February 20, 2019


Remarkably, we thought last week was a reasonably quiet week from scams and malicious emails, until the end of the week when we suddenly heard from many readers.

We marvel at the fact that scammers will sometimes use the same scam over many years AND that people continue to fall for these old scams.  Case in point is the “Microsoft” and “Bill & Melinda Gate Foundation” award scam. We found web links for variations of this scam going back to 2011, but we’re certain this particular scam reaches back to the turn of the last century.  It’s your basic Nigerian 419 scam in which the recipient is asked to pay some minor upfront fees in order to receive his or her winnings, which never come, of course.





Phish NETS: U.S. Bank. JP Morgan Chase, and Apple Purchase

One of our readers sent us this screenshot of a U.S. Bank security alert.  Mousing over the button labelled “Start Now” revealed that it pointed to a shortened link through tiny.cc.    That shortened link pointed to a phishing page created on the free web hosting service called Neocities.org. (see below)





Another TDS reader sent us this email that was spoofed to appear as though it came from Chase.com.  Subject line… “Caution: An illegal money transfer process !” The link for “Confirm Information” points to another link shortening service identified as u.to.  However, the phishing page was already removed by the time we tried to visit it.  This phish employs a commonly used trick by scammers to generate a click. This email creates a phony circumstance that feels very urgent.  Like many scam emails and texts, it is meant to produce a sudden emotional response that is likely to bypass rational, careful evaluation of this message.



To be perfectly honest, we’re not so sure this next email was meant to be a phishing attempt to capture your Apple login credentials or something more nefarious.  As luck would have it, Doug was with a relative who received this email AND clicked the link. Doug caught it just in time as the web browser redirected to the domain ul1.dvtps[.]com and tried to download a file we suspect was malware.  The email sent to the Comcast account and seen at the top of the screenshot below, claimed to be a receipt for game software payment at the Apple App Store. If you look carefully at the FROM address, you can easily see that this isn’t apple.com.  The email came from the domain vicherchese[.]com which was registered just one week earlier.  The App Store receipt is the bottom of this screenshot.  The Zulu URL risk analyzer found the redirected domain to be suspicious.  They got that right!





YOUR MONEY:  Moncler Clothing and Keep Feet Warm

This next email is 100% malicious.  Unfortunately, by the time we opened it, all the graphics were broken.  However, we felt it was important to inform readers since this is the third such email pretending to be Moncler clothing that we’ve seen in recent weeks. Notice what follows the “@” symbol in the FROM address. The domain is vvdfg[.]com and was registered in Guangi, China in June, 2018.  The links point to a different domain, sdmall[.]top, that was registered last year to Nexperian Holding, Ltd. of China.  We have written about this shady company in eight previous emails. The first time was February 7, 2018.



There is a real business called “35 Below Socks” but this next email didn’t come from them!  Notice that after the “@” symbol is the domain animony[.]com.  This domain, from which the email was sent, is being hosted on a server in Buzau, Romania.  All links in this email point to another domain called rmonym[.]top which was registered on the same day this email was sent.  None of this adds any credibility that this is what it appears to be.

A Big Fat Deeeeleeeeete!




TOP STORY: A Rise in Malicious Fake Newsletters

Sometimes the best clickbait meant to trick us into clicking a malicious link hides in plain site as phony newsletters about popular culture.  Such was the case this past week when we received three different phony newsletters!

This first one seems to be called “Daytime Showcase” though the article about the Family Feud Star, Steve Harvey, appears to be written by someone named “Rafael Paschito” from the Daily News.  All of this is completely fabricated, starting with “Daytime Showcase.” A Google search turns up nothing about it. And a search for the reporter named “Rafael Paschito” from the Daily News only turns up one link to another phony news story discovered on July 5, 2018 about Denzel Washington and documented on URLScan.io.  That July 5 email was also malicious and linked to a domain called improbableentrance[.]com.  This malicious clickbait came from, and has links pointing to the domain casenegre[.]com.  But you don’t have to take our word for it that this newsletter is malicious clickbait.  Look below at the assessments from both the Zulu URL Risk Analyzer and Surcuri.net. Also, a lookup of casenegre[.]com on a WHOIS shows that it was registered through a proxy service in Panama in late October, 2018, is hosted in Mumbai, India but no website can be found at this domain.






Received at the same time was this next bit of “news” about Mark Zuckerberg, and included a scammer favorite headline meant to urge us into clicking… “Shocking Secret Revealed!”  The email seems to be sent from both “Socialite Gossip Hotline” and “Entertainment Today” but none of this is true either.  You’ll easily see that the domain this email came from is also casenegre[.]com.  However, unlike the email above, the links in this crap point to an official-sounding domain called localnewstalk[.]info.



Our honeypot email account received another similar email from casenegre[.]com about “Megyn Kelly’s Secret” that “has NBC furious.”  Like the email above, this one also points to the official-sounding domain localnewstalk[.]info.



What do we know about localnewstalk[.]info?  A screenshot of the WHOIS public record shows that it was registered in Panama through a private proxy service about a month before these emails were sent and that there is no website at the top of this domain.  Does any of this sound legitimate? As you’ll see below, both the Zulu URL Risk Analyzer and Sucuri.net think that this domain is malicious.

Next time you get unsolicited “news” or some celeb “secret” think more critically before clicking.  That click could cost you a lot more than you anticipate!






FOR YOUR SAFETY: We Wired Your Payment

We write about scam domains all the time.  However, behind every domain name is an “IP address.”  An IP address is a unique string of numbers separated by periods that identifies each computer on the Internet.  These numbers make it easy for computers to find each other across the Internet. But domain names are easier for people to remember than IP addresses and so domain names are associated with IP addresses.  Sometimes, you may see an IP address instead of a domain name. We’ve learned by experience that 99% of the time that this happens it is not a mistake! It is done on purpose by criminals who are trying to hide the name of a website.  Such is the case with this email about an invoice sent to the recipient. A service like iplocation.net easily determines that the IP address in the link in this email points to a server in Amsterdam.  Thankfully, the real threat waiting for you in Amsterdam is obvious to the Zulu URL Risk Analyzer!




Until next week, surf safely!