The Latest “Pump and Dump” Stock Scams

For a while, spam pushing penny stocks had gone quiet, but it has been making a comeback. Recently we’ve seen these campaigns:

  • 2017-03-20: Incapta Inc (INCT)
  • 2017-04-11: Quest Management (QSMG)

If you receive spam pushing shares, beware! Never buy stock based on “information” sent out as spam. The only people making money on such stocks are the scammers, who wait for buyers lured by the spam so that they can offload their near-worthless shares at grossly inflated prices. Reselling such stock is nearly impossible and will usually lead to great losses.

Native ads, a race to the bottom for online media

Over the past year you will have seen a steady increase of so-called “native ads” while reading articles online. You know, those half dozen or more links with pictures to what at first looks like other articles recommended by the publisher. Only, they are really outside links. Many are click-bait ads, with pictures and headlines designed to grab your attention. They are introduced with tags like “From the web” or “Promoted stories”. The small print will mention companies like Outbrain, Taboola or Revcontent that place the ads in the space that they rent from the website owner.

At best, the advertised content doesn’t live up to the attention-grabbing ads. At worst, the advertisers try to sell you something utterly worthless through deception and lies, including miracle weight loss, anti-aging and anti-Alzheimer pills or promises of jobs that make thousands of dollars a month with no special skills required. Many of these offerings involve recurring credit card charges that are very difficult to get out of.

So why have reputable publishers like the Washington Post, Newsweek and The Atlantic embraced “native ads” on their websites? The answer of course is money. As the Internet has grown, print advertising revenues have been collapsing for traditional media as many of the ads have moved online. What’s worse, with Google Adsense and Facebook ads, traditional publishers now have to compete for eyeballs against an almost unlimited number of websites and SNS, making it very hard to replace print ad revenue with online ad revenue. Companies like Outbrain and Taboola (both based in Israel) and RevContent (based in Florida) are offering better rates to site owners, but they can only do that because they seem to have few ethical problems selling anything that makes money.

Back in the 1990s I used to read High Times, which always carried pages of “fake pot” ads. The description for these products might lead naive readers to think that these legal products offered some of the effects of illegal marijuana, but it was really just bullshit and the High Times editors knew that. Their dilemma was that Congress had passed anti-paraphernalia laws that discouraged their traditional advertisers (e.g. for glass pipes) from advertising and the “fake pot” scammers were ready to fill the gap. When rival magazine Cannabis Culture pointed out the hypocrisy of High Times helping to defraud their readers, one of the editors offered an excuse along these lines: “If you don’t like these ads, why don’t you buy that advertising space yourself?” It’s not quite as simple as that.

While every business needs revenue to survive, I think ultimately, accepting money from unethical sources such as scammers does undermine your credibility. Gradually, more and more consumers will realize these “promoted stories” and “sponsored content” are nothing but deceptive junk. Taking money from these advertisers is a devil’s bargain that will damage the reputation of sites running unethical ads. If readers of reputable news sites lose faith in them, what will they have left that distinguishes them from fake news sites?

OTCH:SWRM spam

Never buy stock advertised via spam (especially penny stocks), such as this one:

Subject: This company is a rare opportunity to quintuple your money before Christmas.

Appswarm needs your attention. This is the only stock you need to buy today.
Keep on reading to find out why..

Appswarm (ticker: SWRM) is a mobile games developer that has built some of
the most popular games on the planet.

The games have been downloaded more than 100 million times and the company is
planning to launch 5 new titles in January 2017 (next month).

SWRM is extremely undervalued and there are serious rumors circulating that the maker of
Candy Crush (King, a multi billion dollar company) is about to buy it out for $1.17 per share before Christmas.

At this moment SWRM is trading at just pennies but a buy out from King will automatically
send it to over $1 in a matter of minutes.

This is your chance to buy a stock just days before a major acquisition and stand to
gain more than 1,500% just days before Christmas.

This is a scam. The only people making money on this stock are the spam senders, who will be trying to offload their existing holdings.

PayPal malware social engineering

I instantly got very suspicious when I received this from PayPal today:

Hello [my name here],

Colin Neal would like to be paid through PayPal.

Note from Colin Neal: Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.

Details

Request Date: November 29, 2016
Requested Amount: $200.00 USD
Your Email Address: [my PayPal email address]

Click the button below to send Colin Neal your payment and see the details of this money request.

[ Pay now! ]

Of course I did not click on the “Pay Now!” button, but looking at the email header, the mail was actually sent via PayPal’s mail servers!

I logged into PayPal from scratch on another machine by typing in the PayPal domain name and verified that there was indeed a money request for $200 in my PayPal account. However, it came from a random looking Gmail address, “pvbkrngkjqo@gmail.com” and not the address I was told to contact. Even more suspicious than the first email!

So I fired off an email from another mail account (not my PayPal mail account) to “kcsystems1@gmail.com” and explained that I had not received any funds and that this must be a scam. But as suggested in the initial message, they then sent me a link to an “invoice”:

Good afternoon. This is a copy of invoice.
https://paypal.com/user/files/paypalInvoice_000092419298377.doc

Looking forward your reply. Thanks.

Looking at the actual target of the link, it pointed at a completely different location:

http://myotaku.com.my/system/helper/json/paypalInvoice_000092419298377.doc

When I downloaded it using a secure tool and submitted it to VirusTotal.com, six of the tools consulted detected it as malware:

Antivirus   Result                          Update
AVware      LooksLike.Macro.Malware.k (v)   20161130
Avast       VBA:Downloader-DSH [Trj]        20161130
Fortinet    WM/Agent.CBW!tr                 20161130
Qihoo-360   virus.office.gen.85             20161130
Symantec    W97M.Downloader                 20161130
VIPRE       LooksLike.Macro.Malware.k (v)   20161130

This scam uses a clever bit of social engineering. The original email comes from a real PayPal server, a trusted source and it doesn’t include any malicious links or attachments.

By getting you to initiate contact with the malware scammer, the subsequent reply with its malicious link will arrive from an email address that you have previously contacted, which will subject that email to less severe filtering. This makes it more likely the malicious link goes through.

Always be alert to how scammers set up mail exchanges where malware will only arrive after several steps specifically designed to defeat filtering. For example, they may contact you first to ask for a quote and then email you what is supposed to be an order, but is really malware.

“EU Business Register” spammers

Here is some spam sent to one of my mailboxes recently:

Hello,

In order to have your company inserted in the EU Business Register for 2016/2017, please print, complete and submit the attached form (PDF file) to the following address:

EU BUSINESS REGISTER
P.O. BOX 34
3700 AA ZEIST
THE NETHERLANDS

Fax: +31 30 310 0126

You can also attach the completed form in a reply to this email.

Updating is free of charge!

A very deceptive offer, because even though updates may well be free (as stated), the offer itself is not: a careful reading of the small print in the attached PDF revealed it to be a solicitation for a three-year subscription at 995 EUR per year, automatically renewing unless cancelled two months in advance. So filling in and signing the form would cost you at least 2985 EUR.

A quick Google search showed that these guys are already known to Spamhaus, who think that they’re from Romania.

“Helfen Sie uns, Ihr eBay-Konto zu schützen”

I received an email today that claimed to come from eBay Germany and at first glance looked like yet another phishing scam, complete with a link to a website for me to click on to “protect my account”. Even more suspiciously, the greeting at the top did not address me by my first name or full name.

Only when I looked at the message headers did I realize that the mail actually came from eBay’s mail servers. It was real. Still, as a simple precaution I typed eBay’s website address into a browser window to log in from scratch, ignoring the link in the email, just in case…

Later, when I had another look I noticed the small print at the bottom did actually mention my full name, again supporting that the mail was legitimate.

I found the whole experience pretty disappointing for a company of this size that has been in the business for so long and during that time has always been a prime target for phishing scams:

1. Please address the customer by their full name, otherwise you undermine years of education efforts. PayPal addresses all their customer mails to the full name of the recipient, why not eBay? Sceptical people may have ignored that email while for naive people it has made it harder to distinguish phishing mails from real mails.

2. Please do not ask people to click a link in an email claiming to be from you to go to a website that asks for their user name and password. Simply ask them to go to the eBay website in a browser and log in there. That removes any question whether any link is genuine or not or whether it’s safe to click on.

Don’t train customers to do things in your real business emails that phishing scammers would also like them to do, especially when there are alternatives.

Search engine registration scam / 1-716-328-1722

We received the following to our domain registrant contact address (listed in WHOIS) from Domain Services <notice@domainnotices666.com>:

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: MY-DOMAIN-HERE

Complete and return by fax to:
1-716-328-1722

ATT: MY-NAME-HERE
ADMINISTRATIVE CONTACT
MY-NAME-HERE
MY-EMAIL-HERE
MY-ADDRESS-HERE
WWW.MY-DOMAIN-HERE
Please ensure that your contact information is correct or make the necessary changes above

Requested Reply Before
November 23,2015

PART I: REVIEW SOLICITATION

Attn: MY-NAME-HERE
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission. You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: WWW.MY-DOMAIN-HERE will expire on November 23,2015 Act today!

Select Term:

[ ] 1 year 11/23/2015 – 11/23/2016 $75.00
[ ] 2 year 11/23/2015 – 11/23/2017 $119.00
[ ] 5 year 11/23/2015 – 11/23/2020 $199.00
[ ] 10 year -Most Recommended- 11/23/2015 – 11/23/2025 $295.00
[ ] Lifetime (NEW!) Limited time offer – Best value! Lifetime $499.00

Today’s Date: _____________________ Signature: _____________________

Payment by Credit Card
Select the term above, then return by fax: 1-716-328-1722

MY-DOMAIN-HERE

——————————————————————————————-

By accepting this offer, you agree not to hold DS liable for any part. Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this offer. The information in this letter contains confidential and/or legally privileged information from the notification processing department of the DS 3501 Jack Northrop Ave. Suite #F9238 Hawthorne, CA 90250 USA, This information is intended only for the use of the individual(s) named above. There is no pre-existing relationship between DS and the domain mentioned above. This notice is not in any part associated with a continuation of services for domain registration. Search engine submission is an optional service that you can use as a part of your website optimization and alone may not increase the traffic to your site. If you do not wish to receive further updates from DS reply with Remove to unsubscribe. If you are not the intended recipient, you are hereby notified that disclosure, copying, distribution or the taking of any action in reliance on the contents for this letter is strictly prohibited.

If you have received a message like that, ignore it. It’s actually an illegal solicitation, as it’s against the terms of use of WHOIS lookups to use them for spamming, which is what this is.

All it takes for search engines to find you after you register a domain and create a website for it is one public link on a website. There is no need to pay any registration service for it. Besides, if the spammers already found you, you obviously don’t need “search engine registration” 🙂

Domains hijacked by fake brand spammers

Spammers who set up fake websites offering brand name products, whether to sell counterfeit merchandise or to steal credit card details of would-be buyers, often hack third party websites to host ads and shopping websites on them.

On top of that we’ve also come across many cases of them taking over control of existing domains, whose names then don’t make any mention of the brands being offered.

For example the domain “itelekom.net”, which currently hosts a site selling Nike shoes, has been around since 2004 and apparently was previously owned by a telecommunications company in Nigeria. Looking up its current ownership using WHOIS, it still has a 2004 creation date but appears to be owned by someone in China:

[CODE]Domain Name: ITELEKOM.NET
Registry Domain ID: 119763324_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-06-22T11:19:59Z
Creation Date: 2004-05-11T08:50:26Z
Registrar Registration Expiration Date: 2015-05-11T08:50:26Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID:
Registrant Name: gina zipperian
Registrant Organization:
Registrant Street: pu tian
Registrant Street: fu jian
Registrant City: fujian
Registrant State/Province: jiao wei
Registrant Postal Code: 351253
Registrant Country: China
Registrant Phone: +86.15860339007
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 157505829@qq.com
Registry Admin ID:
Admin Name: gina zipperian
Admin Organization:
Admin Street: pu tian
Admin Street: fu jian
Admin City: fujian
Admin State/Province: jiao wei
Admin Postal Code: 351253
Admin Country: China
Admin Phone: +86.15860339007
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 157505829@qq.com
Registry Tech ID:
Tech Name: gina zipperian
Tech Organization:
Tech Street: pu tian
Tech Street: fu jian
Tech City: fujian
Tech State/Province: jiao wei
Tech Postal Code: 351253
Tech Country: China
Tech Phone: +86.15860339007
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 157505829@qq.com
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/[/CODE]

We suspect that phishing and malware were used to enable a domain transfer away from the legitimate owners to the scammers. Having to reinstall your PC to get rid of a malware infestation is one thing. Losing an established domain that you spent years promoting on the web is another.

Protecting yourself from phishing and malware is more important than ever.
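
A domain owner can catch this kind of change early by comparing periodic WHOIS snapshots of their own domain. The following Python code is an added example, not part of the original post: it flags watched fields that changed while the creation date stayed the same, as in the record above. The function names are hypothetical, and the baseline snapshot is constructed (only the Nigerian origin and the creation date come from the text).

```python
from collections import defaultdict

# Fields whose change on an established domain should raise an alert.
WATCHED = ("Registrant Organization", "Registrant Country", "Name Server")


def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into {key: [values]}; keys may repeat."""
    record = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skip empty fields such as "Registrant Fax:"
            record[key.strip()].append(value.strip().lower())
    return record


def registration_drift(baseline, current, watched=WATCHED):
    """Return {field: (old_values, new_values)} for watched fields that differ."""
    old, new = parse_whois(baseline), parse_whois(current)
    return {
        f: (sorted(old.get(f, [])), sorted(new.get(f, [])))
        for f in watched
        if sorted(old.get(f, [])) != sorted(new.get(f, []))
    }


def changed_in_place(baseline, current):
    """True when the registrant changed but the creation date did not."""
    # Same creation date: the name was transferred, not dropped and re-registered.
    # A legitimate sale looks identical, so this is a prompt to verify, not proof.
    old, new = parse_whois(baseline), parse_whois(current)
    created = old.get("Creation Date")
    same_creation = bool(created) and created == new.get("Creation Date")
    drift = registration_drift(baseline, current)
    return same_creation and any(f.startswith("Registrant") for f in drift)


# Constructed baseline snapshot (organization and name servers are made up).
BASELINE = """\
Creation Date: 2004-05-11T08:50:26Z
Registrant Organization: Example Telecom Ltd
Registrant Country: Nigeria
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

# Excerpt of the WHOIS record quoted in the post above.
CURRENT = """\
Update Date: 2014-06-22T11:19:59Z
Creation Date: 2004-05-11T08:50:26Z
Registrant Organization:
Registrant Country: China
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
"""

if __name__ == "__main__":
    print(registration_drift(BASELINE, CURRENT), changed_in_place(BASELINE, CURRENT))
```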

OTC:TLPY – Pump and Dump Spam

Beware of any stock that’s advertised via spam!

Here is an example of spam flogging the latest stock to avoid:

Hi Kids,

Ok.. the wait is over TLPY is here!

OUR BIGGEST MONSTER PICK EVER – TLPY!

I will be sending you the TLPY video over the weekend. Along with my usual report. I just wanted to give this to you super quick before the MASSES get it on Monday!

All the best in the markets and stay tuned Sunday at 7PM EST for my TLPY video and report!

I believe TLPY is going to be EPIC! BUY TLPY TODAY!

Happy Trading,
Mike
Co-Editor
www.StockTips.com

The only people making money on spammed stocks are the ones sending the spam or paying the spammer, who will manage to offload overpriced illiquid stocks onto unsuspecting buyers who fall for the scam.

“Free Audio Editor 2014” adware spam

Every now and then I check comments stuck in the spam filter of my blog. Mostly I find spam postings advertising fake brand merchandise, with the odd bit of SEO spam thrown in. Today I found a link to a site selling a product called “Free Audio Editor 2014” (free-audio-editor dot com), which as it turns out is also available at download.cnet.com. Why would a free product be advertised via blog spam, I wondered. What would they gain?

So I downloaded a copy and uploaded it to virustotal.com to check it for malware. As it turns out, 11 out of 57 products that analysed it didn’t like it:

Antivirus             Result                                                   Update
AVware                InstallCore (fs)                                         20150307
Avira                 Adware/InstallCore.A.367                                 20150307
Baidu-International   Adware.Win32.InstallCore.XA                              20150306
Comodo                Application.Win32.InstallCore.AEK                        20150306
DrWeb                 Trojan.InstallCore.151                                   20150306
ESET-NOD32            a variant of Win32/InstallCore.XA potentially unwanted   20150307
K7AntiVirus           Unwanted-Program ( 004a9d5f1 )                           20150306
K7GW                  Unwanted-Program ( 004a9d5f1 )                           20150306
Norman                InstallCore.CERT                                         20150306
VBA32                 Malware-Cryptor.InstallCore.gen                          20150306
VIPRE                 InstallCore (fs)                                         20150307

The results suggest that this product may be adware.

I would never install software on my PC that was advertised via spam. If you’re looking for a free audio file editor, I recommend Audacity (http://audacity.sourceforge.net/), which is open source and works great.