November 1, 2017


Happy November! We would like to save everyone from a lot of scary consequences this post-Halloween season.  If you see any email containing links that point to a domain ending with .date, .review or .bid just delete them!  If the email came from any of these top level domains, also delete them!  As you’ll read in our Top Story this week, criminal gangs are using these top level domains over and over to host malicious software. (Statistically, this malware is most likely ransomware waiting to encrypt your computer.  You’ll have to pay a ransom to decrypt it and get access to your files.)  By contrast, familiar “top level domains” (also known as a TLDs) are .com, .org, .gov, .edu and .net.

Two weeks ago our Top Story was about Malicious and Spam Texts. We wrote about an app that appears to spam your contact list to get people to sign up for it.  It is called Gatherwith-DOT-us.  They’re still at it.  One of our TDS readers got one of these bogus texts.

This is a reminder to readers, if you see these, just delete them…



We’re hearing from a number of people who’ve been contacted by phone from someone claiming to represent “The Department of Legal Services.”  Learn about this new scam by visiting our latest article at:


Sample Scam Subject Lines:

Act Now- Because It Won’t Last!

Bank Details

Bank Of America Software Verification and Updates

Confirm payment

Don’t Face Costly Repairs On Home Appliances! Get A Choice Home Warranty Today

Fed Up With Fake Dating? – Try This. You Will Be Surprised!

Hi, Are You Still Single? Find Your Next Date Today!

Important notice

Instantly Save On Burial Insurance With Fast, Easy And F r e e Quotes.

Michael Kors Handbags 2017 New Styles. 78% Off All Sales. Don’t Miss.

Missed delivery notification for tracking 1Z0E0Y413225612727

Provide Everyday Relief for Lower Back Muscles

Rack ’em up: BOGO 90% OFF

Sample Scam Email Addresses

AIG Direct <AIGDirect @ diraigcvhjkl-DOT-review>

Copper Fit Back <CopperFitBack @ ficopghjuiop-DOT-date>

Exoticbride <Exoticbride @ mlkrtybvc-DOT-date>

Finalexpenselifequotes <Finalexpenselifequotes @ finalexpend-DOT-date> Offer <HarpSurvey.comOffer @ harpbgyuiop-DOT-date>

International Woman Online <InternationalWomanOnline @ victhuiopyt-DOT-review>

Jazz Piano Made Easy <JazzPianoMadeEasy @ pianoforhc-DOT-date>

Match Affiliate <MatchAffiliate @ matghaewrt-DOT-date>

Natalia <Natalia @ dateniceru-DOT-date>

Natural Alcohol Detox <NaturalAlcoholDetox @ quitalcvlj-DOT-date>

The CHOICE Home Warranty <TheCHOICEHomeWarranty @ choifghuiyo-DOT-date>

RussianWomenOnline-DOT-com < @ nicrussvajlk-DOT-date>

Usahomeprotection.Com <Usahomeprotection.Com @ homeproteb-DOT-date>



Phish NETS: Netflix and Bank of America

“Your Netflix Membership is on hold” says an email from “”  Notice that this is not the same as an email from  “We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details.”  You’re asked to click the link “Click here to verify your account.”  It points to a website that is trying sooooo hard to look official:



The actual domain (versus subdomain) you are directed to is membership-netflixid-DOT-com and it was registered the day the email was sent by someone named “Jamie Wilson” from London, England.  The domain is being hosted in Panama.  Does this sound like Netflix to you?  Yet here’s what the webpage looks like if you were to click that link:

“Online Banking Alert: Action Required”  This phish even correctly spoofs the from address of   But don’t be fooled by this!  If you read the email carefully you’ll find several grammatical and capitalization errors that should make anyone suspicious.  Also, no bank will send you a verification file!  They’ll ask you to visit their website and log in.  The attached file is a web document meant to trick you into logging into a fake page and handing over your banking credentials.





YOUR MONEY: Convert YouTube Videos and Amazon Consumer Survey

Though VidMate is a real app for Android phone users that claims to download YouTube videos, this email is not from the real VidMate!  The from email suggests that it came from but we doubt that.  Most importantly, mousing over any of the links, such as “INSTALL NOW FOR FREE” reveal that they point to the domain TipTopLoan-DOT-US. This domain was registered at the end of August to someone named “Marshall Davis” from Tanger, Morocco.  This isn’t the domain of the real VidMate app.  (And has identified this domain as a spam source.)

A big fat delete.


We wish we had a dollar for every scam that pretended to be Amazon!  We could retire quite nicely!  But we don’t so…  This “Amazon consumer survey” is just click bait.  But we love their opening line… “Dear You have been a kind person and people around you have noticed that.”  Awwww…. Isn’t that sweet?  And so we’ve been sent a prize.  The link for that lovely surprise points to the domain giftzoness-DOT-bid.  Google can’t find anything at all about this domain.  A WHOIS look up tells us that it was registered the day the email was sent through a private proxy service in Panama.  Are you thinking about writing that address in Staten Island to have your email removed from their lists?   The Suite 702 address is used by the Platinum Elevator Group, an elevator service company.  We’re sure they would be happy to take you off their Amazon consumer survey list. 😉



TOP STORY: Even Criminal Gangs Are Frugal

In the good old days of the Internet there were just six top level domains that are now so familiar to all of us.  They are DOT com, org, gov, net, mil and edu.  ICANN, the governing body of all Internet names, has been expanding this list aggressively during the last few years.  We checked recently and there are now more than 1500 top level domains.  (Visit ICANN to see the list.) Based on our experiences, the vast majority of the newest domains are used exclusively by criminal gangs to target netizens with malicious software.  Unfortunately for the criminals, their use of any domain has a short lifespan before security services discover the risks and put it on their blacklists.  It may be a few hours, days or if they are lucky, weeks.  Therefore they are constantly registering lots of domains every day and that costs money!  Like any good business, they take steps to reduce their costs.

Two newer top level domains favored by the most active Internet criminal gang are DOT-review and DOT-date.  Take a look at these three recent malicious fake emails as an example…

  • Must Have Christmas Gift – Personal Letter From Santa
  • Saving You More – Term Life Coverage – $0.50/Day! From Fidelity Life
  • Piano Lessons – You Get to Sound Like A Pro Right From the Start



To host their malicious software, the criminals purchased these respective domain names:

  • offisanlopiyui-DOT-date
  • fidelvbnmkio-DOT-review
  • vbfhde-DOT-date

All three of these domains were registered through a service called NameCheap.comThough we cannot see what the criminals paid for these exact domain names, we can deduce how much they paid for them, versus the cost of more familiar top level domain names.  We asked to quote us a price to purchase the exact same domains used in these malicious emails but dropped the last letter before the DOT-date or DOT-review.  NameCheap quoted us a price of 48 cents for a 1-year lease!  However, look at the prices we found if we used more familiar top level domains.


Even other obscure top level domain names such as DOT-club ($0.77/yr), DOT-life ($1.88/yr), and DOT-world ($1.88/yr) are more expensive than DOT-date and DOT-review.  These are clearly the cheapest domain purchases that can be made.  Also, criminals purchase them by the THOUSANDS every year so they might even be able to buy them in bulk at a lower cost, thereby saving themselves even more money!  How very frugal of them.  And this also explains WHY we all need to recognize the top level domain in the from address of an email, or in the link revealed by a mouse-over!  If you see DOT-date or DOT-review, you need to DOT-DELETE!  Below are a few more of their frugal choice malicious emails.


IMPORTANT FOOTNOTE: According to Wikipedia, “Namecheap, Inc. is an ICANN accredited registrar, which provide services on domain name registration, and offer for sale domain names that are registered to third parties.”  And according to their own website, NameCheap is owned by Richard Kirkendall. Do you think Mr. Kirkendall or his key administration know that criminals are purchasing thousands of domain names through them to target millions of people across the world?  We think the answer is very likely yes, they know.  Do they care?  Do they work with the FBI, Interpol or other agency to report the misuse of their services to make it harder for the criminals to operate?  We HIGHLY doubt it!  And it isn’t just NameCheap.  We’ve found other Registrars that have been heavily used by criminal gangs.  There is NO incentive for them to do the right thing.  Neither does ICANN have any moral backbone to help the average Internet user.  In fact, the entire system of Registrars and ICANN seems rigged to enrich their pockets at our expense.

Additional note: There is a good article titled “How to Register a Domain Name” found at to learn about the proper way to register a domain.




FOR YOUR SAFETY: Your Invoice, Your Shipment, Missed Deliveries and More!

It’s important to recognize when our email services or Google informs you that an email is spam or may be malicious.  They don’t always get it right and our newsletter is a perfect example of that!  (We are often classified as spam or risky because of the content we address, especially reporting on the names of malicious domains.  That’s why we changed our practices to say DOT-name instead of writing “.name”)

Here’s a perfect example.  This email from “Janis” about an attached invoice came with a warning that the Word document was malicious.  We asked to confirm this warning and the results below are very clear!



This next invoice from “Jake” contains a link to a malicious website.  Can you tell the country from which this email originated? The 2-letter country code is “.de”  The answer is below.


(Look at the domain in the from address:  .de = Deutschland = Germany)

It appears that you have a DHL arrival notice and it looks like it actually came from  But it didn’t.  It was spoofed.  Read the email carefully… “Your package has been arrived…”  The attached file is nothing more than a graphic that is linked to a legitimate, but hacked, Florida website called They are already aware they were hacked and have removed the malicious content.


Check out this missed delivery notification.  It clearly didn’t come from  Of course, clicking to download the missed shipping notice will just lead to an infected computer.  We saw hundreds of these notifications!  Just look below at a small window of what hit our honeypot server.



Finally, we leave you with this short message sent to us by one of our readers… “Steve wrote: probably you will appreciate it” and a link to a DOT-stream website.  The link is 100% malicious.

Just delete!


ON THE LIGHTER SIDE: Will Smith Talks About Being An Alchemist

Will Smith is such a fantastic actor and we’ve always loved his films!  So you can imagine how excited we were to see this email about an interview he gave, calling himself  “an alchemist,” metaphorically of course.  We’re eager to find out what Mr. Smith has in common with NASA Scientists and Tech billionaires and it’s all just a click away…

Until next week, safe surfing!