June 26, 2019


During the last two weeks, several people have contacted us to say that they, or a family member, had either received a call from someone claiming to be from Amazon, or they had needed to call Amazon Customer Support.  They searched for a phone number using the Google phone app and, unfortunately, Google’s results had been poisoned by scammers and returned fraudulent phone numbers claiming to be Amazon Customer Support.  This was a VERY serious problem in 2018 with Google’s main website and we documented this poisoning over many weeks in our article “Amazon Customer Support…NOT!” (We have documented and listed more than 116 fraudulent phone numbers and fake websites used by cybercriminals.) It took Google many weeks to stop this problem, but it now appears that scammers are once again successfully poisoning Google searches!  You’ll read about another type of “search-engine poisoning” in this week’s Top Story as well. Here are three comments TDS Readers have sent to us about this unfortunate circumstance…



“I Googled Amazon customer support phone number and called.  I was trying to get a refund for a lost package and an item that had a safety recall. They said servers for refunds were down and I would have to go purchase a Google play card (while they were on the phone) then they would refund the merchandise amount plus $200 for my inconvenience. I said this doesn’t sound right, I will wait until the servers are back up. They said if I don’t get the Google card within 24 hours the offer would expire and it would take 5 to 6 months to get a refund. I hung up & contacted the real Amazon support. They were experiencing server problems too but he was able to help me. I reported the scam to them. I also changed my Amazon password.  The scam number was 855-446-8989, Michael at ext. 103 and David ext 101.”



“I had a similar scam as “Martha” in your article.  A man called from Amazon and said I had been successfully charged $299.99 for my prime membership. So, I called back to dispute. He (Middle Eastern accent) said I had been hacked and he needed access to my Amazon account and computer to assist to track the hacker. Once in my account he placed digital gift card orders on my account and did things on my computer. Said I needed a Western Union account to get my money back.  He even gave an Amazon invoice. I finally realized this was a scam and hung up. But he continued remotely on my computer. I frantically called my computer service and they said to disconnect the internet cable. I hope he is gone, but I am afraid and feel horrible. I have no idea what else he has accessed or others in my family. We found added hidden files placed under something else from a different date, called Supremo. Very difficult to remove. Need to do an emergency computer clean. I got an email from Amazon that he tried to access my account again yesterday.”


[NOTE: Supremo is malware that targets Windows computers.  You can read about this scam and malware in this thread in the Microsoft community.]  A search online for “Suprimo malware” returns many resources on how to remove it, including this post in the Sophos community.



“I called the number provided for Amazon Prime on Google. Phone number was a scammer. They wanted to verify my email account by sending me a code to my phone and read the code to them once I had it texted to me. I acted like I didn’t receive the text. Then they sent an email to follow steps to eventually click on links for gift cards.  Also, in another phone call, the scammer instructed me to go to any store that sells Google play gift cards and put 300.00 for a lifetime Amazon Prime service. If the cashier questions me about the card I was supposed to tell them it’s personal.” The fraudulent phone numbers were 877-225-9020 and 888-885-2666. The criminals also created a phony Amazon email address at Gmail called delivertoamazon “@” gmail.com that they used to send their link and instructions to the victim.



UPDATE 1: A few days ago we published a new feature article about “package reshipping scams.”  What makes this scam especially unique is that the scammers actually do pay YOU!  You’ll be tricked into shipping their stolen goods or merchandise purchased with stolen credit cards.  Good luck explaining that to the police when they eventually show up at your door!

Also, today we just published another article about consumer fraud.  It exposes fake stores posted online through Shopify and other website platforms.  Read about Victorious-Shoes!

UPDATE 2: Last week we informed our readers that the legitimate marketing service CleverReach was being successfully misused by cybercriminals to target people with malicious emails.  This has continued, such as this eyebrow-raising email with the subject line “11,000 People Die of a Heart Attack During Sex Each Year,” and sent from a website (photography-green[.]com) that was registered in India just a few months earlier.




Phish NETS: Spear-phishing a Targeted Victim

One of our regular readers works in the chemical industry.  She contacted us recently to tell us that a scammer had targeted the accounting department in her company by pretending to be her!  The criminal had sent an email to her firm’s accountant using her name and email service at AOL, but coming from a different personal AOL address.  Fortunately, the accountant was very suspicious of the email and recognized that the email address was not the one she used. (It was iilljl “@” aol.com) Here is that email…



Spear-phishing is a targeted attack on an individual.  Cybercriminals will research the people who work at critical positions at a company or organization, such as those in the business office and those in leadership or management.  They may actually reach out to these people disguised as consumers etc. to see what the person’s email address, email signature, or writing style might be. Then they create a fake email in that person’s name and send it to a person in finance to ask that they make financial changes or pay fake bills, etc.  We know of a school whose business office came close to transferring $9000 into a criminal’s account. (They would not give us permission to publish their full story so that’s as much as we can share.) If you work in an organization or company, it is critically important that your business office people get trained to recognize fraudulent communications!




YOUR MONEY:  $100 Reward for Amazon Survey (via text) and the Secret of Ageless Beauty

Last week Doug from TDS received 3 nearly identical texts from 3 different phone numbers.  “Hey beautiful, Amazon will send an awesome $100 reward / You will spend one minute filling this super short customer survey”  The texts came from 714-343-0685, 747-266-5125, and 323-327-1707 and each contained a shortened link created through Twitter’s shortening service “t.co.”  The t.co links forwarded a visitor to the domain Apposal-Oppated[.]com. (Domain registered in May, about 3 weeks before Doug received the text.)  From here, two things happen… A script is triggered through a connection to another website called kerylanors[.]com (Domain registered in the Cayman Islands, April 5, 2019) AND you will be redirected once again to yet another website named comusone[.]com where you are presented with several different “Amazon surveys.”




The survey is completely fraudulent and we see hints of malicious intent all along this dark route.  For example, when we asked Google “who is kerylanors” Google returned only 5 links. Three of these links were related to fraud and malware!  Honestly, we’re not sure if these bogus texts were phishing tricks or attempts to install malware onto smartphones. But we knew they were dangerous!  The only thing true about these texts was the words “Hey beautiful!” 😉





And now for something completely different…. The secret of ageless beauty!  Surely, you knew it was a secret, right? Well…secret, no more! We have it on good authority that Croatian women have kept and guarded this secret for many years because it comes from the flower of a plant in Croatia called the Immortelle! So says “Amy Thompson” from the “Croatian Beauty Institute.”  If you think this sounds like some snake oil elixir sold by a travelling salesman, you are wrong. It’s malicious clickbait. Google can’t find anything about the “Croatian Beauty Institute” except for a handful of links posted on the free blogging site called Blogspot.com. This “institute” certainly doesn’t have a website and no one on the Internet is talking about them! This email was sent from, and contains links to, the domain called Zoopitre[.]world.  This domain was registered from India on June 17, a day before this email was sent.  Fortunately, it has already been identified by the Zulu URL Risk Analyzer as malicious and blacklisted by the security service McAfee, but a click to this site doesn’t just stop there.  You’ll be redirected to a very chic-sounding consumer domain called NextCoolDeal[.]com.





As for the “next cool deal” website, Google can see that it exists, but knows absolutely nothing about it.  No one is talking about it and no pages on this website have been identified by Google. The domain was registered less than 3 months ago using a proxy service in Panama.  Step away from this precipice!




TOP STORY: Poisoned Google Searches?

During the last few weeks we have noticed something very odd while using Google to research phone numbers associated with suspected scams and malicious clickbait emails and texts.  Our searches began to return very oddball websites in Google returns. Moreover, the text displayed by a Google search from each of these oddball websites felt as if it was also clickbait.  Here’s an example of what we mean while searching for information about the phone number 714-343-0685…


“Is it for wii? Kinda excited to know that there is download play support. Because you are awesome. Anyone try to watch the summer league …” posted on the domain tnsrsys[.]org.  To us, this text, along with that oddball website domain felt “off.”  Especially as we began to see these kinds of Google returns more and more.  On a whim, we used our various safety tools to check out that oddball link associated with this phone number and text.  BINGO…A malware landmine! And if you look at Sucuri’s analysis you’ll see that after getting hit with a computer infection, you’ll be redirected to a VERY SUSPICIOUS phone search site called phonesear[.]ch.  Several things make this phone search website suspicious…

  1. Google can’t find this phone search website at all BUT people on the internet are asking questions about odd links to it, including a categorization of “Suspicious” on an automated malware analysis website known as Hybrid-Analysis.
  2. We have discovered a STRONG connection between this phone search website and the very sites that are designed to infect your computer with malware, through the association of subdomains!  Look at the Sucuri analysis in the graphic below. You’ll see that malware was detected on the subdomain “ae6670685” of the website tnsrsys[.]org. And Sucuri also tells us that this malicious website has a redirect that will send the visitor to the subdomain “ae6670685” at the phone search site!  This is NOT a coincidence!
  3. When we try to use online screenshot tools to capture an image of the phone search site without visiting, they fail or simply return a blank white page, or a page with just a Spokeo advertisement embedded in it.  No other content can be gleaned.
  4. According to the Canadian OVH Hosting service, where phonesear[.]ch is hosted, this domain was registered on May 26, 2018.  Phonesear[.]ch was registered by a business called “CJB Management, Inc.” with an address listed as 32790 Titus Hill Ln, US-44012 Avon Lake, Ohio.  The only thing we find at this address, according to Realtor.com, is a family home.  “CJB Management, Inc.” appears to have no website that Google can find and the Better Business Bureau (BBB.org) can only find a realtor in Florida with a similar, but not identical name.
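
The subdomain match in point 2 can be checked mechanically across a batch of scan results. This is an added example, not code from The Daily Scam or Sucuri: it groups hostnames by their leftmost label and reports labels that appear under more than one registered domain. The scheme and paths in the sample list are constructed, and treating the last two labels as the registered domain is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Labels too common to mean anything when two unrelated domains share them.
GENERIC_LABELS = {"www", "m", "mail", "cdn", "static"}


def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) into a parseable URL string."""
    url = indicator.replace("[.]", ".").replace("hxxp", "http", 1)
    return url if "://" in url else "//" + url


def split_host(indicator):
    """Return (leftmost_label, registered_domain), or None without a subdomain.

    Assumption: the registered domain is the last two labels. That holds for
    the .org and .ch names here, but not for suffixes such as .co.uk.
    """
    host = urlsplit(refang(indicator)).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[-2:])


def shared_labels(indicators):
    """Map each non-generic subdomain label to the domains it appears under,
    keeping only labels seen on more than one domain (output stays defanged)."""
    seen = defaultdict(set)
    for indicator in indicators:
        parts = split_host(indicator)
        if parts and parts[0] not in GENERIC_LABELS:
            seen[parts[0]].add(parts[1])
    return {label: sorted(d.replace(".", "[.]") for d in domains)
            for label, domains in seen.items() if len(domains) > 1}


# Hostnames are the ones named in the article; scheme and paths are constructed.
OBSERVED = [
    "hxxp://ae6670685.tnsrsys[.]org/",      # host flagged in the scan
    "hxxp://ae6670685.phonesear[.]ch/",     # redirect target from the same scan
    "hxxps://www.example[.]com/contact",    # constructed, unrelated
    "hxxps://www.example[.]org/",           # constructed, shares only "www"
    "phonesear[.]ch",                       # bare domain, no subdomain
]

if __name__ == "__main__":
    for label, domains in shared_labels(OBSERVED).items():
        print(f"label {label!r} appears under: {', '.join(domains)}")
```
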



NOTE: We did find a fascinating essay posted on ElectricLiterature.com about phonesear[.]ch by Kristen O’Neal titled “This Mysterious Website Generates Weird Short Stories About Phone Numbers.” (We do NOT recommend clicking the link to actually visit the phonesear[.]ch website!)

In case you think this poisoned Google phone search is a one-off event, we can assure you it isn’t.  Here are several more searches we’ve conducted, only to find more oddball websites, many of which are identified as hosting malware….

Searching for 407-627-1545…







We have uncovered dozens of these malicious oddball websites, both by conducting phone number searches for suspicious phone numbers we were investigating and by entering completely random phone numbers like this one on June 23…



We don’t claim to understand everything that’s going on here but we’re certain about one thing.  A cybercriminal gang has managed to poison Google phone number searches and these malicious websites all seem to redirect to a VERY SUSPICIOUS website called phonesear[.]ch, which is hosted on an OVH server in Canada.  (OVH Hosting service has not impressed us in the past, given their poor attention to security and their lack of responsiveness when told they are hosting malicious websites. This information adds to our concerns about their safety awareness.)


FOR YOUR SAFETY: Adobe Flash Player Out of Date, Security Check, and Facebook IM: its you?

This next screenshot should elicit a knee-jerk lunge-for-the-QUIT key from our longtime readers.  Never mind that it happened by a visit to an Amazon Reseller’s website. This “Software Update” popup is 100% malicious!  The only place you should safely install an Adobe Flash update is from Adobe.com. And this ain’t it! Just for good measure, we revisited the reseller’s link and got a completely different bogus landmine.  Look below at this “security message.” We’ve notified the reseller but don’t wish to publicly shame them.




Finally, Doug and his son simultaneously received the same following message from a friend WHO RARELY uses Facebook Messenger. (Each of their messages was personalized by first name.)  This seemed very out-of-character for the friend. Also, the graphic looked like it was very low resolution and poor quality. We searched YouTube for “Lorenny Esther Berroa Sånchez” and found nothing.  As a result, Doug reached out to his friend to ask if he had actually sent this message. The answer was a resounding no! It turns out that his Facebook Instant Messenger account was hacked and misused.  We suspect that clicking that fake YouTube link would either lead to having your Facebook account information phished or malware installed on your phone, or both!


Until next week, surf safely!