April 3, 2019


We have long believed that at least one of the sophisticated criminal gangs that target us with malicious clickbait has created software to help them automate their work. One reason we believe this is that we often see domain names or web directories that appear to be created from two random words in the English dictionary. Sometimes they are hyphenated and sometimes not. But we have to laugh sometimes when we see words used in their automated file structure that make no sense. Look at the two random words that appear in the revealed URL link as the final folder into this hacked web server. Would any legitimate web developer name a folder “Dismally Autopsies”? Especially for a “Windows Survey” to “slash your energy bills”? You can greatly reduce your online risks by paying attention to details!



Last week we published a Top Story called Sextortion on the Rise. A few days later we were contacted by a friend who received the following series of extortion texts from an unknown number. In the interest of space, we consolidated them all into one text. Essentially, the sender claimed to have installed malware that captured embarrassing video/sound files, etc., and threatened to expose them if the woman didn’t pay money. The entire text series was phony-baloney.





Phish NETS: American Express, Wells Fargo, SunTrust Bank and USPS

They are back with a vengeance! We received many sample phishing scams from TDS readers last week. Let’s start with this American Express “Final Warning : Fraud Attempts on your American Express Card.” It came from the domain “suddentlink[.]net.” The linked phrase “Click here to verify your account info” points to a hacked import/export service business based in Saudi Arabia. Check out the screenshot of the phishing page set up by the criminals, below. It looks VERY authentic!



Next are two emails that claim to represent Wells Fargo Bank.  The first correctly spoofed the “from” address to look like it came from wellsfargo.com. The criminals set up a phishing page (again) on the free hosting service called 000webhost.com.  Can you find the grammar error in the text of this phish? That should always make recipients suspicious!  The second Wells Fargo phish had the link point to a link shortening service called u.to.



Next is a phishing scam that was created by the same criminals who created the American Express phish above.  It also was sent from the domain suddenlink[.]net.  The link for “View your account” points to a server in the Netherlands!  (“.nl” is the 2-letter country code for the Netherlands.)

And finally, in this week’s phishing column comes this email allegedly from the United States Postal Service, except that it was sent from shortcake20 “@” att.net. At first glance, we thought it was malicious clickbait aimed at infecting your computer with malware. However, according to Kaspersky, the link “View Details” points to a known phishing site in Ukraine! (See below.) “.ua” is the 2-letter country code for Ukraine and the domain is “promus[.]com[.]ua.”

Another big, fat deeeleeeete!




YOUR MONEY:  The Clever Reach of Spam

This week we’re going to depart from the usual collection of malicious clickbait emails to talk about unwanted, unsolicited email advertisements we all call SPAM.  Beginning on March 26, our personal email accounts were spammed by an email marketing company called Clever Reach. Clever Reach, founded in 2007, claims to have over 200,000 customers worldwide from more than 100 countries and sends more than two million emails each month.  We never agreed to receive their solicitations and, quite honestly, we initially thought their solicitations were malicious clickbait because they presented with many of the same clues, features and designs as the malicious clickbait we routinely see. Take a look at what we mean…

“Wow — check the rates on 15-year fixed mortgages” says this email that was sent from the domain purevoltagegame[.]com even though the email says that it was “Powered by Lendingtree.”  That purely electrical domain name was registered privately 2 months before this email was sent.  But Lendingtree.com, on the other hand, was registered in 1998 to Lending Tree LLC.  All links in this spam point to the domain cleverreach[.]com.



Below are more of these emails. They come from the same source, purevoltagegame[.]com, with links back to the same marketing campaign number at CleverReach[.]com: “Got skin tags? Remove them without surgery,” “Can Coffee Cure You? This new Shark Tank product has the medical world asking…” and “Low Monthly Payments” about auto repair policies. We evaluated these emails for malicious intent but found none… yet. However, we NEVER clicked the links themselves. The email above for Refi Rate Advisor does, in fact, redirect from cleverreach[.]com to refirateadvisor[.]com. But we found all of these spam emails to be very suspicious for several reasons….

  1. Their design and presentation are identical to known malicious emails we’ve written about for more than a year.
  2. The same marketing account using the service CleverReach.com sent emails that cover very different topics, and those topics are often used by criminal gangs pushing malicious clickbait.
  3. Why did the marketing account source use a domain, purevoltagegame[.]com, that was registered just two months ago?  We also received other spam with links to CleverReach.com but the sender’s FROM address was the domain academicteam[.]info.  Like purevoltagegame[.]com, this domain was registered about 2 months ago.

When we evaluate all these factors, this content appears to be unsolicited spam hyperbole at best, or the misuse of a legitimate marketing service by criminals with malicious intent at worst.  Regardless of the real case here, there’s no way we’re going to click any of those links. We’ve reported this content to CleverReach.com as abuse of anti-spam rules. If you get similar emails, forward one to abuse@cleverreach.com and let them know you don’t appreciate this junk either!






TOP STORY: From vs. Reply-To

When you analyze thousands of scam and spam emails, texts, websites, and website advertisements you see patterns and common themes.  One of these patterns concerns the group of scams broadly known as “419 scams.” Most typically, these are the email scams we get when someone reaches out to you to offer money for a wide variety of reasons…

  • She/he is in the army and found boxes of money stashed in Afghanistan but needs your help to get it to the US.
  • She/he is wealthy, is dying but has no heirs and wants your help to donate and distribute money to charities.
  • She/he represents some government agency/entity and is reporting that money was found in your name (or a relative’s name) and wants you to claim it.

Blah, blah, blah… all BS. There are hundreds of variations of these 419 scams, named after the Nigerian penal code from which many originated. Nigeria has a billion-dollar industry of scammers who try to make a living bloodsucking off of the rest of the world. All of these scams are just variations of the advance fee scam. Presumably, in order to get your money, you have to pay fees in advance. Of course, your money never comes but you’ll pay fees until you wake up and realize it is all a scam.

The pattern we have seen for years that is most particular to these scams is that the email address you may receive the scam FROM is almost always different than the REPLY-TO email address (or the address you are asked to contact.) In most instances, you won’t even notice this because the “Reply-to” email is embedded in the header and may not be visible to you, unless you actually see that you are replying to some other address than the one you received the email from. Here are several examples…



Contrast this detail with the emails that you routinely receive and send with friends and family. You get an email from one email address and your reply goes to that same email address! Oftentimes you won’t even see a “reply-to” section in the email header because there is no other distinction made. Your email will reply to the sender. Period.
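The From versus Reply-To comparison described above can be automated when triaging raw messages. This is an added example, not code from the newsletter; the sample messages are constructed and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages; addresses use the reserved .example TLD.
ADVANCE_FEE = (
    'From: "Example Donor" <donor@bulk-relay.example>\n'
    "Reply-To: claims.office@freemail.example\n"
    "Subject: Your unclaimed funds\n\nContact me to claim your money.\n"
)
FRIEND = "From: Pat <pat@family.example>\nSubject: Dinner\n\nSee you at 7.\n"
SAME_BOX = (
    "From: Pat <pat@family.example>\n"
    'Reply-To: "Pat" <PAT@family.example>\n'
    "Subject: Dinner\n\nSee you at 7.\n"
)


def _addresses(msg, header):
    """Lower-cased addresses from every occurrence of a header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _name, addr in pairs if "@" in addr}


def _domain(address):
    return address.rsplit("@", 1)[1]


def check_reply_to(raw_message):
    """Report whether a reply would go somewhere other than the From address."""
    msg = message_from_string(raw_message)
    sender = _addresses(msg, "From")
    reply_to = _addresses(msg, "Reply-To")
    # With no Reply-To header the set is empty and the reply goes to From.
    redirected = reply_to - sender
    sender_domains = {_domain(a) for a in sender}
    return {
        "from": sorted(sender),
        "reply_to": sorted(reply_to),
        "mismatch": bool(redirected),
        # A different domain means a different mail service handles the reply.
        "cross_domain": any(_domain(a) not in sender_domains for a in redirected),
    }


if __name__ == "__main__":
    for name, raw in [("advance-fee", ADVANCE_FEE), ("friend", FRIEND), ("same box", SAME_BOX)]:
        print(name, check_reply_to(raw))
```

Mailing lists and help desks also set Reply-To legitimately, so a mismatch is a reason to look closer rather than a verdict on its own.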

So why do criminals often send email from one address, but have you reply to another? We’re not sure but speculate that it may be because it is much harder to trace their criminal activity if the solicitation takes place via one server and email service, while the actual fraud takes place via another. If you have any ideas about the reason for this criminal behavior, let us know by emailing spoofs@thedailyscam.com! By the way, in that last example above from “Patricia Walker,” who has offered you a sneak peek at how people are earning $267 a day online, the links lead to a website (see screenshot below) at takeachance[.]cf, which is hosted in the Central African Republic (“.cf” is the 2-letter country code for Central African Republic). Of course, it is very common knowledge that citizens of the Central African Republic are all very rich, so this must be why, right? Should we be concerned that the security service McAfee has blacklisted the website takeachance[.]cf? (See below.)

Caveat emptor!




FOR YOUR SAFETY: Outlook Malicious Redirects Again

For months we wrote about “Outlook.com” emails containing redirects to malicious websites. And then these Outlook emails all but dried up. We’re seeing a small resurgence of them, such as the email below with subject line “Your 2019 Transunion, Equifax and Experian Credit-Scores.” If you look carefully at the link revealed by the mouse-over, it appears to point to safelinks.protection.outlook.com. However, embedded and visible in the link itself is a redirect to the random 2-word domain forceparticipation[.]com. It was registered in January, 2019 through a privacy protection proxy service and is being hosted in England. Try practicing your country code skills! Ask yourself what country the 2-letter country code “tr” might refer to. If you guess right, you might win a Thanksgiving bird!
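The embedded redirect described above can be read out of the link without visiting it. This is an added example, not code from the newsletter; it assumes the wrapper carries the destination in a `url=` query parameter, and the sample link and function names are constructed.

```python
from urllib.parse import parse_qs, urlsplit

WRAPPER = "safelinks.protection.outlook.com"

# Constructed link; the destination uses the reserved .example TLD.
WRAPPED = (
    "https://nam01.safelinks.protection.outlook.com/"
    "?url=http%3A%2F%2Frandom-words.example%2Fscores&data=02%7C01&reserved=0"
)


def _is_wrapper(host):
    # Exact host or a true subdomain only; a host that merely starts with
    # the wrapper name (wrapper-name.other.example) is not treated as one.
    return host == WRAPPER or host.endswith("." + WRAPPER)


def unwrap(link, max_depth=5):
    """Return the URL that a wrapped link will redirect to."""
    for _ in range(max_depth):  # bounded in case a wrapper wraps a wrapper
        parts = urlsplit(link)
        if not _is_wrapper((parts.hostname or "").lower()):
            break
        target = parse_qs(parts.query).get("url")
        if not target:
            break  # wrapper host with nothing embedded: leave unchanged
        link = target[0]  # parse_qs has already percent-decoded the value
    return link


def inspect_link(link):
    """Compare the host shown on mouse-over with the real destination host."""
    shown = (urlsplit(link).hostname or "").lower()
    final = (urlsplit(unwrap(link)).hostname or "").lower()
    return {"shown_host": shown, "final_host": final,
            "redirects_elsewhere": shown != final}


if __name__ == "__main__":
    print(inspect_link(WRAPPED))
```

The wrapper host only tells you the link passed through the rewriting service; the reputation and registration date that matter are those of `final_host`.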




Until next week, surf safely!