January 9, 2019


We often point out to readers how important it is to recognize 2-letter country codes in both email addresses and website links (showing that if you click the link, you will be sent to a website hosted in that country). Being able to recognize country codes often makes it extremely easy to identify fraudulent emails and websites. The 2-letter country code will always be found immediately after the domain name, separated by a period. Here are two fictitious examples using the 2-letter country code for China, “.cn”:

Email: Amazon Survey <amazon-survey-rewards @ rewards.dkingstarter.cn>

Link: www.dkingstarter.cn/more-text/even-moretext.php

Look at the 2-letter country codes in these two VERY malicious emails. The easiest way to determine what country is represented by any 2-letter country code is to ask Google! Some are obvious, like “.ru” = Russia, while others are not. For example “.de” = Deutschland = Germany. This first email was sent to a TDS reader from a computer in Brazil and contained a link to a website in Romania! The second email contained a link to a website in Kazakhstan! You’ll see many more country codes in the other scams in this week’s newsletter.
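The country-code check described above can be automated for a mailbox or a reporting queue. The Python below is an added example, not part of the original newsletter; it goes a little beyond country codes and also compares the sender and link domains with the brand the message claims to come from. The function names and the second sample link are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

def refang(text):
    """Undo the '[.]' defanging used in write-ups so the value can be parsed."""
    return text.replace("[.]", ".")

def link_host(url):
    """Host name of a link, tolerating links written without a scheme."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def country_code(host):
    """Final label of the host if it is a 2-letter (country-code) TLD, else None."""
    last = host.rstrip(".").rsplit(".", 1)[-1]
    return "." + last if len(last) == 2 and last.isalpha() else None

def belongs_to(host, brand_domain):
    """True only for the brand's domain itself or a subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)

def review(from_header, links, brand_domain):
    """Return findings for one message; brand_domain is who it claims to be."""
    display, address = parseaddr(refang(from_header))
    sender = address.rpartition("@")[2].lower()
    hosts = [link_host(u) for u in links]
    findings = []
    if not belongs_to(sender, brand_domain):
        findings.append(f"sender domain {sender} is not {brand_domain} (shown as '{display}')")
    for host in sorted(set(hosts)):
        if not belongs_to(host, brand_domain):
            findings.append(f"link host {host} is not {brand_domain}")
    for host in sorted({sender, *hosts}):
        if country_code(host):
            findings.append(f"{host} uses country code {country_code(host)}")
    if len(hosts) > 1 and len(set(hosts)) == 1:
        findings.append(f"all {len(hosts)} links go to one host: {hosts[0]}")
    return findings

# Constructed sample: the fictitious example above plus one made-up second link.
SAMPLE_FROM = "Amazon Survey <amazon-survey-rewards@rewards.dkingstarter.cn>"
SAMPLE_LINKS = ["www.dkingstarter.cn/more-text/even-moretext.php",
                "http://www.dkingstarter.cn/more-text/unsubscribe.php"]

if __name__ == "__main__":
    for line in review(SAMPLE_FROM, SAMPLE_LINKS, "amazon.com"):
        print(line)
```

A country-code ending shows which national registry the name was registered under; where the server physically sits has to be looked up separately, as the registration and hosting details quoted for the Apple phishing domains in this newsletter show.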

Now that 2018 is behind us, we decided to look back to see what were the most read scams on The Daily Scam for the year.  Collectively, these articles were read about 250,000 times and focused on online dating extortion, phony Amazon and Apple customer support phone numbers/calls, fraudulent face/skin cream charges, fake job scams and, oddly enough, million dollar consignment boxes!  Below are the links to our top ten articles for 2018:

  1. http://www.thedailyscam.com/plenty-of-fish-pof-has-plenty-of-sharks/
  2. http://www.thedailyscam.com/sextortion-scam-via-facebook/
  3. http://www.thedailyscam.com/underage-girl-sext-scam/
  4. http://www.thedailyscam.com/not-apple-customer-support/
  5. http://www.thedailyscam.com/apple-tech-support-scams/
  6. http://www.thedailyscam.com/not-amazon-customer-support/
  7. http://www.thedailyscam.com/your-worst-nightmare-sexting-a-minoror-so-you-think/
  8. http://www.thedailyscam.com/anti-aging-face-skin-creams/
  9. http://www.thedailyscam.com/8-million-dollar-consignment-boxes-for-you/
  10. http://www.thedailyscam.com/job-interviews-in-google-hangouts/



Phish NETS: Apple Users Targeted Again!

TDS readers reported these very similar Apple phishing scams to us just a few days apart.  Both phishing scams appear to be receipts for gaming software purchased using the credit card in your Apple account.  These emails would likely get an immediate response of “I didn’t buy that!” and lead you to click the attached receipt.  Both receipts contain links to cancel your order but first you’ll have to sign into your Apple account through a site that is really a phishing scam!

Though this first email says it is from “Apple Store,” the domain name after the “@” symbol is recordelay-information[.]com.  “Thank you for submitting your payment. Your payment has been submitted for processing.”  Were you to open the attached “Apple Store Receipt” (pdf file) you would find links to “Report a problem” with this order or “Cancel and Manage Subscriptions.”  But these links do not point to apple.com. They point to the domain paymentsupport-appid1[.]com.  Missing from this receipt is ANY information connecting YOU to this order!  This phishing domain was registered less than three weeks earlier in Canada by a proxy service and is being hosted on a webserver in Hessen, Germany.

Big fat Delete!

Similarly, the second email states that it is from Apple Support but the domain after the “@” symbol is create-an-automation01[.]com.  “Dear Customer, Your Apple ID has been used for In-App Purchases Need for Speed No Limits into the App Store from a web browser.”  Once again, this phishing email has an attachment that is made to look like an Apple Store receipt. It contains several links but none of them point to Apple.com.  Instead they point to a website named s[.]id, as you can see below.  At least one service we checked recognizes that the s[.]id link is malicious.



YOUR MONEY:  Moncler Jacket Clearance Sale

When we search for “Moncler Brady Puffer Jacket” across the Internet, we find prices ranging from $600 to $1200.  These are not cheap coats! So imagine someone’s excitement to get the email below with the subject line “Up to 75% OFF” these coats.  It’s important to point out that the first coat listed in the email says “save up to 80% off.” Apparently, the sender is not sure how much of a discount they want to give.

The email came from an oddball domain oalxt[.]com.  This domain was registered in China in June, 2018 and Google can’t find anything about it.  All links in this clickbait point to the website zkig[.]cn.  “.cn” is the 2-letter country code for China.  So perhaps you are thinking that these coats are knock-offs and you might order one anyway from China.  Think again…. The Zulu URL Risk Analyzer found the link in this email to be 100% malicious. Ouch! Stick to Neiman Marcus or Bergdorf Goodman.



TOP STORY: BEWARE Breaking News Alerts

While cybercriminals already have a wide assortment of tricks, clickbait, and methods to engineer your online behavior for their financial gain, they are an inventive group and often create new ways to target you. A new type of landmine we’ve only spotted once before is a fake newsletter. Take a look at this “Breaking News Alert” that was released on January 1st with the headline “Manicurist and mom of 3 killed by customer who tried to leave without paying $35 bill.” This story, sadly, is true and described in this New York Post article. However, it is also meant to get your attention to open this email. Following this “alert” are several “trending stories” including a “SHOCKING VIDEO” with “Viewer discretion advised.” This got our attention, as did the fact that this email didn’t come from any recognizable news source AND all links in this email were identical. They all pointed to one source, rather than different articles on the same website. This email started to smell bad…

Digging into this email we see that it was sent from the domain navidpay[.]com.  Navidpay[.]com was registered on October 23, 2018 through a private proxy service and Google can’t find out anything about this domain.  Both of these discoveries make this email suspicious. All links point to a file located on a website called albwed[.]com.   Similarly, albwed[.]com was registered recently (November 19, 2018) through a private proxy service in Panama.

At this point, we smelled a rat.  None of this added up to represent any legitimate “breaking news” newsletter.  So we turned to tools that can analyze whether or not the link in this email was safe to click.  And clearly it is not! The Zulu URL Risk Analyzer found malware waiting for us at the end of that link.  So, once again, dear reader… Don’t believe everything you see on the Internet, in your inbox, or on your smartphone!  Deception is simply too easy and the cybercriminals who target us are creative and inventive.


FOR YOUR SAFETY: I Miss High School, Respond to Message, and You Now Have All Your Data Transferred

One of our readers sent us this email she received with the subject line “I miss highschool.” It really made us smile! We jumped into action and replied to “Emma” immediately through one of our honeypot accounts. Our reply is below. Unfortunately, Emma never answered us… boohoo! (By the way, “Emma’s” email came from the service “mcsv.net” which is the mass-email marketing service for MailChimp. Any reply to this email, however, will be sent to a new oddball domain at donimo[.]party.)

Dearest Emma,

Oh my God girl, is that you?!? I can’t believe it!!! It’s been more like 10-12 years!!  How are you? Jeff is not going to believe I heard from you!! Did you know we got married? Gotta go now, but more later fur sure!

Love you!


This next email came from a server in Germany (see the 2-letter country code “.de” = Deutschland) with the subject line “Messenger notice.” It contained the recipient’s email address SEVEN times, as if that will inform her how very important and legitimate this clickbait is. We wondered about the website listed in the link and to which all the links pointed, including “Respond to message.” Google told us that this website was likely hacked. Big surprise…not!

Here’s another new bit of malicious clickbait waiting to infect your computer. “You now have all your data transferred” says an email from “Edwina Davenport Shop Support” from the email address netsytse_1972 “@” bigblue-usa[.]com. (See how similar it is to the first email at the top of this newsletter.) The only Edwina Davenport we find is the leading supersleuth in a murder mystery series called “Murder Flies the Coop” (by a UK author). And “netsytse” means “website” in a West Germanic language spoken mostly in the province of Friesland (Fryslân) in the north of the Netherlands. And the domain bigblue-usa[.]com is a used computer service in Syosset, New York. Does any of this feel right to you? The links in this email pointed to a website named trit[.]by, which is hosted on a server in Belarus, Eastern Europe (2-letter country code “.by”). And, as Google easily informed us, this brit[.]by website has been hacked. Now delete!


Before leaving you this week, we wanted to share an email we received from a Nigerian 419-scammer.  We thought his effort was really lame and very funny, but then we have a Geeky sense of humor! We especially enjoyed the scammer’s choice of test questions and answers.  Enjoy….


Until next week, surf safely!