March 21, 2018


No doubt, you are tired of hearing these two monosyllabic words spoken together: fake news.  We suppose this is largely because these words have become the rallying cry for President Trump when he hears something he doesn’t like about himself or his administration.  Yet, we’re recently reminded that fake news is still a serious problem in our country, especially on social media.  It is spit out by people (or foreign governments, extremist groups, etc.) who want to manipulate our opinions, nudge our behaviors, and ultimately push us into making a decision that benefits their agenda.  Last week, Doug was scrolling through his Facebook feed when the following photo appeared, having been shared by a friend.  It did not have the word “HOAX” written on it, and all African-American faces were visible, not blurred.


There are many disturbing things about this photo and its combined caption.  Fortunately, it has been proven to be a complete hoax and you can read about it on multiple websites, including the venerable However, we ask our readers to look closely at the text and notice the subtle, but important, grammatical error in the claim.  A native English-speaker would never make such a basic error, but someone whose first language is not English would more easily have made this mistake.  The second point we want to make is that Cadbury, the company clearly targeted by this claim, is a British international company.  Could this possibly be an economic attack on a British company rather than just someone’s sick joke?  We believe this is likely.

If you use social media, keep a wary eye for claims and startling stories.  Usually, it takes very little effort to debunk them!  Just cite the claim/text in a Google search window with the word “fake” or “scam” and see what links Google returns.  You’ll know immediately.  And if it turns out to be fake, post a comment under the claim/story to tell others that it is fake news…for real!

Speaking of fake, we loved getting this email from a reader who was congratulated by the C.E.O. of Google for becoming a “winner of the Google Reward Promotion.”  If you look carefully, you’ll notice that the email came from an account called milkglass through a server in Japan.  You must read the 2-OFFICIAL NOTIFICATION LETTER. We give Mr. Bradley Bennington (or whatever his real name is) an A+ for his effort to create a convincing Google award certificate!



Phish NETS: Help Us Protect Your Email Account

This is a serious warning because the word “warning” is followed by three exclamation points in the subject line!!! Once again, sharp eyes easily reveal this fraud.  This phish says it came from the “E-Mail Administrator” but look at the actual email address that follows it.  Can you guess what country this email was sent from?  We’ll give you a hint… “.de” is the 2-letter country code for Deutschland!  So… “HELP US PROTECT YOUR ACCOUNT” by not clicking on that link to CONFIRM.

And then delete!



YOUR MONEY: UGG Winter Boot Sale, Home Protection Services, and Smart Gum

We like sales and we like UGG boots, so what’s not to like about end-of-season 85% off sale of them?  Except that it’s just click-bait!  This make-believe marketing email came from criminals who want nothing more than to infect and take control of your computer.  This email came from elena “@” wesley.iiaqq-DOT-com and all the links point to a subdomain (wm1da42w27t) of the crap domain xxlx-DOT-trade.  It took only seconds for the Zulu URL Risk Analyzer to identify that link as 100% malicious. told us that Fortinet AV Service found malware waiting for you at the end of that link.  85% off?




This next email is meant to frighten home owners by design.  The photos are upsetting and the opening paragraph says it all… “what you’re about to discover here, contradicts everything you’ve ever known about protecting your home and family from looters, thieves and rapists during a crisis.”  All links in this email point to back to the domain keper-DOT-bid.   Once again, the Zulu URL Risk Analyzer identifies these links as 90% malicious.


Who knew?!  You can chew gum and it will make you smarter! “Boost Focus and Energy Levels with Smart Gum.”  Never mind the truth of that claim…. What does the article in this malicious email have to do with Smart Gum?  We also know that this malicious email has nothing to do with the website of the same name, smartgum-dot-com.  Below the red box of this email was a large white space followed by text information at the bottom saying this was sent from an “Advertising Agency in USA.”  We know what that means.  Hidden white text can be found against a white background meant to fool anti-spam servers!

A big, fat delete!




TOP STORY: Website Names Meant to Deceive

TDS recently published an article about deceptive websites designed to trick consumers into believing they are contacting legitimate customer service centers.  Criminals register domain names like 1800customerservicenumber-DOT-com and instantcustomercare-DOT-com and wait for unsuspecting consumers to visit and call the phone numbers for help, much like a spider builds a web and patiently waits for prey. (To read more about these deceptive consumer domains, read our feature article.) This predatorial behavior is actually common online and for many years criminals have registered thousands of deceptive domain names.

In the summer of 2017, the FBI put out a warning concerning more than one hundred malicious domain names that were thought to be linked to cyber criminals in Iran.  What struck us most when we first looked at these domain names was how many were selected to appear as legitimate resources that people might turn to for assistance, or assume they represented well-known American businesses.  Here is a sampling of these malicious domain names, arranged by topic.  All were used to deliver malware or phish personal information.

Computer Security Domains:

mcafee-analyzer-DOT-com mcafeemonitoring-DOT-com mcafee-monitoring-DOT-com microsoft-security-DOT-host windefender-DOT-org


Microsoft Windows Updates/Patches

microsoftserver-DOT-org microsoft-tool-DOT-com micro-windows-DOT-in mpmicrosoft-DOT-com patch7-windows-DOT-com patch8-windows-DOT-com patchthiswindows-DOT-com sharepoint-microsoft-DOT-co windowkernel-DOT-com windowkernel14-DOT-com windows-10patch-DOT-in windows24-kernel-DOT-in windows-api-DOT-com windows-drive20-DOT-com windows-india-DOT-in windowskernel-DOT-com windowskernel-DOT-in windows-kernel-DOT-in windowskernel-DOT-net windowskernel14-DOT-com windowslayer-DOT-in windowssup-DOT-in windowsupup-DOT-com win-update-DOT-com winupdate64-DOT-com winupdate64-DOT-net winupdate64-DOT-org winupdate64-DOT-us win-updates-DOT-com


Microsoft Office Products mswordupdate15-DOT-com mswordupdate16-DOT-com mswordupdate17-DOT-com officeapps-live-DOT-com officeapps-live-DOT-net officeapps-live-DOT-org outlook360-DOT-net outlook360-DOT-org


Google Products/Resources Chromeupdates-DOT-online gmailtagmanager-DOT-com google-api-analyse-DOT-com google-api-update-DOT-com


YouTube Resources ads-youtube-DOT-net ads-youtube-DOT-tech

Over the years, we have exposed many domain names used for phishing personal information that are similarly registered because they look like legitimate business domains.  For example, here are several that were used in phishing scams for your Apple ID and password, or meant to pitch you fake phone support numbers for Apple.  None of them are the real

Apple-DOT-co appleid.ssl-DOT-com iapple-DOT-com appletechsupportnumber-DOT-net applesupportcentre-DOT-com applephonesupport-DOT-com applemacsupportnumber-DOT-com appletechnicalsupportnumbers-DOT-com apple-support.applehelp-DOT-support


Below are phony domain names that were meant to represent other consumer businesses.  In many of these, you can see the name of the business they were pretending to represent:

amazonscard-DOT-com coscowholesalez-DOT-com cvsextrakares-DOT-com dealforsams-DOT-com dogfoodss-DOT-us extrakarecvs-DOT-com freemacyscard-DOT-com giftfromsamclub-DOT-com giiftfromprime-DOT-com nowinwalgrins-DOT-com nowmacyz-DOT-com pandoraye-DOT-com pharmacvsusa-DOT-com primezonusa-DOT-com rewardwithpriime-DOT-com rewarfromsams-DOT-com shoppingonlinegood-DOT-com todayamzn-DOT-com ussamzclub-DOT-com walgrinisnow-DOT-com

Criminals have even targeted news media websites in their effort to engineer your clicking behavior, such as the fake domain cnntodaynews-DOT-bid.

As people spend more time online and conduct more of our social and consumer lives online, it becomes increasingly important for us to look carefully at the places we intent to visit before we visit!  If something feels odd about the destination in the link we’re about to click, ask Google about the site.  Don’t just enter the questionable domain into Google, for fear your web browser will just send you there.  Instead, ask Google a question like “Is a scam?” or ask for “ reviews.”  What does Google find and report to you about this website?  You can also try visiting a WHOIS tool (such as and look up the domain name.  If the WHOIS tool reports that the domain is owned by a private proxy service in Panama or someone from India or Russia, that should give you reason to back off from visiting the website.  These are also good tips to help you evaluate legitimate domains!  Doug’s daughter recently asked him about a domain she found to purchase concert tickets.  It seemed odd to her because it was [redacted]-DOT-expert.  Doug entered the domain name followed by “reviews” into Google.  It turns out the company was legitimate but it had a very poor reputation from many consumers, including the Better Business Bureau!

What an online world it has become!  Where are the Internet police?  Oh yeah, we forgot.  There are none.



FOR YOUR SAFETY: Dangerous Zip Files

Fortunately, the recipient’s Gmail account flagged this email as spam and suspicious.  It turns out that the attached zip file contained malware.  This was the equivalent of some criminal lobbing a hand-grenade at a business.  Zip files are extremely dangerous to open because you typically can’t see what’s inside of them until you open them.  And with certain types of malware, that’s too late.

What also makes this malicious email startling is that it was made to look like someone at the business had sent it to the recipient!  The target person knew there was no one at their business named Paul, and so the pin never came out of that hand grenade.

We can’t help leave you with one more bit of chicanery this week, given all our focus on “fake” things online.  Doug received the following email on March 15 that appeared to be sent from his own email address, with the subject line “Welcome to our company.”

Our company is looking for a Project Administrator in our marketing division either on a full-time or part-time basis. The salary is $70000 per year. Location: USA/All states. Schedule: Full-Time and Part-Time Relocation: Not required; Job Specifics and requirements: On this position you will be responsible for working with the overall management of a project or some partsof larger project under the direction of the Head of the Project. Required skills: – US citizen only. – More than 5 years of work experience. – Ability to manage and analyze data; – Negotiate and manage agreements and ongoing relationship with logistics providers as required – Work with Sales to understand demand and construct forecasts – IT literate Please, attach your Resume if you want to get more information. Notice Only persons with Resume will be considered. Our Contact: Jonathon “@” investsoinvest-DOT-info [EMAIL MODIFIED BY TDS].

We visited a WHOIS tool and entered the domain used by “Jonathon” à investsoinvest-DOT-info It turns out that this domain was registered just three days earlier by “Georgii Mitisov” from “spb, Russia.” (Presumably meant to be Saint Petersburg.). The email “Georgii” listed is for an entirely different name, Alex Kitai.   Once more, it is so easy to deceive others online.


Until next week, surf safely!