August 1, 2018


In our July 18 newsletter we wrote about a TDS reader named David who had been receiving very creepy emails for about a year and shared some examples.  This past week another reader shared a similarly odd email she received. This one feels like its purpose was to generate a response from the reader. The “from” address strongly suggests this email isn’t legitimate. Our advice in all of these cases… Never respond.  It just encourages them and confirms that you open them.

Also in two previous newsletters (July 5 and June 27) we reported on sextortion emails that were randomly sent, probably by the tens of thousands, with the hope of getting payment from someone guilty and gullible. They are making the rounds again, but now with a very clever and frightening twist.  The sender claims to show the recipient a password belonging to the recipient. How could the extortionist have this information UNLESS the scammer really does have eyes inside your computer, right? Very cleverly, the scammers have been on the “dark web” and located old stolen password lists.  There are many sites that post and sell them. The recipient of this email told me that the password in the email is not his current password, but a former one. This trick can add to the intimidation of the threat, especially if the recipient has been looking at online porn. Sophos wrote about this scam on their Naked Security blog on July 13.  Do you wonder if your password has ever been ‘pwned’ — meaning it was found and posted on the dark web?  Visit “HaveIBeenPwned?” to find out.



Phish NETS: Discover Card and Bank of America

“Suspicious Logon: Your Discover Card has been Locked”  We loved the email address that followed the word “To”! You!  And how about your account number listed in this email?  “My Account Last 4 #: ****”

Though the warning signs are clear that this email didn’t come from Discover Card and the sender hasn’t a clue who “You” are, it still points to a well made phishing site that looks just like but is not!

One of our readers sent us this email.  It is a very lame effort to phish your Bank of America login credentials.  The link is visible and clearly points to a website in South Africa (if you can recognize the 2-letter country code.)  “.za” is the official abbreviation of the Dutch name “Zuid-Afrika.” However, were you to click this link, you’ll find an excellent look-alike for Bank of America.




YOUR MONEY:  Save On Your Mortgage and Theramine for Back Pain

We are very impressed with the effort this criminal gang put into using an unusual mix of characters in the subject line and before the “from” email address to try to keep anti-spam servers from identifying this as spam and blocking it.  But it is exactly this effort that clearly identifies this as malicious! The email appears to come from a domain called sendswim[.]com and the links point to a domain named ideallovely[.]com.  If you’ve been reading our newsletters lately, you’ll recognize that this was created by the gang who use “Two Words In Their Selected” domain. We’re going to call them the TWITS gang for short! Bottom line: This email didn’t come from, nor does it point to, anything to do with FHA loans.  If you were to click the link, you’d be redirected from one website (ideallovely[.]com) to another (aluminumobese[.]com) which is also owned by the TWITS gang!  A survey at this second website is a phishing quiz asking you for LOTS of personal information! (see below.)


Many people deal with back pain and it can be a terrible burden impacting your life.  Theramine is a prescription-only amino acid food product sometimes used to treat back pain.  This email wants you to believe it is the salvation of back pain sufferers. But it was sent from the crap domain adiaus[.]review, with links pointing back to it as well.  This domain was registered on July 24, the same day the email was sent.  And surprisingly, it was registered without ANY information whatsoever by the Registrant.  We don’t know how this is possible. Oh, wait… yes we do! ICANN and Registrar services don’t give a damn about the public they serve.  That’s why. Fortunately, the Zulu URL Risk Analyzer sees right through this crap and identifies the website as 100% malicious.



TOP STORY:  Facebook Virus

Just a few days ago my wife and I both received the same message from a cousin through Facebook Instant Messenger.  It appeared to be a link to a video posted on someone’s Facebook account whom we didn’t know, along with the message “Omg Look [my name or my wife’s name]”  I’m overly cautious and immediately felt like that suggestion “Omg Look” was manipulative and uncharacteristic of our cousin. When I texted my non-tech savvy wife, she also thought it was odd and didn’t take the bait.  Of course I emailed AND texted our cousin to ask if she really sent this message and her response was “I was hacked.”

Ask yourself…. Had this come to you via Facebook IM, would you have clicked the link?  If you had, you would have created some major headaches for yourself. I copied the link to see where it pointed and discovered that it pointed to a post on a user’s account named “luis.corporan.357”  The link did not point to any account named “Cindy Castillo Gonzalez” that you see as the name of the video. This Facebook user had, at that time, 124 friends on Facebook.

I couldn’t find anything obviously malicious and was not willing to click the link to find out what happened.  My cousin confirmed she didn’t send the message. But whoever sent it was clearly trying to engineer a click and we all know what that means in today’s day and age.  Whether or not this Facebook account is real isn’t clear to me. There was very little content on this user’s site and 124 followers is pretty small for a young man on social media.  So what was really going on here?

After doing some cyber-sleuthing with Google, I believe I have the answer.  The hacker sent us a link to a video posted on that Facebook site. However, I have found other folks online exposing a dangerous trick in which hackers use fake Facebook links to YouTube videos.  The link actually redirects you to a website that will target you with malware. Here is a detailed article posted on about this nasty trick.   It is titled “Messenger virus. A new threat for Facebook users. (Jun 2018)“ by Lucia Danes.

As long as we are susceptible to social engineering tricks like this, our personal information and our devices are at risk of being used against us and for a criminal’s financial gain.  By the way, previous malicious Facebook posts to IM have included phrases like “You are in this video?” and “This is your video?”

Do you suspect that your Facebook account may have been hacked? Wondering how to prevent it?  CNET posted some good tips in this 2017 article titled How to Tell If Your Facebook Has Been Hacked (and What To Do).


FOR YOUR SAFETY: You Have Received a Secure Document

“You have received a secure Doc-0075” says the subject line AND that secure document magically expires in a few hours.  This email claims that the document has been sent to you via the service OneDrive but the link is a shortened link at  Criminals often use link shortening services to hide where that click will send you. (Read our feature article about this threat and how to recognize it: Shortened URLS – What are they and why should I care?)  We used to discover that the link in this email will send you to a website in Turkey called duzcemadeniyag[.]com[.]tr.  The “.tr” is the 2-letter country code for Turkey.  Fortunately, both the Zulu URL Risk Analyzer and “Unmask Parasites” website recognize the risks.
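The checks described in this newsletter (a link whose host carries an unexpected country code, as in the Bank of America email, and a link hidden behind a shortening service, as in this one) can be run on a message without clicking anything. The following Python sketch is an added example, not part of the original newsletter; the lookup tables, the sample message and its host names are constructed for illustration, and the caller is assumed to supply the brand's legitimate domains.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lookup tables for this example; extend them for real use.
CCTLDS = {"za": "South Africa", "tr": "Turkey"}
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "t.co"}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw_email, brand_domains):
    """Return one finding per link; nothing is fetched or clicked."""
    parser = LinkCollector()
    parser.feed(message_from_string(raw_email).get_payload())
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        findings.append({
            "text": text,
            "host": host,
            "country": CCTLDS.get(host.rsplit(".", 1)[-1]),
            "shortener": host in SHORTENERS,
            "on_brand": any(host == d or host.endswith("." + d) for d in brand_domains),
        })
    return findings

# Constructed sample message (not a real phish); hosts are placeholders.
SAMPLE = """From: "Bank of America" <alerts@mail.example>
Subject: Account notice
Content-Type: text/html

<p>Please <a href="http://constructed-sample-host.co.za/boa/">sign in to Bank of America</a>
or view <a href="https://bit.ly/PLACEHOLDER">your secure document</a>.</p>
"""
```

Calling `triage(SAMPLE, ["bankofamerica.com"])` reports the first link as off-brand and hosted under South Africa's country code, and the second as a shortener whose real destination is unknown until it is expanded by a safe preview tool.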



Until next week, surf safely!