May 2, 2018


As we predicted in our last newsletter, the criminal gang most responsible for malicious emails that mimic legitimate businesses is now purchasing many domain names that end in DOT-stream.  Here are several examples of malicious email addresses that all end in this bogus top level domain DOT-stream:

Caring For A <”@” ioikgt[.]stream>
FHA Rate Guide Affiliate <FHARateGuideAffiliate “@” rate4u[.]stream>
The < ”@” mbnhfg[.]stream>
US Foreclosure <USForeclosure “@” ytsdcs[.]stream>
Medicare Supplemental <MedicareSupplemental “@” gdgda[.]stream>

During the past week, we saw a surge in job scams, especially those in which the criminals ask to interview a candidate using Google Hangouts.  The interview doesn’t include a video conference or voice phone call.  Everything is done via a text conversation.  It takes no time before the “candidate” (i.e. victim) is offered the job.  If you want to find out the details of this scam, check out our article Job Interviews in Google Hangouts.

Finally, listen to this phone scam call we received last week from a TDS reader saying that your AT&T account has been suspended!



Phish NETS: Apple Alert, Your Amazon Order, and Mailbox De-Activation

Though the subject line may get your immediate attention, we can’t imagine many people falling for this smelly phish because it was so poorly crafted and obviously did not come from  Subject line states “Apple alert regarding your recent order.”  There are several grammatical errors in the email along with awkward English.  As we often believe, this scam likely originated from another country and English is not the scammer’s first language.  The link for “view receipt” points to a hacked website for a defunct service in Los Angeles, CA that cleans up junk collected by hoarders. had no problem informing us that 3 services have reported the site as malicious.

Here is another poorly designed phish asking for confirmation of an order placed with Amazon.  Someone would have to be brain-dead not to be suspicious about this email.  It came from the domain brarust[.]com, which was registered on November 17, 2017 by someone claiming to be from Billings, Montana.  The links point to another domain called smootdeo[.]net.  Coincidentally, this second domain was registered on the exact same November day by a different person claiming to be from California.

A big fat deeeeleeeete!

And finally, rounding out this week’s lame phish market, is this de-activation notice for your web email account sent to us from a TDS reader.  She was informed that “we are doing a spam and fraudulent verification survey, which your email account [EMAIL REDACTED] was listed and has recently been updated.”

Easy delete.



YOUR MONEY: Oakley Sunglasses and Finding the Perfect Dentist

With some regularity we see unbelievable sales offers for designer products, with as much as 90% off.  We’re pretty sure this falls under the category of “if it seems too good to be true, it probably is.”  The email may say Oakley but it came from an account identified as “alejandro” from the domain hbaxg-DOT-com and all the links in the email point to another crap domain eezz-DOT-top.

Hbaxg-DOT-com was registered December 26, 2017 by someone from Shanghai, China claiming to represent a company called Shanghai Meicheng Technology Information Development Company.  When we look up this company in a Google search we get many links to scams, fake websites, and spam including this link from 2014 with Adding insult to injury, we discovered that eezz-DOT-top was registered on September 22, 2017 to someone in Hangzhou, China and he listed Nexperian Holding Limited as the “admin” for this domain.  We’ve written about Nexperian Holding Limited in two previous newsletters this year.  (February 7 Newsletter and April 25 Newsletter) So, how about buying those Oakley sunglasses now?

Do you feel lucky, punk?

“Finding The Perfect Dentist is F.r.e.e!”  The fact that this subject line contains the word “free” broken up by periods identifies this as spam at best, but more likely malicious.  “View vetted and approved, highly rated Dentists with openings today!”  Perhaps oddly, what we most admire about this criminal effort is the variety of content they use to engineer our clicking behavior.  We can imagine a conversation in the Stelka bar, not far from Gorky Park in Moscow between Vladimir, Boris, and Yevgeny discussing topics that might trick Americans into clicking malicious links.  Bogus dating emails with pretty faces are standard tools but so, too, are emails claiming to represent health insurance, auto warranties and yes, emails offering help to find the perfect dentist.

Notice that the domain used in this email is the crap domain claps8-DOT-review. It was registered by someone named “shenawestarn shenawestarn” from Idaho, Idaho on the same day this email was sent.  Delete delete.



TOP STORY: CVS Text – Retail Evaluation Survey

Doug at TDS received a text Saturday evening, April 28 that appeared to be for a CVS survey.  It came from (318) 504-4758.   The text was followed by a shortened link with the service, even though the link appears to be part of the text in the Message window.




We hope our readers would be extremely suspicious were they to receive this text.  There are four things about it that immediately caught our attention as odd…

  1. Incorrect use of capital letters
  2. Spaces separating the letters of CVS
  3. Rather than write $300, the sender wrote 300-USD, as in U. S. Dollars. We often see this format to describe US currency from people in other countries.
  4. Twice, the sender misplaced the period at the end of a sentence.

Not exactly the kind of standards one would expect from a marketing firm or department representing the largest pharmacy chain in the United States.

There is one other oddity worth noting.  Notice at the top of the text screenshot that it was received at 8:09 pm.  Doug was in New York when he received it.  But also notice the local time shown in the text when it was sent.  3:49 pm.  Assuming the phone was showing a reasonably correct local time, it suggests that the text was sent from a time zone that was about 4 hours earlier.  This puts the time zone in a part of the world that includes Alaska and several islands in the South Pacific such as the Pitcairn Islands.

A Google search for the phone number (318) 504-4758 shows nothing about the caller except that it is a Louisiana area code.  And what about the shortened link?  We used to show us that it points back to a free email form service that allows users to build their own online forms for people to fill out.  The data collected is then emailed wherever the form-builder wishes.

Why would CVS use a free form-building service?  Unfortunately, by the time we investigated the email form to see what questions were being asked for this “Retail Evaluation Survey” had already taken it down.  No explanation for the take-down was offered but it confirmed for us that this was a fraudulent effort to gather personal information.  In this era of rampant fraud and personal data theft we’re reminded that consumers have lost all control over their personal information and are being assaulted by data thieves on multiple fronts.  The next time you see a request for a survey of any kind, legitimate or not, we urge you to think twice about what you share.

If we push to an extreme the idea that criminals and governments know EVERYTHING about us, we’re reminded of the extreme dystopia, Oceania, in George Orwell’s book 1984.   But that fictional society where the elite gather all data about citizens and monitor their every move is not as fictional as you might think.  Chinese citizens are in the middle of these extreme invasions of their privacy now.  Read these articles published in the last 6 months about China’s effort to monitor its citizens and give everyone a “social score” for their behavior.  You can imagine the impact of a positive or negative score on a person’s advantages in Chinese society.  Or disadvantages…

What is our world coming to?



FOR YOUR SAFETY: Kroger Secret Shopper

And while we’re on the topic about the privacy of personal information, here’s one more clever bit of erosion that crossed our desk last week.  “Become a Kroger Secret Shopper” says an email that was correctly spoofed so that it appeared to come from, a company estimated by Wikipedia to have close to half-a-million employees.  If you read the pitch in this email, it looks like easy money…

The criminals who perpetrated this scam were very clever.  Not only did they spoof the real Kroger domain in the from address, but a mouse-over of  “Join Us” seems like it could be legitimate because it points to a job recruitment firm called Davis Recruitment.  However, the scam is revealed by the fact that Davis Recruitment is located in Australia and focuses on the medical industry only, and that is not Kroger’s industry.  (Did you spot “.au” in the link?  “.au” = Australia)

Had you clicked “Join Us” you would have been asked to provide your name, address and phone number.  Who knows what they would have asked for after this initial contact.

Caveat emptor!


Until next week, surf safely!