October 18, 2017

THE WEEK IN REVIEW

If nothing else, scammers who target us are predictable in some ways. After every major news event there will be scams that prey upon people’s empathy, fears or anxieties related to the event. This has happened after each of the recent major disasters. The U.S. Federal Trade Commission (FTC) has posted warnings about these scams on its website. Here are a few links to their warnings:

Wise Giving in the Wake of Hurricane Harvey

Recovering From Hurricane Maria

Hurricane Maria – Make Your Donations Count

In our October 4 newsletter we wrote about the Equifax security breach and the scams that followed. Here’s another scam meant to prey upon people’s fears about digital security. The email appears to come from the very legitimate company called LifeLock. It contains a lot of information about their service, pricing and a discount. But it is all just camouflage for malicious click bait. The only “reveal” to this threat occurs if you mouse over any of the links and look closely in the lower left corner to see where they lead. They point to a link at the link-shortening service bitly.com (bit.ly). We used Unshorten.it to see where the link really sends you and discovered that you’ll wind up on a website carrying malware to infect your computer. Not everything is as it appears to be online.

Sample Scam Subject Lines:

Employment Opportunity

Free Watches Just Pay the Shipping

Hello Dear

Oh my god – you NEED to see this

Michael Kors Handbags 2017 New Styles. 78% Off All Sales. Don’t Miss.

Miracle nutrient STARVES germs and viruses

Never Pay For Covered Home Repairs Again

Pandora 90% OFF SALE, Last Chance!!! Hurry!

RAY-BAN–Limited time only: Final Hours! 94% Off Your Purchase

RE ***NOTIFICATION OF YOUR ATM CARD.Payment***

This is potentially devastating

Voice Message from 876-661-0098

Your attention

 

Sample Scam Email Addresses

Auto Comparison <AutoComparison @ americlen-DOT-review>

“Cure Your Insomnia” <scientific-breakthrough @ getfliks-DOT-bid>

“INTERNATIONAL MONETARY FUND (IMF)”<monitor @ franweb.net.br>

“Nasty Nail Fungus” <contact @ infectnails-DOT-online>

Pandora <pandora @ must-buy-winter-DOT-top>

“Start Flying Now” <VirtualPilot3D @ pilotdeo-DOT-bid>

The Choice Home Warranty <TheChoiceHomeWarranty @ chopotailjunj-DOT-review>

“The CH0ICE Warranty” <hello @ taakkie.com>

“UNITED NATIONS”<M @ gmail.com>

“vvczzz77@t-online.de” <vvczzz77 @ t-online.de>

 

Phish NETS: PayPal, American Express, and Bank of America

There are so many clues in this email from “PayPal Update” that should make the recipient suspicious! Like the fact that it was sent from “paypal @ reviewer.com,” not paypal.com. Also, many of the text characters in the email itself are odd, mismatched and difficult to read. And how about the fact that you are not addressed by name in the email or given a portion of your account number! Finally, the attached file, “FormAttached-DOT-html,” is a web document and very dangerous to open! When we tried to download it, our anti-spyware software immediately recognized that it contained dangerous code and deleted the file!

Ouch.

Once again, there are so many signs in this American Express notification that should make you suspicious.  How about the fact that it was sent from a domain that looks like it is for the Navy Federal Credit Union! (notifications @ navyfederal-DOT-yy)  “Your Account Requires Immediate Attention”  The email starts “Hello,” but doesn’t list your name.  Most importantly, it doesn’t give you the last 4 digits of your account number in the upper right corner of the email.  Finally, the button “Continue” points to the hacked website of an architectural college in Madrid, Spain.

Deeeeleeeete!

Language and grammar are critically important when evaluating the legitimacy of information you receive online or via your smartphone. You can be certain that real messages from the companies that provide your services will be flawless in grammar, punctuation and use of language. Read this email carefully and you’ll see why it can’t possibly be legitimate! Even though this next email seems like it came from Bank of America via boa.com, you may be surprised to learn that boa.com has nothing to do with Bank of America. In fact, boa.com appears to be some type of consulting service with a domain set up through a privacy service. Of course, mousing over “Verify” reveals that it points to a hacked domain, swedishcareerfair.com, not bankofamerica.com.

Delete!
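
The checks applied to these three emails (a sender domain that is not the company’s own, and buttons whose real target is some other site) can be automated. The following Python code is an added example, not part of the original newsletter; the sample message, the address alert@boa.com and the .example hosts are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "bit.do", "goo.gl"}  # shorteners named in this newsletter

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._cur = [dict(attrs)["href"], ""]
    def handle_data(self, data):
        if self._cur:
            self._cur[1] += data.strip()
    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append(tuple(self._cur))
            self._cur = None

def under(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def review(raw_email, brand_domain):
    """List the mismatches in an email that claims to come from brand_domain."""
    msg, findings = message_from_string(raw_email), []
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if not under(sender, brand_domain):
        findings.append(f"sender domain {sender} is not {brand_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"'{text}' hides its target behind {host}")
        elif not under(host, brand_domain):
            findings.append(f"'{text}' points to {host}")
    return findings

# Constructed sample modelled on the Bank of America email described above.
SAMPLE = '''From: "Bank of America" <alert@boa.com>

<p>Hello,</p><a href="http://hacked-site.example/login">Verify</a>
<a href="http://bankofamerica.com.hacked-site.example/">Sign in</a>
<a href="https://www.bankofamerica.com/privacy">Privacy</a>'''
```

Calling `review(SAMPLE, "bankofamerica.com")` reports the sender and the first two links but not the third; the host comparison is on the registered domain at the end of the hostname, so a brand name placed at the front of a longer hostname does not pass.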

YOUR MONEY: Get A CVS Gift Card, Become a Kroger Secret Shopper, and Expose Cheaters

The subject line reads “Consumer News: Get an CVS Gift Card!” Does this seem like correct grammar to you? That’s the first tip-off. The email goes on to invite you to get a $50 gift card but then offers a $100 gift card further down the email. Again, if you read the small paragraph underneath the text “We want to hear your opinion!” you’ll notice more grammar errors. These errors should be enough to keep you from accepting their invitation! The link leads to a shortened URL at bit.do. We used Unshorten.it to discover that you will be redirected to a file on the website firedag-DOT-com, located in Bulgaria. The Zulu URL Risk Analyzer tells us that this website in Bulgaria is 100% malicious.

Ouch!

In the Top Story of our September 20 newsletter, called Pain by the Numbers, we revealed a scam disguised to look like recruitment efforts for secret shoppers at Kroger stores. It appears that these scams are back. Check out this email with the spoofed address made to look like it came from Kroger.com for an “Employment Opportunity.” However, the link for “Sign Up” points to a drilling company in Canada! (2-letter country code of .ca = Canada) We asked Screenshot Machine to follow that link and tell us what it found. Look below at the personal information you will be asked to provide to these criminals.

Best to delete!

 

“Is your partner cheating? Find out today” says an email from beatacheat @ beatacheat-DOT-com.  All links in the email point to the odd domain newchetr-DOT-bid.   This domain was registered using a private proxy service in Panama on the day the email was sent.  Even beatacheat.com, a site first registered in 2003, has no known functional website and no information that Google can find on it.  But, as you’ll see below, a Google search of beatacheat.com located several links of fake emails being generated through fakemailgenerator.com.  This email is nothing more than malicious click bait!

Now delete.

TOP STORY: Malicious and Spam Texts

We’ve asked groups of people, in very unofficial surveys, if they had ever received random texts from people, phone numbers, bots, or services.  The overwhelming majority of people say yes!  The question that follows is simple.  Are these unsolicited texts safe or legitimate?  Here are two recent examples TDS readers sent to us…

“Hi [name], Receive a $50 Amazon Gift Card or Reward – Just complete a short consumer survey from Amazon.”  The recipient was presented with a link to a website called Magnumseven-DOT-com.

We asked the Zulu URL Risk Analyzer to check out Magnumseven-DOT-com and it told us that this website was harmless.  BUT it also told us that this website held a redirect that will forward visitors to another site called dutyperiuse-DOT-com.  When we asked VirusTotal to tell us about dutyperiuse-DOT-com we learned that the site is hosting malware waiting to infect our smartphone.  Nasty!

Considering how much personal information is now on consumers’ smartphones and how we use these devices to live our lives, criminals want access to and control of them to make money.

What about this odd, random text from 619-821-2511 that was sent to one of our readers? “You have been invited! Your friends want to hang 🙂 Check it out” followed by a shortened link using Google’s shortening service…

Let’s start with the phone number 619-821-2511.  The TDS reader tells us that she doesn’t know that phone number and has no idea who the sender is.  We don’t know why, but this phone number was marked as “negative” two months ago at SpyOnCaller.net without any explanation.  Otherwise, there is precious little information about this phone number we can find.

Once again, we used Unshorten.it to see where the link will send you and discovered that you’ll be taken to a website called GatherWith.US. The actual redirected link from Goo.gl is also rather short… gatherwith.us/dl. Why would such a short link need to use a shortening service to send people to it? It’s as if they wanted to hide who they really are. Apparently, Gatherwith-DOT-US “is an app that let’s you send and receive invites to hang out with friends in real life.” Sounds innocent enough. Perhaps our TDS reader got this invitation from a friend’s phone after all? Or perhaps she simply got spammed by an app that seems to have built a reputation for spamming its users without asking permission. Read this scathing article posted last April in TechCrunch.com called “Don’t Get Played By This Spammy App Like I Did.” Apparently, this app’s misuse of people’s smartphone contacts is so common that it has led to a class-action lawsuit filed against the company for violating FTC rules. Check out the article at TopClassActions.com. Though “Gather” may not be malicious, does it seem like an application you would want to install on your phone and trust with your contact lists?

The next time you get a text from an unknown source or with a questionable link or content, don’t assume it is legitimate, safe, or worth your time to click. Do a bit of investigation first or simply delete it! The last thing you want is your phone corrupted with malware or your personal data stolen and misused.

FOR YOUR SAFETY:  View Document, Balance Payment, and File Has Been Corrupted

This next gem was sent to us by another TDS reader.  “Click on the view document below and sign in to access the documents.”  Sound suspicious?  The link leads to malware waiting on a hacked server in Equatorial Guinea. (2-letter country code gq = Equatorial Guinea)

We’ve reported many times in the past about emails that appear to have a PDF file attached, which recipients are invited to click on, such as the email below. However, the “file” is just an image of a PDF icon that is linked to a malicious website.

Here’s another click bait that tries to fool you into clicking a photo file that it claims is corrupted.  Why you would be asked to click a corrupted file makes no sense to us anyway but whatever….  Instead of a photo file, you are clicking a malicious link to a hacked webserver in Spain.  Even Google can see that the site has been hacked and hosts malware.

ON THE LIGHTER SIDE:   22 Days to Live!

Considering that Liz has only 22 days to live….  Er, strike that.  She wrote it on October 12 and today is October 18 so…. Considering that Liz has only 16 days to live, we have to act fast!  A very warm and big CALVARY greetings to you too!  (Whatever that means.)  We’re not motivated by the 20% we’re going to receive, we’re motivated because Liz invoked the name of God and we want to help Liz do God’s work!


From: Liz Nguyen <lizngu01@aol.fr>
To: –
Subject: Calvary greetings to you
Date: 2017-10-12 07:38AM

Calvary greetings to you,

Greetings in the name of Jesus Christ! may god’s grace and peace be with you. Sorry if this message come to you as a surprise,My name is Mrs. Liz Nguyen, born in texas a citizen of usa, Married to late Dr. Lloyd Nguyen who work in american embassy ivory coast for ten years. Im sending you this message from my sick bed.Nurse help me to write you this mail. Im currently addmited to the hospital here in Ivory Coast suffering from kidney cancer & parkinson disease which denied me making babies,It’s quite obviouse that my Doctor mentioned that I will not last more than 22 days.

My late husband Dr. Garry Nguyen deposited Five million united state dollar in bank here in ivory coast . I wish to know if I can trust you to use this fund for charity project like orphanages, undisprivilege peoples, poor peoples mosques and churches remember in (Proverb 19:17)” He that hath pity upon the poor lendeth unto the LORD; and that which he hath given will he pay him again”. I took this decision because I don’t have any child that will inherit this money and my husband relatives are the one that kill my late husband with food poison.

Take %20 percent of the total fund five million united State dollar as a compensation use %80 for charity as I mentioned.Immidiately I hear from you I will give details to achieve it, Please always be prayerful all through, any delay in your reply will give me room insourcing another man/woman of good faith for this same purpose.

God bless you,
Liz Nguyen.

Until next week, safe surfing!