Please support our effort by making a small donation. Thank you!


March 18, 2015


During the past week TDS noted a lot of scams being delivered from email addresses outside the United States. It’s easy to identify these scams because the email addresses will always end with a 2-letter country code. Watch our video about identifying 2-letter country code scams! Though we saw scams coming from Hong Kong (.hk), Columbia (.co) and South Africa (.za –surprise! It isn’t .sa), the great majority came from India (.in) and Reunion (.re). Reunion, you ask? We also had to look it up to learn that it is a small island in the Indian ocean and related to France. Check out this scam sent from, and connected to a web server in Columbia (.co):



Besides seeing many scams sent from overseas email accounts, we also saw tremendous misuse of the newly released domains from the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is the non-profit company that is in charge of governing Internet names. Though they have been releasing many new generic top level domain names, the only folks we see making any use of them are the scammers. We’ve see thousands (literally!) of scams from new domains like “.science”, “.asia”, “.eu”, “.cricket”, “.website”, and


0-Pet food coupons

We also saw a scampaign of emails over several days that were spoofed to look like they came from, a legitimate company. However, all of these emails were malicious and a mouse-over of the links revealed that they pointed to other websites.


We want to remind our readers about scammy/spammy email usernames. Though legitimate businesses and organizations sometimes create usernames that try to suggest the purpose of the email, scammers often select usernames that are meant to deceive recipients and try to add “legitimacy” to their email address. Here are just a few of the usernames scammers selected to appear in front of the “@” symbol of their email addresses:





























Phish NETS: Wells Fargo, Dropbox and PayPal

TDS saw a variety of phishing scams during the past week including these three. (Remember, phishing scams are designed to capture login credentials!) Read our recent feature article called Anatomy of a PhishWells Fargo bank seems to get picked on nearly as much as Apple Computer. Note that the first email below was sent from a username called “Wellsfargo” but the sender’s domain is actually “” A username is very easy to forge. Of course the email doesn’t contain any personal information to identify the recipient or his/her Wells Fargo account. The attached file is a web document and is very dangerous to click on because the web document can instruct your browser to do a wide variety of dangerous things besides showing you a fake Wells Fargo Bank page. For example, the html file can instruct your browser to pull down malicious files off the Internet.

The next phishing email is for the file-sharing site called Dropbox. Fortunately a simple mouse-over reveals that the link doesn’t point back to but points to a website called The Zulu URL Risk Analyzer has rated the website as 100% malicious, primarily because there are two malicious scripts waiting for your arrival and the fact that the site has been used multiple times for phishing scams. Even has identified this website as a phishing site! Don’t be fooled just because you see a file and directory named “dropbox” in the link that appear after the first forward-slash /

2-DropBox phishing site


The third phish we wanted to share with readers was for PayPal.   The email is well crafted and professionally written but if you look carefully you realize three important things about it:

  1. It was not sent from (It was sent from a server in the UK – United Kingdom)
  2. The email contains no personal information to identify the recipient
  3. A mouse-over reveals that the link points to ro which is certainly not PayPal. The country code identifies this link pointing to a website hosted in Romania.


Just delete!

3-Your PayPal account has been limited









YOUR MONEY: Scams hosted on “.us” websites

In “Your Money” this week we want to show you three gift card scams starting with this one that claims to be for Olive Garden. Don’t be misled by the text claiming that this is from an “advertiser” from “an independent program.” The Zulu URL Risk Analyzer rates the site as 100% malicious and reports that the site has been blacklisted by other safety services as well.

Also, the website domain was registered he day the email was sent. Finally, notice the very spammy text at the bottom of the email meant to trick anti-spam filters.

 Just delete.


These next two gift card scams are for very different products and sent two days apart but you can see by the design and content of the emails that these scams were constructed by the same criminal gang. We actually believe that all three of these scams were constructed by the same criminal gang! Look at the text and numbers found at the bottom of each email. What do you think?

5a-Southwest Airline survey to earn gift card

5b-You have earned 50 dollar iTunes gift card






TOP STORY: Risky Invoices

We have seen a jump in fake invoice emails such as the two below. What is most dangerous about them is that they carry files meant to infect computers with malicious software. Again, notice that neither of these emails contain any information to identify the recipient or the business to whom they were sent. The first email contains an “ace” file. This is a type of compressed file made for the Windows operating system. The second email contains an infected Word document.

Can you figure out the 2-letter country code of the second invoice scam? “.tw” means that it was sent from a server in Taiwan.

Just delete, delete, delete!

6-Invoice Attached 7-Invoice attached - word doc







We said some weeks ago that tax scams were on the rise and this past week has been no exception. Check out this scam claiming to resolve issues with back taxes.


Did you notice where the email came from and and where the website is hosted? We’ve never heard of a United States tax business located in the United Kingdom! Just delete!

“Man wins Lotto Jackpot five times in just 90 days!” This “MUST SEE” video is anything but! According to the Zulu URL Risk Analyzer, the link is 100% malicious.

It’s just another clever social engineering trick to lure the curious.

Delete, delete, delete!


9-Man wins lotto 5x - see video 







Finally, we wanted to leave you with this incredibly lame text scam. Notice the strange email address of the sender displayed at the top of the text. This is typical of scam texts. We Googled the telephone number (Have we said how much we love Google?) and found others folks talking about this scam at Apparently this is a “free cruise” scam.

10LS-Cruise Text Scam


Until next week….

surf safely!