April 12, 2017


We love hearing from our readers.  One recently informed us of some bogus Instagram accounts that send him requests to follow.  We asked for a sample and he sent us this screenshot from an Instagram user called fastfundss.  If you Google the phone number listed on the account you’ll see lots of links to odd websites with the same pitch to make money.  Feels like a ponzi scheme but we can’t be sure.  What we can be sure of is that it can’t be legal and someone’s likely to lose money.  Wanna guess who?




At least one of the criminal gangs who push out much of this malicious trash must have hired a new idea person because we saw far more new and interesting malicious emails in the past week than in the past six months!  Like this one from pianoinstruction@ pianfrall.top.  “Now ANYONE Can Learn Piano or Keyboard”  The domain pianfrall.top was registered by someone named dev thakur from chandigahr, India.  It was registered using Alpnames.com a few hours before this email was sent. Dev Thakur listed his (her?) organization as “medicare group.”  This is one more example that Registrars like Alpnames are either stupid or don’t give a damn about the malicious use of their services because they make lots of money.  Their lack of responsibility to the public exemplifies a broken system.

Take a look at the bogus opt-out address at the bottom of the email.  We’re starting to see it on many malicious emails.  Google Earth shows this address to be a modest residential neighborhood in Virginia.


Sample Scam Subject Lines:

#1 odd Bible Tip of a flat belly

Activate your Costco gift card!

Amazon.com Needs your confirmation

Have a Beautiful Body You’ve Always Dreamt Of

Navy SEAL survival secrets released for the first time

Only $24.99 Oakley Outlet

Opera & Jennifer Aniston talk facial treatments

Redeem your Costco weekly award

Save on printer ink

The Cable Companies Want Us to Keep Quiet About This…

The real reason you’re ALWAYS tired

Warning: Read This Before You Buy A Flashlight

You have notifications pending


Sample Scam Email Addresses

8hrs_left-[YOUR EMAIL]@ cloudbend.win

amazongift.cards-[YOUR EMAIL]@ orangefastship.com

BestFlightSimulator@ airfightgame.bid

costcocom-[YOUR EMAIL]@ givingonfriday.com

freeanimationsoftware@ illustware.top

healthyliving@ greatbrainss.top

homemoleremoval@ molearts.top

he_shepherds_diet-[YOUR EMAIL]@ couchhive.win

home_warranty_special-[YOUR EMAIL]@ duhaiku.com

January-Order@ rp.businessdegreemia.com

mark-zuckerberg-on-fox-[YOUR EMAIL]@ bornclover.men

naturaldiabetes@ DogFolly.com

womensweightloss@ venxtre.top






Phish NETS:  Amazon, Apple and Paypal, Oh My!

Here we go again.  First is this very spoofed email that appears to have come from seller-notification@amazon.com but did not!  “Action Required: Pay your seller account balance.” “You have a balance due in your Amazon seller account. We attempted to charge your credit card for the balance, but your bank declined the charge.”  The English grammar and content in this email are flawless!  Adding to this threat is that the attached file is an html web document, so mousing over will not reveal a destination.  Opening that html document is extremely dangerous because it can contain all kinds of Internet instructions for your web browser.  This phish is one of the best we’ve seen.


We cracked open the attached html file “Account_Information” and carefully peaked under the hood.  The entire malicious file was coded in the obscure language called “base64,” adding another layer of deceit.  We used an online base64 decoder to turn it back into html so that we could actually read it and discovered the following…

  1. The file contains several javascripts that direct the browser to do different things.
  2. The file creates a fake webpage identified as “Amazon Seller Central” and pulls in legitimate graphics from the real Amazon.
  3. The fake web page asks the user to sign in with an email address and password and also asks for your mobile number.
  4. Most importantly, the sign-in information collected is sent to a file hidden on a web server at fajarpaper.com. Fajarpaper.com is a cardboard company located in Bekasi, Indonesia


One of our readers sent us these two Apple phishing scams he received within forty minutes of each other.  Both were extremely easy to see through.  The from address alone was a dead give-away and the content contains subtle hints that English is not the sender’s first language.  Would you have been fooled?





And finally in this week’s Phish Nets is this rotten phish disguised as a PayPal email.  The email was sent from an address in the Netherlands (.nl = Netherlands country code)  “Important: Temporarily unable to load your account.”  This phish is good!  The link points to a hacked website that offers a secure https connection.  We’ve notified the site owner.

Now delete.



YOUR MONEY:  Watch the Video…

We see an increasing number of malicious emails using social engineering to trick people into clicking what they believe is a link to some shocking, amazing or otherwise important video.  So we thought we would use “watch the video” as this week’s theme in our Your Money section.  Enjoy!

Urgent message.. How to “BulletProof Your Home.  “Hey, What you’’’’’’’’re about to discover here, contradicts everything you’’’’’’’’ve ever known about protecting your home and family….”  Read the full email for a laugh. It ends with “Watch this video now and stay safe!”  Our new friend, dev thakur from India registered the site on the same day and the bottom of the email contains the Danville, VA opt-out address.  ‘nuf said.


Dev Thakur has been very busy!  Did you know that “1 IN 3 ADULTS HAVE THIS… DO YOU?”  Of course there’s a shocking video dear dev wants you to watch so you can learn how to get control of your blood pressure.  Imagine what your blood pressure will be after you infect your computer with Dev’s malware!  You know what to do.


Of course we can’t leave out our favorite type of “shocking video” email…  “Has Trump gone too far? The shocking statement you wont see on the news…”  “And once you see this shocking video you will understand why.”  You already know who created this email and where the opt-out address is located.  Go Dev!










TOP STORY:   Seeing Through Crap Domains

It is remarkable how much information is contained in the from address of an email and what it reveals if you have a basic understanding of “from.”  We explained this in several articles on our website, such as Where its @ and How to Surf Safely. However, there is another trick criminals use that needs additional attention. Sometimes scammers are clever enough to register domain names that sound authentic or seem to be a legitimate representation of a company/business.  For example, the domain may seem to be familiar because it is trying to pass as the real company name.  Here are a few examples…

Legitimate: apple.com icloud.apple.com login.apple.com 4939240A4300.mail.apple.com

Malicious look alikes: apple.notifications.com apple-support-service.com icloud-login-apple.com apple.co.tr apple.support apple.click apple.icloud-support.com

If you look carefully at the legitimate examples of Apple’s domain you see that the domain always ends in apple.com.  In a from address, the apple.com will be the very last part of the address. Nothing will appear after it.  If we were looking at a link instead of a from address, the apple.com would be near the beginning and be the last thing that you’ll see before the first single forward slash /.  (Remember that we mean the real link as revealed by mousing-over a link to see what shows up in the lower left corner of your window, not what is actually written in an email, post or found on the web page because what is written can be a trick!)

Now look again at the malicious look alikes above.  Though they contain the basic domain name apple you’ll see that none of them ends in apple.com except icloud-login-apple.com.  This is a more complicated malicious domain.  But it is still not just apple.com.

But what about domain names that claim to represent known businesses or seem to be marketing offers?  For example, marketing firms are often hired to represent a business and market special deals or discounts.  In these cases the emails may not come from the domain they represent but might legitimately come from somewhere else.  How can we determine if they are legitimate or a scam just by focusing on the from email address? 

Take this example from samsclubcash-[YOUR EMAIL]@ giftfromsamclub.com.  “Wednesday Gifts = $50 From Sam’s Club” “Sam’s Club Customer Questionnaire”  “Answer the question below to activate your $50 gift card.”  Might this be a promotional item in exchange for an online survey that Sam’s Club is offering through a marketing firm?


Let’s take a closer look at this from address.  samsclubcash-[YOUR EMAIL]@ giftfromsamclub.com  Completely ignore everything that appears in front of the @ symbol when evaluating the legitimacy of an email.  Anyone can write anything in front of the @ symbol.  What follows the @ symbol is important!  giftfromsamclub.com seems like it could represent Sam’s Club but it is odd that it is written as “samclub.”  (The real domain for Sam’s Club is simply samsclub.com.) Details like this matter!  However, to evaluate this domain and see if it is legitimate requires the use of a WHOIS tool. (Watch our video How to Use a WHOIS) There are many WHOIS tools on the Internet that will come up when you use Google to search the word WHOIS.  However, our favorite is http://whois.domaintools.com   Into the WHOIS search field put the domain name that appears after the @ symbol, along with it’s “dot” something, e.g. .com, .info, .org etc.  In this case we enter giftfromsamclub.com.  Looking into the results, find the following information:

  1. Registrant Org: Who registered the domain? Be suspicious if it was registered by an individual, rather than a company/corporation IF the email is supposed to represent a company/corporation.  If it is a foreign name, then be highly suspicious!
  2. Dates: When was this domain registered? The likelyhood of this being a scam domain is very high if the site was registered in the last few months. It is absolutely a scam if registered within the past few days!
  3. Registrant information: Who registered the domain? A corporation or an individual? A foreign sounding name?  From a foreign country?  The REAL samsclub.com was registered by the corporation Wal-Mart Stores, Inc. but giftfromsamclub.com was registered by someone named James Wilson.

How about this next promotional email from costcodollars-[YOUR EMAIL]@ sundaygiveaways.com? Use this WHOIS to look up the domain sundaygiveaways.com and decide for yourself.


Think you’ve got it?  We’ve got a quiz for you!  Use a WHOIS to look up the domains from these email addresses we’ve seen in the last week.  We’ll give you a hint.  Three of them are legitimate and three are scam domains.  Can you tell which is which?  (Answer at the bottom of the newsletter.)

samsclubbonus-[YOUR EMAIL]@ bonusclubnewpoints.top notification+kjdmRdu77kpm21@ facebookmail.com pinbot@ reply.pinterest.com

walgreenspoints-[YOUR EMAIL]@ updatedbonusnewrewards.com rewards-costco-[YOUR EMAIL]@ givingonfriday.com CostcoB2C_C3F2E7B308D1FB83F2F5B8A0D4BA797B5EF9BCDE@ online.costco.com



FOR YOUR SAFETY:  Pharmacy Newsletter Subscription and Your ADP Monthly Bill

We saw these two nearly identical “newsletter confirmation requests” sent just a few hours apart from two different sources and containing links that will send you to two different hacked websites.  Both smell like a rat.  We tried to use several tricks to sleuth what might be waiting for us on each server but came up empty handed.  Can’t be good.

Just delete.






ADP is a big company that offers payroll and HR management resources across the U.S.  Their domain is adp.com.  Take a look at this email sent from  bill@ adpm.com.  “Your ADP monthy bill has been issued and is available for your review.”  ADPM.com  is a domain for sale on the Internet.  This email contains a link that looks like billing.adp.com/files…. But a mouse-over reveals that it points to an ADP-wannabee.  The link points to the domain adp-monthly-billling.com Yes, three “l” in billling.  Look below to see how the Zulu URL Analyzer scored the link in this email.




ON THE LIGHTER SIDE: Your Payment Is Ready for Pickup

The United Nations, federal government AND International Monetary Fund are all working hard to get us $1.5 million dollars!  Wow!  Mr. Morgan tells us that we’re going to get $5,000 on a daily basis through a money gram, no less!  We’re so excited.

From: dsanders@virginbroadband.com.au
Time:  2017-04-05 23:54:59


We have this month of APRIL 2017 received a payment credit instruction from the federal Government and United Nation (UN) to credit your account with your  payment This is to notify you that your funds

$1.5 MILLION (USD) has been programmed for immediate release into your nominated account but we can not transfer this funds directly to your nominated bank account,Because International Monetary Fund (IMF) didn’t abide the plan by transferring the whole payment at once, so we scheduled earlier to pay you $5,000 on daily basis through MONEY GRAM ONLINE CASH.

Your first payment was sent to you through Money Gram $5000 each, HERE is the reference number :(69133972) senders name: Ike

It is available for pick up at Money Gram now .  Contact Mr,Alex Vincent, via his office email


Bear it in mind that you must re_confirm your full information to him such as:

  1. Your full name……………….
  2. Your Country…………………
  3. Your Occupation………………
  4. Your direct mobile phone no……
  5. Your Age & Sex……………….
  6. Copy of your ID.

Congratulation In Advance
Best Regard
Mr,Brent Morgan.

Answers to Crap Domain Quiz Above:

Scam   samsclubbonus-[YOUR EMAIL]@bonusclubnewpoints.top
Legit    notification+kjdmRdu77kpm21@facebookmail.com
Legit    pinbot@reply.pinterest.com
Scam   walgreenspoints-[YOUR EMAIL]@updatedbonusnewrewards.com
Scam   rewards-costco-[YOUR EMAIL]@givingonfriday.com
Legit    CostcoB2C_C3F2E7B308D1FB83F2F5B8A0D4BA797B5EF9BCDE@online.costco.com

NOTE: In the last example, online.costco.com, “online” is a subdomain separated from the domain “costco” by a period.

Until next week, surf safely!