July 11, 2018


Though it feels like a major chunk of malicious spam is no longer reaching our inboxes, the junk that does arrive still consists of extremely dangerous social engineering tricks leading directly to malware infections or emails for bogus Chinese knock-off products (whom we would never trust with our credit card and personal information).  Is this what you are experiencing? Let us know what you see on your end. Email us at feedback@thedailyscam.com.

CRITICAL ALERT: We are finding that a criminal group has become very successful at manipulating Google to prey upon consumers who are looking for customer support telephone numbers. This evil manipulation of a search engine is called “search engine poisoning.”  We reported on this trick months ago in our article about fake Amazon Prime Customer phone numbers and fake Apple Customer Support phone numbers.  We’ve also  seen this trick target other services as well, but not on such a big scale.  Consumers who are looking for various Airline Customer Support phone numbers are now being targeted and we are investigating this fraud.  Here is a sample of what we mean… We conducted a Google search for “Spirit reservation number” for Spirit Airlines on July 7.  Look at the screenshot of Google’s returned links:

Google has been tricked into showing you a FRAUDULENT (red arrow) phone number (877-294-2894) that was posted on a LinkedIn account.  It is not the real Spirit customer service phone number.  If you look at the next listing returned by Google, you’ll see the REAL Spirit customer service phone number, (blue arrow) 801-401-2222, exactly as it is listed on Spirit’s official web page.

BEWARE of any customer support numbers you search for on the web!  Make sure the website they come from is the OFFICIAL SITE representing the company!  We’ll let you know more once our investigation is done and posted.




Phish NETS: Lyft Account, Office-365 Team and American Express

Until last week, we’ve never before seen a phishing text disguised as an invitation to become a Lyft driver!   On July 4th a reader sent us the following text. (We’ve modified the link to prevent against accidental clicks.)

You’ve been hired for a driver job paying 37 an hour. Register today. Call 888-201-5101,  drivefamily[.]us/67f66e. Reply stop to cancel.

The domain, drivefamily[.]us, was registered just 12 days before the text was sent.  This alone makes the link very suspicious.  On June 8, a man reported to 800notes.com that he received a similar text, but the link in the text was for a different website called appsaccepted[.]us.  Both links pointed to fake Lyft web pages inviting people to sign up for a Lyft account.  Can you imagine the personal information you’ll be asked to enter!

OK, anyone with an IQ higher than the average fourth grader ought to be able to spot this fraud but we had to show it to you because it is pretty funny.  Of course it didn’t come from Microsoft.com or Office.com. You can clearly see that it came from the email address mmn4 “@” poies[.]org.  (Poies[.]org was registered by Isleta Pueblo more than 3 years ago from a Domain purchasing service in the UK.)

“We recommend you confirm your mail-box within 12 hours to avoid being.”   We certainly don’t want to “avoid being” or “permanent disable” either!


Here’s a phish that has many subtle, and not so subtle problems that should raise suspicions.  The subject line says “Final Notification : Online Banking Security” and claims to represent American Express.  But the email came from mail “@” hotels.com for goodness sake!  The link “Click Here to Verify Your Account Info” points to a web server in Poland (“.pl” = 2-letter country code for Poland)  Many thanks to the dedicated TDS reader who sent this to us!

Now deeeeleeeete!



YOUR MONEY: Coach Counter Season and Coach Campaign Bags

These bogus designer product websites created in China just don’t stop!  They have been the predominant purchasing scam emails we see in our honeypot accounts for weeks now! (Some also appear to be malicious, possibly leading to computer infections.)  And they all seem to be created by the same people who are behind the bogus company called Nexperian Holding Limited, in Hangzhou, China.  We’ve been reporting on this company for many weeks. These artfully created emails are proof-positive that anyone can build a pretty website and send email ads, but it doesn’t mean they are real or safe.  Both of the domains used for these emails (qnbuy[.]top and xfbuy[.]top) were registered in January, 2018 by Nexperian Holding Limited.



TOP STORY: Navigating Landmines

During the last week we collected multiple dangerous emails that were landmines waiting to be stepped on.  Each of these emails lead to dangerous malware infections. The malware could be ransomware (extortionware), or a type of spyware, or something else… we just don’t know.  Take this little email sent to us by a savvy person at a business, with the subject line “[Email address redacted] verification.” “Dear sales Please kindly download the attachment upgrade”

The attached file is an html web document and these can be extremely dangerous because they contain instructions for your web browser to do something.  Naturally, we cracked it open to see what was inside…

The html file contained one simple instruction to send your web browser to the website konqsberg[.]com.  We checked with VirusTotal.com about this website and seven antivirus services identified it as malicious, as did the Zulu URL Risk Analyzer!


Here is different kind of malicious email that was also sent to a business.  “Dear Sir, Please review the attached file with our new PO.” Again, the email contains an html web file. (HTML web files can end in DOT-html or DOT-htm.)  The file opens up showing an image of a purchase order on the left. This image is actually pulled from the website purchaseordersample.com.  On the right you are asked to log into your Microsoft account.

Again, we cracked this file open to learn that your account information will be sent to a legitimate but hacked website called thesawdustshack[.]com.  We’ve informed them that they have been compromised.

Finally, a TDS reader sent us this bizarre email that begins with “Dear Brother or sister.”  We’ve seen a lot of digital fraud in our days but nothing like this. And yes, it is also malicious, as pointed out below by VirusTotal.  Be careful of the landmines!



And finally, a reminder to our readers….  NEVER, EVER click links in emails like this, even when you recognize the person’s name in the email (though it comes from an odd email address).  Criminals use shortened links such as the goo.gl link in this email, to send you to malicious web pages waiting to infect your computer.



FOOTNOTE: There are lots of criminals around the world who would like to shut us down.  We are constantly watching our own online “front door” very carefully at The Daily Scam.  As we’re writing this newsletter, we see that hackers are trying to break into our website at least 45 times in just a few hours.  They are targeting us from Quito, Ecuador; Tangerang, Indonesia; Chateaubriand, Argentina; Cuiabá, Brazil, Antigua, Laos and other locations around the world.  Never a dull moment in this reporting business.


Until next week, surf safely!