links back to the legitimate website for paying “parking tickets”. That shows that the threat actors spent a lot of time and a lot of effort to pull this scam off. This screenshot was captured from the scam site before it was taken down.

The goal of this scam is to get your credit card details. And the threat actor behind this appears, based on my research, to be someone who has tried similar scams in Toronto and Vancouver. It just seems to be Ottawa’s turn. And the fact that it’s been taken down twice and has reappeared means that the threat actor isn’t done with Ottawa yet. Not to mention that they will move on to other cities.

The good news, Ottawa is getting the word out to warn residents about this scam. Thanks to a reader for sending this over:

My advice is as follows: If you get a text message that claims that you owe some money for a parking infraction, you should ignore it. Full stop.

A New UPS #Scam Is Making The Rounds… And It Is Somewhat Dangerous If You Fall For It

Posted in Commentary with tags on October 13, 2022 by itnerd

A reader sent me a scam email that he received which uses courier company UPS as a lure to suck you in. Here’s the email in question:

So unlike the last UPS scam email that I covered here, the threat actor behind this is trying harder to make this more convincing. Though the lack of proper punctuation, missing capital letters in sentences, and only marginal grammar make it clear that this is a scam email. And there’s the fact that the logo in the top left says “ips” and not UPS. Plus the email address indicates that it didn’t come from UPS. The net result is that all of this should make you delete this email the second you get it. But the threat actor has an interesting setup if you click “Check Here” which by the way, you should never, ever do.

You get taken to a website that if you look in the address bar, isn’t UPS. That’s a red flag. The use of the same colours as UPS is meant to make you more likely to get sucked into this scam. It kind of falls apart with the words at the top “[1] Reward Pending – Shipping Survey – We Want Your Opinion!”. That suggests to me that they’ve used this website in another scam.

For giggles, let’s click confirm and see what happens.

Well, it claims that I have to schedule my delivery, and it gives a tracking number that isn’t a UPS tracking number. So I’m going to schedule this mythical delivery.

Apparently I owe some money for customs. The fee that is being quoted is way under what UPS charges for anything customs related, which is another red flag. But I am guessing that the threat actor is expecting you not to know that. Let’s continue down the rabbit hole:

Now this is a sign that this threat actor is really trying as they created this whole menu map to have you select your delivery preferences. That’s clever.

So according to this, I’ll get my mythical package in three days. Let’s see what happens when I enter my delivery information.

Okay… This is a bit weird. I’m not trying to claim my offer. I’m trying to get a package delivered. This underscores that this threat actor has likely recycled parts of this website to pull this scam off. I decided to have a bit of fun with them:

I wonder if the threat actor will understand that the phone number is a song from the 20th century? Anyway, let’s move on.

Ah! So now we know what the endgame is. They want your credit card details. That possibly ties into the previous screen as having your name and phone number along with possibly your email address would help the threat actors go to town at your expense. Let’s enter some bogus info and see if they do any validity checking in terms of if the card is valid:

And the answer is yes they do as this webpage rejected my bogus credit card info. I’ll give this threat actor credit as they tried hard in the right places to pull this scam off. Specifically in the area to get your credit card details. That makes this threat actor kind of dangerous.

So what’s my bottom line on this specific scam? Avoid it by deleting the email the moment you get it. Because if you get sucked in, it won’t end well for you.

UPS Is Being Used In An Email #Scam

Posted in Commentary with tags on October 9, 2022 by itnerd

UPS appears to be the latest company that I’ve found that a threat actor has decided to use as part of an email scam. The email in question looks like this:

It appears to be from UPS, but the UPS logo is wrong. The quality of the English is also a #Fail as well as evidenced by phrases like “Your package was stopped at the distribution hub due to incomplete delivery informations.” The tracking number is also not consistent with the format that UPS uses. And finally, there’s the email address.

Clearly this isn’t a UPS email address.

Other than that, the colours that are used are pretty much on point. It won’t fool most people. But I can imagine that a few might fall for it.

So, what’s the endgame here for the threat actors? I can’t say as when I tried to access the site that was linked in the email, it didn’t appear. Perhaps someone already took it out or the threat actors have moved on? It’s hard to say. But I can safely say that if this email hits your inbox, delete it.

A Rather Disjointed Email #Scam Is Making The Rounds At The Moment

Posted in Commentary with tags on October 5, 2022 by itnerd

It seems that today is scam day on this blog. Well, to be honest, I track so many scams and report them to you that every day can be considered to be scam day. But in any case, I have a new scam that I’d like to draw your attention to. It starts with this email:

So I am going to go out on a limb and suggest that this is an email based scam that is meant to get you to call in and perhaps have the scammer take control of your computer or something like that. We’ll get to that in a bit. But the vehicle for the scammer to get you to call them is that this is an email that purports to inform you that you’re being billed for a service that you were testing out. Now this is a somewhat effective means to scam you because a lot of us test out a lot of services and it is entirely possible that you might forget what you’ve tried out and fall for this. And remember, a scam doesn’t have to be successful in volume to be successful. So if only 1% of the people who open this email call in, the scammers win.

In any case, one thing that you’ll note is that this email is all over the place. While it does use some product names in the email, there’s nothing that has this email wrapped around a brand. For example I’ve seen Best Buy themed scam emails in the past that use that brand to get your confidence. I suspect that this is deliberate as a disjointed email like this one would be harder to filter out via a spam filter. The downside to that for the scammer is that it is likely that less people would act on it. But clearly they’re taking their chances on this.

This also ties into what happens when you click “see details” in the email.

This seems inconsistent with the content in the email if you read the email and compare it to this website. That may make it more likely that you’d call in and be more likely to fall for the scam.

Some other random observations:

  • The English used in the email is horrible as usual.
  • The email address that this email was supposedly sent from is suspect as usual:

All of the above should make you delete this email the second you get it. But in the interest of figuring out what the scam is, I called the number in the email. Which for the record is something that you should never, ever do. I was greeted by cheesy hold music. And messages that said that “all scammers representatives are currently busy. Please stay on the line. And your call will be answered by the next available scammers representative”. This to me seemed very much like the experience that I had with this scam which makes me wonder if the same threat actor is behind this scam, or this sort of setup to carry off a scam like this is now a thing. In any case, I hung up after 5 minutes without speaking to anyone as I had better things to do. But it is clear that this is an active scam that you need to be aware of and make sure that you’re not a victim of.

A Canada Post Email #Scam Is Making The Rounds

Posted in Commentary with tags on October 5, 2022 by itnerd

These email scams are multiplying like Rabbits. The latest one that I have for you involves Canada Post and looks like this when it hits your inbox:

Right off the bat, there’s no tracking number which should be the first hint that there’s something suspicious with this email. The other thing that should set off alarm bells is that it’s asking for payment “within 2 days prior to the validity period.” That’s not only to give the email a sense of urgency which will make you act upon it. But as usual, the English is poor. Finally, there’s this:

This isn’t sent by Canada Post as it clearly doesn’t come from a domain that is controlled by them.

All of this should say to you that you should delete this email upon receipt. But what is the scam that the email is trying to get you to fall for? Glad you asked. I tried to go down the rabbit hole on this one, but got nowhere as all this did was take me to a blank screen. So maybe this scam was shut down, or got shut down by the authorities. Either way, my guess is that given that the scammers were asking for payment to get your package, I am guessing that this was a scam to grab either your credit card details or banking details. Regardless, this is one email that you should instantly delete when you get it in your inbox.

An Email Based Invoice #Scam Involving @LifeOmic And @Zoho Is Making The Rounds

Posted in Commentary with tags on September 28, 2022 by itnerd

For the first time in a long time, I’m writing about something other than an extortion phishing scam. This scam involves health platform LifeOmic and Zoho. In short you get an email looking like this:

It claims to have been sent from Zoho’s CRM product and claims that you have a subscription for access to LifeOmic’s health cloud that you have to pay. What the scammers are hoping for is that you’ll call the number and presumably the scammers will want to get access to your computer to do who knows what, or extract personal information from you.

There’s one sure way to tell that this is a scam:

The email address in use does not trace back to either Zoho or LifeOmic. So that alone should make you delete this email immediately upon receipt.

This part of the email caught my attention:

This is meant to reassure you that this isn’t a scam and that LifeOmic and Zoho are committed to preventing invoice scams. Except that this is an invoice scam. And unlike most scams that I have seen lately, the English used in this one is pretty decent. I had to hunt to find grammatical errors.

I tried calling the number, which by the way is something that you should never do, and I was greeted with cheesy hold music and a message telling me to stay on the line because all the scammers representatives were busy. I gave it five minutes and hung up. But that was enough to tell me that this was an active scam. But I was unable to get information as to their motives. But at the end of the day, it doesn’t matter as whatever their intentions are, they aren’t good. Thus if you see this email hit your inbox, delete it and move on with your day.

A New @Microsoft Email #Scam Is Making The Rounds

Posted in Commentary with tags on September 22, 2022 by itnerd

A new email scam that is likely a phishing scam that is using Microsoft as its hook is making the rounds. Here’s the email in question:

The first hint that this is an email scam is that this email does not fit Microsoft’s brand design. But there is a simpler way to tell that this is an email scam:

That’s by looking at the email address. In this case, this did not come from Microsoft as this is not a Microsoft domain that is being used. That’s a #fail right out of the gate and should cause you to delete this email immediately.

Going further down the rabbit hole, it references a Microsoft update. Specifically KB40341836081 which doesn’t exist. Microsoft update numbers are six digits at present and this one is way too long. The English is also horrible. Example “perhaps you may experience difficulties signing into your account following a restart or sign-out.”

It also encourages you to log into a website to fix this. And serves up a lot of technically incorrect information to push you to go to this website. It also tries to reassure you by saying that you don’t have to download anything which will reassure you that you won’t get infected by a virus or something. Finally, it offers a site where you can stop or change these “security alerts”. But that site isn’t actually a link so it’s just there to reassure you that this email is legit, which of course it isn’t.

As for the website that it takes you to, well I couldn’t get it to load. Perhaps it’s been taken out by Microsoft? Or maybe because I did this on a Mac it wouldn’t respond to me because it was looking for a PC to perhaps load malware on it? It’s hard to say.

Regardless, if you see this email show up in your inbox, delete it.

It’s Friday, And I Have Another Extortion Phishing Email #Scam To Share With You

Posted in Commentary with tags on September 16, 2022 by itnerd

I have to admit that the readership of this blog is engaged. I say that because a reader sent me this latest extortion phishing scam email. From what I can tell, it’s similar to this extortion phishing email which makes me believe that it’s the same threat actor behind it. Here’s the email:

Hello there!

Unfortunately, there are some bad news for you.
Around several months ago I have obtained access to your devices that you were using to browse internet.
Subsequently, I have proceeded with tracking down internet activities of yours.

Below, is the sequence of past events: 
In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online).
Clearly, I have effortlessly logged in to email account of yours (EMAIL ADDRESS REDACTED).

A week after that, I have managed to install Trojan virus to Operating Systems of all your devices that are used for email access.
Actually, that was quite simple (because you were clicking the links in inbox emails).
All smart things are quite straightforward. (^-^)

The software of mine allows me to access to all controllers in your devices, such as video camera, microphone and keyboard.
I have managed to download all your personal data, as well as web browsing history and photos to my servers.
I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history.
My virus unceasingly refreshes its signatures (since it is driver-based), and hereby stays invisible for your antivirus.

So, by now you should already understand the reason why I remained unnoticed until this very moment…

While collecting your information, I have found out that you are also a huge fan of websites for adults.
You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun.
I have recorded several kinky scenes of yours and montaged some videos, where you reach orgasms while passionately masturbating.

If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos with your friends, relatives and even colleagues.
It is also not a problem for me to allow those vids for access of public as well.
I truly believe, you would not want this to occur, understanding how special are the videos you love watching, (you are clearly aware of that) all that stuff can result in a real disaster for you.

Let’s resolve it like this:
All you need is $1450 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that kinky stuff without delay.
Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises.

That is quite a fair deal with a low price, bearing in mind that I have spent a lot of effort to go through your profile and traffic for a long period.
If you are unaware how to buy and send bitcoins – it can be easily fixed by searching all related information online.

Below is bitcoin wallet of mine: [BITCOIN WALLET ADDRESS REDACTED]

You are given not more than 48 hours after you have opened this email (2 days to be precise).

Below is the list of actions that you should not attempt doing:

Do not attempt to reply my email (the email in your inbox was created by me together with return address).
Do not attempt to call police or any other security services. Moreover, don’t even think to share this with friends of yours. Once I find that out (make no doubt about it, I can do that effortlessly, bearing in mind that I have full control over all your systems) – the video of yours will become available to public immediately. 
Do not attempt to search for me – there is completely no point in that. All cryptocurrency transactions remain anonymous at all times.
Do not attempt reinstalling the OS on devices of yours or get rid of them. It is meaningless too, because all your videos are already available at remote servers.

Below is the list of things you don’t need to be concerned about:

That I will not receive the money you transferred.

– Don’t you worry, I can still track it, after the transaction is successfully completed, because I still monitor all your activities (trojan virus of mine includes a remote-control option, just like TeamViewer).

That I still will make your videos available to public after your money transfer is complete.

– Believe me, it is meaningless for me to keep on making your life complicated. If I indeed wanted to make it happen, it would happen long time ago! 

Everything will be carried out based on fairness!

Before I forget…moving forward try not to get involved in this kind of situations anymore!
An advice from me – regularly change all the passwords to your accounts.

If you check out the post that I linked to above, it has very similar hallmarks. The only difference is that the proof that the threat actor is using to get your attention is that they spoofed your email address and reinforced it by including it in the body of the email. The rest of the playbook is exactly the same. And the language used is similar. Which is why I think it’s the same threat actor behind this. Finally, I checked the BitCoin wallet and there’s nothing in it. That implies either this scam isn’t working for the threat actor, or it hasn’t worked yet.

If you see this email hit your inbox, delete it and go on with your life.