April 20, 2016


In our last newsletter we reported a noticeable drop in scams and spam at the end of the week. Sadly it didn’t last long. This past week has been the usual deluge and in that deluge we’ve seen an increase in malicious emails targeting people by first name or job function. There was also an increase in malicious emails from people you may recognize but coming from different email domains as the criminals use addresses pulled from hacked accounts. The subject lines are often “hi” or “hi” followed by your name…



We also saw emails that specficially targeted women. First was this strange “membership application approved” email sent from friendlyair.com. THIS NETWORK IS FOR WOMEN ONLY it states. But the email was sent to a man’s email account. (To an obvious male name.) We don’t know if this is a scam or just spam but it is very suspicious. Google can neither find any website to display for friendlyair.com, nor anything about “Electronic Marketing Group” in Lakewood, CO.

2-For Women Only


The second email was also sent to a man’s email account and came, once again (**sigh**), from the International Women’s Leadership Association (IWLA). We have written about their spam tactics many times before and questioned the value of joining their organization. Read our Top Story from December 16, 2015. As long as they continue to spam men, or make deceptive and meaningless remarks like “…in consideration of your contribution to family, career, and community; You have been selected as a woman of outstanding leadership,” we will continue to raise questions about them.

3-You have been selected as a woman[hr_invisible]

Notice that the email doesn’t identify the recipient.

Sample Scam Subject Lines:

A secret of gargantuan proportions!

Are you ready for a new car?

Business Card

Check-Out.. The Latest Cable and Internet Package–Offers

Daily Revenue Statement for April 11

Easy Travel – With Private Jets


Find Deals on Mediterranean Cruises

Full Service Oil-Change Coupons

Online Will and Trust Services

Nutty Mom is Angering Doctors Across The Country With Her Trick

Problems with item deliver n.0003486794

Search Options for Burial Insurance


Sample Scam Email Addresses:






















Phish NETS: USAA Bank and Verify Your Email

As is the case with most phishing emails, this phish is easy to reveal if you look at either the sender’s email address or the link revealed by mousing over the https link to USAA.com. In this case, both are bogus. The email comes from Computer@computer.com and a mouse-over reveals that the link https://www.usaa.com….etc. actually points to a website for a cleaning business in Mexico (.mx) called chrisalim.com.mx. The website has been hacked. The email includes some subtle, and obvious, grammar errors… “Your Account has temporarily suspend”

Just delete!




Our next phishing email was intended for webmail users and came from a bogus or hacked account at UVMnet.edu (University of Vermont). “VERIFY YOUR EMAIL” …You have exceeded your 1GB storage limit on your mailbox… However, the very visible link points to watch00.eu.pn. Can you guess what country this link leads to? Answer below….

Now delete.


(.pn is the 2-letter country code for the Pitcairn Islands. We didn’t know either and had to look it up.)











Your Money: Bed Bath & Beyond Voucher, Amazon Launches Gift Card Giveaway, and Compare Airline Ticket Discounts

Your voucher is ready to print. Thanks for coming by. Please enjoy this gift on us. Just bring this into any store… Would you believe these lines? The email seems very convincing. They are saying all the right things. Even the domain name looks like it belongs: bathbodygiftcenter.com. But this domain was registered by someone named Judy Santiago from Alexandria, Louisiana on the day this email came out. “Judy” has been busy. Last week we showed readers that “Judy” had registered a scam disguised as an Olive Garden coupon.




How about this email asking you to claim your Amazon rewards? Are you ready for the extra deals and savings at Amazon? At least this one came from, and points to, a bizarre website domain gclothe.top. Makes our job easier!


7-Amazon launches giftcard give away


Finally, we wanted to caution our readers against believing emails that appear to be marketing pitches designed to help consumers make choices. Like this email from CheapAirfare@neonet.top. “Compare Ticket Discounts- Business Class Airline Ticket Comparison” Long-time readers will recognize the fake marketing company used in the email called “Lemon Juice.” And there is the hidden white text against the white background meant to fool antispam servers, a standard scammer tactic. And, as expected, the domain neonet.top was registered using Alpnames on the day the email was sent. (Alpnames is a legitimate company but sure seems to be making a lot of money from criminal behavior. Do you think they know it or try to do anything to stop it?) And finally, according to Virustotal.com, the service CloudStat has identified the domain neonet.top as malicious.













TOP STORY: Comment Spam Targets Teachers

Comment Spam refers to the significant problem of spambots (or spammers themselves) dumping thousands of bogus comments into the comment fields of websites around the world. These comments are sometimes fly-by-night, questionable companies trying to generate business or drive traffic to their websites. Most of the time comment spam is simply meant to place malicious links onto websites that ultimately lead to a computer infection or a scam. Take a look at this April 9, 2015 article posted on a legitimate tourist website in St. Louis, Missouri called The Gateway Arch.  Scroll down a few inches and you’ll see what we mean. During our recent visit we found 1,952 comments posted from the “Leave a Comment” form and almost all of them are malicious comment spam. (Dear Readers, we would never put you at risk by providing live malicious links. Though The Gateway Arch website obviously doesn’t monitor the comments posted, or seem to care what is posted, all comment links are automatically stripped of their links, leaving the spambot’s posts as plain text on the page.)

Here is a simple example of one such link that looks quite innocent from someone identified as “Chara” but using the email address jayden.croft@gawab.com. Gawab used to be a free email service out of the Middle East. It was heavily abused as a source of spam and shut down at least 2 years ago, as far as we can tell. Someone should tell Jayden that…



The link “Chara” left is malicious. The comment she/he left is also completely irrelevant to the blog’s purpose. Here’s another comment spam that appears to be a business proposal from “Natalie” offering to improve the website owner’s blog and make it very popular.   “She” offers information about a free service that will do this, first with a link to a website in Germany (2-letter country code = .de meaning Deutschland) and later with a link to a website in Columbia (2-letter country code = .co).




If you read the email again carefully you’ll notice that you get no idea what the blog is about. There is no information in Natalie’s post that actually identifies or references the site she offers to help. But she says that “your site has the potential to become very popular.” This spambot post could have been dropped into the comment form of any blog! And what about those links Natalie offered? Are they helpful? We asked the Zulu URL Risk Analyzer about the Columbian link. Somehow it takes you to a webserver back in Germany that hosts malware. 100% malicious!





So what does comment spam have to do with teachers and teaching? Unfortunately plenty. Schools and teachers are using blogs more than ever for educational purposes with students, and for great reasons! Such is the case for a U.S. History blog site offered through the free blogging service WordPress.com. But educators need to beware and be savvy or comments like this will turn their blogs into computer landmines…

12-US History WP comment spam



The strange comment “I guess that was obviously from a non-PR person…” has nothing to do with the U.S. History blog. The accompanying link left by “AlvaRiggs92798” points to a strange website in India (2-letter country code = .in) This is all a solid argument why educators should never, in our opinion, allow comments to be made live to their blog sites. Comments should always wait for administrator moderation to allow, or trash or mark as spam. There are many tools available, some free and some not, to help you avoid the spambot attacks and keep your site clean without being bothered every 30 minutes by another malicious post. We can highly recommend a WordPress plugin called CleanTalk,  but there are many others as well.

In our article My Hacked Website Costs You Money and No One Cares  we show more examples of comment spam pushing fake products like Louis Vuitton and Prada bags.



FOR YOUR SAFETY: Congratulations You Qualified, Download – Preview Contract, and Play Online Casino

Hey, I’m excited to let you know that you qualified for exclusive access… “Complimentary Download Here” Just click that link and kiss your computer goodbye! We’ve been telling readers about these particular malicious scams for a couple of weeks now and they keep coming. They use the domain name subscriber-manage-### (some numbers).

Just delete and be glad you dodged a bullet!



How about this email from Gymnastguy22@aol.com? “I tried sending you some important documents through attachments but it says files are too large, so I had to re-send using GoogleShare…” But that View and Download link don’t lead to Google at all. They lead to malware on a hacked website called blackwoodautoinsurance.com. VirusTotal tells us that this poor insurance company’s website has been hosting lots of malware recently. VirusTotal lists six security sites that have identified their website as hosting malware.






Isn’t online gambling illegal in the United States? No matter…. We have an invitation to register with an online casino called Fortuna! 100% welcome bonus on your first deposit! (Whatever that means.) The email came from a very strange address in Italy (2-letter country code = .it) and contains another odd link to a design site in Russia called “eyelash.” How about the link provided to linkzip.net? According to the Zulu URL Risk Analyzer it is 100% malcious. We’ll let this go and just play cards using our monopoly money. And now we all say…









ON THE LIGHTER SIDE: Christians and Jews Shocked!

OMG! This recently anonymously uploaded video has caused a tsunami of shock and outrage… …direct proof how members of our government are nothing but puppets on a string to some of the richest and most powerful men in America!




Finally, we have proof!

Until next week, surf safely!