July 26, 2017


During the last six months we have reported many times on an advance check scam that begins when the scammer offers a job on a website to hire a personal assistant.  What these scams have in common is that the scammer is willing to hire someone without talking to them in person, by phone or even via Skype or Facetime. After a quick evaluation process (often via text, email or Google Hangouts) a job offer is extended and the scammer soon sends a large check.  The new hire is asked to deposit the check, keep a portion, and pay a large bill with the remainder.  Of course the check eventually bounces, sometimes taking as long as 6-7 business days before the bank realizes the check is bad.  But the victim has already sent his or her real, irretrievable dollars to the scammer.  One of our readers saw a job posting on the free website builder wix.com, and asked us to evaluate it.  The website on Wix will likely be taken down soon but this is what was posted:


The name of the company is listed as Ozan, a company that “specializes in the design, develoment, and production of quality plastic injection moldings.”  We ask… why wouldn’t this job be posted on Ozan’s own business website instead of using Wix, a freebie site?  The answer is because there is no such business.  There is no website for Ozan and Google can’t find anything about it.  However, there are links to several scam warnings about this type of business looking to hire a personal assistant.  Check out these links:

Posted 2015 on VCU Phishing Net

Posted 2013 on ScamWarners.com

Posted 2012 on Scam Recruiters

To read more about these scams, visit our article Personal Assistant Employment Scams


Sample Scam Subject Lines:

Activate your $50 reward from Amazon.com

Activate your $50 reward from Walgreens by Sunday

Everything in Theaters and on TV might be free now

Fw: Online Data Entry Openings with Google and Facebook

Improve your breathing for more power

I used this today and made 300 bucks

New Bacteria linked to Acid Reflux (and stomach cancer too)

This cause Megan Kellys firing from FOX

UNBELIEVABLE but 100% true!

Unlock your body’s inner power to heal itself

Winter Discounts on Roofing Materials & Installation

Your-new order #8130183 : The greatest product ever made (Bill Gates and Musk)

You’ve received $50 from CVS Pharmacy


Sample Scam Email Addresses

amazon-accounts-[YOUR EMAIL] @ giiftfromprime.com

amazon_prime-[YOUR EMAIL] @ zonamareward.com

amazon_storenews-[YOUR EMAIL] @ rewardwithpriime.com

amazoncom-[YOUR EMAIL] @ givefromamaazon.com

bkocuuva @ 1800radiator.com

cvs.pharmacy-[YOUR EMAIL] @ cvsextrakares.com

cvspharmacycom-[YOUR EMAIL] @ extrakarecvs.com

home-roofing-deals-[YOUR EMAIL] @ rufremodelz.com

macys_gifts-[YOUR EMAIL] @ freemacyscard.com

macys-[YOUR EMAIL] @ yourevouch.com

walgreens.rewards-[YOUR EMAIL] @ rewardskardz.com

Any email address ending in “.date” such as:

Gangway @ hapred.date








Phish NETS:  PayPal Account and Email Alert

We saw several emails pretending to be from PayPal.com stating that your account has been closed.  You are asked to log in again to confirm your information in order to reopen the account.  But the emails don’t come from PayPal.  This one came from mteams.net and the link for “confirm now” points to a secure, but hacked, website called ataamz.com that also hosts malware just waiting to infect your computer.


This is what the web page looks like from the link in this phishing email


Here is a similar phish that was sent from a different email account and points to a different secure, but hacked webserver in Chile.  No doubt, it was created by the same criminal who created the one above…




And then we found this phish targeting faculty at a school.  The link points to a Vietnamese website.  Another big, fat delete!




YOUR MONEY:  Home Depot Windows Center, Looking to Rebuild Your Credit, and Best PC Game of  2017

Want an e-voucher from Home Depot Windows Center?  Don’t go clicking these links!  They lead to the domain anywaydemo-DOT-date.  This domain was registered by someone named David Payne from California just minutes before the email was sent.  It’s odd that David listed his email address as “evan.sharb” using a Yahoo service in the United Arab Emirates.  This certainly isn’t Home Depot.


Are you looking to rebuild your credit?  “You have been approved for a Platinum Visa Card”  It looks like you are applying for a Capital One Visa Card but hold on just a moment!  The links in the email point to the webserver company1fit.party.  That’s right, DOT-party.  That oddball domain was registered the same day the email was sent and the website is being hosted in Hessen, Germany.  Sound like anyone you want to hand over your personal credit information to, or even trust enough to click the link?  Next….


Do you know anyone who enjoys flight simulator games?  Supposedly this one is the Best PC game in 2017.  “The perfect most realisitc flight sim you ever tried.”  Except for the fact that it’s a lie.  The email came from, and links point back to, the domain wyartz-DOT-date.  This domain was also registered on the same day the email was sent.  This time it was registered to someone from Texas named Owen Patterson who also happened to use an email address from the United Arab Emirates.






TOP STORY:  Venus Fly Traps of the Internet: Fake Reward Domains

The Venus Fly Trap is a carnivorous plant that tricks unsuspecting insects into landing in its trap.  Criminals have been sending click bait for malicious domains that sound a lot like consumer reward websites associated with familiar brands, such as this email that appears to be associated with Sam’s Club.  “Your Sam’s Club Weekend reward” is now ready to use.  The email came from, and has links to, the domain ussamzclub-DOT-com.  As in “US Samz Club.”  Sounds kinda like it could be associated with the real Sam’s Club.  But of course it’s not.


The domain ussamzclub-DOT-com was registered to someone named James Wilson from Dallas, Georgia on the day this email was sent.  James has been busy.  Since January, 2017 we’ve reported five times on malicious domains registered to James Wilson.  He now has nearly 2000 domains registered in his name and we’ll bet every one of them is meant to hurt people.

Criminals routinely look for ways to make their venus fly traps seem more believable and convincing so you’ll click.  Recognizable brands are targeted all the time for this purpose.  Like this next scam that feels like a message from CVS pharmacy with subject line “CVS Pharmacy bonus: Redeem your $50-voucher by Sunday.”  The scammers were so quick to produce this crap that they didn’t notice their silly spelling error in the word certificate.


Once again, they use domain names that seem as though they are legitimate. In this case, pharmacvsusa-DOT-com.  As in “pharma CVS USA.”   In this case it was “Darrell Lemley” who registered the bogus website on the day this email was sent.  We’ve also reported on Darrell’s malicious streak several times this summer.  “Darrell” has registered more than 1,140 malicious websites.

No doubt, both of these men are fictitious but the fact remains that at least two thousand one hundred malicious websites have been registered by these two aliases alone!   And yet, the Internet police can’t stop them.  Oh yah, there are no Internet police, only the governing body of Internet Names known as ICANN. And ICANN, that bloated, gutless body of people who manage Internet rules and regulations, continues to do nothing to stop the fraud and criminal misuse of the Internet.  These brand-name wannabe domains litter the Internet.  In the last week alone we found the following…









“James Wilson” registered every one of the bogus reward domains listed above except for the last domain in the list.  That was registered by “Darrell Lemley.”  So the next time you get a promotional deal in your inbox or posted through your social media, look carefully at the domain.  Try doing a simple look up using a WHOIS tool and save yourself a lot of heartache down the road.  (Watch our short video, “How to Use a WHOIS tool”)
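The domain check recommended above, sketched as an added Python example (not code from this newsletter): it flags brand sound-alike names, the .date and .party endings, and registrations dated within a week of the email. The brand list, the 0.85 similarity threshold, the seven-day window and the send date are assumptions, and the WHOIS creation date is supplied by hand after a lookup.

```python
import re
from datetime import date
from difflib import SequenceMatcher

# Assumption: brand names and the domains they really use; extend as needed.
BRANDS = {"amazon": {"amazon.com"}, "cvs": {"cvs.com"},
          "walgreens": {"walgreens.com"}, "macys": {"macys.com"},
          "samsclub": {"samsclub.com"}}
ODD_TLDS = {"date", "party"}  # endings this newsletter flags

def registrable(domain):
    """Undo '-DOT-' defanging, keep the last two labels (naive, no public-suffix list)."""
    parts = domain.lower().replace("-dot-", ".").strip(".").split(".")
    return ".".join(parts[-2:])

def lookalike_brand(domain):
    """Return the brand a domain name imitates, or None if official or unrelated."""
    reg = registrable(domain)
    if any(reg in official for official in BRANDS.values()):
        return None
    label = re.sub(r"[^a-z0-9]", "", reg.rsplit(".", 1)[0])
    for brand in BRANDS:
        if brand in label:
            return brand
        if len(brand) < 5:  # fuzzy-match only longer names to limit false hits
            continue
        for size in (len(brand) - 1, len(brand), len(brand) + 1):
            for i in range(max(0, len(label) - size) + 1):
                if SequenceMatcher(None, brand, label[i:i + size]).ratio() >= 0.85:
                    return brand
    return None

def assess(domain, email_date, whois_created=None):
    """List the warning signs for one sender or link domain."""
    reasons = []
    brand = lookalike_brand(domain)
    if brand:
        reasons.append(f"imitates {brand}")
    if registrable(domain).rsplit(".", 1)[-1] in ODD_TLDS:
        reasons.append("odd TLD")
    # whois_created is the creation date read from a WHOIS record
    if whois_created and (email_date - whois_created).days <= 7:
        reasons.append("registered within a week of the email")
    return reasons

if __name__ == "__main__":
    sent = date(2017, 7, 24)  # constructed send date; the page gives none
    for dom in ("ussamzclub-DOT-com", "pharmacvsusa-DOT-com", "wyartz-DOT-date"):
        print(dom, assess(dom, sent, whois_created=sent))
```

A domain that returns an empty list is not proven safe; the check only surfaces the three warning signs described in this issue.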



FOR YOUR SAFETY:  File Sent Via Dropbox, Zip File from Yourself, Unable to Show Full Message, and Resume Attached

This email is a ticking time bomb.  The scammers have spoofed the from address so it looks like it comes from dropbox.com but it did not!  A mouse-over of the link “Click Here to View” points to another secure, but hacked website called rovercarclubsa.org.  They are a car club in South Australia and we’ve notified them of the hack.


This next email appeared to come from the same person it was sent to!  The only contents were an attached zip file called “EMAIL…”  You already know what it contains.  Nasty malware.




We periodically see emails like this, especially from a real person’s hacked email account.  “Unable to show full message. To view this message please click here”  For goodness sake, that’s the last thing you should do!  You can see that the click will send you to a site called zynda-design-DOT-com but you’ll be redirected to another site that is 100% malicious, triggering a malware infection!




Would your HR team open this sender’s resume?  God, we hope not.  That Word document contains a Trojan!



ON THE LIGHTER SIDE:  Citizen’s Bank of Canada

This email is simply too precious to pass over.  You can’t make this stuff up!

From:  info@ndaj.org
Time:  2017-07-21 19:14:52

Citizens Bank Of Canada
401-815 Hastings st w
Vancouver BC V6C 1B4



Attn: Beneficiary,

This is to inform you that a compensation payment in the amount of US$12,600,000.00 (Twelve Million six Hundred Thousand United State Dollars) has been approved and deposited few days ago with our Bank, Citizens Bank Of Canada in your name by the foreign debts settlement/compensation committee of European Union and the Executive members of World Bank, and they instructed us to credit this fund direct to your private bank account with immediate effect.

Meanwhile, the good news about your fund now is that your compensation payment file with some of the legal documents backing this fund has been forwarded to the Canadian Ministry Of Finance and the United Nations for final approval, And we shall proceed with the transfer immediately we hear from you because we were mandated to transfer this fund to you as one of the beneficiary whom the name is listed in the World Bank foreign debts settlement/compensation payment file.

Kindly provide us the following information to enable us proceed with the transfer of the fund to your bank account.


Full Name………………..
Home Address……………..
Valid Phone number…………
Any Of Your Identity Card……..

Kindly get back to us by reconfirming your full information.

Mr. Harold Wesley
Head Of Foreign Operation
Replytocitibnkforeigntransunit @ gmail.com

Until next week, surf safely!