March 15, 2017


Last week we mentioned seeing an increasing number of vanity scams.  They have continued at a small but steady pace.  Take this email from MariaB with the subject line “Nomination Received –  New England Business Excellence Awards 2017”  “I am very pleased to inform you that XXXX School has received a nomination in the New England Business Excellence Awards 2017, hosted by Corporate America News.”  Yes, readers, you read that correctly…. This email was sent to a school.  Read the rest of the email.  It’s very funny considering it was sent to a school.  If you search in Google for corporate american news scam you’ll find that this scam has been going on for years.  The Better Business Bureau wrote consumers about it in June, 2016.

It’s a good read!




Congratulations from Nike! Congratulations from Target! Congratulations from Johnson & Johnson!  Congratulations from…everyone!  There was a spike of these bogus congratulatory emails on March 7.

Here is a list of just a few…


The message in each was the same…. “An Amazing Offer Has Been Made” “We must hear from you no later then March 7” (Notice the error of using “then”)  The domain is being hosted in the Czech Republic.  It must be Nike’s headquarters.  😉





Sample Scam Subject Lines:


Come view your message at

Compensation Information for your Personal Injury claim


Free IRS E-Filing, Start Today…

I think you’ll like this…

Make sure you submit your application!!

Thank you for shopping at

This crazy story gave me chills down my spine!

Trouble sleeping? This is a MUST read.

Try our best razor for a buck!

You have a free Tarot reading pending

You have notifications pending

Sample Scam Email Addresses

kohls-gifts-[YOUR EMAIL]

paul.mampilly-[YOUR EMAIL]







Phish NETS:  PayPal Verification, Navy Federal Credit Union and Amazon

“PayPal verification – Update your account information” says an email from bigbozz @  A mouse-over of the link “Check your account” points to a server in the Ukraine called (.ua = 2-letter country code for Ukraine)


We’ve seen phish like this email sent from Navyonline  The real Navy Federal Bank’s domain is  We wondered who was “” and learned it is a website about Navy jobs and careers.  Ironically, Google reports that the website has been hacked.  Ya think?  Of course, a mouse-over of the link “Click Here” reveals the fraud!






How about this email from “service” sent from  It was sent to us by one of our readers with the subject line “Payment refund order.”  Amazon seems to say “Dear Customer, we double charged your card for your last order, a refund process was Initiated but could not be completed due to errors in your Information.”   Of course they want you to “click here to update your address” and give away your Amazon account information!

A big, fat delete!


Finally in this week’s Phish Nets is this text that was reported by a user recently.  “Cathalina just sent you $3,182.00 USD with Paypal.  Paypal recommends to withdraw it now.”  Awfully nice of Cathalina!  Of course we’ll click that link and withdraw her generous gift.  All we have to do is log in….


We used the online tool to learn where this link will send you.  It turns out that this is a PayPal phishing scam hiding on another hacked server at mopscovington-dot-org!

Now delete!


YOUR MONEY: All Canvas Prints Sale, eHarmony, and DirectTV

“85% OFF All Custom Canvas Prints | Limited Time Offer!”  The email came from, and links point back to the domain  DON’T believe that line in the ad that this is a “Google Trusted Store” with a 4.7 star rating!  That’s as fake as a $20 Trump bill.   The bottom of the email tells the tale… To be removed from future mailings contact that famous mail drop in Grandville, Michigan!  We’ve reported on this address dozens of times.  It is a mail drop used by the criminal gang that pushes out this malicious junk.  In fact, a WHOIS lookup shows that they even registered the domain to this mail drop address.  And in case there was any doubt, have a look below the email to see the screenshot we pulled off the website waiting for you at the end of their 85% discount.  (The dog “ad” contains a link to the Czech Republic).

Just delete and be happy you dodged a bullet!




It’s been a while since we’ve seen the deluge of malicious emails disguised as dating site promotions but they now seem to be making a come back.  Take this message from the odd email address latitudinal with the subject “eHarmoney – 0 Risk – Free Match Month”  The links point back to, not eHarmony or a legitimate marketing firm.  This domain was registered just a few hours before the email was sent and Google can’t find any such website.



Looking for a good offer from DirectTV?  Don’t click the links in this email from depravement  The domain was registered in January to a Barbara J. Voggle of “Hungington, New York.”  Also, a search for the phone number 855-656-7734 doesn’t locate DirectTV or any re-seller, though Google does find a link to that number on a Russian website.

Don’t hurry.  Don’t act now.  Just delete.





TOP STORY: When Tech Support Scams and Malware Collide

We have posted articles in the past about tech support scams such as Apple Tech Support Scams and Microsoft Tech Support Scams. Just recently we were contacted by a friend who seemed to have one of these scams blow up on her Apple computer.  Digging a bit deeper we learned she was not only hit from an infected website popup disguised to look like a plea for tech support, but she was also hit with a nasty browser-hijack and slick bit of malware as well.  We were able to save the day and grab some screenshots to help our readers recognize and pull themselves out of these traps. Let’s begin at the beginning…

There’s really nothing you can do if a website you’ve visited has been infected by malware resulting in a popup like this one.  The infected website redirected her browser to the bogus domain macproblem90-online-05-DOT-com. When she arrived, she was hit with the web page showing “Potential Virus Found!  MAC has detected some possible suspicious activity from your IP address. Some spyware may have caused a security breach at your network location.”  You are urged to contact Mac technicians at 888-440-9853.



Here’s what you shouldn’t do…  DON’T click OK (it could trigger additional malware installation) and DON’T call the tech support number! Let’s take a closer look at both the phone number and the website our friend got directed to.  Using Google to look up 888-440-9853 is very informativeThe first link we see is for instructions from, (even though this is also an Apple hijacker.)  There are many other links that identify this phone number as a scam and offering instructions how to remove it from your computer.  There’s lesson number one! And what about that domain macproblem90-online-05-DOT-com? A WHOIS look up of this domain shows that it was registered on March 6 to “lin hongyu” from “sui xi, China.”  Does any of this sound like a tech support number you want to call?

What is a browser hijacker anyway?  It didn’t matter if the woman quit the browser and restarted it, opened a new window or tab.  Every time she opened her browser she was sent right back to macproblem90-online-05-DOT-com and those nasty messages.  Her browser was completely hijacked and she lost control over it.

Why was this also a malware infection?  We put our healing hands on this computer and tried to dig under the hood of the browser while stopping the hijack.  What we discovered was a script had been installed on her computer and it was also directing her browser to another odd website called eu1.echo-ice-DOT-com.


Using Google to explore this new domain is very revealing.  You’ll see many links in Google that identify this domain as a malware installer responsible for redirects and nasty popups in both Macs and PCs, and how to remove it.  But wait, there was more…  When our friend got hit by this attack she happened to be logged into an account that contains a monthly calendar.  This nasty collision of tech support scam and malware also managed to completely infect her calendar account by turning random words on her calendar into popup ads that are triggered by simploy passing a mouse over them.  There were so many that it was like trying to navigate a mine field to get the mouse across the screen without triggering popups everywhere.  In the image below you can see 2 of these adware links in the words “LEARNING” and “Run.”  The small green symbol next to each link is a sure sign of a mouse-over popup.


So what can you do to stop this malware and take control over the hijack?  The most important thing is to get to the preferences of your web browser and clear your browser cache completely!  That means clearing all history and go back to default settings like when the software was installed for the first time.  Once we were able to do that, her browser returned to normal, no more hijacks or popups and all the ad links in her calendar disappeared.

For some people, like the elderly or inexperienced,  what happened can be frightening and intimidating.  They are likely to pick up the phone and call that bogus number.  Who’s most vulnerable amongst your friends and family?  Teach them to never, ever call a phone number that pops up on their screen!




FOR YOUR SAFETY:  Your Mailbox is Almost Full

Normally we would file this email under a phishing attack but there’s more going on here.  If you look at the link revealed by the mouse-over you’ll see that it points to a site in Italy. (.it = 2-letter country code for Italy)  When we asked the Zulu URL Risk Analyzer to investigate this link, it came back as 100% malicious including the threat of malware.






ON THE LIGHTER SIDE: You Are Blessed and Hello Dearest One

From Doug’s personal experience while travelling in Africa and from his friends from African countries he has learned that there are many religious Africans who use the term “dearest one” as a greeting or routinely offer blessings.  Thus we think that many scams that include these phrases originate from Africans or from African scammers.  In any case, we’re very honored and happy to be so blessed!


From: municafernandez @
Time: 2017-03-09 07:11:53

Dear friend
I am a widow to a late oil & Gas merchant and now diagnosed with cancer ,
The doctors said I have a few months to live, I want you to help me distribute sum of
twenty Million United State Dollars to charity organization
in your country . Please reply me if you can help me distribute my funds and
I am willing to give you 20% for your time and effort. furnish me your private telephone
to establish communication with you .

Email me at my email address. Mrsfernandez @
Monica Garcia Fernandez

Subject: Hello Dearest One
Date: Mon, 06 Mar 2017 20:29:03 +0000 (UTC)
From: evelyn baily <evelynt2002 @>


Hello Dearest One,

I know it might be difficult for you to believe me because of the high rate of scam going round the internet. I am not asking for your financial assistance in anyway, but to plead in the name of god, please accept the last wish of a dying woman. I want my only adopted daughter to come over your country.

I’m Evelyn Baily, 65yrs old, suffering from cancer of the lungs. From the doctor’s report, I do not have much time to live and my daughter’s future is bothering me so much. She is just 17yrs old and I want the best for her. I promise to pay for whatever is going to cost to get her over to your country, help me accept her as a daughter, friend, sister and be her guardian. Please, accept my last wish for the sake of god and humanity.

I will be glad to hear from you please. Put me in your prayers and please god will bless you and your family.

You can always reach me through this my email address;evelynbailly2002 @


Evelyn Baily


Until next week, surf safely!