January 24, 2018


It’s simply shocking how often we need to mention that scammers love to use the word shocking, or lie about celebrities in their effort to manipulate your clicking behavior.   Megyn Kelly has been a favorite target for their tricks for many months now.  And not unexpected, they have recently been focusing on the marriage between Prince Harry and Meghan Markle to advance their malicious tricks.  Check out these two emails, both of which lead to malware…


Both domains used in theses malicious emails (Megyn Kelly scam email: mhozn-DOT-com and Meghan Markle email: comisihtrue-DOT-com) were registered by the same person, Esteban Hunter, on the day each email was sent out.  A newly registered domain is a sure sign of very high risk!


Sample Scam Subject Lines:

(Amazon.com) delivery notice DHL771955

Build Any Shed In A Weekend Even If You’ve Zero Woodworking Experience!


Are you online? Browse Singles In Your Area

Message // Messenger Notice

Need Term Life? Get A Quote In 5 Minutes Or Less.

Recipe that kills Obesity

Swiss-Army Knife-Like Organizer!

Tom Hanks presented on Shark Tank this amazing Hair Recovery supplement – Try it now

We Can Repair Your Home – Plain And Simple!

Will Prince Harry call of the wedding after hearing this news

Your Costco member reward ends today: (cust 76536791


Sample Scam Email Addresses

AIG Direct <AIGDirect @ erfgdse-DOT-date>

Amazon <amazon @ rewardzamason.com>

“Amazon AccountUpdate” <amazon.accountupdate @ freakfastgift-DOT-com>

“Amazon Points” <amazon.points @ rewardzforyou-DOT-com>

Back Pain <BackPain@xdsewkl-DOT-date>

“Big Diabetes Lie” <diabetescare @ diabeteslie-DOT-com>

Dashcam <Dashcam @ poyirhf-DOT-date>

“Eye Health Guide” <contact @ eyesvision-DOT-bid>

Federal Bureau of Investigation <info @ fbbii-DOT0com>

Forward Head Posture <ForwardHeadPosture @ textnac-DOT-club>

KeySmart – Key Organizer <KeySmart-KeyOrganizer @ wyrgds-DOT-date>

“Man Boob Elimination Program” <regainbreast @ brestsolution-DOT-com>

VA Benefit Survey <VABenefitSurvey @ chgfrted-DOT-date>




Phish NETS: FedEx, Chase Bank, Apple and Web Mail

While we frequently see malicious emails linked to malware appear as delivery notices from FedEx, USPS, and DHL, we rarely see any of these disguised as phishing scams.  Look at this email that appears to be sent from the domain deliveryman-DOT-com.  (Searching Google for this domain shows a list of many scam emails for this domain from the anti-scam site 419Scam.org  “Dear Customer, You have an important Pending Update in you’re my UPS Account.”  Mousing-over the link shows that it points to a domain (dowhol-DOT-ga) hosted in the country of Georgia, next to Russia. (2-letter country code .ga = Georgia). We visited this link to Georgia.  Look below to see that the phishing web page looks like a real UPS web page!

Then delete.



The criminals responsible for this UPS phish didn’t stop there.  Three days later we found a FedEx phishing scam email that also came from deliveryman-DOT-com and with a link pointing to the Georgia domain dowhol-DOT-ga.

This next email was well-crafted to look like a JPMorgan Chase Bank “notice about funds in your Chase account” but look closely at the from address.  Also, a mouse-over of “Secure Log On” shows that it points to the legitimate but hacked website raisoni.net, not chase.com



This Apple account phish is sooooo lame!  We can’t imagine anyone falling for it.  The email is sent from ser @ doe.com, not apple.com.  “Your Apple Account Will Be Limited!”  Read the email and you’ll see how awful is the grammar and punctuation.  The link points to a hacked website in Vancouver, Canada.

Finally, in this week’s sea of phish we saw several web mail phishing scams meant to pressure you into handing over your login information.  Here are two… “We detected a virus and suspicious e-mails on your account” and “Your email has used up the storage limite of 99.9 gigabytes.”



YOUR MONEY: Amazon Voucher, Extended Auto Warranty and Dog Food Secrets

Criminals continue to register crap domains that are meant to resemble the real thing.  We posted a few in our Sample Scam Email Addresses above and here is another in this email supposedly sent from Amazon.  Amazoncom @ amazngiiftcenter-DOT-com. “Gary Little” from the state of Georgia registered that domain last year, not Amazon.com.


“Your used car doesn’t have to be Out of Warranty! See our New Lower Prices Now!”  The link points to another crap domain hosting malicious software… youthyto16-DOT-us


“Improve the health and add years to the life of your dog” We doubt it will do anything but take years off your life if you don’t handle the stress well after clicking the link!  Though we couldn’t see who registered the domain adroger-DOT-date on January 18, we could see that it is being hosted in Hamburg, Germany.

By the way, do you see the last paragraph in the email?  It begins with “You received a Mail from TedMed Inc.”  This is not related to the health division of TED conferences, TedMed.  This is pure smelly carp!  Google maps cannot even find any such address in Washington, Maryland.

Now delete!



TOP STORY: Malicious Shark Tank!

Shark Tank premiered in the U.S. in 2009 and has become extremely popular!  So popular that scammers trying to engineer YOUR clicking behavior often use it as a lure.  We often see malicious emails disguised as Shark Tank marketing news but last week we saw hundreds of such emails.  Many of these emails appeared to have been sent by individuals or by Shark Tank itself, but some appear to have come from ABC News and USA Today.  Look at the list of email subject lines we saw on one honeypot email server in just 3 days…



The subject lines are often ridiculous and over the top, such as…

Biggest deal ever made on Shark Tank

CEO of major company outbids everyone on new brain supplement

Lori and Mark offers 43-million on a brain supplement – Amazing Results

New Brain pill raises 150M on Shark Tank – Exclusive!

But then, sometimes so is the real Shark Tank wheeling and dealing!  Here’s one example of a malicious email using Shark Tank as bait.  See that website we highlighted?  “Roger” wants you to visit it so your computer will be infected.  Fortinet found malware on the site and the Zulu URL Risk Analyzer says the chances are very good that the site is malicious.



So the next time you get an email, text or social media post yammering away about Shark Tank, do yourself a favor and don’t click.  If you really need a Shark Tank fix, visit their legitimate website at abc.go.com.



FOR YOUR SAFETY: Congratulations Sweepstakes and Cash Making Software

“Congratulations! You are a finalist.  You’re one of a select few who is entered to win $500 at midnight tonight” says an email from prizesweeps-DOT-com.  That domain is for sale and not being used so we guess it was spoofed or hacked.  There is no business listed in the email for this award.  It doesn’t identify you by name, how they got your information or were selected.  This is crap-o-la for sure!  And if you were to click that link to go to the website at wraphim-Dot-pro, you’ll be forwarded to another website being hosted in the Netherlands called teomany-DOT-com.

Step away from this landmine.



How about making some real easy cash! (Anytime those 3 words appear together, RUN!)  “A limited number of slots have been made available for this incredible new cash making software.”  Right.  And we have just acquired 100 bitcoins that we’ll sell you dirt cheap.  The link isn’t even hidden.  It points to the domain trulix-DOT-co.  The Zulu URL Risk Analyzer gives that site an 80% chance of being malicious, plus you’ll be forwarded to another site we’ve already shown to be malicious in a previous newsletter.

Just delete.




We have friends all over the world!  So many, in fact, that we forget who they are exactly…. Like Mr. Wong here.  He must be our financial partner in Dubai.  It’s nice of him to think of us after all this time!

From: “Xin Wong” <yazengsoccer@asia.com>
Date: January 16, 2018 at 3:01:03 PM EST
To: yazengsoccer@asia.com
Subject: Dear friend


How are you? I hope you are fine. I know you will be surprise to read my mail after a long time of non communication. Anyway I want to inform you that I have finalized the transaction with the help of my new partner from Dubai.

Right now I am in Dubai investing my own share of the money. But I never forget the assistance you rendered despite you didn’t conclude the transaction with me. Therefore, I have compensated you with $350,000 Dollars for your efforts. The money has been credited in ATM VISA CARD. I have deposited it to my pastor. His names are Pastor Dave Hopewell.

Contact my pastor with this email address (dhopewell053@outlook.com) so that he can send the card to you. I will not be regular checking my mails because I am very busy at the moment. So deal with my pastor so that you can pick your card as soon as possible.


Xin Wong


Until next week, surf safely!