May 9, 2018


Creative, resilient, tenacious, clever and persistent.  These are admirable qualities we would hope for in our children, employees or friends seeking to develop their professional careers.  However, we’re referring to some of the scammers we’ve recently been hearing about or in contact with.  In our last newsletter we berated the amateur phishers for their, thankfully, lackluster skill to create risky phish.  What a difference a week can make.  This week we’ve seen and heard about some very professionally-crafted scams conducted by very smart people who can well be described by our opening line above.  One scam that we’re still documenting targeted a school for a large sum of money and was nearly successful.  We’ll let you know about it once we finish our article.

In the meantime, a bit of the mundane…  You would think we’re looking for love in the all the wrong places. We’re not.  But we’ve been seeing so many malicious emails pretending to be from a wide variety of fake dating sites, hook-up sites, and meet Russian, Asian, or other foreign women online sites.   Every one of these emails is a malware landmine.  Here are a few of the from email addresses that have bombarded us.  We’re certain they are all from the same source:

Be Naughty <BeNaughty “@” award4u[.]review>
Date-Hot-Russian <Date-Hot-Russian “@” youpopular[.]review>
Silver- Singles <Silver-Singles “@” rmfdsfk[.]date>
Silver-Singles <Silver-Singles “@” mfsdghs[.]date>
Via Loveswans <ViaLoveswans “@” ask4u[.]review>
Via Loveswans <ViaLoveswans “@” every4u[.]review>



Phish NETS: Verify Your COX Account, and Your Email Will Be Terminated

Besides mousing over the link “Verify Now” to reveal the fraudulent destination, there is little else about this email that might make one suspicious.  The criminals spoofed the email to appear as though it comes from Xfinity by Comcast.  But this is not unreasonable since Comcast has a distribution agreement with Cox for content and use of hardware.  “Hello, Your account has been suspended for reactivation.  We detected unusual activity when we asked you to provide an Advance Access code.”

There are a few subtle issues with the text in this email, and the fact that your name is missing from it.  The link “Verify Now” points to a legitimate, but hacked, web server in Brazil.  Can you spot the 2-letter country code in the link?  “.br” = Brazil.  Using Screenshot Machine, we snapped a photo of the web page waiting for you at the end of that link.  It sure looks like a Cox sign-in window.

Now delete.

We can’t help but wonder if this next phish were made by the same criminals as the Cox phish.  Once again, the fraudulent link points to a hacked server in…. Brazil!  We would like to visit Brazil one day but not like this.  The email is total BS and contains several errors and incorrect English.





YOUR MONEY: Misreading “cl” for “d” Will Cost You Money

“cl” and “d”   Have you ever seen vehicles plastered with logos or ads?  Some of these drivers are paid for this service.  But there have also been numerous advance-check scams pretending to hire drivers and their cars for advertising purposes.  People who are hired are sent a check for a large sum of money, some of which is to pay the folks who make and apply the ad decals or magnets to your car, and the rest is for your first month’s payment.  Victims are told to deposit the checks and wire the lion’s share of the money to the company before bringing in their car.  Of course, the checks bounce but only after the victim wires their real money to an untraceable source.

So imagine how thrilled we were to receive the email below from “Cassandra Easterly” claiming to represent, a very real marketing firm who registered their domain name in 1998.  Look what we noticed about Cassandra’s email address!  She told us to email her at Lanclor-DOT-com, a domain that was registered the day before this email was sent.  We immediately sprung into action and contacted Ms. Easterly as a woman named “Mary” to tell her we wanted the job!

From “her” address at Lanclor-DOT-com, Ms. Easterly sent us this reply…

Dear Mary,

How are you doing today?I appreciate your willingness to participate in this program.My name is Cassandra Easterly and am the Logistics Supervisor for Landor Associates in North America.Landor Associates is a brand consulting firm founded in 1941 by Walter Landon who pioneered some research, design, and consulting methods that the branding industry still uses up to this moment.Headquartered in San Francisco, the company maintains 26 offices in 20 countries, including China, France, Germany, India, the United Kingdom, Mexico, Singapore, Australia, Japan,and the United States.Landor is a member of the Young & Rubicam Group network within WPP PLC,the world’s largest advertising company by revenues..Earlier this year we were contracted by the Australian Open Management to carry out campaign for the 2019 Australian Open which would begin in January.Due to the low number of viewers recorded at The 2018 Australian Open,we have been chosen to carry out a major campaign for the upcoming tournament.It is not a surprise as our reputation precedes us and the fact that we have worked with top Companies such as BMW,Ethad Airways,Qatar Airways,Coca-cola to mention a few is no doubt that we are the best at what we do.Apart from carrying out TV commercials and Bill Board,we have decided to take our marketing practice to another level by adding automobiles and trains to the campaign list so as to reach a broader audience thereby passing out the message to a large audience which is why we seek interested candidates to go about their normal routine with the advert of the “2019 AUSTRALIAN OPEN” on their Car,Bus or Truck.We have chosen sharp colors so the decal will be eye catching and attract lots of attention to people whenever the car pulls up or stucked in traffic..The program will last for 6 months and the minimum a candidate can participate is 2 months..If thereafter a candidate chose not to participate anymore,the decal can be removed..The decal is of 2 types;Wrap or Sticker.The wrap covers every portion of your car’s exterior surface while the Sticker will just be on the doors and also the hood of the car..It is the same amount and we have recruited professionals in our selected cities to carry out the process so no damage will occur on any participants car..It is important that the specialist record the mileage of the car so as to ensure that the car is driven at least 5 hours weekly.

Participants will be compensated with $300 weekly which includes $50 for gas..The payment will arrive every friday in form of a certified cashier check..Each participant will be provided with flyers to be distributed as well as Face Cap and T-Shirt with the “2019 Australian Open” inscription boldly written on it.The specialist will provide this material after he as placed the decal (sticker/wrap)  on the car..

Landor do not require any fee to participate in this program as the application form is  free..You can find below the application form to apply for this offer.Only successful candidates will be contacted for wrap Schedule and Placement

Full Name: Residential Mailing Address (Not PO BOX): City: State: Zip code: Country: Make of car/ year: Telephone numbers:

Warm Regards, Cassandra E Easterly Area Coordinator/Logistic Supervisor

Landor Associates

(270) 693-2261

In response to this email, we sent Ms. Easterly the information she requested plus a link we hoped she would click so we could find out her location.  This is the reply we got:

“you must be so dumb to think you can get me by opening it…Shame on you”

We then admitted that we were not a woman named “Mary” just as he wasn’t Cassandra from Landor.  We asked if we could interview him for an article we were writing about these scams.  His response?  In caps he told us to kiss a part of his anatomy that rhymes with glass.  Oh well, at least we tried.



TOP STORY: Dangerous Texts

The majority of people over the age of 14 carry a smartphone.  For most adults, that phone is used for so many personal things such as email, texting, social media, banking, store purchases and more.  The amount and kind of personal information available through our smartphones is extremely valuable and easily monetized by criminals.  That’s why smartphone malware can be so dangerous.  Android phones are the highest percentage of the world’s phones and, also the most vulnerable and targeted by malware.   There are literally hundreds of malware “families” (types of malware) each with thousands of variations.  This is possible because the Android platform is open-source and less regulated. Perhaps surprisingly, Apple iPhone users are also heavily targeted.  There are hundreds of different malware that target iPhones.  Though the iOS is very tightly controlled by Apple, it sometimes makes mistakes and vulnerabilities are exploited like any other software.  That’s one very good reason why it is important to keep your phones updated to the latest software versions and should never be jail-broken! (Jail-breaking an iPhone voids the warranty but allows the user to install whatever software he or she wants, including software found in places other than the Apple App store.)

While there are several methods for getting malware onto smartphones, the most commonly used method is to send someone a text with a link that points to infecting software, such as this text posted recently by a Reddit member on  Fortunately, the poor grammar and spelling make this Gmail notice easy to spot as fraud.

Here are a few links to articles about malware targeting smartphones:

  1. Android vs. iOS Security. Which is Better?
  2. List of Mac Viruses, Malware and Security Flaws
  3. ‘Pegasus’ Malware Package Also Found to Impact OS X

But malware is not the only type of threat targeting us via texts.  What about this text posted by another Reddit member recently.  It came from 614-349-9084.  “Your transfer is prepared and waiting for you to select the amount you want” followed by “Finish/Withdraw on withdrawcenter-DOT-com.”  The small graphic square under the link suggests to us that it may be a web beacon.  These are tiny transparent images that are used to track user interaction with emails and texts.  They can report such things as whether or not a message is opened, when it was opened, how many times opened, and the general location of the person who opened the message.  This Reddit user has their text preferences set with a purple background which revealed that the graphic was there.



Assuming the link really does point to withdrawcenter-DOT-com, what is this website?  According to a WHOIS look up, withdrawcenter-DOT-com was registered the same day that this text was received.  That is NEVER a good sign!  Instead, it is a hallmark of criminal intentions.  There is also no website at this domain, but there is a redirect that will send you to another website called agencyface-DOT-com. AgencyFace was registered on January 13, 2018.  Both domains were registered using a privacy proxy service in Panama.



We followed that link for AgencyFace and snapped a screenshot of the top page of the website to find that “Your Loan Is Moments Away.”  What drew our attention here was the icon and name “WhiteRockLoans.”

Since both withdraw[.]com and agencyface[.]com were both registered anonymously, we have no idea if this website truly represents a real business called “White Rock Loans” but we decided to dig into this as if it were true.  Who is “White Rock Loans?”  It turns out that a Google search will return many positive reviews of this loan service but there is one link that stands out amongst those platitudes.  It is a link to a well-written, detailed article at about White Rock Loans.  Based on their article we would never take out a loan through this service!

Caveat emptor!


FOR YOUR SAFETY: Venmo Funds Credited To Your Account and Your Verizon Bill Is Ready to View

“Welcome to Venmo! Funds credited to your account!” That sounds exciting, especially considering that the recipient of this email didn’t have an account with Venmo!  This “Automated Payment Notice From Venmo” obviously didn’t come from Venmo either.  One might assume that this is another phishing email to gain access to user’s accounts but that is not what’s going on here.  It’s simple social engineering to infect your computer. VirusTotal informs us that Spamhaus reports malware waiting at the website listed in the links.  Ouch!


Again, we first thought that this email made to look like it came from Verizon Wireless, was a phishing scam but we were wrong!  VirusTotal had no problem informing us about the real intention of this email.  Fortunately, the from address and poor English in the email are clear signs that the email is fraudulent.

A BIG delete!



Until next week, surf safely!