February 21, 2018


We need your help! Please take this quick 3-question survey to tell us what you value and don’t value about our weekly newsletter.   This will help us serve you better! Click here to Survey Monkey.

Thank you!

Unlike most weeks, readers sent us many scam audio files they received during the week.  We’ve heard many of these before, or variations of them such as this first one, from “Patrick!”  He reported on February 15 to one of our readers that she had won a holiday cash sweepstakes of $25,000!  Patrick is a man of many names!  We have audio recordings of him pushing similar scams but he calls himself Todd, Ryan, Alex, Travis, and Peter.  You can hear Patrick, or whatever his name really is, in our feature article “You Won An SUV or $25,000.”

Patrick with holiday Cash Giveaway 

Do you know what scammers call U.S. tax season?  Their Christmas bonus!  Judging by the wonderful English skills demonstrated in this recording, the IRS must have hired low-wage agents who don’t speak English very well.  To hear more tax fraud voice messages, visit our article IRS Phone Call Scams.

 Fraud on your tax 

Finally, we offer you this lovely voice message a reader sent us.  She’s not very concerned, even though there are “four serious allegations pressed on your name at this moment.”


 Serious allegations  


Sample Scam Subject Lines:

Don’t Pay A Fortune For Printer Ink. Free Shipping Available

Find Affordable Assisted Living Communities In Your Area Now!

Now I Never Have To Rush To The Bathroom…

Stop Spending Money On Car Repairs

Say Hi To Singles Near You!

Take This Quiz To See If You Qualify For A Reverse Mortgage

The Most dengerous “pen” on Earth [PIC]

Want to Meet Singles? See Who’s on Match.com for F.r.e.e!


Sample Scam Email Addresses

1-ink <1-ink @ fhdbbb-DOT-date>

Activ Guard Control <ActivGuardControl @ jhnspp-DOT-date.

Caringforaparent.com <Caringforaparent.com@bjsjrr-DOT-date>

Defense-Tactical-Pen <Tactical_Pen@bodynw-DOT-bid>

Match <Match @ gfvjdtt-DOT-date>

Reverse Mortgage Quiz <ReverseMortgageQuiz @ rebfffvc-DOT-date>

Total techauto warranty.com <Totaltechautowarranty.com @ vbhdss-DOT-date





Phish NETS: GmailTeam

One of our readers sent us this scam last week.  To be honest, we’re not 100% sure it is a phishing scam.  It could simply be a malicious click to malware.  By the time we investigated it, the trail had gone cold.  However, it sure looks like a phishing scam!  “You have 4 broken messages” says the Gmail Team.  This is funny because the email came from the domain iamsaved-DOT-net.  Mousing-over “View Messages” shows a website located in a country known for their professional 419 scammers.  Can you guess what country the 2-letter country code “ng” refers to?

Answer is below!

(“.ng” = Nigeria)



YOUR MONEY: 1Ink Sale, Winter Deals on Roofing, and Warm Feet

This is not the first time that criminals have targeted Americans with emails disguised as “1ink coupons.”  Just look closely at either the from address or the link revealed by a mouse-over and you can see this is not from/for the real 1ink.comThat crap domain, ssdfvv-DOT-date, was registered on February 16, the day the email was sent, by someone claiming to be “prinsi nema” from California.  A WHOIS look up also reveals that this malicious domain is being hosted by myLoc, a hosting service in Düsseldorf, Germany.    This is especially odd because the real website 1ink.com was registered back in 2001 and is hosted by a company in Texas.  By the way, reading the fine print at the bottom of this email makes us feel that the sender’s first language is not English.  “You received a Mail from Advertisement Agency in USA.”


“Say Goodbye To Your Roofing Issues With Winter Deals.”  This email claims to represent Sear’s “Roofing Cost Guide” but it’s a lie.  Another crap domain, fgjdfff-DOT-top.  According to WHOIS, it was registered to someone named “rani” from “bhopals” India.  And this malicious domain is also being hosted by myLoc in Düsseldorf, Germany.    Hmmmm….. Coincidence?  Keep reading.  We have much more to reveal.

Once again, criminals are pretending to be legitimate businesses as they try to trick you into clicking malicious links.  Like this email that wants you to believe it is from “35 Below Socks.”  But it came from another crap domain jsffbtt-DOT-date.  It was registered on February 15 by “rina meena” from Minnesota, UM.  UM?  Rina meant “US.”  There is no country “UM.”  Do you think you can guess where this domain is being hosted?  MyLoc in Düsseldorf, Germany!

Hmmmm….. Curiouser and curiouser



TOP STORY: Russia Attacks America, again and again!

In our work to uncover online fraud and malicious threats, we find bread crumb trails pointing back to countries (and cities) in the world as the likely origin of these scams.  And we also notice patterns and commonalities in scams such as the design and coding of malicious emails, or the WHOIS registration information and hosting services used by criminals.  For example, we recently helped a woman uncover that a job offer made to her through Google Hangouts, after an initial contact on Indeed.com, was actually an advance-check scam from a “419” scammer who was located in Lagos, Nigeria. (We tricked the scammer into confirming his IP address. You can read about her experience and this scam here.) (Here is an explanation of 419 scams along with many sample scams.)

We notice that three countries come up disproportionally, over and over as the likely source of this cyber-crime effort. They are Russia, India and Nigeria.  Through our lens, Nigerian criminals are most well-known as the source of advance-check or advance-fee 419 scams, while India is most noted for telephone scams like the fake IRS phone scams. (We’ve also written a feature article about Indian Scammers.) However, Russian cybercriminals are most notable for their malware attacks on Americans, amongst many other scams including phony prescription drug websites, phishing scams, online dating scams and sextortion.

Let’s look more closely at the scams we talked about in this week’s Your Money column.  Did you notice how remarkably similar the design of these three emails were?  How about the domain names used in these scams? We believe there is a very good argument that these, and many others, were coded by the same criminal, who swapped out a few graphics and bit of text to create this content.  It’s an interesting coincidence that all these malicious emails appear to be coded/designed by the same person(s), hosted by the same service called myLoc in Düsseldorf, Germany and follow the same domain name pattern.  There is something else they have in common.  The person who registered them made careless mistakes in the registration information…

Ink domain: ssdfvv-DOT-date

It was registered by “prinsi nema” from White Lake, California. There are no residences located at White Lake, California.  None.  Prinsi’s email is listed as prinshinema “@” yandex.com

Roofing Quotes domain: fgjdfff-DOT-top

It was registered by “rani” from “bhopals” India.  Rani misspelled his own city.  It is spelled Bhopal.  Rani’s email is listed as ran.kum4r1 “@” yandex.com

Socks domain: jsffbtt-DOT-date

It was registered by “rina meena” from 3785 Brighton Circle Road, Saint Cloud, Minnesota, UM. (US)  According to Google and Zillow, there is no “Brighton Circle Road” in the state of Minnesota.  Rina listed a Gmail address.

We believe it is a reasonable guess that these were all registered by the same careless person.  But why use an email address with Yandex.com for the first two registrants?  In fact, for someone who claims to live in California or Bhopal, India that choice is bizarre.  Who is Yandex.com?  According to Wikipedia, it is the largest technology company in Russia.  And yes, they offer free email services.  We believe this is an important bread crumb, another careless error that was not intentionally done to deceive and divert attention.  We believe the creator of these malicious emails simply used a familiar email service because he works for a criminal gang located in Russia.

Coincidentally, while we pondered this idea we received this lovely invitation to “Meet Russian Women Today” from the email address DateHotRussian “@” cghsv-DOT-date.

Did you notice similarities between this Russian dating email to the other malicious emails?  According to WHOIS.com the domain cghsv-DOT-date was registered by “rina meena” from that non-existent address in Minnesota and is also hosted by myLoc in Düsseldorf, Germany.  We have collected many more malicious emails of the same design/code and domain name pattern registered in the last couple of weeks including these three emails:

What’s our point?  Russia has been in the news a lot during the last year, in part because of their alleged interference in the 2016 election and effort to sow discord in the United States.  And now the recent indictments just released against 13 Russian nationals and 3 Russian companies for their efforts to interfere in our presidential election.  We believe that is not the only way in which Russians disrupt our economy, democracy, and target Americans.  We believe Russian cyber-criminals have been targeting Americans for years.  It isn’t just The Daily Scam making this claim.  Brian Krebs, investigative journalist, formerly with the Washington Post, published a New York Times bestseller book in 2014 titled “Spam Nation: The inside story of organized cybercrime” about these Russian/Eastern European cyber-gangs.  Coincidentally, two weeks ago Brian Krebs posted this article on his blog about the capture of a Russian Spam Kingpin named Peter Yuryevich Levashov.  To quote Brian from his blog… “Authorities have long suspected he is the cybercriminal behind the once powerful spam botnet known as Waledac (a.k.a. “Kelihos”), a now-defunct malware strain responsible for sending more than 1.5 billion spam, phishing and malware attacks each day.”

And who suffers from this deluge of fraud, attacks, and constant manipulation?  You do.  We do, and so do all Americans.  It’s time for a stronger American response to these cyber-attacks.  As always, we invite your comments.  Email us at RussiaAttacksAmerica@thedailyscam.com.



FOR YOUR SAFETY: Hiya, Check Out My Pics and Your Item Was Purchased

Hiya?  We often get emails from people that say “hiya” followed by a link.  We can say with 100% certainty, those links are never safe to click!  This email contained a shortened link that pointed to a hacked website even Google recognizes as being hacked and not safe.


Here’s another “no subject” email containing only a link.  We can guarantee that it won’t be good outcome to click that link!

Just delete!


ON THE LIGHTER SIDE: Email From Jeff Sessions

Oh my God!  We learned in an email from current Attorney General Jeff Sessions that former Attorney General Loretta Lynch withheld a check to us for $20 million dollars for her own evil plans!  Unbelievable!

From: “Mr.Jeff Session” <“www.”@piano.ocn.ne.jp>
Date: 2018-02-10 03:36AM


You are receiving this email from Mr. Jeff sessions the US. Attorney general. am contacting you today Because you were identified by the Law enforcement as a victim of internet scam . During our Investigation, we found out that you have been receiving Numerous message/ emails and countless call from people offering you Millions of Dollars but you haven’t receive any. i resumed this office as the 84th Attorney General of the United States on February 9, 2017. During my official research i discovered a Certified Bank check valued sum of TWENTY MILLION USD ($20,000,000.00) Belonging to you as the rightful intimate Beneficiary.

I tried to know why this check has not been released to you but i was told by the Vice President that the former Attorney General Mrs Loretta Lynch who left this office withhold your Bank check for her own personal use without knowing that her evil plans towards diverting your fund will be discovered. The Certified Bank check is still available and ready for your receiving . This is a real check so be rest assured that the money will be cleared in your account immediately it is deposited in your account.

You are going to receive this Certified Bank Check through DIPLOMATIC which we have already contracted UNITED STATE POSTAL SERVICE Company to deliver it. You are required to reconfirm your full name, address where the certified bank Check will be sent. Your telephone number is also needed for easy communication. As soon as the information is received, you will receive a mail from me and more details of your Bank check payment will be made known to you as soon as i receive your swift positive Response. Thanks for your understanding, i wait for your positive Response.

Best Regard

Mr.Jeff Session
United States Attorney General


Until next week, surf safely!