February 7, 2018


Last week our top story was about online dating scams and we also published a feature article about these scams (which we updated a few days ago with new information).  And then our honeypot servers were bombarded by emails from Russian women!  No joke!  Look at the time stamp on these.  We received hundreds!



We selected four at random. Notice any similarities from these from Tanya, Yana, Anastasiya, and Mary?   We mean besides the fact that they think we’re cute, or sexy, or what they want in a man.  Apparently, Russian women are so worldly!  Tanya’s email came from Brazil, Yana’s from Mexico, Anastaiya’s from Poland, and Mary’s from a server in Germany!





Sample Scam Subject Lines:

Build Any Shed In A Weekend Even If You’ve Zero Woodworking Experience!

Don’t spend Saturday night alone-Match Seniors

Fed Up With Fake Dating? Try This. You Will Be Surprised!

FW: RE: Invoice does not bear your Company’s Bank details,

Fwd: Outstanding Payment For Overdue Invoices


See the most watched video in history

The fastest selling product in history

These people are waiting to chat with you

Top 2018 product all women need

Your 50.00 voucher is expiring – Access Now

Your message was deleted without being read!

Your Payment Authorization has been approved!

Sample Scam Email Addresses

Aig Direct <AigDirect @ aifvsmd-DOT-review>

Amazon <amazon @ amazngiving-DOT-com>

AmazonDollars <amazondollars @ amaznis-DOT-com>

AmazonGift <amazongift @ smarttvoucherz-DOT-com>

“Brain Health” <contact @ brainhealthtoday-DOT-bid>

CVScom <cvscom @ couponrxi-DOT-com>

“еFax” <i @ herewith-DOT-website>

“Groundbreaking New Research” <diabetes @ diaberemove-DOT-com>

<quicksearch.mexico.vacations @ readtruthh-DOT-com>


Roofing Survey Message <RoofingSurveyMessage @ rofvvc-DOT-date>

Samscom <samscom @ samsclubx-DOT-com>

“Tоtal Hоme Prоtectiоn” <information @ email.knowsystem-DOT-website>




Phish NETS: Chase Bank, Apple App and ID, DCU, and Email Migration

One of our readers sent us this phish.  Notice that it didn’t come from chasebank.com and a mouse-over of “Click Here to access message” points to a website in the Republic of Gambia, West Africa! (.gm = 2-letter country code for Gambia.).

Big fat delete!


Technically speaking, the second email isn’t a phish.  It actually contained a virus meant to infect your computer and it also targeted Apple GSX users…


Here are two very rotten Apples.  They may say they come from the “Apple Store Team” or “AppleID,Inc.” but we could say that we’re the POTUS and SCOTUS.  It doesn’t make it true!  Look at the domains that follow the “@” symbol in the from address.  It doesn’t say apple.com!  Mousing-over the link in the first for “Learn More” shows that it points to a hacked website for a school in Malaysia.  (.my = 2-letter country code for Malaysia)  The link in the second “Log In Here” points to a free webpage at blogspot.com.




Wow!  Digital Credit Union (DCU) members have been getting hammered for weeks with phishing emails.  Like this one saying “you sent $1,500.00 to Jennine Redmond’s bank account.”   AND, to make this more convincing, the phishers have correctly spoofed the from address to look like it came from dcu.org, the correct domain for DCU.  The ONLY way to see this is not legitimate is to mouse-over the link “Login Now.”  You can clearly see that this link points to a crap domain at the top-level-domain .xyz.

Run, don’t walk!

This email looks like it came from the official Microsoft servers @account.outlook.  However, we can say with certainty that no such domain or server exists!  This is not one of the many legitimate logins for Outlook.  Mousing-over the link “CLICK HERE” confirms that this is a phish and not a login for Microsoft Outlook Webaccess!

Move on.




YOUR MONEY: Money Pak and Green Dot, UGG Boots and Amazon Reward


There are hundreds of ways that criminals trick you into giving them your hard-earned money.  That is the essence of fraud.  To enable this crime they need an untraceable method for you to transfer your money to them where they have a high degree of confidence they won’t be caught.  For most scammers, this means convincing you to purchase a Green Dot MoneyPack card or other moneygram.  It is the most used method of moving cash by fraudsters!

A criminal will ask you to “load” money on the card when you buy it at a Walgreens, CVS, Kmart or dozens of other national stores.  Once you’ve done that, the criminal wants you to scratch off the numbers on the back and send them to him.  He can then submit those numbers from anywhere in the world and retrieve the cash.  Here’s a phone screenshot taken by a victim who contacted us recently and shared her experience.

If anyone asks you to make a payment using a Green Dot Moneypak or similar service, you can be 100% certain it is a scam!


This next email is a complete rip off of the very real UGG Boot products.  It looks official and legitimate but look carefully at the from address!  It was sent from Janice “@” bernedette[.]ddrdq[.]com.  All the links in this email point back to a crap domain at ggmg[.]trade.  This crap domain was registered in April 2017 by a Chinese firm identified as “Nexperian Holding Limited.” We certainly found many domains registered to this Chinese company but not the company itself.   We also found a trade disagreement brought against them at the World International Property Organization (WIPO.int) And the domain ddrdq.com was registered by a Chinese firm identified as Wuxi Yilian LLC in June, 2017.  Does any of this inspire you to believe you’re going to get real UGG boots or get any boots at all?


A week without an Amazon scam email is like a week without sunshine.  So here’s your sunshine…. The fraudulent domain used in this malicious email, primegiift-DOT-com, was registered by “David Free” on January 3, 2018.

Now delete.



TOP STORY: Free Merchandise via Facebook

We’re sorry to say that this warning to readers comes from a young woman who contacted us about a purchase she made through a Facebook Ad.  The ad, she tells us, was a promotional item offering black mesh fit leggings for free!  All one had to do was pay the tax and shipping cost.  And, of course, this promotion was not going to last long.

She clicked the link and visited the website raymensapparel.com in early January.  Everything about this website made it look like a legitimate website selling clothing.  So, she placed her order, entered her credit card information and looked forward to getting her leggings!  She was even sent a confirming email, which she sent to us…


There were no red flags and nothing seemed out of the ordinary about this online purchase.  Afterall, consumers often see promotions for various products.  However, after two weeks the young lady still had not received her leggings.  So she tried to look up her order and visit the online store again.  Only there wasn’t any online store.  Her browser kept informing her of an error.  No website could be found for raymensapparel.com. She went back onto Facebook and could no longer find the ad.  Yet, when she contacted her credit card company, she learned that she had paid $10.93 for a product she never received.

So what do we know about Raymensapparel.com?  A WHOIS lookup tells that this domain was registered on December 1, 2017 using a proxy privacy service in Ontario, Canada.  This was just a few weeks before our reader ordered her free leggings.  Using Google, we find many links for former web pages at this website but none of them are working at the end of January.  Not one.  This search also turned up links to Facebook pages for Raymens Apparel showing more than 2000 likes and a rating of 5 stars, but none of those links work anymore.  It’s as if Raymens Apparel has fallen off the Internet.  The young lady who contacted us lost less than $11.

Not a huge loss.

Her loss, however, is part of a bigger game.  Imagine as many as 2000 women losing $11 from this “free promotion.”  If this were true we’re now talking about $22,000.  Not bad for a few weeks work with a small investment in a web domain, a website and some time to market on Facebook.  We reported last September, 2017 about fraudulent ads appearing on Facebook.  (Read “Fooled on Facebook.”) Once again, caveat emptorLet the buyer beware.  Facebook, and other social media, have repeatedly demonstrated an inability to keep fraudsters and other criminals from using their sites to target the public.  You cannot depend on them!  And so, it is important to apply the age-old smell test.  If someone offers you something at a price (free) that is ridiculously low, maybe things aren’t what they appear to be.

Walk away.



FOR YOUR SAFETY: Kindly Find Attached, Your Package Was Delivered, DHL Express and Docusign

Last week a Chiropractor contacted us because he received an email that made him feel very suspicious.   This email contained an attached pdf file.  He is a member of the American Specialty Health network, or ASH. He asked our advice.  What makes you suspicious about this email?


Several red flags should be front and center…

  1. The email doesn’t identify the person to whom it was sent. Hello who?
  2. “Kindly find the attached PDF for new updates and securities” doesn’t really make sense.
  3. “Regards President” –who is this from? What company?  Where is the verifiable information?

We downloaded the pdf and fully expected to find a virus in it.  But it was completely clean, so we opened it…


This pdf file, like the email, contained no personal information to connect to our recipient.  It was totally generic.  When we moused-over the link “VIEW INFORMATION” we were not surprised to see that this pdf contained a link to a webserver in Brazil.  (“.br” is the 2-letter country code for Brazil.). We asked VirusTotal.com to look at that website and it told us that both Kaspersky Labs and Fortinet have identified that website in Brazil as a phishing scam site.  This was a very clever scam.  ‘nuf said.

Your package was delivered!  But look closely and you’ll see that this email didn’t come from FedEx Shipping.  It came from a domain called sujacsewing-DOT-com and the links lead to a domain called texasoriginalbits-DOT-biz.  Just delete.


“Hi Your parcel has arrived at the post office on 30th January, 2018.”  Unless your post office is located in Poland, we suggest you just delete this BS.  A mouse-over of “VIEW STATUS” shows a website located in Poland.


Your document is ready for signature!  Except that this email didn’t come from Docusign and the link points to a very suspicious website called larrygarcia-DOT-us.



ON THE LIGHTER SIDE: We Don’t Mean to Show Off…

But our readers know that we mingle with all the best people.  Our friend Warren Buffet just send us this email last week about an urgent donation to us and our families.  He’s such a generous man.

From: “MR WARREN” <info@no-reply.org>
To: Recipients <info@no-reply.org>
Subject: urgent donation information
Date: 2018-01-31 08:16AM

Your Attention Please,

My name is Warren Buffett and I have an urgent donation information for you which will benefit you and your entire family,with the less privileged in your local community.

Respond back to this email immediately so as to enable me provide you with the complete information regarding this donation.

God Bless you richly.

Warren Buffett
Email : warrenbb@163.com


Until next week, surf safely!