December 12, 2018


Last week was a potpourri of scamlets and malicious petals littering our Internet travels and those of our readers.  However, we did receive a very funny message from someone working at a school that is worth sharing. The school has a “contact us” form on their website and they received very unusual feedback and an offer from someone who appears to be Russian, though the email address uses the name of a Vietnamese singer who has posted a video on YouTube.)  Here is the message, beginning with the subject line “Important question”…


The message appears to contain two phone numbers, making it feel so important that it was worthy of translation.  We were very surprised to learn that “Alexander” was making an offer to rebuild the school’s website. But this was no ordinary offer!  Apparently, some Russians use a hard tact when they give you feedback. Though the school appreciated the feedback, last we heard they declined his “polite” offer.  Check out the translation of the Russian text… (We’ve obscured the most obscene words.)




Phish NETS: American Express Account Info, Update Cox Billing Info, and Email

One of our readers sent us this helpful email that appeared to come from American Express via the email address @Not[.]com rather than  “Please Update Your Income Information.”  We don’t like providing this information to the real credit card companies, and certainly won’t give it to cybercriminals!

American Express will ALWAYS inform you of the last 5 digits of your account number in the upper right corner of an email AND greet you by name. (see “Hello,”)  Check out the account number listed in this email! Also, if you read the content of the email, you’ll find that it contains a demand that NO REAL credit card company would ever say…  “failure to update your account [with your income info] may result in temporary suspension of your account.”

That’s harsh! Deeeleeete!

“Dear COX Customer, READ NOW :– FINAL WARNING!” says the subject line WITH ATTITUDE!  But it didn’t come from NOTHING in front of the “@” symbol has any meaning regarding the source of an email.  What comes AFTER the “@” symbol is important (though the best cybercriminals can spoof that too). This phishing email came from vrkrtech[.]com, a domain name that was registered in India early in January, 2018 and is being hosted on a server in Hong Kong.  How do you feel about this “alert” to help you update your Cox online account now?


If your “account storage capacity is very low” are you worried?  Will that keep you up at night or have you reaching for the Tums dispenser?  According to this next email, you ought to be worried or “we may be forced to terminate the activities of your account.”   This message is about your email account, but no email service is named. They don’t even confirm your name! That link to “Re-active” your account points to the hacked website of a Southern fitness center called MyAchieveFitness[.]com.  Time to “exercise” that delete key! (At least we didn’t say “bench press” that delete key!)





YOUR MONEY: Amazon Survey Reward and Prepaid Visa Card for Aldi Survey

We’ve told readers umpteen times to be VERY suspicious of reward surveys, and for good reason!  About 99 out of 100 we’ve seen have been malicious clickbait pointing to nasty malware, phishing scams to collect your personal information, or are sleazy tricks to get you to purchase other products before you can earn your reward. (…which is technically not much of a reward at all if you have to spend $100 on other junk first.)  Here are two more surveys we’ve recently collected…

Let’s start with this email sent to us by one of our readers in the UK.  It appears to have come from the UK website of the Wayfair company, a very legitimate online home goods service.  “You have (1) new amazon survey reward ready to claim perfect picks here!” You read that correctly… Amazon survey, not a survey for Wayfair!  That and the lack of capitalization in the subject or From address should be enough to raise your suspicions that this is NOT what it appears to be!  Take, for example, the unsubscribe address in Post Falls, Idaho at the bottom of the email. We looked it up in Google and found the following three choices at this confusing address with two numbers (2600-A and 317).  This address is either for an Auto Parts store, Youth Ranch Thrift store, or a lovely residential home with a quintessential white picket fence.  We think that egg is already cracked.


Ever heard of the store chain called ALDI?  According to Google, it is a German supermarket chain located in at least 20 countries.  This email invites you to take a “short survey” to receive a prepaid Visa card for ALDI. Except that the email appears to have come from Jessica at swimworkoutsdiet[.]com or “Better Sleep” at a random domain name made up of 54 letters, dot com.  Mousing over the image for ALDI reveals a link that points to a website called anpdm[.]com.  We can stop right here because we identified that domain as malicious in our November 28 Newsletter top story called “Russian Criminals and Clickbait.”




TOP STORY: Celebrating No Good English!

We will be the first to admit that our English skills are not perfect, but we try hard to be as grammatically correct as possible!  We perseverate over our word choices, editing and re-editing to try to make our articles and newsletters accurate and interesting to our readers. (Though we don’t always succeed, especially when exhausted late at night, trying to inform readers of a new  scam or new update to an old scam we just learned about.) We are confident that our cApItaliZaTIon is correct and our punctuation is spot-on…!!!

Fortunately, the overwhelming majority of scams and malicious clickbait come from criminals for whom English is not their first language, they don’t have an eye for subtle language details, or they simply don’t know any better.  Contrast these less-than-stellar-English-skills with the exceptional skill level and thoughtfulness you can expect from a marketing team at Capital One Bank, Amazon, PayPal or other commercial service! You can be certain that the emails and ads sent from these legitimate businesses will be flawless!  So what does it mean when you receive a message with critical English language errors that would make your Elementary school grammar teacher roll her eyes? The question is rhetorical.

Take a more critical look at the top third of that Amazon reward email in this week’s “Your Money” column.  Can you find the three English errors…



Let’s revisit the Cox Communications phishing email as another example.  We count eleven errors including capitalization, punctuation, grammar, and the use of awkward English. (2 capitalization errors in the first paragraph, a variety of six errors in the second paragraph, and three errors in the final paragraph.)


(3 Amazon reward errors above: Missing capitalization on “congratulations” and “amazon,” misspelled the word “th” in the white text with the orange background.  Also, one can argue that the subject line contains awkward phrasing at the end.)

Sometimes, the cyber-criminal’s English skills are so bad that we lose count of all the errors!  Take this short phishing email we documented in our March 7, 2018 newsletter about an Outlook email account.  We see, at least, ten errors. How many can you spot?

And sometimes the English is so awkwardly written that it makes us wince just to read it!  Look at this text that we posted in our May 9, 2018 newsletter claiming to represent Gmail users…

Our point should be obvious! It pays to carefully read texts, emails and ads that target us before we click on anything.  If you spot errors then you should be very suspicious that it is not what it appears to be. We became so focused on this obvious “xyz” crap domain in the header of this next October email about automobile insurance that we didn’t spot the very obvious misspelling the first time we read it!  Critical reading and observation can go a long way to protecting you online!


However, we can’t rely on just our English language skills.  Some of the criminals who target Americans have excellent English language skills.  Below is just such an example. About the only red flag that jumps out at us about the legitimacy of this email is that this email was first used last summer and then recycled for use again.  However, the criminals forgot to remove or change the reference to “consolidate your debt this July 4th.” (The email was sent November 12 and says it is FROM “Happy Thanksgiving!”) Oh well, no one’s perfect.


FOR YOUR SAFETY: Confirmation of Purchase, Edit Your Order, and Important Message for YOU

This email to confirm your purchase is pure clickbait!  The links point to a Spanish website hosted in Italy and

a search for “Efrain Hariharan Service” via Google turns up nothing at all!  The email also appears to have come from a domain that is private and here in the US.  Nothing about this one makes sense or looks safe.


The TDS reader who sends us these emails says that they are from the “Big Button Gang!”  She gets them most every week and they are all variations of the same email. Like the email above, this is just clickbait to a cybercriminal mouse-trap.


We found this clickbait to be especially funny!  The FROM address has been spoofed to appear as the legitimate domain of the Democratic Congressional Campaign Committee, the campaign group of the Democratic members of the House of Representatives.  Do you really think they would be sending a message about “Judge Judy?” The link points to Google Ad Services but you’ll be redirected to a web page on the free web hosting service called The malicious Wix web page had already been removed by the time we tried to look at it.  Perhaps this was sent by a Russian cybercriminal with a sense of humor. Maybe Alexander, the Russian who sent the above message to the school!


Until next week, surf safely!