January 11, 2017


Dear TDS Readers, besides the usual bad winter weather across much of the United States, the past week also brought us a bad collection of new criminal tricks designed to engineer your clicking behavior.  Of course this new effort is in addition to the routine scams that target us weekly, such as this pitch to get quotes from Medicare Providers.  The domain it uses, medicarebvhv.date, was registered on the day the email was sent by someone from India identified as “raj” and the domain is being hosted on a server in Baden, Germany.  Sound like a legitimate service to get medicare quotes to you?


We also continue to see the corrupted and malicious use of legitimate products and companies such as the Photostick.  Here’s a link to the legitimate Photostick manufacturer and product. This email, however, came from the domain clickurpic.club and contains links back to it.  This domain was registered on the same day the email was sent using a privacy proxy service in Panama.  Email recipients are invited to “re-move messages from our list” by contacting Riight Vision Media, a fake company we wrote about just last week.




Check out our latest feature article about the most unlikely of Anti-Scam Crusaders!

Sample Scam Subject Lines:

[eBook] Extremely Limited Quantity…

Avoid the Hassles of Home Repair. Get Your First Month FREE!

Diabetics: do this 1 thing before you eat sugar

Do THIS & NEVER Forget a Single Thing Again! (NEVER)

Do you speak English?

Drop lbs Fast without Diet and Exercise

Find Affordable Assisted Living Areas in your community now!

Home warranty plan: Search Now

How to recondition batteries at home

Intensify your sex drive

Kick into high gear with an exciting new SUV

Mortgage rates are rising. Refi now. Don’t miss out!

You Really Can Crack the LOTTO Code!

Sample Scam Email Addresses

agora.financial-[YOUR EMAIL]@cobrizametals.com





honest_loans_online_loans-[YOUR EMAIL]@gradallserv.com






trump_breaking_news-[YOUR EMAIL]@lenademsky.com

vibrant.health.news-[YOUR EMAIL]@pirrionline.com







Phish NETS:  PayPal and Apple ID

The subject line says “Account notification” but rather than coming from paypal.com it came from kundenserver.de.  Think you recognize that 2-letter country code?  It isn’t Denmark.  It’s Germany (Deutschland).  This phish wants you to think Paypal but the link will send you to a phishing site in Chile.  These criminals are so international, aren’t they?  Can you spot the subtle grammar or capital letter errors in the email?


“Your Apple ID was used to sign in to iCloud” says this email from chrisw @theacesinc.com, not Apple.com.  This is followed by “Your Apple ID was used to sign in to iMessage.”  A Google search for the phishing destination of haofang-dot-ren informs us the website has been hacked and misused.  Ya think?

Just delete.





YOUR MONEY: Targeting Campers, Do-It-Yourselfers and Survivalists

The criminal gangs who target us most often tend to target groups of people whom they feel are most likely to fall for their scams.  These groups always include diabetics and others who are coping with a variety of long term health problems.  But it also includes those interested in using dating services, the elderly, homeowners doing home repairs, people looking for insurance, and many, many more groups.  A “rising” group they have been targeting include campers, do-it-yourself-ers (DIY) and survivalists.  We wanted to use this week’s Your Money column to show you a few of these malicious emails.

Let’s start with this email from 1Tac-Support@ genuine.staisun.us with the subject line “Hydro Water Bottle Removes 99.9999% of Waterborne Bacteria And 99,9% of Parasites.”  You see the email clearly targets campers, offering 90% off plus free shipping.  What a deal!  But it takes no time at all to use a WHOIS and see that staisun.us was registered the day the email was sent by someone named Munroe Mansfield from Rovaniemi, Finland. Or that a Google search finds nothing on the Internet about that domain.  But if you look carefully at the email you’ll see that it claims to represent the company 1Tac.com, a legitimate company and an easily identifiable commercial website.  This is just a wolf in sheep’s clothing.


How about “DIY Biker Repair Videos?”  This email was sent from the domain edyfurt.xyz and has links pointing back to it.    But this do-it-yourself promotion is baloney.  A Google search for this domain only finds similar bogus emails hitting websites in Poland.  And, as you can guess, a WHOIS lookup shows that the domain was registered the day the email was sent by someone named Mohit from Guna, India.  How’s that bike repair course looking now?


Finally, for all you I’m-ready-for-the-world-to-go-to-hell survivalists, this isn’t what you think.  “Dear Survivalist, This is your chance to get your hands on the hottest new emergency gear on the market… It’s called the PopLamp.”  Like so many other malicious emails, this scam preys on a real product from a real company.  And the domain used here, poplampbeam.club, seems like it could be legitimate.  You know the drill…   Google finds no such website but does find similar emails on blogs in Poland and some that originate from email-fake.com, a common source of malicious emails.  The domain was registered on January 2 (big surprise) using a privacy proxy service in Panama.  Busted!

So the next time you or a family member see some cool product promotion fly into your inbox, look carefully before clicking.  If you are the least bit suspicious, take a moment to use Google and a WHOIS to check it out.



TOP STORY: Lessons to Learn – Tracking Cookies & Malware Tricks

This week we wanted to bring attention to two different tricks used by criminals that just might creep you out (as our teens might say).  Let’s begin with Internet privacy, a commonly stated oxymoron.  Internet privacy doesn’t exist for the overwhelming masses using the Internet.  Does it surprise you to learn that it is possible for someone to know the very moment you open an email, how many times you open that email, the exact IP address (computer address on the Internet) you used as you open that email (or the proxy server you use to connect to the Internet)?  All of these things are easy to gather if the email sender uses a web beacon.  (Web beacons also have other names such as web bug or tracking bug.)  You can read more about these little spies on Wikipedia.

Usually web beacons are rendered invisible to the recipient and the only way to see that one was placed in your email is to use a program that will crack open the code and show you what’s under the hood.  But sometimes they are right in front of your face but you just don’t know what you are seeing.  Take this email below that appears to have come from stockoptionadvisors.com with the subject “#1 Drink for Alzheimer’s.”  “Dear Reader, Can a homeade beverage permanently end Alzheimer’s disease?” says Christine O’Brien from Nutrition & Healing.  First off, does this even seem like legitimate content from the very real website stockoptionadvisors.com?  Of course it isn’t.  They were hacked and misused.  However, look at the bottom of the email.  Can you find the tiny rectangular box, barely visible at the bottom?


Think you spotted them all?  Did you also see the tiny square just underneath the red link “Click here now to play the private video?”  Yup, both are web beacons.  Below is a screenshot of the behind-the-scenes code showing both.  We highlighted the code used to create the tiny square, 1 pixel by 1 pixel in size.  This web beacon is being pulled from a subdomain of a business called NewMarketHealth.com.  What makes this even more suspicious is that NewMarketHealth.com is not a marketing or web-tracking company, it is a company focusing on new health solutions.  Curiouser and curiouser.  It appears that NewMarketHealth.com has likely been hacked and misused as well as stockoptionadvisors.com.


This little snippet of code is tracking the recipients behaviors with that email.  The criminals know everytime the email is opened and when.  Creepy, huh?  It is just one way in which they can evaluate the effectiveness of their social engineering tricks.

A second trick sometimes used by criminals to target you is to scream fire!  That’s right.  When someone screams fire it usually gets attention and fast.  One of our readers sent us a screenshot of a graphic that was found in an email he received….



This graphic is the equivalent of screaming “fire.”  “Notice – Your Computer is Being Tracked.”  (No s#%t, Sherlock! All of our computers are being tracked, all the time.) This graphic was meant to alarm and trigger a knee-jerk response to click “DISABLE.”  So what’s waiting at the end of that DISABLE button?  The link points to a VERY long and unique key-code on the website quickprivacycheck-dot-comDO NOT visit this website!  We asked Google what it knew about this site and the response was overwhelming.  We looked at the top 12 links AFTER the actual link to the website itself (which contains precious little information) and each link offered advice how to remove malware installed by that website.  The next time you you get an email that screams “fire” we want you to resist your first impulse to click!  Instead, close the offending email, popup, window and then investigate.  If you actually can’t close the window, shut down your computer immediately and seek help.  Think we’re over-reacting?  Check out these related articles of someone screaming “fire” across the Internet:








FOR YOUR SAFETY: WhatsApp Missed Voice Message and New Success Newsletter Subscription Approved

We have seen this malicious email before but it has returned and it is worth mentioning again.  Beware ANY emails that claim to be from Whatsapp about a missed voice message!  This one clearly didn’t come from Whatsapp and a mouse-over points to an IP address that is located in Singapore.  We asked the Zulu URL Risk Analyzer to evaluate the link and it says 85% chance it is malicious.




This email sent from Romania (.ro = 2-letter country code) is something new!  Apparently we’ve signed up for a new subscription and didn’t even know it.  A mouse-over of the link “log into your profile” is a landmine waiting for us in Turkey. (.tr = 2-letter country code)   According to Virustotal.com, the link has been identified as malicious by Trustwave.  Big surprise.





Normally we wouldn’t answer a stranger’s knock on the digital door but this email from Jasmine sent via AOL in France caught our attention.  We always wonder why these emails come from one address but the sender then identifies himself as another person using a different email address.  No matter.  How can we resist a “genuine business transaction” with the good Doctor, especially when she tells us to have a nice day?


From:  maramirez @inti.gob.ve
Subject: [BLANK]
From:  jasminekarim2@aol.fr
Time:  2017-01-03 01:15:59

Subject: Please write me through this my private Emaildrharunabello868@gmail.com

Hello Dear ,

God Bless You….

Please write me through this my private Email drharunabello868@gmail.com

I am Dr Haruna Bello

I have a Geniue business transaction of 18.5 Million Us Dollars to do with You

Hence You Co-operate with me I am assured you that within (7) seven banking working days, this said amount will enter your given Bank account with immediate alacrity. If you agree to my business proposal, further details of the transfer will be forwarded to you as soon as I receive your wiliness to join hand with me.

Am awaiting your urgent response with this informations

Tel/ Fax:……………
Country Of origin:……….

Have a nice day!!

Dr Haruna Bello. drharunabello868@gmail.com

Just call Me +226 6803 9466


Until next week, surf safely!