August 9, 2017


In our July 26 newsletter we wrote about a big increase in fake “reward” domains that appear to be associated with real companies, or real promotions for companies we all visit.  We continue to see lots of these phony domains.  You’ll see many listed below in our sample scam email addresses.  Here are two more recent examples.  Just look carefully at the from address in each.

This is another malicious email disguised as a 90% off sale with free shipping on Ray Ban sunglasses but the idiots who created it misspelled Ray Ban!  It certainly made us smile.  Look at the subject line!


Sample Scam Subject Lines:

Dumb, Average, Smart.  Which one are you? Try this.

FIRED: Megyn Kelly removed on air (CBS 3234)

Hey, I could really use the help, (it’s Part Time work)

How to get into photography

New gift from – Print here your $50 voucher

Paper towels are toxic!

Power Companies Didn’t Expect This…

Ran-Ban Sunglasses 90% OFF + Free Shipping, Get Now!

Re: invoice 35315406 bullshit

This is Not A Test!

Vanna White confirms Wheel of Fortune cancellation rumors

You WILL NOT survive!

Your hair getting thinner?


Sample Scam Email Addresses

amazon-[YOUR EMAIL] @

amazon-[YOUR EMAIL] @

consumer-survey-[YOUR EMAIL] @

costcocom-[YOUR EMAIL] @

costco.wholesale-[YOUR EMAIL] @

howard-[YOUR EMAIL] @

macys-[YOUR EMAIL] @

macyscom-[YOUR EMAIL] @

marguerite-[YOUR EMAIL] @

TinnitusRemedy @

walgreen.rewards-[YOUR EMAIL] @

walgreenscom-[YOUR EMAIL] @[YOUR EMAIL] @




Phish NETS:  Email Security Team

We only found one lame phish in this week’s sea of trickery.  This email from Poland (.pl is the 2-letter country code for Poland) targeted employees at a school.  It reads “Mail Box De-Activation” and “Your Mail Box will expire soon.”  Just for the record, if you ever really exceeded a mailbox size quota, you simply could not get any new email.  Your mailbox would not “expire” or be deactivated.

Now delete. 



YOUR MONEY:  Get This T-Shirt Free, Get Started with eHarmony, and Free Auto Warranty Quote

This email is clearly meant to appeal to NRA supporters.  It pretends to represent the American Gun Association and offer a free t-shirt.  But it is a wolf in sheep’s clothing.  It has nothing to do with the NRA or AGA.  The domain western23-DOT-info  was registered in April of this year.  The Zulu URL Risk Analyzer informs us that this domain is 100% malicious and already on several blacklists.

Periodically the criminals who target us like using popular dating sites as their lure for us to click a link.  Don’t fall for this malarkey.   Look at the source of the email… eHarmonyPartner @  Did they mean survival?  Hidden in the white space below the email content was white text meant to fool anti-spam servers.  If you have any doubts, the Zulu URL Risk Analyzer informs us that there is malware waiting to infect you at the other end of that click.



The criminal gangs who routinely target us are sometimes lazy and reuse the same graphics over and over.  We’ve seen similar fake emails before that have used the same graphic of this young lady (with the awesome bracelet) in her car.  The domain used in this scam, jackybaba-DOT-us, was registered to someone in India the day before this email was sent.



TOP STORY:  Hand Grenades From Friends

About three years ago there was a significant jump in the number of email accounts at Yahoo and AOL that were hacked.  One of the nasty things that criminals did was to send out emails to all the friends of the hacked user’s account.  The email that was sent contained a malicious link designed to infect a computer or email account.  This was primarily meant to further the hackers’ efforts to gain access to the private information in people’s email accounts and/or monetize people’s computers.  About a year later the criminals changed tactics.  They created new phony email accounts using the same hacked username and resent malicious emails to everyone who had been targeted originally. (The criminals kept the stolen addresses from a hacked account.)  We wrote about this awful tactic years ago in our article titled “From” Hell.

Like thousands of people, for months we received malicious emails from friends’ usernames, but through different email services.  And then about 6 – 8 months ago they stopped.  Unfortunately, they are back and seem to be making a resurgence.  Here are several examples of what we mean.



The most important thing to notice is that the emails contain little or nothing other than a malicious link or file, and the person’s name the email claims to be sent from.  The embedded links often appear to be legitimate including two of the three above… A link that appears to be for a woman’s travel blog and another for a wedding website.  But all of these links are malicious.  So here’s what you can do to best protect yourself….

  1. If you are hacked, it is a guarantee that your address book will be stolen and misused to target your friends and colleagues. Inform them immediately that your account has been hacked and to be suspicious of any emails that appear to come from your email account or with your name and containing links or attached files.  (You’ll probably know you’ve been hacked because a friend will contact you about a suspicious email.)
  2. If you get an email similar to those above, with little more than his or her name, or a one-liner like “Sup?” or “How u doing?”, DON’T CLICK ANYTHING! Contact the person via some other means (phone, text, etc.) and ask if he or she really sent it.  Chances are good he/she did not.
  3. Once you’ve confirmed that a friend’s or colleague’s account has been hacked and their address book is being misused, be prepared for the worst. You’ll likely continue to get malicious emails with his or her name on them, from multiple different accounts for years.  Yes, years!

It’s the pain that keeps on giving.
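The two warning signs described above (a friend’s name on an address you have never seen them use, and a body that is little more than a link) can also be checked mechanically. The following Python sketch is an added example, not part of the original newsletter; the address book, names, addresses and messages are constructed, and `assess` is a hypothetical helper.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> addresses the contact really uses.
ADDRESS_BOOK = {"dana whitfield": {"dana.whitfield@mail.example"}}
URL_RE = re.compile(r"https?://\S+", re.I)

def normalize(name):
    """Lower-case a display name and drop quotes and punctuation."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())

def body_text(msg):
    """Return the first text/plain body (assumes no transfer encoding)."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        return parts[0].get_payload() if parts else ""
    return msg.get_payload()

def assess(raw, max_words=8):
    """Return the warning signs found in one raw message, in a fixed order."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    known = ADDRESS_BOOK.get(normalize(display))
    # A friend's name on an address that friend has never used.
    if known is not None and addr.lower() not in known:
        findings.append("lookalike-sender")
    # A body that is a link plus only a few words (a greeting and a name).
    body = body_text(msg)
    if URL_RE.search(body) and len(URL_RE.sub(" ", body).split()) <= max_words:
        findings.append("link-only-body")
    return findings

# Constructed sample messages.
SPOOFED = ("From: Dana Whitfield <dwhit_882@webmail.example>\n"
           "To: me@home.example\nSubject: hi\n\n"
           "Sup?\nhttp://travel-blog.example/p?id=3\nDana Whitfield\n")
GENUINE = ("From: Dana Whitfield <dana.whitfield@mail.example>\n"
           "To: me@home.example\nSubject: photos\n\n"
           "Here are the photos from the weekend, the second one is my "
           "favourite of the whole trip.\nhttp://photos.example/album\n")
STRANGER = ("From: Promo Desk <promo@offers.example>\n"
            "To: me@home.example\nSubject: look\n\n"
            "http://offers.example/win\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE),
                       ("stranger", STRANGER)):
        print(label, assess(raw))
```

A message sent from the friend’s real but hacked account passes the sender check, so the link-only body check and a phone call or text remain the backstop.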



FOR YOUR SAFETY:   I Cannot Agree With This Invoice! And HSBC Payment Advice

“Re: invoice 63735042 bullsh*t”  “This is too much. I am sorry but I can not agree to this bullsh*t.”  This angry email is meant to appear as a response to an email sent by the recipient.  But it is all a lie, including the sender’s domain hvacofamerica-DOT-com.  This domain is parked, meaning that it is not in use though someone bought it and holds the right to use it.   A TDS reader contacted us to say that he received eighteen of these emails in just a few hours!  Zulu saw right through this and found malware waiting at the other end of that invoice link.

A BIG fat delete.


HSBC is a multi-national bank and offers a wide variety of financial services around the globe.  It’s therefore likely that someone receiving this next email is an HSBC client. “HSBC REFERENCE PAYMENT RC….”  But this email didn’t come from HSBC.  “Dear Sir/Madam, The attached payment advice is issued at the request of our customer.”  The attached file is a “jar” file, as in Java Archive. This is a package of Java program code designed to do bad things to you and your computer.




ON THE LIGHTER SIDE:  From Melania Trump

We know the best people!  Even Melania Trump!  She emailed us from an address in Italy to say that we have $60 million waiting to be delivered!  We understand that Mrs. Trump was born in Slovenia but we thought her skills in English were much better than how she writes in this email.  Fortunately, she tells us that we can call or text her husband, President Trump, if we have any questions about this email.  She even provided the phone number so we can verify this payment.

How nice!

Time:  2017-08-03 17:41:12

I am  Mrs. Melania Trump, and I am writing to inform you about your Bank Check Draft brought back by the United Embassy from the government of Benin Republic in the white house Washington DC been mandated to be deliver to your home address once you reconfirm it with the one we have here with us to avoid wrong delivery

Sixty million united states dollars 60,000,000,00usd that was assigned to be delivered to your humble home address by my husband Honorable president Donald Trump the president of this great country this week by a delivery agent Mr ROCHAS JESUS

I will like you to reconfirm to me the following details

  1. Full Names :
  2. Residential Address :
  3. Mobile Number:
  4. Fax Number :
  5. Occupation :
  6. Sex :
  7. Age :
  8. Nationality :
  9. Country :
  10. Marital Status :

The reason I ask you to reconfirm to me this following details is to avoid wrong delivery.


Yours Sincerely,

MRS Melania Trump

1600 Pennsylvania Ave NW, Washington, DC 20500, United States

Until next week, safe surfing!