January 16, 2019


We’ve received positive feedback from readers who like to see occasional legitimate emails, along with pointers why the email is legitimate.  So here are two more recent examples of legitimate real emails that may look suspicious. Look carefully at the domain name that follows the “@” symbol of the FROM address and you’ll see that both show dropbox.com.  If you read both emails carefully you’ll see that they are grammatically correct, with correct punctuation, spelling and capitalization.  This small point is actually very important since the majority of cybercriminals who target Americans don’t write English with the same fluency and accuracy.  The first subject line is “You’ve successfully reset your Dropbox password.” We captured a screenshot while mousing over “account settings.” You’ll notice that the link that appeared in the lower left corner of the email begins with “https” (s = secure protocol) and the domain that immediately follows www is dropbox.com, followed by the first forward slash. This is as it should be!




The subject line of the second email is disturbing if you were not near Tel Aviv, Israel. “We noticed a new sign in to your Dropbox.”  Mousing over the “Yes” or “No” buttons, and “I’m not sure,” all show https (secure) links pointing to dropbox.com.  And, it is very important to note that there is no observable redirect hidden in any of these links!



Alternatively, take a close look at both the FROM email address in this 20% off Dish promotion AND the link revealed by mousing over the promotional graphic.  A quick Google search for Dish TV shows their legitimate domain to be dish.com.  This email came from a domain registered in the European Union called outlawleaves[.]eu.  You can see that the email was sent on January 7 and yet the ad begins with “2019 is Around The Corner…”  Finally, the link revealed by the mouse-over seems to point to an Outlook.com server but then contains a redirect to an oddball domain.  Can you spot the redirect? This clickbait will take you directly to a malware infection.




Phish NETS: Spear-Phishing, PayPal, and JP Morgan Chase Bank

A New England school gave us permission to share an attempted spear-phishing scam that targeted the school’s business office.  While phishing scams are wide spread casts of a net to capture people’s login credentials to personal accounts such as commercial sites (Apple, Amazon) banking, or even social media accounts, spear-phishing scams target a specific individual or small group.  In the case of this school, an employee in the business office received an email that appeared to come from another employee’s school email address. This other employee was informing the business office that she had changed her bank account and wanted her paychecks sent to the new account.  And, as you can guess, the real employee didn’t send this email to the business office. Her email address was spoofed! (Meaning that the email was made to look like it came from her address but did not.)



This next phish is easy to spot!  It claims to represent PayPal but didn’t come from paypal.com.  And a mouse-over of the link for “Check This Now” shows that it points to a secure, but hacked, website called graphics-i-design[.]com.  Read the email carefully.

We spot at least six errors in it!


And finally, we have this lame phish pretending to be from Chase Bank.  A TDS reader sent it to us and we were not able to show the original email.  However, the phishing email contained no active link. Instead it asked the recipient to open the attached document. (Your bank would never send you a Word document.) We count at least four English errors in just the first paragraph!  And of course, the link shown as www.Chase.com didn’t point to Chase.com.  It pointed to a phishing page created on a free web hosting service.





YOUR MONEY:  Background Check on You

OK, we’ll admit that the content in this week’s “Your Money” column doesn’t fit the purpose of the column at all.  But we already had an important Top Story and the malicious clickbait below is also very important to share with readers.  One of our honeypot email accounts received this email with the subject line “Someone may be trying to perform background check on You.” (Notice incorrect capitalization and grammar.)  This is just a social engineering trick to get you to open the email. And when you open it you’ll find the headline “If You Thought You Had Privacy on the Internet, Think Again: This Search Engine Knows Everything.”  Be honest, are you a little curious now? Do you wonder what a search engine might know about you, your friends, and family? This is just more manipulation of your clicking behavior! Besides the incorrect grammar in the subject line, there are at least two major “red flags” about this email that should make you suspicious about its legitimacy.  One is easy to spot and the other is subtle.

Can you find them?



The easy one to spot is the FROM address.  Oddly enough, the email was spoofed to appear as though it came from Walgreens, which is not a logical choice for a search engine or even a news article.  The subtle, and VERY risky red flag to notice is the link. It points to a link shortening service located in Finland. (Notice the 2-letter country code for Finland in the domain name: “urly.fi”)  For those unfamiliar with the risks associated with shortened links or why they are often used by cybercriminals, read our feature article “Shortened URLs: What Are They and Why Should I Care?”

We used our favorite unshortening tool, Unshorten.it, to discover that the link in this suspicious email will send you to a website called warmthpony[.]com.  We were now certain that anyone clicking that link would be in serious trouble.  Our investigations over the last year have taught us that a VERY active and dangerous cybercriminal gang has likely automated the purchase of thousands of domain names by combining two random words, like “warmth” and “pony.”  We’ve seen this hundreds of times in the last year. (Look back at both domains in the FROM address and hidden redirect in the fake Dish email above. You’ll find the FROM domain was made by combining “outlaw” and “leaves” while the redirect sends you to a domain called “low” “mono” dot-com. Yes, technically “mono” is not a stand alone word but you get the idea.)



Web of Trust rated the trustworthiness of warmthpony[.]com as very poor.  The Zulu URL Risk Analyzer rated it as suspicious….



We used a screenshot tool to take a peek at the warmthpony[.]com and found that it presented itself as the people search feature called “The Beacon” from the very legitimate site Truthfinder.com.   Here’s a link to the real Beacon on Truthfinder.com.  This fake site is dangerous clickbait!  Step away from that precipice! (NOTE: We do not represent Truthfinder, nor receive any ad revenue from them.  We have never used their site and have no opinion about their services or it’s value.)




TOP STORY: When Good Food Turns Bad: Hijacked Websites

Last week Doug and his wife wanted to get take-out from a Vietnamese restaurant in Lynn, Massachusetts that they had heard good things about from friends. As most people would, Doug opened a Google window and searched for Pho Minh Ky, Lynn MA to find the address and menu.  Oddly, he found no links to any official site claiming to represent the restaurant itself, only information about the restaurant on sites like Yelp and AllMenus.  However, Google displayed information on the right side of the window about the restaurant, including a link to the restaurant’s website. Doug clicked it and found himself on an unofficial Facebook page for the restaurant… (DANGER: DO NOT CLICK THE WEBSITE NAMED FOR THIS RESTAURANT AND LISTED ON THE FACEBOOK PAGE!)



Still hoping to find a menu and learn more, Doug saw a link posted on the unofficial Facebook page with a domain name that matched the name of the restaurant and so he clicked it.  His web browser went to phominhky[.]com, a blank web page, and was immediately redirected to the following web page…


“Security Check” “By clicking the button above you’ll go through a standard security check, after which you will be redirected to Chrome Store and will be given the option to either install Safe Browsing extension, or continue directly to your destination.”  A security check to visit a restaurant website? We conducted a Google search for the website name found in the link for this “security check.” Searching for getawesome5[.]com turned up dozens of links on how to remove the “getawesome” malware!  And we discovered that there have been other sources of this malware by number… getawesome1[.]com to getawesome8[.]com. You can read about the getawesome5[.]com malware at Virus-Removal-Guide.com.  The safest thing to do here is to immediately quit your browser and run a full anti-virus/anti-spyware check of your computer to be certain that something wasn’t downloaded or tucked into your web browser’s extensions, add-ons or scripting.  But that’s not what Doug did…yet.

We have noticed in the past that cybercriminals maximize their efforts to harm us by dynamically linking multiple malware sites through their redirecting scripts of a hacked website.  Therefore, if the criminals lose one of their weaponized malware-delivery sites, they’ll still have others in place to redirect and infect visitor’s computers/phones. To test this theory, Doug cleared his browser cache, returned to the Facebook page for Pho Minh Ky and clicked the restaurant link on the left side of the web page again. And again he was redirected through phominhky[.]com but this time to another website…



Flash player is software made by Adobe and still used on many websites to stream video/audio content.  It is one of the most insecure software products used on the Internet. In July, 2017, both Microsoft and Google announced that they were phasing out the use of Flash on their platforms because of its many security holes and bugs.  Apple took that step years earlier. (Read “How Apple, Microsoft, Google, and Facebook Plan to Eliminate Flash” on Fortune.com)  The critical thing to notice in this screenshot is that we are not on Adobe.com’s website!  Instead, we were redirected to the domain freesystem-contents[.]review, a website registered in August, 2018 through a proxy service in Panama.  Once again, we were one click away from a malware infection.

It turns out that phominhky[.]com was registered on November 19, 2018.  Though the Zulu URL Risk Analyzer finds nothing wrong or suspicious about this website, it does seem to think that the website is hosted in the Netherlands. This is a red flag for a small Vietnamese restaurant found in Lynn, Massachusetts.  The food, by the way, was outstanding! We wish we could say as much for their website. Time to go clear the browser cache and scan for malware…



FOR YOUR SAFETY: Found Your USB Drive Files and This Really Is Disturbing

A TDS reader recently sent us the email below that came to him from a VERY long-named email address.  “I found this USB drive on the side of the road with instructions so here it is: Final video from Chris.”  To evaluate any possible authenticity of this email that seemed like someone was doing a good deed, we asked the TDS reader three questions…

  1. Did you lose a USB flash drive with instructions how to contact you and return it?
  2. Do you know or recognize the sender’s email?  Presumably, it is the former head of Dalhousier University, Dr. Richard Florizone OR someone named Aaron Miller
  3. Have you been in Nova Scotia in the last year or so? (especially Halifax, where the University is located)

His answer was short and clear…No, no and no!  Once again, this email is clickbait to trick the recipient into downloading and opening malware on his or her computer.




This really is disturbing…. We mean it!  Check out this random email that was sent to another TDS reader.  A mouse-over of the link “Study the secret” points to a shortened link through the goo.gl service.  Unshorten.it showed us that the shortened link redirects to a crap domain called kayolly[.]online.



Using screenshot machine, we snagged a photo of the web page waiting for you at the end of this link.  It looks like a get rich scheme beginning with the header “Use This Spectacular Video To SMASH Your Bank Account With An Absolute FLOOD Of Income.”  Unfortunately, there was a “Player error” and the video can’t play. We’ll bet $5 that you’ll be asked to install a software update in order to play that video!


Until next week, surf safely!