November 30, 2016


“Black Friday” was last week, in case you were living in a cave and didn’t notice.  Though we expected to see lots of scams disguised as Black Friday deals we only found a handful such as this one from the odd domain  The criminal gangs responsible for this junk are apparently frugal.  This email contains the  line “Offers Ends October 21, 2016” so most likely this scam email was produced in October and then re-born as a “Black Friday Special.”


During the last two weeks we had fun playing with some of the 419ers in Africa.  Read our new feature article We’re Giving Away Money to see how these criminals tried to turn us from being lucky winners into losers.  You can also read some of our former articles about 419 scams here:


Sample Scam Subject Lines:

Are You Living in Chaos Because of Clutter?

Bid pennies and win hot Apple items for only a few bucks

Children’s animation software

How to Give Your Partner Great Massages and Pleasure

Islamic State militants vow to attack major American cities

Make Christmas magical again!

National Alert: Are You Infected With This Nail Parasite?

New Fat Burner Takes CVS by Storm!

Save Money And NEVER Buy A New Battery Again

Senior citizen lovematch

Updated Amazon points balance

Want to improve your skin?

Wireless security systems

Sample Scam Email Addresses

Black Friday Deals – Up to 58% off magazine subscriptions

choice_home_warranty-[YOUR EMAIL]

efficientwindows-[YOUR EMAIL]–[YOUR EMAIL]

medical-marijuana-[YOUR EMAIL]

star_night_laser_deal-[YOUR EMAIL]






Phish NETS: American Express, Paypal and USAA Bank (again!)

This first phish, with the subject “Secure your account,” is really well done! Would it have fooled you? It is disguised as an email from American Express. It was most likely created by one of the skilled criminal gangs in Russia.  First, it was spoofed to appear as though it came from the real domain but we can assure you it did not.  The recipient is informed that “American Express SafeKey is an authentication service that provides an additional layer of fraud protection. This service is part of our continuous efforts to increase account security.”  American Express has such a service! The grammar and punctuation used in the email are perfect.  Links in the email point to a website that seems legitimate… amexsafekeyupdate-dot-com.  How do we know this is a phishing scam? Our favorite tool reveals it… A WHOIS lookup shows that was registered on November 21 to someone named Ivan Huilo from Ekaturinburg, Russia.



“Action Required” “We’ve Limited access to your PayPal” says an email from   If you read carefully though you’ll see several spelling, capital-letter,  and spacing errors in the email.  A mouse-over of the “Click Here” link shows that it points to a shortened URL at  We used the service to determine that the link will redirect you to a malicious web page at thinnow-dot-com.  The Zulu URL Risk analyzer identified the thinnow website as containing a malicious file waiting to install on your computer too.





Finally, here’s another phish disguised as a “Security Preference Notice” from USAA.Services@  Notice in the upper right corner that the email does not show the recipient her last 4 digits on her bank card. A mouse-over of the link “Click here to Validate your Account” reveals that it points to the hacked website, not




Your Money: Go Solar, Your Credit Rating, and Rising Mortgage Rates

“Go Solar & Cut Energy Bills up to 80%” says the email from Polish Mac?  A WHOIS shows that the website was registered using a privacy protection service in Panama on the day this email was sent.


The next email wants you to believe it represents Free Score 360 but it does not.  “Buying a car? Find out your credit rating first (Free-Trial)” The domain being used is and was registered by a Mabelle Malakaney from Parkstrabe, Germany on the day the email was sent.




Here’s another wolf in sheep’s clothing meant to look like an email from the service called LendingTree.  However, the email came from, and links lead back to, the domain Once again, a WHOIS reveals that it was registered just the day before through the privacy service in Panama.  If it isn’t already obvious to our readers, newly registered domains are highly suspicious for a variety of reasons, including the fact that they have no searchable history to determine their safety or reputation.





TOP STORY: New Levels of Deception

We have reported many different types of Internet deception leading to victimization and financial loss.  We thought we had seen most every form of deception but this past week we were surprised to see a couple of new tricks and tricks we haven’t seen in a very long time.  One example is the use of “offensive flash-game sites” as a means to attract visitors to websites that cause computer infections.  Using Google to search for offensive flash games we found flashgames247-dot-com.  The description offered to Google struck us as a bit odd so we asked the Zulu Url Risk Analyzer to investigate.  Have a look at the Zulu report below.





At first we wondered if Zulu had mis-identified the adcash-dot-com link.  Was it really malicious or just an annoying pop-up? If you type adcash and malware into Google, you’ll see many tips addressing the malware installed by Adcash and how best to remove it.  This isn’t the first time we’ve seen flash game sites being used to infect computers.

Here’s a different type of deception that is not malicious but certainly manipulative in a way that doesn’t build trust in the service it represents.  A school recently received the following email from a random web visitor who wanted to suggest a resource for the school’s website.  The school representative was suspicious and asked us to investigate.  The first oddity was that the email was sent from a user named MrsSuzanneAnderson but it was signed by Loretta.  Normally this wouldn’t be so terribly suspicious until we peaked under the hood and noticed that the email also contained a tracking gif.  Tracking gifs are tiny web graphics that report information back to the sender’s data center.  Information includes the time  the email is opened, how many times it is opened, and other related data. Email recipients would not normally notice these tiny graphics.  Why would a person who suggests a link for a school’s website add a tracking gif to the email?  This got our attention!


A school staff member replied to the email asking “Loretta” what site she wanted to recommend and also why she included a tracking gif in her email.  The first response we almost immediately was this… “Hi, Thanks for getting back to me. I’m just leaving the house for a few hours to run some errands. When I return, I’ll be sure to let you know what I was thinking. Warm Regards, Sue” followed by the religious quote “Don’t seek God’s presents… seek His presence! – Joyce Meyer”  Hours later we got a much longer response from “Loretta.” Loretta’s response began with… “Sorry for that just wanted to reach out and share with you a resource that I’ve found invaluable over the years. The site is a vast directory of small business and banking information complete with otherwise hard to find phone numbers and addresses of government related finance institutions (think SBA loans, USDA loans, and government sponsored business mentorship programs like SCORE).”  She went on to describe a resource that had absolutely nothing to do with the web resources for parents listed on the school’s site.  And she never addressed the question why she included a tracking gif.  We believe this email was sent by a marketing firm hired to promote their client’s click rate and eyeballs on their site.  Marketers send out thousands of emails like the one above to manipulate people’s web behavior and trick them into adding client’s link’s to their websites.  The entire email was fake.   But to add insult to injury, a few days later “Sue” contacted the school to ask if they had considered her request to add the link to the parent’s page.  A school employee responded that they would not do so.  Guess what reply he received minutes later?  “Hi, Thanks for getting back to me. I’m just leaving the house for a few hours to run some errands. When I return, I’ll be sure to let you know what I was thinking. Warm Regards, Sue” followed by the religious quote “Don’t seek God’s presents… seek His presence! – Joyce Meyer”  We are purposely not going to name the site the marketers want to promote.

Another new deception we saw was this email from abusemonitor247-dot-com with the subject “Email Abuse Report.”  It’s actually quite clever! It informs the recipient “we’ve been receiving spam mailout from your address recently…”  An abuse report has been filed and the recipient is asked to view it at abusemonitor247-dot-com.  The domain sounds like it could be legitimate considering the reason stated in the email…


We asked the Zulu URL Risk Analyzer to check out the link and it reports an 85% chance that this link is malicious.   Also, a WHOIS lookup shows that the domain was registered the same day the email was sent and offers a site screeshot that looks like it came from the popular site called

As long as ICANN (the only governing body over the Internet) does nothing to protect citizens and there are few consequences for cyber-criminals, deception will continue to be the “business as usual.”







FOR YOUR SAFETY:  Thank You For Your Order and Overdue Invoice

Malware-laden emails are still way up.  Check out this screenshot of dangerous emails hitting one of our honeypot email servers during a 30 hour period.  Notice that two were sent from fake domains made to appear like but they are not!  The faked domains are docusignsecured-dot-com and docusign-document-dot-com.  Also, many of the emails were spoofed to look like they were sent from the institution that received them. (The from domain is blurred out.)  A clever trick.


We want to remind readers about the risks associated with shortened URLs (links).  There are many link shortening services on the internet that will take a long link and turn it into a shortened link for convenience.  Criminals often use them because you cannot see where the link directs you until it is too late…. Unless you use an unshortening service like

This email from informs the recipient “your tracking code was confirmed”  “We would like to thank you for your order!” “Your order is being processed and your funds will be ready soon.”  However, the link is a shortened link through the service


You can see in the next screenshot that Unshorten.It reveals that the link points to a website in Columbia called 1kdailyprofit.  Of course we asked the Zulu URL Risk Analyzer to check out that Columbian website and, of course, you can guess what we learned.






“Berta Wood on behalf of Gail Russell” informs the recipient that he has an overdue invoice for 681.62.  However, the attached zip file contains only malware.



ON THE LIGHTER SIDE: Laundering Dirty Money

We’ve been contacted by a Mr. Peter Alexandra who says he works with Exxon Mobil.  He wants us to help him launder stolen funds from Exxon.  He’s offering us 40% of $12.2 million dollars.  Should we hold out for 50% or go for it?  [TDS NOTE: These types of scams are often sent from one email address but the recipient is asked to reply to a different email address.  We wonder why this is such a common practice.  Got any ideas?  Let us know!]

Time:  2016-11-19 13:32:46
Subject: Dear Sir/Madam

ExxonMobil House
Ermyn Way
Surrey, KT22 8UX.

Dear Sir/Madam

I am Mr. Peter Alexandra, representing the operation and corporate affairs in contract related matters of Exxon Mobil in London (  Exxon Mobil is one of the World Largest oil producing and Management Company with over 1.2 Trillion pounds Capital contract Investment.

As a senior operational and corporate affairs representative of Exxon Mobil that handle contract related matters, I successfully over invoiced a contract few years back which is not known by anybody and, I need your full cooperation and partnership to re-profile this contract funds amounting to US$12.2M to your name as the contractor that executed this contract in Asia few years.

The fund will be paid to you through a Finance Company where it is presently deposited as soon as the filing and documentation process is concluded in your name because the contract was executed by Exxon Mobil United Kingdom in Asia.

Most importantly, you will be required to fill your data’s stated below to enable me arrange legal documents that will proof you as a sole contractor with EXXON MOBIL:

(1). Stand as the beneficiary / contractor with Exxon Mobil to receive the funds as I will present you before the firm with legal documents.
(2). Receive the funds into a business/personal bank account in your country.
(3). At the completion of this transaction, the sharing rates shall be 60% for me, 40% for you.
(4) Full Names;
(5) Contact Address:
(6) Direct Telephone No:
(7) Occupation:
(8) Age and Marital Status:
(9) Means of Identification:

Note: Do not contact my office number or company email for security reasons. Get back to me as soon as
possible For more details about the funds.

Best Regards.
Mr. Peter Alexandra,
Operation and Corporate Affairs Officer
ExxonMobil London


Until next week, surf safely.