“Phishing” is when scammers send you an email that’s trying to trick you into revealing information, or installing malware on your computer or phone. And a lot of you are falling for it.
How do I know?
Hundreds of thousands of people have “interacted” with me by email, from friends I chat with on an almost daily basis to people who subscribed to my newsletter and got at least one message from “me” (aka, my email address). I get to know a lot of readers by name because they comment, or simply because they have recurring subscriptions and I see their renewals come in.
For weeks I’ve been getting a lot of very similar emails, and I often recognize the “From” name — various readers. They are always in my spam folder.
Yes, I recognize “Mary Wilson” as a reader, and chose that example because not only do I have at least two readers named “Mary Wilson”, but it’s a generic-enough name to not embarrass them. Many others come from much more unusual names that I also recognize as readers.
This particular flavor of scam all have the same format: a URL to click that looks like but isn’t a link to search for my email address on Google. That’s called a cloaked link.
What is it cloaking? Malware. Click the link and you won’t go to Google, you’ll go to the criminals’ site.
In fact, the link is double-cloaked: it first goes to the link-shortener and -tracker Bit.ly, as shown above. From there Bit.ly sends it off to a redirector hosted on Amazon Web Services which, no, doesn’t have the malware, because it then hops over to the real destination, contentnatgets.world, a 27-day old (as of today) site hosted on the “Google Private Cloud” at an I.P. address assigned to Finland in South Karelia, very close to the Russian border.
Smell a rat yet?
And see all that LinkID coding in there (some of which I blurred)? That lets the criminals know exactly who clicked their link: they have now verified that 1) your email address works, 2) you opened the message, and 3) you are gullible enough to have clicked the link — the perfect mark for further exploitation.
But what’s the harm?
First, once you get their malware loaded up, it scans your email and address books looking for new victims: your friends, business associates, charitable organizations, etc. will start getting similar emails with your name in the From line. I get many of them daily since my address is in so many of your email folders. (Gosh, thanks.)
Second, what else is in your email? Messages from your bank(s), investment companies, retirement funds, and more. And maybe the malware you loaded has a module to grab your login and password for those financial institutions and send that to them. I mean, why wouldn’t it? They’re criminals and they’re after money. Your money. Easy money.
Getting scared yet? You should be!
Lesson Number 1
Never ever ever click an unsolicited link.
The message is “from” a friend? Check it: is that their real email? Does the link even go where you think it does? Hover it with your mouse, rather than clicking it, as shown above, to see. (The procedure is different on phones and tablets: learn it!)
Note that on most browsers that preview comes up in the lower-left corner of the window, just as shown above, and could be far enough away from the link that you don’t notice it.
So, am I sure these are Russian criminals? Nope: could be Chinese. Why Chinese? Because “Mary Wilson’s” email address is shows as email@example.com and, indeed, here’s the header of where the message was sent from:
But then, within 24 hours of this one, there was another from “Mary Wilson” …from a different email address. Routed through different servers. The criminals could actually be anywhere: this is the Internet, after all! Anyone can rent a server anywhere.
The “Google search link” in that message also cloaked a (different) Bit.ly URL, which went similarly through different routes to a different but similar final destination (naturalgetcontents.world), which is also 27 days old. To me, the same fingerprints = the same criminals.
Can You Complain?
Sure, have at it. First, you need to find the abuse form at Bit.ly, and know what to tell them so they can take the needed action. And then the abuse form at Amazon Web Services (ditto). And Google Private Cloud (ditto). Maybe the registrar of the .world domains (ditto).
But, of course, the criminals will simply set up a different Bit.ly address, copy their code over to new AWS and GPC instances, and start again.
Which is what they are already doing, as noted above, because someone might go to the trouble and get one of their paths shut down, so they are simply proactive and copy their efforts multiple times with different routes to get the same information, and the victims are left playing whack-a-mole while the criminals clean out bank accounts to fund yet another round of scamming.
I sure don’t have time for that. Unlike criminals, I need to work for a living.
So What, Then?
So get smarter: don’t click the frigging link!
And do this: scan your computer for malware. My favorite tool for this is Malwarebytes, but even there you need to be smart: get their free scanner, install it or other options carefully to not get anything you don’t want (like toolbars, or a free trial of paid services). You might want the paid services, but make that decision consciously, not letting them default you into paying. And certainly don’t start with paying: test first.
Once the scan is complete and shows you clear (or shows you need to remove malware and then scan again), change your passwords on all important sites, such as your financial institutions. Every password needs to be unique (never use it on multiple sites), long (long is more secure than complex), and kept in a safe place.
What safe place? I use the free Bitwarden password locker. I only have to know one password: the one that opens Bitwarden to decrypt my passwords and fill them in for me. Yes, it’s safe, and is highly recommended by experts that are much more knowledgeable than I am about computer security (and I’m no slouch at it).
Last, if any of this is new or surprising to you, you simply must read my free Spam Primer, which covers other types of noxious, criminal email practices. On its own site, SpamPrimer.com (not a cloaked link!)
The bottom line is what True is about in the first place: Thinking. That’s why so many people subscribe, and you should too if you don’t already. [Open Subscribe Form] It could save your retirement accounts, just as a start!
– – –
Bad link? Broken image? Other problem on this page? Use the Help button lower right, and thanks.
This page is an example of my style of “Thought-Provoking Entertainment”. This is True is an email newsletter that uses “weird news” as a vehicle to explore the human condition in an entertaining way. If that sounds good, click here to open a subscribe form.
To really support This is True, you’re invited to sign up for a subscription to the much-expanded “Premium” edition:
Q: Why would I want to pay more than the minimum rate?
A: To support the publication to help it thrive and stay online: this kind of support means less future need for price increases (and smaller increases when they do happen), which enables more people to upgrade. This option was requested by existing Premium subscribers.