April 11, 2018


We wonder if our readers noticed a significant upsurge in spam landing in their inboxes, or perhaps their spam folders.  We certainly saw it.  Many readers forwarded their scam emails and texts to us.  Thank you!  Our personal favorite was this email pretending to be from Fedex.  Here’s a tip to the criminals who created this carp… learn how to spell the word address.  You’ve spelled it three different ways.  One of them is correct!

Can figure out which one? 

We’re not so worried that people can’t spot this as fraud. “Please reply us with the correct shipping addresse.”  Buried in the link revealed by mousing over the purple button are the words “Please Update us your Adress.”  Clearly, some Einsteins put this one together.

Another reader also sent us this “bank wire copy” she received in an email claiming there was money waiting for her.  The email came from a domain listed online as an engineering firm in Egypt.  The quality of the graphic is so poor that we struggle to make out the contents.  But the contents say a payment of $15,000 USD was sent from HSBC bank to the Asia Commercial Bank in Vietnam. (Not the reverse, as you might expect.)  And yet, the logo at the top of the document is for IBC, the International Bank of Commerce, based in Laredo, Texas.  The signatures alone are priceless.  We suspect they were made by a pencil attached to the tail of a drunken Chihuahua.  We enjoy a good shot of tequila ourselves, but we urge our friends overseas not to overindulge the dog.

All kidding aside, we sincerely wished that all the criminals targeting Americans across the Internet were this lame.  It would make our job a whole lot easier.  Sadly, for all of us, that’s not the case as you’ll read below.



Phish NETS: Confirm Apple Store Purchase and Lloyds TSB Bank Account Suspended

This phish is a very clever piece of social engineering.  Immediately following “From:” is a correct Apple email address.  But don’t be fooled because the truth is that this email came from the hyperlinked blue text that follows between the symbols <> and that ain’t Apple!  Subject line states “Apple notice : Confirmation Purchase in Apple Store! Please read [PDF].“ There is no text in the email, only the attached pdf file.  The pdf doesn’t contain any malware or virus as some might think.

However, it does contain an active link!

Imagine opening that pdf to see a Payment Confirmation from Moonton Technology, the makers of the game Mobile Legends.  You’ve purchased 5000 diamonds in the game for only $99.99!  Can you picture how the parent of a young teen gamer might react?  “What the hell did he buy!”  But wait!  The purchase can be cancelled, thank God!  Just click that embedded link in the pdf in the statement “To learn more or cancel, review Payment Now.”   But that link doesn’t point back to Apple.com!

Nice phishing trick.


A casual look at the from address shows that this email appears to have come from emailslloyds.co.uk.  However, the email address was completely spoofed.  The full domain represented in the from address is ID-5286960520-emailslloyds.co.uk and according to a WHOIS look up, it was never registered.  “Dear Valued Customer, Your access to our internet banking service has been suspended…”  The link provided  to verify your account details points to a website in India (saffola-DOT-in) instead of Lloydsbank.com.

This is a big, fat delete!




YOUR MONEY: Cofirmation of Tax Refund and Ashley Madison – Chat with New Members Today!

Happy tax season.  The good news is that it’s almost over!  The bad news (for some) is that it’s almost over.  This email appears to have been sent from HMRC which stands for “Her Majesty’s Revenue and Customs, a tax collecting department of the UK government!  But, if you mouse over the linked letters HMRC you’ll find that the email was really sent from an imposter.

Also, if you are a careful reader, you’ll notice that these criminals misspelled confirmation two out of three times.  This email is total BS targeting British citizens.  Ironically, the link connected to “you have to complete a refund form with your personal information” will send you to the hacked website of a brokerage firm based in Riyadh, Saudi Arabia.


Are you married and looking for a little indiscretion?  We can’t help you and neither will this email that seems to come from the infamous site for cheaters, Ashley Madison.  It’s one long piece of click bait.  The reveal is right there at the top in plain sight but reader excitement might move beyond it to look at the photo and read the captions.  All links in this junk point to the domain mnce-DOT-faith.  It was registered by someone named “Luis Welter from Ruckman Road in Oklahoma City, Oklahoma hours after the email was sent.  Luis uses an email address with Yandex, a service based in Russia.  Also, though Google maps can’t find any road named “Ruckman Road” in Oklahoma City, we found three very suspicious listings for businesses or foreclosed properties for sale on the fictitious Ruckman Road in Oklahoma City.  One of them was a business called “Urgent Therapy Physical in Oklahoma City.”  It has no reviews, no photos of the business, and Google maps placed its location in the middle of a body of water.   It never ceases to amaze us how easy it is to deceive others online.




TOP STORY: Your Payment Has Posted

Internet-based criminals use many tricks to lure their victims into making a bad decision. One of our readers was hammered with multiple emails and texts over a couple of days.  All were informing her that money had been posted to her account.  “Your payment of $554.30 was successful.  Receipt #331044” said this email from “Online Bill Pay.”  Take a close look… What’s missing from this email?  Also, what’s odd and very suspicious about this information?

It’s very obvious that you can click the BIG RED BUTTON to “ACCESS ACCOUNT” but for what account?  There’s nothing in this email to identify your financial account.   Also, did any of our readers notice the address listed in faint grey letters underneath the red button at the bottom?  We looked up that address, wondering what business might be found in those big, beautiful skyscrapers and discovered that there is a Sunoco Station with a “Shop Quik” inside at 113 Pennsylvania Ave, Bangor, PA.

Our reader also received this email from “Automatic Bill Pay.”  It was sent from an odd-ball email address in the European Union. (“.eu”)  The links in it pointed back to that odd-ball EU domain.  Clearly, this was made by the same criminals who made the “Online Bill Pay” email above.

And finally, this same person received at least four emails like the one below.  All were sent from different email addresses in the EU but saying “Auto Pay.”   All the links pointed back to more odd-ball domains in the EU. “THANK YOU.  YOUR PAYMENT HAS POSTED.”

We tried to follow these links to better understand the threat but each of them was crafted in such a way that our investigative tools were redirected to a bogus tech website admonishing the sins of Microsoft.  It was bizarre and we felt that the criminals were toying with us.  At least they have a sense of humor.  We were surprised to learn that there really is a Mansion Street located in the city of Louisiana in the state of Missouri!  Can you guess what’s located at #222?  Another gas station and convenience store.  (This one is called Ayerco 65.)

What is most interesting to us is the “why.”  Our reader informed us that she does not work in accounting or anything associated with paying bills.  Nor does she work in with a firm that is associated with convenient stores or gas stations. So why was this woman so heavily targeted by so many similar emails over the course of a couple of days?  We’ll never know but someone took an interest in her.




FOR YOUR SAFETY: Download Your Files, Photo from Maria

WeTransfer is a cloud-based file transfer service.  This bogus email was made to look like it came from WeTransfer but it didn’t.  It was spoofed.  If you had received this email would you have clicked the link?  “File was successfully sent to…” You can click to download your 6 files, including one named COMMERCIAL INVOICE.pdf and another named CONTRACT.pdf.  But pay close attention to that link for “Get your files” because it doesn’t point back to WeTransfer.  It points to a website for a seed producing company in Kenya.  We asked VirusTotal.com what it thought of that link’s destination and the response couldn’t have been stronger.

Do not click!


Fortunately for Doug at TDS, his email service easily identified the virus hidden in the zip file attached to this email he received with subject line “Photo from Maria.”  However, what is most notable here is how the criminals who targeted him spoofed the email so it looked like it came from someone at his organization.  The email appeared to be sent from his domain by someone named “Maria2018.”  Email spoofing requires a level of sophistication that many Internet criminals don’t have.



Last week a reader forwarded to us a Nigerian 419 advance-fee scam that was made to look like it was an email from the FBI.  It claimed that $3.5 million dollars were waiting for the recipient and would be released if he paid the $185 fee.  It was actually, quite funny.  However, what angered us was the email address being used by the scammer.  It was fbi.officeauthority “@” gmail.com.  We believe that is a critically important responsibility of the companies that offer us Internet-related services like email to work harder to protect the public against obvious fraud and misuse.  If someone registers the Gmail name fbi.officeauthority it should be noticed by Google and shut down immediately!  Google should be doing a better job protecting the public.  Are you listening Google?!


Until next week, surf safely!