October 19, 2016


Enough already! It’s time to move on from dating scams but Internet criminals insist that we keep returning to this topic week after week.  We apologize to our readers, especially those who aren’t looking for a partner.  It’s not our fault! Here goes…  Eharmony and Asian dating.  Both phony-baloney.  Both malicious as hell. Now let’s move on…






A worthwhile topic that is important to return to is the hyperbole often used by criminals to engineer you into clicking a malicious link.  Like this email from “urgent_info” at the domain susannelyork.net.  “WARNING: 11-Second Video Clip Not for the Faint of Heart.”  “This Could Be the Most Important Advance of the Last 100 Years…”   Like we said… hyperbole duck poop!




Sample Scam Subject Lines:

75% off while inventory in stock

Chat with her!

Compare the Best Dog Food Choices

Facebook Opening Thousands of Positions, See Details 18948573

Find the Perfect Windows at the Perfect Price

Health Alert: Unhealthy Nails Are More Serious Than You Think

Jesus Lost Words Stun Christians (Not in the Bible!)

Natural Diabetes Treatment Works Better Than Prescription Drugs *PROOF*

Protect Your Home With a Home Warranty. First Month FREE

We Need Your Input About Trump!

You Could Get Paid For Your Time

You Have Been Selected to Receive a $50-Amazon Voucher 7573576

Your personalized numerological report

Sample Scam Email Addresses





lendingtree-partners-[YOUR EMAIL]@passingglimpse.com





reverse-mortgage-info-[YOUR EMAIL]@passiveaccommodation.com

senior_living_servicing-[YOUR EMAIL]@cadencecoupons.com









Phish NETS: InfraGard and Apple GSX

“InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.” (Source: Google)  So we took notice when InfraGard announced a few days ago that many of its members were the target of a phishing attack.  What makes this attack different, from our perspective, is that there is no financial gain for the attackers.  This was meant to gain access to the well-protected digital meeting place of the InfraGard members in order to gain intelligence.  This is one more reminder that today’s battlefields include cyberspace.  Below is a copy of the phishing email that targeted InfraGard users.  It appeared to be fraudulently sent from the email of a financial account associate at a company in Wisconsin.  The “reply to” email @tech-center.com is often used by scammers to make an email look legitimate.

From: Help Desk <EMAIL REMOVED>
Date: October 13, 2016 at 3:52:46 PM EDT
To: <EMAIL REMOVED>
Subject: Scheduled Maintenance & Upgrade
Reply-To: help.deskteam001@tech-center.com

Help Desk

Scheduled Maintenance & Upgrade

Your account is in the process of being upgraded to the newest Windows-based servers and an enhanced online email interface inline with internet infrastructure Maintenance. The new servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile devices to enhance your usage.

To ensure that your account is not disrupted but active during and after this upgrade, you are required to kindly confirm your account by stating the details below:

* Domain\user name:
* Password:

This will prompt the upgrade of your account.

Failure to acknowledge the receipt of this notification, might result to a temporary deactivation of your account from our database. Your account shall remain active upon your confirmation of your login details.

During this maintenance window, there may be periods of interruption to email services.  This will include sending and receiving email in Outlook, on webmail, and on mobile devices. Also, if you leave your Mailbox open during the maintenance period, you may be prompted to close and reopen.

We appreciate your patience as this maintenance is performed and we do apologize for any inconveniences caused.


Customer Care Team


Here is another phishing email targeting Apple Certified techs through their “GSX” Global Service Exchange.  The email appears to come from the very real Apple domain “apple.net.” (This from address has been spoofed.)  Instead of a link, the email contained a very dangerous web file identified as ast_approved_download_form.html.




We cracked open the code to the attached html file to see what was really going on. The form requested the login credentials of Apple GSX users.  But there was one line of code in this web document that stood out to us.  Look at the highlighted action showing where data will be sent after filling out the form…




Clicking “submit” will send the user’s data to a website identified as c56.pl.  Can you recognize the 2-letter country code in this domain?  .pl = Poland.  We’re not sure how this is possible but various tools inform us that this website is actually being hosted in Moscow, Russia, not Poland.  Either way, it certainly isn’t Apple.com.  Here’s what the Zulu URL Risk Analyzer had to say about this website…
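The same check we did by hand on the attachment can be scripted. This is an added example, not code from the phishing file: it reads an HTML attachment, finds every form that contains a password field, and reports the ones whose action posts somewhere other than the expected domain. The sample HTML is constructed; only the host c56.pl comes from the email described above, and the path and field names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the attachment; only the host c56.pl comes from the
# newsletter, the path and field names are placeholders.
SAMPLE_ATTACHMENT = """
<html><body>
<form method="post" action="http://c56.pl/PLACEHOLDER-PATH">
  <input type="text" name="appleId">
  <input type="password" name="pw">
  <input type="submit" value="Submit">
</form>
<form action="search.html"><input type="text" name="q"></form>
</body></html>
"""

class FormAudit(HTMLParser):
    """Collect each form's action URL and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form> seen
        self._current = None   # the form we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(html, expected_domain):
    """Return (host, action) for credential forms posting outside expected_domain."""
    audit = FormAudit()
    audit.feed(html)
    hits = []
    for form in audit.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        inside = host == expected_domain or host.endswith("." + expected_domain)
        if form["password"] and host and not inside:
            hits.append((host, form["action"]))
    return hits

if __name__ == "__main__":
    for host, action in suspicious_forms(SAMPLE_ATTACHMENT, "apple.com"):
        print(f"credential form posts to {host}: {action}")
```

The domain comparison is done on whole labels, so a lookalike host such as apple.com.example.net is still reported.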



Your Money: Cash Back While Shopping, Massive Holiday Discounts, Kohl’s Rewards

How would you like to receive 20% cash back each month from most of what you are buying each month on food, gaz, cloth, drugstore etc….  Sounds good to us!  “WHATCH THIS SHORT VIDEO YOU WILL LOVE IT”  Ok, hold on. “Louise” made no effort to hide the link’s destination.  It points to economie.saivian.net.  We were curious and asked Google.  Much to our surprise we found many links and information about the company Saivian.net as a “savings benefit program.”


However, it also took no effort at all to find reviews of Saivian.net from people who were calling it a very clever scam that sucks up your dollars and returns little.  This article at AvertScams.com does a great job exposing this sham.



As we approach Halloween, we’re reminded that scammers will soon be targeting consumers with holiday scams via emails, text and web coupons mimicking real seasonal specials.  Here is our first spotted (somewhat) seasonal scam email with the subject line “Massive Holiday Discounts on Popular iPad Case & Keyboard.”  If you think this discount is being offered by the real Touchfire manufacturer of these products, look again.  The email came from a domain in the European Union called softouch.eu, not touchfire.com.  (Also notice spammy hidden text and “Free Bird Research” –a bogus non-existent company we’ve reported on in the past.)



“You have 1 new message” says an email sent to us by one of our readers.  “Congrats! KOHLS rewards – Open immediately!”  …Hell no!  A mouse-over of the link reveals that it points to a strange website identified as esstitusta.net.  A WHOIS lookup tells us that this domain was registered at the end of August by someone named “Sure Winter” from Livonia, Michigan and the domain is being hosted in Falkenstein, Germany.  Sound like Kohl’s to you yet?






TOP STORY: Can 2 Letters Save Your Life?

Have you had enough of this political season?  Unless you live in some deep, dark hole we’re guessing that you’ve had quite enough.  As have we.  We’re sick and tired of all of the nastiness and seeing American politics sink to the lowest level of ethics and decency we have ever witnessed. While wondering about the outcome of the election and the current sad state of affairs we got this email…  Will Trump win?  It appears to be an invitation to participate in a survey from giftcardchief.com and receive a $100 Visa Gift Card (some conditions and restrictions apply.)

Everything about this survey seems like a marketing promotion, including the fact that there is indeed a real GiftCardChief.com company.  We invite our readers to look at this email with a very critical eye.  There are two letters in the entire email more than any others that should make the recipient so suspicious that he or she will lunge for the delete key.  Can you spot them?


We’re hoping that our readers will intuitively first look at the from address and then at the link revealed at the bottom of the email by mousing-over the “click here” or graphic.  Both show a domain called issue1withn.pw.   The two letters that should scream out to those who understand them are PW.   In 1974 the International Standards Organization (ISO) devised 2-letter abbreviations for countries, territories, and special geographical areas of the world.  Beginning in 1985 they were adopted for use into the developing Internet geography to identify the location of some webservers outside the U.S. as well as the location of  some email servers.  This 2-letter identification is incomplete and somewhat inconsistent but one thing holds true.  If you see a 2-letter country code at the end of an email address or domain name, it means that the email came from that country or that the website is being hosted in that country.  There are many websites that identify these codes across the Internet but Wikipedia, in particular, has a thorough article on the topic and lists all known 2-letter country codes.

So what does .pw tell us about this email?  According to the ISO standards, pw indicates that the origin of the email, and links in the email, point to services in Palau, an archipelago of 500+ islands in Micronesia.  This is important because it strongly suggests that this email is something other than what it claims to be.  Why would anyone in Palau run a survey about our politics? Why would a company in the U.S. use a service in Palau for this purpose? The moment you cast doubt on the authenticity of anything on the Internet is the moment to pause and look deeper…
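The look-at-the-from-address-and-the-link habit described above, and the Reply-To mismatch in the InfraGard email earlier in this issue, can both be checked the same way. This is an added example, not part of the original newsletter: it lists every sender, reply-to and link host that falls outside the domain the email claims to come from, and names the 2-letter ending when it is one mentioned in this issue. The sample message is constructed; only the domains come from the email discussed here, and the mailbox name and link path are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Two-letter endings named in this newsletter.
COUNTRY_CODES = {"pw": "Palau", "pl": "Poland", "eu": "European Union"}

# Constructed message: only the domains are taken from the newsletter.
SAMPLE = """\
From: Gift Card Chief <survey@issue1withn.pw>
Subject: Will Trump win?
Content-Type: text/html

<a href="http://issue1withn.pw/PLACEHOLDER">click here</a>
<a href="http://www.giftcardchief.com/terms">terms</a>
"""

def check_message(raw, claimed_domain):
    """List sender, reply-to and link hosts that fall outside claimed_domain."""
    msg = message_from_string(raw)
    hosts = []
    # Header addresses: take the part after the last "@".
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            hosts.append((header, addr.rsplit("@", 1)[1]))
    # Link targets: what a mouse-over would reveal.
    for url in re.findall(r'href="([^"]+)"', msg.get_payload(), flags=re.I):
        host = urlparse(url).hostname
        if host:
            hosts.append(("link", host))
    findings = []
    for where, host in hosts:
        host = host.lower()
        if host == claimed_domain or host.endswith("." + claimed_domain):
            continue  # matches the brand the email claims to be from
        ending = host.rsplit(".", 1)[-1]
        findings.append((where, host, COUNTRY_CODES.get(ending, "")))
    return findings

if __name__ == "__main__":
    for where, host, country in check_message(SAMPLE, "giftcardchief.com"):
        print(where, host, country or "(ending not in table)")
```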

A WHOIS lookup of the domain issue1withn.pw informs us that it was registered on October 4 to someone named “Fred Jenkins” of the company FJ Appliances in Goldsboro, North Carolina.  Curiouser and curiouser…  We used Google to look up Fred Jenkins and FJ Appliances and found nothing.  We couldn’t even find any business in North Carolina or anywhere in the U.S. called “FJ Appliances.”  The address registered for the domain issue1withn.pw is a house listed for sale by owner on Zillow.com.  According to DomainBigData.com the email address registered with the domain has also been used to register 25 other domains during the last few years, none of which have anything to do with GiftCardChief.com, but  they sure seem strange like these two:

Myjesustea.com
Popacheese.com

Now we were really suspicious so we headed to our usual tool kit and asked the Zulu URL Risk Analyzer to look at the link we were asked to click.  Surprisingly, Zulu told us that it was completely without risk.  Harmless. BUT HOLD ON…. Zulu also told us that this safe website in Palau contained a redirect to another website we’ve seen before called sweeterfaster.com.


We reported in our September 7 newsletter  that sweeterfaster.com was identified as hosting malware in the Netherlands and severely malicious.  We then checked VirusTotal.com and it informed us that the online virus scan tool known as ESET has also identified sweeterfaster.com as a phishing site.


Back to our point… While it may have been overreaching to ask “can 2 letters save your life,” it hits the digital equivalent.  A malware infection caused by clicking the link in the email Will Trump win? can cause serious harm impacting your digital life and personal accounts including banking, email, credit cards and social media.  This could be a nightmare waiting to happen. For us, those 2-letter country codes are enough to catapult us to the delete key.


FOR YOUR SAFETY:  Problem with Parcel Shipping; Unable to Deliver

Many of the emails we found trying to deliver malware right to your desktop were disguised as notices about shipments that could not be made… Like these two.  By looking at the from address, can you tell which one of them was sent from Brazil?







ON THE LIGHTER SIDE: International Monetary Fund Delivers Our Money!

We wonder how Mrs. Lagarde of the International Monetary Fund knew that we misplaced that $21 million dollars!  For the life of us, we couldn’t remember where we had put it down. Chalk it up to age.  Thank goodness for honest folks like Tommy Milton John Dismas…or whatever his name is.

From:  miltondismas47@gmail.com
Time:  2016-10-15 05:26:10
Subject: URGENT

I am Tommy Milton John Dismas Malaysian assigned delivery diplomat  working with the IMF Diplomatic council and I am contacting you here  from the London Heathrow International Airport (LHR),   in respect of  (3)  three consignment boxes worth Twenty One Million United States  Dollars ($21,000,000.00 Million Usd) to which I have being assigned by  the head of the IMF Christine Lagarde to complete delivery to you.

The British Government and the IMF  Committee On Government Compensation Unpaid/Contract/ Donation released these boxes today for  delivery to their respective beneficiaries,Your Name was Tagged to this  (3) three boxes as the Beneficiary/Receiver. It is in this regard that I  was appointed to make delivery of your boxes after they where released for delivery.

I am contacting you now because you have to pick me up, at your airport to your destination to complete my delivery to you!! I do have all the ,clearance documentation which was used to clear the boxes presently at London Heathrow International Airport (LHR).I will need your information to confirm with the information i have on,file for these boxes after which i will book a flight to meet with you in your closest airport at your destination, below are the information requested:

Reconfirm your details.
1. Full Name:
2. House Address:
3. Phone Number:
4. Closest Airport to your destination.
5. Copy of your Drivers /passport for your identification.

I will wait your swift response. For your convenience I have attached here within a copy of my International passport.

Tommy Milton John Dismas
IMF Senior Diplomat
Phone: +441163261086


Until next week, surf safely.