January 27, 2016


This week we’ve decided once again to focus attention on that elite governing body of the Internet’s naming system, policies and oversear of Registrars… ICANN.  The Internet Corporation for Assigned Names and Numbers.  They’ve recently published what they call the “ICANN EXPECTED STANDARDS OF BEHAVIOR.” If it hasn’t already been clear to our readers, we believe that ICANN falls far short of their responsibilities to safeguard netizens.  Could they even possibly be benefiting from their practices and policies because they seem to favor the criminals who target us so easily and without impunity.

If you wonder why we make such a fuss about the domain naming system (like .com, .org, .car, .date, etc…) it is because these names represent the keys to the Kingdom of the Internet.  All things “Internet” are first built from global Top Level Domains (gTLDs) and he who controls them wields tremendous power and wealth.  Don’t take our word for it.  Read these recent articles from Michael Berkens at TheDomains.com titled “.Auto .Car, .Cars Get First Day Registrations at $60K Per Domain”  or  “.Club Sells Over 5,500 Premium Domains in December for Almost $615K.”  Would you be surprised to learn that the owner of the domain Rams.com was asking $650,000 for this name but the last bid seen on January 14 was already up to $1.8 million dollars? (See article at TheDomains.com.)

Sample Scam Subject Lines:

Cops use These – 1 – Tool everyone should Have

Discover The cause of Arthritis And find Treatment Options

Easy Golf Swing for Injured Players

Ending Soon: You have one more gift to open, $50 from Amazon

Internet offers and Deals On High – Speed Internet

The Biggest Lie Obama Ever Told

New Security Safeguards Alert

Re: Your Macy’s $50-voucher expires 01/24/2016, 5584586

Roth IRA Financial Advice

Search Solar options for you!

TIME: Drop 20-lbs in 4 weeks and keep your New Year’s goal

You have new fax, document 00000857942




Sample Scam Email Addresses:





















Phish NETS: Wells Fargo, iTunes Update and Apple GSX Accounts

This Wells Fargo phishing scam is actually pretty lame and laughable.  “We recently detected that some personal information’s are corrupted to our database.”  Read the email and you’ll understand what we mean.  “Thank you for begin a valued Wells Fargo Customer!” The link provided in the email leads to files hidden on the webserver for a restaurant located in the coastal town of Denia, Spain, south of Valencia. Hopefully their fish is better than their phish.



Our next two phishing scams speak to our claim that ICANN is neglecting their responsibility to keep all of us safe.  Stick with us on this one as we go down a rabbit hole…

Each of the two emails below wanted the recipient to believe that they came from Apple.com and concerned his Apple GSX account. (A service for repair technicians.) The first email appears to come from applecare@update.com and the second from internal@apple.jp. The domains may be legitimate but these “from” email addresses were spoofed.  Each email contains an attached “shtml” web file containing instructions to a web server somewhere on the Internet. And buried in that file are the instructions to send the recipients personal login information to the strange domain called telicabunu.eu.





Our long-time readers will recognize that this domain contains the 2-letter country code “.eu” indicating the European Union. We warned readers to be careful of “.eu” domains early in 2015. If you conduct a WHOIS lookup of telicabunu.eu you’ll discover that no information is listed.  If you visit EURID.eu, the Registrar in charge of dot-eu domains, you’ll find that the only information available about the person who registered this domain is the email address dutedute2012@gmail.com.  Visitor’s are told “for privacy reasons, the registration data of private persons is not fully disclosed. You may request this data under strict conditions by completing a personal data disclosure form.”  The form then asks us to “justify your request and indicate how you intend to use the requested data, should it be disclosed.”  We are then asked to provide our personal details such as name, telephone, email, address, etc.  In case this barrier to investigating a crime  isn’t enough to discourage most folks, how about this line at the top of the form from EURID… “You should understand that disclosure of such private data is exceptional and is subject to strict conditions.”  Sounds like the EURID organization is a criminal’s best friend!  To their credit, EURID posts information how they work to “combat malicious registrations” on their About Us webpage  but on January 23 we couldn’t find any place on their entire website to report abused domains.  And they also claim to make .eu top-level domain as secure as possible for Internet users everywhere, we combat malicious domain name registrations by actively screening newly registered .eu domain names.” Given the dozens of malicious .eu domains we have found in the last year, we have a hard time believing their claim.  And who licensed EURID?  Can you guess? …ICANN.  We believe these problems are systemic and a direct result of ICANN’s policies and rules.

Before we close this week’s Phish Nets, here’s another lame phish that also contains a spoofed email from address replyonline@itl.apple.com.  “Please update your Online ID as soon as possible – if no action is taken, you will be required to contact SupportTeam to continue using your ID.”  The link “Update ID” points to a website in India… webbazaar.co.in  

Just delete.


4-Phish-update iTunes ID



Your Money: Affordable Oil Change Options, Student Car Insurance, and Compare Low Cost Dental Insurance Plans

Apparently “affordable” and “low cost” are strong trigger prompts to manipulate consumers to click links because we find them frequently in malicious emails such as the emails below.  Like the hidden website described in this week’s Phish Nets column, the first email points to a dot-eu domain named alloilcoupons.eu. The public has no access to any information about this domain other than an email address and the date the website was registered.  By the way, the alloilcoupons.eu domain registration is listed as January 23, about 2 hours after this email was sent.  We interpret that to mean that the registrar EURID.eu may have been delayed posting the scant information provided.  This is likely because the criminals have a small window of time to send out their malicious email before threat detectors around the world blacklist the domain. Why would they send the email before the world’s name servers provided a path to find their website?  By the way, take notice of an address listed at the bottom of the scam for Sweden.  This address and .eu registration is a contrast to the U.S. companies the email claims to offer discounts for.  A final note… the text appearing in the green box at the bottom of the email was copied from an article by Deanna Sclar from Auto Repair for Dummies, 2nd edition and titled “How often you should change your oil.”



Got younger drivers in your household?  This next email looks appealing to those of us paying high insurance premiums for 16 to 22 year olds.  But don’t click that link no matter how much that attractive young lady smiles at you.  A simple WHOIS look up of the domain studentinsure.xyz was registered by an organization called “Free Bird Research” on the same day the email was sent.  The site is being hosted in Galacia, Spain.  Searching for “Free Bird Research” immediately turns up two historical links on VirusTotal.com.  And what of the beautiful young lady who appears in the pitch? Check it out here. She is a model used in a stock photo found on 2 different commercial photo websites.  Just delete.  By the way, can you find which two scams featured in this week’s Top Story are also associated with Free Bird Research?


INVESTIGATIVE TIP: Wondering where online photos may have come from or been used? Visit TinEye.com  and upload the photo in question (or part of it) to do a reverse image search.


6-Affordable student car insurance


7-Compare Dental Insurance plans


Dental insurance can be a valuable resource, especially for families, but don’t use this email to locate low cost plans!  As our readers can already guess, the domain eaent.top was registered the same day the scam email was sent.  Like thousands (we are not exaggerating) of emails before this one, the email seems to have been registered by a company called Futurebright Solutions.

We’re reported on this suspicious company before.  Check out the Your Money column in both our December 30  and November 4, 2015 newsletters.







TOP STORY: Still One Criminal gang to Rule Them All

In our Top Story of the newsletter of July 22, 2015 we made the bold claim that a large majority of the scams that target U.S. citizens via email are produced by one or two criminal gangs.  Bread crumbs we’ve followed lead us to suspect these gangs operate out of Russia or Eastern Europe, though we have no proof of this. (Read our article Why It Hurts To Be Right.) How is this possible today? Why can’t ICANN and the Registrars work with International police organizations like Interpol to put a stop to it?  We believe there is actually a financial incentive for both ICANN and the Registrars to make it easier for criminals to operate on a massive scale.  In order for these criminals to perpetrate their fraud they have to buy domain names, hosting services and more.  This means millions of dollars pour into the Registrar’s pockets who, in turn, pay ICANN for the licensing rights to operate.  There is a disincentive to make the Internet safer.  Read our feature article How to Make the Internet Safer For Everyone in which we identify seven critical problems with our current system for Internet governance and five ideas for making the Internet safer for all the world’s netizens to use.


Thousands of the scams we see from the graphic designers of these criminal gangs use the same collection of boilerplate templates such as the Dental and Auto insurance scams featured in this week’s Your Money column and in the next three scams below.



9-Kohls 50 Welcome New Year gift card 10-Online Will and Trust Services





However, last week we saw a new design in a number of scam emails that have us wondering if the criminals have either hired a new graphic designer or pressured their existing designers to do something different.  Take a look at the following three scam emails.  Would you agree or disagree that they are different in design from those above, but similar to each other in design? And though the graphic designs may differ from what we usually see from week to week, the overall design, layout and coding is like most of the other scams we see from these gangs.  So it got us speculating… Are these criminal gangs more like corporations?  Do they hire and fire their workers like employees?  Do they offer benefits? Pay raises? Holidays off?  We would love to learn more about them.  In fact, we would love the opportunity to interview someone who works for them or has worked for them! (Anyone out there listening?)


11-Online companies looking for home workers 12-Portable Generators 13-You never know when disaster may strike




FOR YOUR SAFETY: Stranded in Ukraine; Robbed in Philippines and This Is Happening Now!

In 2011 and 2012 there was a deluge of “mugged in London” scams targeting people via email, Facebook posts, live chats and even the old instant messenger app through legitimate, but hacked accounts. (Check out a bunch of these earlier scams on our website!) Be sure to click the right arrow in the upper right corner of the graphic to scroll through them all.) Starting in 2015 we began to see a resurgence in variations of these scams from other parts of the world. Below are two recent variations.  If you ever get one of these scams you should respond immediately saying how concerned you are and where can you send money to help!  After the scammer has taken the bait provide him with a fake Western Union number so he wastes his time trying to claim his money.  Imagine if half of the people these criminals try to scam did this!  Plus it feels good to strike back!  For a Western Union MTCN number use a variation of this 11-digit number by changing some of the last 6 digits: 98769426350.

Have fun!

14-Stranded in Ukraine


15-Amy robbed in Philippines


We just got this very risky malicious email this weekend.  What made it stand out as dangerous, and very different than most, was that the email targeted a single user and identified the organization in the body of the email instead of containing the email username or full address that software bots typically produce.  This means that someone personally took the time to research, create it and target the recipient.  And you’ll see by the email contents that it does a pretty good job of generating curiosity.  The link points to a website in the Netherlands that has been identified as “suspicious” by Websense Threatseeker.


16-this is happening now



ON THE LIGHTER SIDE: Your Compensation Fund from Bank of America

We’re happy to report to our readers that we’ve hit paydirt!   We recently received an email from Bank of America about some funds that were meant to compensate us, though we’re not sure why.  Of course we filled in all the information requested and sent it off immediately.  Do you think they’ll notice anything unusual about the name Micky Mouse from Disneyland, Florida?


From:  info@cpro-telecom.fr
Time:  2016-01-20 06:42:27
To:       TheDailyScam.com


Bank of America
Tower, New York, NY 10036, United States

From Desktop of Mr. Jeff Anderson

Our Ref: BOF-0XX2/987/20

Attn: Beneficiary

Please indicate if you have received your compensation funds sum of (U.S.D $1.M Dollars). We have tried all our possible means to contact you since your Name and email were stated on the manifest list submitted by the world Bank external auditors but it failed and we want to know if you are still Alive, so that we can finalized this transaction once and for all

Finally, you have the opportunity to enjoy positive New Year if you Corporate and follow the official instructions mandated for the processing Release of your fund worth One Million Dollars Only.

Be informed that you are not allowed to correspond with any person or office anymore,

You are required to send bellow Information for your transfer:

1) Your Full Name:
2) Your Full Address:
3) Your Contact Telephone and Fax No:
3) Your Profession, Age and Marital Status:
4) Any Valid Form of Your Identification/Driven License:
5) Bank Name:
6) Bank Address:
7) Account Name:
8) Account Number:
9) Swift Code:
10) Routing Number:

As soon as we receive the above mentioned information, Your payment will be processed and released to you without any further delay

Yours Sincerely

Mr. Jeff Anderson
Bank of America Representative

Until next week, surf safely!