April 17, 2019


We have long been advocates for privacy and have tried to bring attention to consumer products that are unexpected invasions of our right to privacy.  Last week, major news broke about the serious invasion of privacy associated with a smart product used by millions of people, including some of our own friends and family.  Amazon’s “smart” speaker/microphone called Echo does much more than just listen and wait for you to say “hey Alexa, what’s the weather today?” It has been revealed that Amazon employs nearly a thousand workers from Boston to Costa Rica, India and Romania specifically to listen to people’s conversations with Alexa.  But sometimes “Alexa” thinks it hears its name even when you don’t call it and so it turns on, listening and recording the sounds in your home. Amazon says they make this effort to improve the capabilities of the device to understand language. We say no thanks! Smart phones, fitbits, and other i-devices have already stripped so much away from the privacy in our lives, the last thing we would want to do is put a company’s microphone in our home for their listening pleasure. (Imagine the possible abuse of this device?) In case you missed it, here are three links to this news:




If you want to expand your understanding how our devices have stripped away the privacy of our lives for marketing and other nefarious purposes, watch these two TED talks. And note that these were created in 2015 and 2017, respectively.  Privacy protection is no better today in 2019. It is worse!

  The Future of Your Personal Data – Privacy vs Monetization by Stuart Lacey

  How Data Brokers Sold My Identity by Madhumita Murjia

Also, back in January, 2017 one of our Top Stories was titled “You Think Your Life Is Private?”  Check it out!  You’ll be surprised by what you read!

Some of our readers have been telling us that they’ve been seeing malicious clickbait disguised as “crack the egg” surprises from Amazon. The links in this “crack the egg” redirect to a website that is blacklisted by security service McAfee called phllyscks[.]com.  As we get closer to Easter it makes perfect sense that criminals are using Easter themes to generate a click to their malware. Stay away from these eggs!






Phish NETS: Amazon, Chase Bank, Cox Email and Webmail

Support[.]net is definitely NOT the same as Amazon.com.  But the criminals who sent this phish are hoping you won’t notice that.  “Fraudulent Activity on your Amazon Card Ending” Ending in what? Just one of many red flags!  “Click here” points to an online shortening service. But look at the mimic login page waiting for you at the other end of that bogus link!





Fortunately, this email claiming to represent Amazon.com, sent to us by a TDS reader, is VERY lame and easy to spot as fraudulent by the sender’s email address. (We only have the Header information.)



Chase Bank card holders are getting hammered lately by phishing emails such as the two below.  And both correctly spoofed the FROM address to look like chase.com. We believe that both of these were created by the same professional and very active cybercriminal gang based on the design, build and free web-hosting service used to create the phishing login page.  In past newsletters we’ve pointed out that a cybercriminal gang very likely uses automated software to create directories on hacked or misused servers. The software makes random combinations of two words, often separated by a hyphen. Take a close look at the subdomains created in these phishing links: plumate-alcohol and relocated-make.  Fortunately, the first email has so many errors in it that it is easy to spot as fraudulent even if you didn’t think to look at the link revealed by mousing-over www.Chase.com.



Here is another phish targeting Cox account holders.  Thankfully, there are sooooo many red flags with this email using the subject line “Regarding Your Information Verification.”




And finally, another webmail phish.  People who own/operate websites often use generic webmail accounts to receive email through their website provider.  This phish is targeting those people. It was sent to us by a TDS reader who, unfortunately, didn’t capture the link destination so we don’t know where it will send you.  However, here’s why we know it is a phishing scam:

  1. We count 3 grammatical or capitalization errors
  2. No email service will tell you that “all your email data will be lost permanently” (Every email service provider makes backup files to guard against this loss.)
  3. No email service will say “if you do not cancel this request your account will be shutdown shortly.”  Number 2 and 3 are just forms of behavior engineering meant to get a response by raising your anxiety.  
  4. Were this a REAL notification you would not see “This email is meant for: Account User.”  You would be identified by name!




YOUR MONEY:  Clickbait – Bizarre Claims & Consumer Products

Clickbait has been around since the early days of the Internet when content providers and others figured out that certain tricks and content are more likely to manipulate people into clicking a link.  When we refer to clickbait, we mean malicious clickbait! Cybercriminals employ dozens of tricks to manipulate your clicking behavior, from the bizarre and lame to the subtle and sophisticated.  Here’s a look at some of these tricks that seem to be about a product to be purchased.

Let’s start with this lame sexual potency enhancer.  We rarely publish content that is beyond PG-13 because we hope that teachers will use our content to teach young Internet users how to recognize online threats and reduce their risks.  But we’ll make this exception… This email appears to be from victoriassecret.com and yet includes the subject line “Get Auto Warranty Coverage today!” However, opening the email shows content claiming to help men become a little more….manly.  And all the links point to the link shortening service at Ow.ly, meaning that you have no idea where on the Internet you’ll be sent. This email is about as limp as they get.



Also, under the category of “that’s just ridiculous” and “a pack of lies” is this email pretending to hawk the dietary supplement product called “Ketofuel.” It shows “before” and “after” pictures that will have you shaking your head in disbelief.  (If, however, you believe those before and after pics, please contact us immediately because we have land to sell you in Atlantis!) By the way, you know these idiots are lying like dogs when they send an email from another country and use little tricks in their subject line to try to sneak past anti-spam servers.  “Rapid FatLossss Every 3Daysss.”  It is worth noting that the Mayo Clinic, a very well respected source of medical information, says that losing more than one or two pounds of weight in a week is unhealthy.  This bogus malicious clickbait claims that these people lost a pound a day for 90 days!  That’s more than triple the healthy and recommended weight loss regimen.

Click me! Click me!



Our next malicious clickbait may not seem so outrageous given the increasing popularity and use of marijuana products.  Many actually hail the health benefits of CBD oil, made from cannabis. But would you want to put it in your coffee? Users of CBD oil tell us that it tastes awful, so this email may seem plausible but far-fetched.  However, why would it come from the real store called Party City? It wouldn’t. This is just another form of malicious social engineering.



And finally, our last bit of malicious clickbait is an email advertising a legitimate product using stolen graphics.  The email claims to represent the product MagicPad. If you look carefully at the FROM address and where the links point, you’ll notice that it is not for the legitimate domain, which can easily be found online.  The domain used is gooatda[.]world and it is clearly identifiable as malicious, as you can see below.






TOP STORY: Telltale Signs of Scammer Email Addresses

If you know what to look for in the details, there are many ways to spot suspicious and fraudulent emails just by looking at the FROM and REPLY-TO addresses.  Here are some quick tips:

  1. Scammers very frequently email you from one address, but then either ask you to respond to a different email address OR embed a different email address in a “reply-to” field that you may not even notice. (Compare this to emails sent to you by friends and legitimate associates and you’ll RARELY see this.)
  2. Country codes!  Learning to recognize country codes in email addresses can help you evaluate the authenticity of the sender, or at least know that this person is using a server from another country.  For example, this information can be critically important to evaluate if someone is who he says he is. (See example below.)
  3. The format of email addresses allow people to list a name in front of the actual email address.  In most instances, the names in front match, or are easily related to, the name in front of the “@” symbol.  For example: “John Smith” <jsmitty34 @ gmail.com> as opposed to “Clarice Ebson” <michaelr @ yahoo.com> (The second email address is so mismatched that it is obviously fraudulent.)
  4. The domain name that follows the “@” symbol can be critically important to separate truth from falsehood.  Though “Tom Smith” <tomsmith666 @ gmail.com> may not help you separate fact from fiction, this next email address should obviously reveal that it is fraudulent: “American Express Alerts” <amex-alert @ support.net>  The domain after the “@” symbol SHOULD be americanexpress.com!
  5. Criminals create email accounts with free email services and use official-sounding names that they hope will trick recipients into thinking the email is something it is not.  No matter what letters/characters come in front of “@gmail.com” it is just a free Gmail address! Here are a few real examples from scams we’ve documented:
    1. recruitment.alphagraphicsinc “@” gmail.com (Sender claimed to work in HR dept. of a graphics company.)
    2. lisadonohue.synacor “@” gmail.com (“Lisa” claimed to be an employee of Synacor.)
    3. hiringdesk30 “@” gmail.com AND hireforspring2018 “@” gmail.com
    4. bestjobsforfall “@” gmail.com and workforus2019 “@” gmail.com

Let’s take a look at a few examples of subterfuge.  Our first two examples meet three of the five criteria above.



In this next example, “Neivia Oberg” sends an email but “francy” appears in front of the “@” symbol, a mismatch of names.  This encouraged us to open the HEADER information to look more closely at it and discovered that the “reply-to” address is a different email address (at Yahoo).  


This next example was very poorly done.  A scammer was posing as a job recruiter and created the email address 247virtualhelper “@” gmail.com.  But he misspelled “Canada” in the subject line!

Our final example contains a very malicious link intended to infect computers with malware.  What we want readers to see is that cybercriminals use software that will send their landmines out automatically to a group of emails in alphabetical order, as they appear in the cybercriminal’s email database.  Sadly, this is the “gift that keeps on giving.” Once your email is collected by these bastards and entered into their database, it will be a lifetime of email threats. Our best hope is that the anti-spam and anti-malware software used by email providers is enough to weed out most or all of these scams and threats.  Unfortunately, we hear from Cox Communications email account holders that Cox does a very poor job of removing these threats. Time for a new email provider.


FOR YOUR SAFETY: Surveys with Malicious Intent

Almost every survey we have ever come across in the last five years has been malicious clickbait or phishing scams meant to gather important personal information that can be monetized by the scammers.  And when we do see a rare legitimate survey we have made two important observations:

  1. Legitimate surveys don’t offer to pay $50 – $200.  (For example, we’ve seen real surveys offer a $10-$15 gift card.)
  2. Legitimate surveys will have verifiable contact information that usually includes a phone number and business name that can be contacted.

However, we’ve seen so few marketing surveys that are legitimate, it begs the question… why take the risk?  Below are a few malicious clickbait and phishing surveys to remind our readers what they should avoid. We especially loved the “customer reviews” in the Amazon survey, such as “James K.” who gives a 5-star review and says “Taking these surveys is fun!”  We think James K.’s life must be pretty lame.

Until next week, surf safely!