We see lots of different malware, scams and phishing emails. This one really grabbed my attention because of the website involved in the initial redirect.
This website / blog is owned and run by Netgear a major manufacturer and distributor of routers and wifi equipment. Or at least appears to be joint between Netgear and ATT, both of whom have enough technical staff to, or should have, to be able to secure a WordPress blog properly. The domain registration shows it registered to https://ampagency.com/ who probably created the blog and I suppose handed it over to Netgear or ATT to run, but have retained registered Owner and Admin capabilities.
I really cannot accept that 3 major Tech companies can be so useless and careless and not able to stop malware and scams occurring on this website that they control
They use email addresses and subjects that will entice a user to read the email and open the attachment.
You can now submit suspicious sites, emails and files via our Submissions system
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
The email looks like:
From: Lacoste Legrand <russell-wood@lineONE.net>
Date: Thu 14/12/2017 04:37
There is something nice I wanted to show you , just glimpse message
If you follow the link in the email you get sent to this compromised Netgear owned or sponsored website. http://www.wififamilyblog.com/wp-content/uploads/2015/12/aqvgx.php?UE9sYW5kbG9yZEBvdXItTG9jYUwuY28udWs-
That redirects you to a fake Tech support scam site http://2callingday1y113121234567890.tk/news/?number=44-173-260-8058 that looks like this:
I am not going to continue with anything about the fake Tech Support site today, they are so common and in this context not very relevant. What is the issue is the Netgear site http://www.wififamilyblog.com has been completely compromised and has been for more than 2 years now!! since February 2015!
There are spam posts on the site, allegedly posted by Netgear Admin and various other names. There are also open directories under http://www.wififamilyblog.com/wp-content/uploads/ which clearly show multiple compromises, redirects to sex sites, scam sites and god knows what else.
wififamilyblog.com. registered 12 January 2015. Registrar: Godaddy | Hosted on 188.8.131.52 ( Amazon AWS) |
Registrant Name: Robynne Tanner
Registrant Organization: AMP Agency
Registrant Street: 77 North Washington St
Registrant Street: 8th Floor
Registrant City: Boston
Registrant State/Province: Massachusetts
Registrant Postal Code: 02114
Registrant Country: US
Registrant Phone: +1.6178378109
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: email@example.com
Update: 16 December 2017: The wififamilyblog.com appears to have been taken offline completely now and this holding page on the Amazon AWS service is displayed
We all get very blasé about phishing and scams and think we know so much that we will never fall for a phishing or scam attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
The email is just generic enough to invite the curious to click the link
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.