May 29, 2019


Malicious texts, browser hijacks, Russian emails, and malware-laden attachments.  Variety is the spice of life and this week’s newsletter is oh-so-spicey! Let’s start with those malicious texts. The first came to Doug from 971-713-5731, claiming that “we love to spoil our customers.”  But what business does this represent? We looked up that very oddball domain — agn2fn[.]pw — ( “.pw” is the 2-letter country code for Palau) and discovered that it was registered on April 8, about six weeks before this text was sent.  That website is blacklisted by McAfee. When we searched for that phone number in Google, amongst the top 8 returns were these two interesting links “I want to get in touch with him” and “Presley is too smart for that.” Very intriguing!  But remember that curiosity killed the cat! Before you think about clicking either of those links to the UK or Canada, you should know that both links lead to malware, according to (For example, here is Sucuri’s analysis of the site “Presley is too smart for that.”)



The next text came from 657-368-9800 and claimed to be for an Amazon shopping survey. (**roll eyes** We all know how this one turns out) You are offered a $100 reward to visit that link at mey12g7[.]xyz.  This crap domain was registered in Panama just over a week before this text was received and that DOT-xyz domain is being hosted on a server in Hong Kong.  A Google search for that phone number also turns up these very odd remarks on various websites amongst Google’s first page of returns.  And just like the links to the first phone number, malware has been found waiting on each of these websites, like a booby-trap waiting to be stepped on. (For example, check out Sucuri’s analysis of the site “Stop your bellyaching.”)  So, next time you get a text from a number you don’t recognize and it contains a link, DO NOT CLICK, no matter how enticing it seems!  These are just another form of malicious clickbait.




We really do hate to malign an entire country but our rose-colored glasses give us only one view of Russia.  A school recently shared with us that they had received multiple odd emails over the course of a few days that were sent to them through their online contact form.  They were all nearly identical and came from an email server (mail[.]ru) in Russia, from people with Russian-sounding names. Here are just three.




It’s as if they are DARING YOU to search Google for the word Z-A-F-A-R-O-V-O.  Well, we did and found those same messages posted on dozens of website comment forms all over the Internet.  Looks like another form of clickbait to us. Step away from that ledge….

One more important note… Just a few days ago we heard from a reader who received an automated phone message sounding like a woman and claiming to be from Amazon Customer Support.  The call asked about a charge made to the woman’s Amazon account and paid using her Visa card. The automated call invited a call-back if this was a fraudulent charge. THE CALL WAS FRAUDULENT!  This scam is VERY active right now. You can hear this scam call on  The fraud phone number the recipient was asked to call was 888-828-5222.



Phish NETS: Chase Bank, Verizon Email, and Wells Fargo Bank

It only takes a close look at the FROM email address to see that this “URGENT Chase Confirmation” came from a web server in Italy, and not from  However, you can see from the screenshot below that the login page looks exactly like Chase Bank’s login. The criminals are misusing Google’s storage services.  We’ve reported it to Google here but we did find it funny how they spelled “Chaze Bank” in their link.

Just delete.


Below is a type of phish we’ve never seen before.  There are two emails that are trying to target Verizon account holders.  They are asking the account holder “Did you really request us to terminate your account?”  This was followed by “your request to remove your account has been approved and will initiate in one hour.”  Though these emails shared with us by a TDS reader did not contain the active links, it is clear by the sender’s FROM address that they are fraudulent!  They came from “ksrld @ adexec[.]com”  If you look up “” in Google, you’ll see dozens of warnings posted around the internet that this domain is heavily used for fraud, including this post on




Another reader sent us this smelly carp disguised as a message from Wells Fargo.  Again, though we could not see the active link, it is clear that an email from “den[.]edu” is NOT an email from!  Also, there is no website whatsoever or known domain called “den[.]edu.”



YOUR MONEY:  Scam Job Interviews in Google Hangouts

We would like to take this week’s “Your Money” column to bring some attention to a long-running scam that exploded in activity last week!  We’ve been writing about these fake job interviews in Google Hangouts as a form of “advance-check” scam since February, 2018.  We have posted more than 68 fake jobs that people have reported to us.  Last week we heard from ten people in just five days about these scams and that’s a lot. Sadly, two of these people lost thousands of dollars to this scam.  We translate that number to mean many hundreds of Americans are suddenly being targeted by this scam.

For an “advance-check” scam to work, it requires a plausible reason for the criminals to send a fake check to the target person and have them deposit it.  The victim is then asked to keep some of the funds but the bulk of the funds are to be used to purchase items through the sender’s “approved vendor.” The checks are fake, of course!  However, they are usually very good fakes and it sometimes takes the banks five days or more to discover this. We’ve talked to banks about these fake checks. Some of these checks have actually used the names and accounts of real businesses who are customers at the bank but didn’t write the checks!  Here’s an example of a check that an almost-victim received last week for $3,980.60:



The victim is urged to use the deposited funds to immediately pay for the services or goods through the “approved vendor” by some untraceable method, such as a Green-Dot money card or wire transfer.  Of course, it means that the victim is using his or her own real money, or is responsible for the money he or she has transferred. Quite literally, as we write this week’s newsletter, a woman contacted us and reports that she lost $1,900 through this scam.

Check out this email to an almost-victim who was hired two days prior, after a short text interview in Google Hangouts.  Google cannot find any website for “” and a WHOIS shows us that this domain is for sale AND being hosted by a web server in Nassau, Bahamas.  According to this article on, it is possible for anyone to set up an email that appears to come from “” such as this one that looks like it comes from a Human Resources career department.  Notice  in this email that “Mr. Matt Rosenzweig” gives the targeted victim a Gmail address, not an email address associated with the actual Real Estate firm “Marcus & Millichap.”


It is so easy to deceive others online UNLESS you pay close attention to details, verify your sources and information AND apply some simple common sense.  No one in real life is going to send you a check for nearly $4000 after a 20 minute text interview followed by “you’re hired!”



TOP STORY: The Danger of Redirects!

Imagine getting this email below from “Liberty Mutual Insurance” offering savings as much as $509.  You’re invited to request a quote online or call an 800 number. This was sent to us as a screenshot by one of our readers, without the email header information.  However, we could see that the links in this email pointed to an odd website named stagestudy[.]casa.



All of our software resources informed us that there was nothing malicious about the link in this email.  However, waiting and hidden at the stagestudy[.]casa website was a “redirect.” A “redirect” is a snippet of code that will automatically forward a visitor from one web page to another web page instantly.  And the visitor doesn’t typically see or know that he or she is being redirected UNLESS he or she has noticed the domain listed in the original link and then watches the appearance of links at the top of the browser window.  We used the Zulu URL Risk Analyzer to follow the first link.  Like many services, Zulu will tell us if the target site contains any hidden redirects.  And it did! Stagestudy[.]casa redirects to another website called elliornic[.]com. Can you guess what surprise waits for you at elliornic[.]com?



This methodology is often used by criminal gangs who wish to infect our devices with malware.  Security services don’t pick up a threat on the original domain via the emailed links because there are none!  However, hidden in the first domain is a redirect to a second domain where a landmine awaits. We’ve even found instances where a second website is benign but contains another redirect to a third website where the landmine patiently sits.  But this malicious clickbait is filled with even more threats if you choose to peel back another layer. We were curious about the phone number (800-216-3405) listed in the email and Google’d it. We found that it didn’t belong to Liberty Mutual.  Equally important, we found that listed number on a half-dozen free web pages at Below is a screenshot of the first four, clearly showing references to both the phone number and Liberty Mutual. This made us very suspicious and so we asked to investigate these links.  On EACH of these blogspot web pages found malware waiting to infect visitor’s computers! Below is a screenshot from one analysis.



Below are two more recent examples of malicious emails that contain links to harmless websites.  However, these harmless websites contain hidden redirects to malicious websites hosting malware. The moral of this story is simple…. The best online security services to tell you if a website is malicious or not are those that also identify if a website is hosting any hidden redirects! If the report says benign or harmless website BUT it contains a redirect, don’t assume the link is OK!  Ask the security service to ask check out the redirect! Two such services that will identify and report hidden redirects are the Zulu URL Risk Analyzer and (Also note that this “CBD Health News” sham email also targeted people with “Memorial Day” savings up to 40% off.)








FOR YOUR SAFETY: “FileConvertOnline” Browser Hijack, Shipping Instructions (Zip file)

Recently, one of our friends got hit with a browser hijacker called “FileConvertOnline.”  For those who don’t know, a browser hijacker is a type of computer infection that modifies the settings of your web browser (e.g. Chrome, Safari, Internet Explorer, or Firefox) without your permission.  Once modified, they can do a variety of things like inject unwanted advertising on your web pages or through popups. Many of these ads are sleazy or scams by themselves!  Browser hijackers can replace your home page or preferred search engine with their choices. Ultimately, the changes make money for someone else at your expense. Here’s what our friend suddenly saw after visiting an infecting website…



Fortunately, this particular hijacker was easy to find in the Chrome settings and remove.  Others are not so easy!


And finally this week, we leave you with this email sent to a business saying “We just got instruction from our client to contact you on the above subject.  Please, check the shipping documents before we proceed with shipment.” And, as you can probably predict, those “shipping documents” contained malware known as DropZP-A and is described on the Sophos website.


Until next week, surf safely!