April 25, 2018

THE WEEK IN REVIEW

Last week our Top Story focused on malicious emails using the top-level domain (TLD) DOT-faith.  We have also often reminded readers how untrustworthy “online surveys” can be (even “legitimate” marketing surveys!).  So here’s a double whammy: an email inviting you to take a short survey to save money on a quote for roofing work.  The links point to the junk domain tyohhj-DOT-faith.  You can see many of the other signs of malicious intent that we have covered before.  The criminals break up certain words in the subject line so they won’t be matched by anti-spam filters; look what they did with the word “Save.”  We also found a lot of hidden white-on-white text in the big blank space at the bottom of the email.  And the pièce de résistance is what you’ll discover if you look up this domain in WHOIS: it was registered the same day the email was sent, by a “Carol Kaufmann” who listed a street address on a road that doesn’t exist in Pennsylvania, her supposed home state, and a contact email at Yandex.com, a popular Russian email service.  **sigh**

It is so very important to look carefully at the emails, texts, posts and messages we receive on our phones, in social media and in email.  One of our readers told us she received a scam email designed to look like a coupon from Bath & Body Works, but it came from the domain bathandbodyy[.]bid, not bathandbodyworks.com.  As our reader’s report shows, we continue to see lots of malicious emails disguised as well-known commercial products and services.


Phish NETS: Rackspace Support Ticket and UK Vehicle Tax Refund

In this week’s Phish Nets we have two very unusual phish to report!  The first came to us from the Director of Technology at a Massachusetts school.  Her school uses Rackspace, which offers dedicated and managed cloud computing services.  Check out this email she received…

This was a very professionally crafted scam!  The From address was spoofed to look like it came from Rackspace.com.  She was sharp enough to catch the discrepancy revealed by mousing over the link “view ticket details”: it pointed to a Twitter-shortened link.  We unshortened that link (following the redirect ourselves rather than opening it in a browser) and found that it lands on a domain registered under the European Union’s .eu TLD.  Keep in mind that a TLD tells you which registry issued the name, not where the server actually sits.  The domain is:

myaccount[.]httpslinks[.]eu

Another of our readers, in the UK, sent us this gem: a FINAL REQUEST from the Driver & Vehicle Licensing Agency (DVLA) about a refund of an outstanding overpayment made to the agency.  Look VERY CLOSELY at the link revealed by mousing over “Get Started.”  Can you figure out the REAL domain in that link?


The criminals tried very hard to obfuscate the real domain.  There are actually four subdomains IN FRONT OF the real domain, and one of them consists of six hyphenated words or abbreviations.  Read the hostname from the right: the public suffix is .org.uk (the UK country code with .org underneath it), so the registrable domain is bestbettingwebsites[.]org[.]uk, and everything to its left was chosen by whoever registered that name.  We can imagine our UK readers shouting loudly at these scammers to bugger off!


YOUR MONEY: Pet’s Vet Care and Magic Bax Lift Earrings

Many of us have pets, and purchasing pet health insurance may be a reasonable idea.  One such insurer is PetFirst.  But this email does not come from them, though the sender wants you to believe otherwise.  Focus your attention on the From address: PetFirst.com “@” btgsvc-DOT-stream.  The only part that matters is what follows the “@” symbol; anything in front of it is just text the sender chose.  There we see a crap domain, again.  This is just click-bait leading to malicious content.

A big, fat delete!

Once you recognize top-level domains and notice the ones that are routinely misused by criminals, it becomes easy to spot them.  We’ve already talked about the misuse of the TLD DOT-faith.  Now it seems there is a rise in the misuse of DOT-stream!  Notice this bogus email below claiming to be for the product known as Magic Bax earring lifters.  It is more malicious click-bait, identical in design and layout to the email above.

Deeeeleete!
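As an added example (this is not code from the newsletter), here is a small Python script that does the domain-reading exercise from the Rackspace, DVLA and PetFirst emails programmatically: it pulls the registrable domain out of a link or a From address regardless of how many subdomains, userinfo tricks or display names sit in front of it, resolves a shortened link one redirect hop at a time without loading the page, and flags the TLDs this issue has called out.  The public-suffix subset, the TLD watchlist, the redirect table and the DVLA-style hostname are constructed for illustration; only the domains themselves come from the newsletter.

```python
"""
Added example (not from the newsletter): find the registrable domain behind
a link or a From: address, flag watchlisted TLDs, and unshorten a link hop by
hop without rendering anything in a browser.
"""
import urllib.error
import urllib.request
from email.utils import parseaddr
from urllib.parse import urljoin, urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org): suffixes with
# more than one label, where "the last two labels" is NOT the registrable domain.
MULTI_LABEL_SUFFIXES = {"org.uk", "co.uk", "gov.uk", "ac.uk", "com.au", "co.nz"}

# TLDs flagged in this and last week's issues; a working watchlist would be longer.
WATCHLIST_TLDS = {"faith", "stream", "bid"}


def registrable_domain(host: str) -> str:
    """'a.b.example.org.uk' -> 'example.org.uk'; 'my.example.eu' -> 'example.eu'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_from_url(url: str) -> str:
    """Registrable domain of a link. .hostname drops scheme, userinfo and port, so
    'https://rackspace.com@evil.example/' resolves to evil.example, not rackspace.com."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return registrable_domain(parts.hostname or "")


def domain_from_sender(from_header: str) -> str:
    """Registrable domain of a From: header. Only what follows the last '@' identifies
    the sending domain; the display name and the local part are free text."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return registrable_domain(addr.rsplit("@", 1)[1])


def assess(domain: str) -> dict:
    """Flag a domain whose TLD is on the watchlist."""
    tld = domain.rsplit(".", 1)[-1]
    return {"domain": domain, "tld": tld, "watchlisted": tld in WATCHLIST_TLDS}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; urllib then raises HTTPError for the 3xx


def http_location(url: str, timeout: float = 10.0):
    """One HEAD request with no redirect following. Returns the Location header or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def unshorten(url: str, lookup=http_location, max_hops: int = 10) -> list:
    """Walk a shortener's redirect chain hop by hop, capped and loop-safe. `lookup`
    is injectable so the chain can be resolved offline from a recorded table."""
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:               # redirect loop
            break
        chain.append(nxt)
    return chain


# Constructed redirect table standing in for the live t.co hop; the path and the
# landing URL are illustrative, only the landing domain comes from the newsletter.
CONSTRUCTED_HOPS = {
    "https://t.co/abc123": "https://myaccount.httpslinks.eu/ticket",
    "https://myaccount.httpslinks.eu/ticket": None,
}

if __name__ == "__main__":
    # Hostname constructed to mimic the DVLA phish (four subdomains, one of them six
    # hyphenated words); only bestbettingwebsites.org.uk is from the newsletter.
    dvla = "https://www.dvla-gov-uk-refund-get-started.secure.account.bestbettingwebsites.org.uk/go"
    print(assess(domain_from_url(dvla)))
    print(assess(domain_from_sender("PetFirst.com@btgsvc.stream")))
    print(assess(domain_from_sender('"Bath & Body Works" <deals@bathandbodyy.bid>')))
    print(unshorten("https://t.co/abc123", lookup=CONSTRUCTED_HOPS.get))
```

Two design points worth noting: the script uses a HEAD request and refuses redirects so that the shortener's target is read from the Location header without ever fetching the landing page, and the registrable domain is computed from a public-suffix table rather than by "taking the last two labels", which is exactly the mistake the DVLA link was built to exploit.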


TOP STORY: Shades of Instagram

During the past week we investigated several suspicious websites related to Instagram, along with some interesting stories about it.  We were reminded that Facebook bought Instagram in 2012.  Facebook has been all over the news recently for its misuse of people’s personal information, its failure to protect users from malicious content, and its inability to keep foreign actors from using the platform to influence our electoral process.  Nor does it enforce any standard to prevent the posting of lies and misleading information.  It stands to reason that those of us who use Instagram should use it with caution and think carefully about the kind of personal information we post.  For example, it is never a good idea to post your birth date or phone number.  Keep a healthy dose of skepticism when you see ads, shares and other people’s accounts.  Equally important, do you have teens or younger children using Instagram?  Teach them!  Go over this article with them!


Some Instagram users think their accounts are set to private but overlook two critical points.  One, Facebook has been notorious for changing its privacy settings and terms of service during the year, and these changes have sometimes made private accounts more public, or even completely public.  Two, if you comment on, share or post something to a friend’s account and that account is public, your comment, share or post is public too!  And let’s not forget the many websites that claim to scrape Instagram and offer visitors links to what they find.  In a recent Google search we located eleven of these “Instagram viewer” websites.  Some felt extremely sleazy, and we’ve marked those with question marks below.  In our short test, others worked as promised, finding content posted by people whose accounts we were told are “private.”  We do not recommend using any of them, but we list them here, with a few screenshots below, so our readers know they exist:

16gram[.]com ??
Instaspy[.]net ?
Instaviewer[.]ru (.ru = Russia) ???
Jolygram[.]com
Mystalk[.]com ?
Picbear[.]club ?
Pictame[.]com ?
Pikdo[.]com ?
Piknu[.]com ?
snap361[.]com
vibbi[.]com/viewer


Scams abound on Instagram, such as the well-known “money flip.”  It has been around for at least five years, and as crazy as it sounds, people still fall for it; it targets users of both Instagram and Facebook.  Here are several YouTube videos that describe it and ways to detect it:

https://www.youtube.com/watch?v=OihMo1Crc9k

https://www.youtube.com/watch?v=GSWK1_xFABU

https://www.youtube.com/watch?v=lWvtbtBjckk

Another common scam is criminals creating fake accounts that look like they represent legitimate businesses.  For example, there have been hundreds of phony iPhone X giveaways!  These fake accounts offer giveaways and coupons in exchange for likes, followers and, most importantly, personal information.  The likes and followers draw more attention to the phony accounts, and the personal information is monetized: it may let the scammer get into the victim’s Instagram account to target his or her friends and family, or otherwise compromise personal security.  It also marks the victim as gullible and a good target for another scam later.  Here are a couple of links to articles describing how to identify fake giveaway accounts, plus a scam alert from January 2018 about phony Lululemon and Zara giveaways:

https://vinazine.com/2017/08/17/how-to-tell-if-an-instagram-giveaway-is-legit/

https://fleetstreetmag.com/fashion/instagram-scam-lululemon-zara/

And while we’re on the topic of “fake,” we want to point out how easy it is to buy fake likes and followers on Instagram.  This has become so simple that dozens of websites routinely advertise the service, such as Famoid.com.  There are even vending machines in Russia and Eastern Europe that let you instantly buy likes and followers for your Instagram account: put in the equivalent of about $2 and voilà, 200 more followers!  (See CNET’s article about this vending machine, or the YouTube video showing how to use it.)  So the next time you see someone with thousands of likes on a photo or thousands of followers, be skeptical.  It doesn’t mean it is real!  Scammers often use this trick when they create fake celebrity accounts, to make them appear legitimate.  If 35,689 people are following an account, the account feels more credible.

This article titled “The Biggest Instagram Scams of 2017” is an interesting read.  At the bottom of it, a commenter named Rodway claimed to have found more than 30 accounts in the previous month impersonating Prince Harry of the British Royal Family.  All of them asked for donations to his mother’s charities, such as feeding starving children in Africa.  There is another good article about Instagram scams at Scam-Detector.com.  As in all things online, deception is routine and surprisingly simple to execute.


FOR YOUR SAFETY: Call Apple Help Desk Immediately and View Message

One of our readers contacted us a few days ago to report that she got hit with a fake redirect and pop-up after a Google search for Amazon on April 21.  She clicked the top (non-ad) result.  She was urged to call the “Apple Help Desk Immediately” because of her “firewall detecting ‘suspicious’ incoming network connections…”  But the phone number is not Apple’s.  By April 22, 2018, at least ten people had marked that phone number as “unsafe” on Callername.com.  Look at the scare tactics in the pop-up.

It is complete crap!

This really short email is another landmine: “View message.”  It came under a name known to the recipient, but from an unknown email address.  It is another one of those emails from friends and acquaintances that we call “From Hell.”  You can see from the Zulu URL Risk Analyzer that there is no ambiguity here.

100% malicious link!

Until next week, surf safely!