November 15, 2017


Last week we wrote about international criminals targeting Americans by sending malicious emails disguised as information for health insurance during the Open Enrollment period, from November 1 through December 15.  We were able to get a site taken down called EnrollmentMarket-DOT-com.  Well, these bastards bounced back pretty quickly and registered another website called EnrollInsure-DOT-com running the same malicious scam email….


Of course we immediately reported this fraudulent domain to the service hosting it.

Also last week we reminded readers that criminals try to use content meant to trigger a visceral response from email recipients.  Here’s another example targeting any woman who has ever suspected her spouse or boyfriend is cheating on her.  It is malicious click bait. “Track the owner of any phone” says an email from exposecheatnow-DOT-com, a domain that actually doesn’t exist as of November 11.

Read our latest featured scam on our website: Google Listing Scam Call 


Sample Scam Subject Lines:

16,000 woodworking plans inside…(2 days left)

ACH Transaction


Do Something This Holiday Your Child Will Never Forget

Eliminate psoriasis forever

How to hit the lottery over and over

Invoice OMN1215364

Miracle cream hits biggest deal in Shark Tank History

Payment Confirmation – Please Review Today!

Swiss-Army Knife-Like Organizer!

The Most Realistic Airplane Flight Simulator!

This could lead to cancer (read this before you brush your teeth again)

Will your heating system fail this winter?

Sample Scam Email Addresses

“CCH debt solutions” <sparks @ welcomewin-DOT-com>

“choice HOME warranty” <john @ perfactbluesky-DOT-com>

FreeForLife @ upeops-DOT-bid

“Intelligence Flight Simulator” <contact @ simulationsgame-DOT-bid>

KeySmart – Key Organizer <KeySmart-KeyOrganizer @ easykesy-DOT-date>

Li Kung Liver Detoxifier <Liver-Health-Institute @ retrephs-DOT-bid>

MICHAEL KORS <hello @ 068795-DOT-com>

Santa’s Workshop <SantasWorkshop @ bsantadg-DOT-date>

“Stop Snoring Tonight” <snoring.problem @ seresw-DOT-bid>

“TedsWoodworking” <woodworking-project-plans @ trekrpls-DOT-bid>

“TrumpHealthcareReplacement” <skyroad @ grandefragrance-DOT-com>

“Consumer Rewards” <consumer_rewards @ vouchwithme-DOT-com>

Wells Fargo <noreply @ wellsfargomessage67-DOT-ml>



Phish NETS: Netflix, Bank of America, PayPal and Amazon

This phish pretends to be from Netflix but it is easy to see through it if you just look at the sender’s email or mouse-over the link for “Update Now.”  The email was sent from France (“.fr” = 2-letter country code for France).  Lame.  And besides, anyone who tells you they are having trouble authorising your Credit Card had better identify you by name and give you the last 4 digits of that card!  This phish is trying to capture your credit card information.  By the way, the link will send you to a website in Thailand. (“.th” = 2-letter country code for Thailand.)

Just delete.

This Bank of America phish is equally as lame.  “Dear Valued Customer, You have an incoming payment stated from your Checking account.”  Awkward English! Read the email and you’ll find multiple instances of awkward English.  The from address is actually from Northwest Missouri University.  The link for actually points to a hacked website in Germany that is written in Persian!


“Dear Member, your account will be limited” says an email from the fictional domain inside.paipalcom.  No such domain exists.  The link “Click here to activate your account” points to the link shortening service  We unshortened that link to find that it will send you to a hacked website for the Oklahoma Public School Resource Center.  (We’ve notified them.)  Below you can see the fake PayPal login waiting for you there.



Finally, here’s another Amazon scam sent to us by one of our sharp-eyed readers!  But, truth be told, we’re not sure if it is a phish or just social engineering trick sending you to malware.  We have been unable to get our tools to give us any information about the destination of the link “View or manage order.”  …Other than the fact that it points to an obvious subdomain for a hacked Ophthalmic office website in Peru.  Our reader’s eyes were good enough to spot this fraud so we think we’ll just move on….



YOUR MONEY: Huge Thanks from Costco, Pandora 80% off, and Amazon Prime Survey

We LOVE the effort the criminals are making in this next malicious email “A huge thanks from Costco.”  Look at the from address carefully.  It came from!  “Cammie Macpherson” registered that domain on the day the email was sent and is hosting it in Istanbul, Turkey.  We’ve found many other malicious domains registered by “Cammie.”   The domain was registered through, a favorite registrar used by criminal gangs lately.  Why they can’t see the obvious fraud in a domain name like is beyond us.

Do you like Pandora jewelry?  Want a chance to purchase it at 80% off?  This is not that chance.  It’s just click bait.  The links all point to a hacked website for an antiques dealer in France.  Malware waits for you there, not Pandora jewelry.

The same TDS Reader who sent us the Amazon scam also sent us this click-bait.  Look carefully at the from address.  Is this for Amazon or Sears?  The criminals most likely re-used a Sears scam email and forgot to change the from information.  “Take a survey about Amazon to get a FREE GIFT!”  Errrr…. No thanks.  The link to Poland (”.pl”= 2-letter country code for Poland) is scary enough by itself.



TOP STORY: Tricks to Infect Apple Computers

We remind Apple computer owners that they are not immune to the malware that targets the Windows operating system.  During the last few weeks we have seen an increase in the number of malicious emails and tricks that are specifically targeting Apple computer owners and we made this point in last week’s Your Money column called “Detox My Mac.”

In the past week we saw more tricks targeting Mac owners.  Doug at The Daily Scam was visiting a well known news website when this gem popped up!  “Please Install Media Player To Continue (Recommended) Installing takes under a minute – No restart is required”  How convenient!  Notice the domain name connected to this helpful “Media Downloader”…  cdn-DOT-nylondigital-DOT-win. This bogus domain was registered on October 29 using NameCheap (again!) but through a private proxy service in Panama.  This popup has bad mojo all over it.


Doug wondered what website had been hacked and was responsible for this poison pill.  Here is a screenshot of the most recent history that lead to the popup poop…

At 7:06 pm he got hammered from three very suspicious domains (spotscenered-DOT-info, plaimedia-DOT-com, and solidcpm-DOT-com)  And if you look at the above screenshot carefully, you’ll see that Doug was on when this happened.  Ouch!  Either CNN or one of their advertisers/services got hacked and manipulated.  In any case, DON’T install software because a popup tells you to!  Here’s what VirusTotal said about the domain nylondigital-DOT-win:


Another type of social engineering targeted iPhone users last week.  On November 8 and 9 our honeypot servers were hit with hundreds of emails that were spoofed to look like they came from Soul Electronics from California.  They did not.  The real Soul Electronics even has a warning about these emails here. This email even included a copy of YOUR supposed email to them that you sent the day before…  “RE: iPhone X pre-order”  “good morning , we have managed to ship your iPhone.  Here is the USPS tracking info”  But that tracking info doesn’t point to the USPS website as shown.  A mouse-over reveals that it points to a website called captainspeedy-DOT-com.  And it is 100% malicious with malware waiting to attack your computer.


So, you Apple owners… Want to sleep better at night?  Understand that you are targeted too!  Get yourself some solid Anti-virus/Anti-spyware software installed on your desktops/laptops, such as Sophos.



FOR YOUR SAFETY: Private File Uploaded, Funny Stuff, and “Re”

Readers have sometimes asked us why we separate emails like those below into a separate category when they are malicious like most of the emails we describe in our newsletter.  The reason is because of the design and presentation of these emails, not because they may have attached files or links that are malicious.  These emails tend to be short and made to look like something a friend sent you.  They may even come from his or her hacked account or with an account name you recognize.  In the case of the 3rd email below “Re” it was sent to a group of people who knew each other because another friend had her email hacked and the full contact list was stolen.  Sadly, this malicious spam will continue for years.




ON THE LIGHTER SIDE: Pay Just $185 For $3.75 Million!

We can’t think of a better deal!  All we have to do is pay $185 and we’ll receive millions!  It is a bit odd though that Sterling Bank of Nigeria is using an email address in Japan.  Maybe they have offices there too?

from: Sterling Bank Nigeria <>
date:   Tue, Nov 7, 2017 at 11:14 PM
subject:           Good News !!!!!

Sterling Bank Nigeria
36, Marina Lagos.

Attn: Beneficiary

Sequel to the directive from the Federal Ministry of Finance to pay your withheld sum of $3,750,000 USD. An ATM Card Number worth USD $3,750,000 has been approved for release by the Sterling Bank Nigeria. You are to provide us with this information’s for verification and release of your ATM CARD for delivery.

1.Full Name:

2.Phone number:

3.Delivery Address (not postal address):

The courier cost for the shipment of your ATM CARD is $185 ONLY. No more fees will be charged after this payment. Please help us to serve you better.

Yours faithfully,
Mr. George Gbolahan Duke

Until next week, safe surfing!