January 17, 2018


It’s no surprise to anyone that money is a strong motivating force to engineer clicking behavior.  That’s why a staple of online criminals is to offer money to consumers for taking a survey.  Except, of course, it’s all fake and simply a malicious trick.  Just because the offer looks professionally crafted doesn’t make it real.  For example, look at this email that appears to come from surveys @ surveys-DOT-com.  (Surveys-DOT-com has been around since 1994 but there is no guarantee that this email was sent from this domain.)  “You’ve been selected. Take surveys. Get paid.”  Mousing-over any link in this email shows that you’ll be visiting a domain that was registered on August 16, 2017 through a private proxy service. This domain sounds like the real HarrisPollOnline service but it is a malicious look-alike. The Zulu URL Risk analyzer  rates the links in this email as 100% malicious. ‘Nuf said.

More readers are reporting suspicious redirects popping up on their smartphones since we first reported on them in our January 10 newsletter. Here’s one of them that was a redirect to giftcardtip-DOT-top “You Are Lucky Today! Amazon.com Membership Rewards”  This domain was registered on December 22, 2017 through a proxy service in China.  Sound like Amazon to you?


Sample Scam Subject Lines:

Amazon.com order #7Amazon.com order #7[digig6] processed processed

Blow out Sale on printer ink. Save up to 85%

Document No 488727596

Don’t spend Saturday night alone-Match Seniors

Get 2018 Best Annuity Rates

High Blood Pressure Cured In 9 Minutes

Mark Zuckerberg’s new product will SHOCK you!

Needed: 23 Positions available – work from home

SAVE up to 85% on Ink and Toner today – Free shipping available

The Only Dating Site You Need

This is the most amazing tea I have ever had

This soap will get all your missing hair back

This Survey Might Help Save You Hundreds On Your Energy Bill

Sample Scam Email Addresses

1_ink <1_ink @ mfvbtydcb-DOT-date>

Annuities <Annuities @ annuftvm-DOT-review>

“CVS Pharmacy Rewards” <cvs-pharmacy-rewards @ reportsonyou-DOT-com>

“Darrin D” <darrin-d @ amaazonx-DOT-com>

FinancialHelp <FinancialHelp @ uwaqxx-DOT-club>

“HornyAffairs” <meetgirl @ meetgirl-DOT-com>

“Mark On Shark Tank” <mark_on_shark_tank @ stressreliefz-DOT-com>

“oneink.com” <oneink @ oneinkk-DOT-com>

“Pharmacy Coupons” <pharmacy.coupons @ samsspecial-DOT-com>

SamsClubcom <samsclubcom @ vezyxeu-DOT-com>

SamsClubRewards <samsclubrewards @ givingrewardz-DOT-com>

“Shark Tank Special” <shark_tank_special @ allsharksmoney-DOT-com

Solar Survey Message <SolarSurveyMessage @ ussolfcnn-DOT-date



Phish NETS: American Express, Navy Federal Credit Union, and WebMail

“Cardmember, There is a recent security report for your American Express(R) Accounts(s)” says an email from aexpmail.com, a real domain owned by American Express.  But the email didn’t really come from American Express. This is called email spoofing.” NO credit card company will ever send you a form in html format!  Html docs are web documents that can contain all kinds of instructions to your web browser and can be very dangerous!  We opened that file to find that the “form” is calling for a javascript from the website usdatavault.com.  At least one member of the Virustotal community has reported that this site is being used for malicious purposes.

We agree!



“ACTION NEEDED”  “Our security team flagged your account as needing additional verifications to use our Online banking”  Again, no financial institution would ever say this.  Mousing over the link for Navy federal reveals that it points to a very hacked website called colorall-DOT-com.  Even Google finds that “this website may be hacked.”

Ya think?

Imagine getting this message from mailsecurity.com…  SERVER MESSAGE: Your email will shutdown in 1hour.  We can’t imagine too many people falling for this smelly carp but some might.  The link “Click here to Stop shutdown” points to a shortened URL at tinyurl.com.


We unshortened that URL to see that it redirects you to a web page hidden on a hacked website called ATinternet.com.  Look at the intimidating message waiting for you there…


YOUR MONEY: Student Loan Offer

Do you recall the children’s game “spot the difference?”  Let’s play that game using three short emails… What’s the difference between these?




“According to our info your student loan can be reduce or forgiven.”  How many differences did you find besides the day/time the emails were sent?

Subject line.  ID/Message number.  …and most importantly, the sender’s from address.  Not only are they different but If you look carefully at those email addresses you’ll also see that the names in front of the actual email addresses do not match the names within the email address.  This is often the first big tip-off of a scam email.

Would you like to give the sender(s) the benefit of the doubt a moment?  They’re offering a way to reduce your debt afterall.  Let’s dig into this…  We looked up the phone number 877-294-5212 and found multiple web sites with complaints posted about this number.  Here are two:



Our honeypot email server also received many more of these emails and some with a different phone number:

We also looked up 888-564-2613 and it took little effort to find websites identifying it as a scam or dangerous:



How would you feel now about applying for a loan reduction by calling these numbers?  About as good as having a root canal we think.   We often see lots of online, unsolicited pitches for personal loans, business loans, student loans, etc.  And we don’t recommend responding to any of them.  Did you see a business name and website in any of these emails that can be verified?  No, of course not.  Any reference to a brick and mortar business you can walk into or verify?

No, of course not. 

By the way, if you want to have some real fun with “spot the difference” visit the SpotTheDifference.com website!



TOP STORY: RewardsConnector Website – Real or Fraud?

One of our readers has been inundated with emails, mostly through onmicrosoft.com, that look like promotions from well-known businesses and she’s been sharing them with us.  For example, she sent us this $50 CVS reward.  But oddly, the links in this email point to a shortening service at buff.ly.  Of course, we unshortened that link to see that it will redirect you to a file on a website called RewardsConnector-DOT-com. Rewards Connector? Meaning you will be connected to your reward?



Two days earlier this TDS reader also sent us a delightful email that came to her from another onmicrosoft.com address with the subject “Walmart Reward_Open Immediately”. “Will you be the next winner? Crack the egg !!” It also had links leading back to a URL shortening service, but this one was t.co.

When we unshortened this link we discovered that it sent us to a domain called mosquitonap.com.  Though this domain was registered in May, 2016, Google can’t find any information about it at all. A WHOIS lookup for mosquitonap.com shows  that it is being hosted in Munich, Germany on its own dedicated server.  Even more curious is that the Zulu URL Risk Analyzer shows another redirect waiting for you at mosquitonap website! You’ll be redirected yet again to…. RewardsConnector-DOT-com!


So what exactly is RewardsConnector-DOT-com, and is it a legitimate marketing service?  A WHOIS lookup shows that the domain was registered in February, 2017 through a private, proxy service. We used five different online tools to evaluate this link, and rewardsconnector in general.  To its credit, all services reported the site as clean of malware and not on any known/checked blacklists for suspicious sites.  We then took the Walmart 8-question survey and were finally informed that we were eligible to receive fantastic offers of valuable products if only we paid the shipping.  Here is a list of these “valuable products.”  (To see screenshots and details of these “Walmart offers” and what we found at RewardsConnector-DOT-com, visit our full feature article.)


Clicking OK redirected us to a website called researchcodes-DOT-com. This domain was registered  on December 5, 2017 using a private, proxy service from the Cayman Islands.  ResearchCodes-DOT-com finally gave us a bunch of rewards, none of which had anything to do with Walmart.  Here are the first five of them:

Anti-Aging Skin Cream – Retail price: $129.99; Today’s price: $0.00; Shipping cost $4.95

Garcinia Weight Loss Kit – Retail price: $109.99; Today’s price: $0.00; Shipping cost $4.95

#1 Male Enhancement – Retail price: $129.99; Today’s price: $0.00; Shipping cost $4.95

Anti-Aging Male Skin Cream – Retail price: $129.99; Today’s price: $0.00; Shipping cost $4.95

Brain Power Booster – Retail price: $109.99; Today’s price: $0.00; Shipping cost $4.95

We clicked to confirm three of these “Walmart” rewards and were redirected to the following domains:

Instantly-ageless-DOT-us     Valubody-dot-com    Findbeautyandtruth-DOT-com

So we ask our readers to apply the “smell test” to this maze of emails, redirects and websites connected to rewardsconnector-DOT-com.  Why would a legitimate marketing service keep redirecting you through other websites to get to rewardsconnector-DOT-com?  Why would they send these emails from such strange from addresses using subdomains-domains such as smut.onmicrosoft.com and arletterfgerf.onmicrosoft.com? And, by the way, in small print at the very bottom of the researchcodes webpage we found the following paragraph.  READ IT CAREFULLY…

“We are not affiliated nor partnered with Walmart. Walmart has not authored, participated in, or in any way reviewed this advertisement or authorized it. The trial products offered on the last page pay this website for orders placed. * S&H charges do apply. Some of the products described on this site have terms regarding continued billing after the free trial period ends. This is referred to as negative option, or continuity billing. Therefore, it is important to ensure that you are fully aware of the terms associated with each product before you order. See manufacturer’s website for full terms and conditions before ordering your free trial as these vary by product. Please keep in mind that these are separate companies and we are not the best source for information about orders or specific policies. Because these companies control their own policies, shipping and other fees may change periodically.”

And so, dear TDS reader, what does your “smell test” tell you about rewardsconnector-DOT-com?  We thought as much.  And we have since found similar “rewards” for Amazon and CVS, all pointing to rewardsconnector-DOT-com.

Caveat emptor!



FOR YOUR SAFETY: Documents and Messages Rejected (Yahoo, Pinterest)

Lots of emails carrying malware coming from many different email addresses last week.  But all had nearly identical subject lines as you can see from the list below… “Document No

Apparently the messages you’ve been sending have been rejected.  That is, at least, according to “Yahoo Support” and “Pinterest Service.”  But if you look carefully at the from address you’ll see these emails didn’t come from either Yahoo or Pinterest.  We’ve found many of these reject-messages.  VirusTotal.com tells that the links are malicious.  Big surprise.  Just reject them!



ON THE LIGHTER SIDE: Forgive My Indignation

This is truly impressive!  Director Christopher Wray of the FBI knew that we’ve been “transacting with some impostors and fraudsters!”  (We’re always impressed how the FBI knows this stuff!)  He says we are owed some compensation! We just wonder why his email came from a server in Kazakhstan. (.kz = 2-letter country code for Kazakhstan.)

From: “Dir. Christopher Wray”<sales@minim.kz>
To: undisclosed-recipients:;
Subject: Federal Bureau Of Investigation.
Date: 2018-01-09 07:32PM

Anti-Terrorist and Monitory Crimes Division.
Federal Bureau Of Investigation.
Edgar. Hoover Building Washington D.C


If  you receive this email its means you are yet to receive your scam victim Compensation Funds. Through our Fraud Monitory Unit we have noticed that you have been transacting with some impostors and fraudsters who have been impersonating the likes of Mrs. Gill Marcus of the Reserve Bank Of South Africa, Mr. Patrick Aziza, Bode Williams, Frank Anderson, Stephen Allen, Emmanuel Nnorom, none officials of Oceanic Bank, Zenith Banks, Kelvin Young of  HSBC, Ben of FedEx, Lamido Sanusi of CBN, Ibrahim Sule, Dr. Usman Shamsuddeen, Harry Thompson, Barr. Larry Gold and some impostors claiming to be The Federal Bureau of Investigation who exist in different part of the world e.g Malaysia, Benin Republic, Ghana, Togo, United States, Nigeria, India, China and many others.

The Cyber Crime Division of the FBI, British Interpol and the African Truth and Reconciliation Commission gathered information from the Internet Fraud Complaint Center (IFCC) on how some people have lost outrageous sums of money to these impostors as you have. As a result of this 1000 people where selected across the Globe for this SECOND BATCH OF THE YEAR COMPENSATION and Your email was in the list submitted by our Monitoring Team observers and this is why we are contacting you, this have been agreed upon and have been signed by the US GOVERNMENT in conjunction with the IMF.

We have negotiated with the Federal Ministry of Finance that your payment totaling $5,500,000.00 USD (Five Million Five Hundred Thousand United States Dollars) will be release to you as one of the selected Beneficiaries. To redeem your funds, you are hereby advised to contact the Compensation Center via email or phone for their requirement to proceed for the release of your funds

Dr. Derick Foster
Director- General
Compensation Award Payment Center
Email: drderickfoster@gmail.com

On contacting Dr. Derick Foster with your details your file would be updated with the necessary information’s, below Dr. Derick Foster is obliged to give you a call and treat your case with utmost urgency as soon as you contact him and fill out your correct details including all reachable phone numbers for him to get in touch with you via phone or email.

FULL NAMES: __________________________________
COUNTRY: __________________________________
TELEPHONE NUMBER: _____________________

Note: Disregard any email you get from any impostors or offices claiming to be in possession of your Compensation Funds and forward any emails you get from impostors to Dr. Derick Foster’s office so he could act upon it immediately to help stop cyber crime.

Best Regards,
Dir. Christopher Wray
Edgar Hoover Building
935 Pennsylvania Avenue,
NW Washington, D.C.

Until next week, surf safely!