October 11, 2017


Ten days ago the United States suffered the greatest mass shooting in our countries history.  Sadly, horrific events like these are becoming more common.  And it is also becoming more common that large scale criminal organizations operating outside the U.S. seize these moments to target our fears and anxieties that grow from these events.  They send out malicious emails designed to prey upon our desire to be safe or, for some of us, to prey upon the fear that we will lose our second amendment rights.  Look below in the Your Money column at the two malicious emails we found just days after the massacre in Los Vegas. These gangs are the scum of the earth.


Sample Scam Subject Lines:

A Safer Alternative To Energize Your Home!

Costco-Gift-Card, $50 Value, Participation Required..

Emailing – DOC085



Instantly Save Up To 40% Off Medicare Insurance With Fast, Easy And Free Quotes!

Kidney Problems? What If You Only Had 5 Years To Live?

Never Pay Full Price For Printer Ink Again! Save With Us Today.

Payment No. 2793-4845

Pre-Qualify For Solar Today – Save Now!

Private Invite: 85% Off Custom Canvas Prints

The Ingenious New Way To Learn Piano & Keyboard

Unlock your preloaded Amazon card today (prime members)


Sample Scam Email Addresses

1ink Coupon Offer <1inkCouponOffer @ ertew-DOT-review>

California Charcoal Works <CaliforniaCharcoalWorks @ charodaryawf-DOT-trade>

Dating.com <Dating.com @ lblobe-DOT-trade>

eCoverage Fidelity Life <eCoverageFidelityLife @ fidelmbiramuy-DOT-review>

Eyeglass Hacks <EyeglassHacks @ carbosteadsedk-DOT-review>

“Grab your Gift” <GrabyourGift @ skylative.stream>

Keysmart Key Organizer <KeysmartKeyOrganizer @ krysmagvg-DOT-review>

Match Affiliate <MatchAffiliate @ masebatpalaka-DOT-review>

Natural Kidney Health <NaturalKidneyHealth @ kidsuitedunitliv-DOT-trade>

OurTime <OurTime @ lifeteleboyedder-DOT-review>

Santa’s Official Letters <SantasOfficialLetters @ santaenlgoel-DOT-review>

Solar Panel System <SolarPanelSystem @ msweasw-DOT-review>

Toe Fungus Cure <ToeFungusCure @ swasdej-DOT-trade>




Phish NETS: iTunes and Web Email

This first phish was sent to us by a TDS reader.  She was savvy enough to recognize three important signs that it was a scam…

  1. The email did not come from Apple.com
  2. October is misspelled in the email as “Octomber” (By the way, the date is also written in the European style of day first, then month, a subtle oddity.)
  3. A mouse-over of the link “Cancel / Refund Subscriptions” shows that it points to a website called davelawmusic-DOT-com. (We’ve notified Dave that his website is hosting a phishing scam and other malware.)

And we all say….  DEEELEEETE



Two days later the same TDS reader sent us another phish targeting her.  She can spot them! Again, notice that the email didn’t come from Apple.com and the link “Request Refund” doesn’t point to Apple.com!  But if you were to visit the link, WHICH WE DO NOT RECOMMEND out of concern for getting a malware infection, you’ll see an Apple look-alike site inviting you to login.  See below.

Then Deeeleeete! 


“Sever Message” “Our record indicates that you recently made a request to deactivate email And this request will be processed shortly.”  Of course the email provides a link to “Cancel De-activation.”  And that link points to a website in “.ru”  –Russia.  You know what to do.



YOUR MONEY:  ADT Monitoring and Hey Gun Enthusiast

This next very long scam email was very professionally done.  The from address was successfully spoofed to appear as though it came from the very real company ADT.com, but it did not.  The email contains so many details and information to make it appear like a legitimate promotion.  The English is flawless.  And, not coincidentally, it comes just two days after the mass shooting in Las Vegas.  There is only one detail that identifies this as suspicious.  All links point to the strange domain newgift-DOT-bid (as revealed in the lower left corner of the email.)  A WHOIS lookup reveals that this domain was registered on the same day the email was sent using a proxy company in Panama.

Delete. (Note: there is another way we know it is bogus but you’ll have to read further to find out.)


After mass shootings such as Las Vegas, attention rightfully turns to second amendment rights.  Gun enthusiasts often brace for new efforts that try to reduce the ease with which people can obtain powerful guns in the United States, or their accessories.  And this is now a real debate as our Congressional Leaders focus their attention on the accessory called a “bump stock” that turned a semi-automatic weapon into an automatic weapon used in Las Vegas.  Automatic weapons are illegal in the hands of citizens because of their destructive capabilities.  And into this debate, criminals send emails like this one below that begins “Hey Gun Enthusiest.” (See the misspelling?) The email appears to come from an address for guns.com but that was spoofed.  All the links in this email point to the domain seenews-DOT-download. Like the email above for ADT, it was registered on October 3 through a proxy service in Panama.  This is no coincidence.  Both malicious emails were sent by the same criminal gang.  Look at the email address provided at the very bottom of both emails.  It is for a phony marketing company called Apexpoint, located in India.  (We’re working on a feature article exposing this fake company to be released later this month!)

Now delete.




TOP STORY: Why Are These Emails Legitimate?

We spend so much time and effort exposing fraud that sometimes it’s important to pause and remind people why legitimate emails are legitimate! Let’s jump right in with this email from American Express.  The subject line reads “Card Not Present Transaction Approved” and it appears to come from AmericanExpress@welcome.aexp.com.  We have already demonstrated in the ADT.com email that you cannot always trust the from address.  It can be spoofed by professionals.  Here are the signs of legitimacy…

  1. It addressed the full name of the recipient after “Hello.” (We know this is not proof positive because spear-phishing emails are capable of doing that, but it helps.)
  2. In the upper right hand corner can be found the last 5 digits of the card or account number. This is easy to verify!  And it was accurate.  (We’ve seen bogus phishing emails listing the last 5 digits as xxxx3.)
  3. Most importantly, every link in the email pointed back to the legitimate American Express domain: americanexpress.com. This link begins with a secure connection “https” followed by a sub-domain “online.”  https://online.americanexpress.com

Very legitimate!  Don’t delete!


This next email begins with “Dear” and a correct full name to identify the recipient. “Thank you for enabling two-factor authentication for your Apple ID.”  A mouse-over of all links confirm that they point back to apple.com.  And, once again, we find it reassuring that the link is a secure one using the secure protocol “httpS” to send information (as opposed to http, which is not secure.)  Don’t be misled by the “iforgot” in the link.  It is just a sub-domain that appears in front of apple.com.



Finally, we offer this email from no-reply@accounts.google.com with the subject line “Review blocked sign-in attempt.”  “Hi [name], Google just blocked someone from signing into your Google Account [full address] from an app that may put your account at risk.”  Though this email is a bit disturbing, Google is informing you that it is doing the right thing by monitoring your account! Criminals use modified emails that look nearly identical to this to drive you to phishing sites that steal your login credentials.  But this is legitimate.  A mouse-over of the link SECURE YOUR ACCOUNT shows that it points to https://accounts.google.com/  And though the link does contain a redirect (see arrow in bottom right), the redirect is also legitimate: https://myaccount.google.com/   In both cases, accounts and myaccount are subdomains separated by a period from the domain you want to see…. Google.com!


If you found this article helpful, send it to a friend!  And visit our feature article titled Why is this Legitimate?



FOR YOUR SAFETY:  You Have A New Fax, and Invoice

This email wants you to believe it came from RingCentral, a communications provider, but look carefully at the from address. And of course the link for “here” points to a website (golfstationparts-DOT-com) hosting malware according to VirusTotal.com.


This next email about an attached invoice is clearly malicious.  The “invoice” attached is actually an html web document containing web code.  We cracked it open to discover that it actually seems to point the recipient to a Gmail login window which would make it a phishing scam.  But there was also code in the file that we didn’t understand and had the potential to do more harm.

Just delete.



ON THE LIGHTER SIDE:   Get a Grip on the Humman Body

At heart we are educators.  So we were very interested to see this email from Dr. James Ross, offering a course in Human Anatomy and Physiology.  We can’t wait to learn what a Humman body is!  And from a man who has so many international roots too!  His domain, humagbg-DOT-review,  was registered the day the email was sent by a woman in New York who uses a Russian email service (yandex.com) and is hosting the domain in Hamburg, Germany.


Until next week, safe surfing!