September 11, 2019


In last week’s Your Money column we exposed a bogus offer to purchase 5 Dr. Seuss children’s books for $5.95 as malicious clickbait.  The domain hosting the malware was drsasuues[.]pro.  The people who created this pestilent, poisonous and pernicious pustule produced another identical deadly email again last week.  The destructive and damaging domain is seussbooks[.]pro.  If you click that link “Oh! The places you’ll go!” I would not click that link here or there, I would not click that link anywhere!



What a deluge our readers suffered!  One woman forwarded 21 malicious emails to us during three days! (We really miss August!) As always, we encourage all our readers to forward your malicious, suspicious and weird emails, texts and screenshots to us, like this “shocking discovery by a Texas doctor!” “Doctors are urging every American with diabetes to watch this trending news story.”  NO THEY AREN’T! This is just malicious clickbait targeting people who suffer from diabetes or know someone with diabetes. (As if having diabetes isn’t bad enough!) Look at the “FROM” address… “.eu” is one of the few exceptions for the 2-letter country code. It is the 2-letter code for the European Union.




Phish NETS: Discover Card

What does Discover Card have in common with an automobile collision center?  The obvious answer is that you can use your Discover Card to pay and have your car fixed.  However, in this case it means that the domain HollisterCollision[.]com has been completely hacked, taken over (Chinese characters fill the top page), and it also hosts a Discover Card phishing scam!  One of our TDS readers sent us the email below, saying she doesn’t have a Discover Card, making this phish easy to spot. Look below at the screenshot of the phishing page.  It sure looks like you are on the Discover Card web page!






YOUR MONEY:  Costco Shopper Deals and Vouchers

They’re baaaack!  The $50 coupon vouchers that are meant to engineer your clicking behavior!  For years these fake vouchers have been a staple of a particular cybercrime gang and we’ve documented dozens in our newsletters as they pretend to be from Walgreens, Amazon, CVS, and others.  They dried up during the summer months but that respite is over. This clickbait is identical to several we found last Fall and Spring. (For example, September 5, 2018 and  May 15 and March 6, 2019)  They must be effective, or these criminals would not continue to use them.

This particular email came from a server in the UK and the links point to the oddball domain anthropologyfeet[.]site, hosted in Amsterdam.  Hopefully it is obvious to our readers, but just in case… NEVER click “unsubscribe” at the bottom of suspicious emails like this.  It is just another manipulation leading to a computer infection.



Here is another clickbait disguised as a $50 Costco Rewards shopper deal.  Just “Take Survey.” This email also came from a server in the UK. The links in it lead to a website at the domain vehiclesservices[.]im.  Can you guess the country represented by the 2-letter country code “.im”?  We had no idea and had to look it up. Even after learning the name we didn’t know where on earth it was.  You can look it up on this Wikipedia page.  The only hint we’ll give you is that the location is in the Irish Sea, between England and Ireland, and known for its medieval castles.




TOP STORY: One Malicious Domain to Rule Them All

Cybercrime is a multi-billion dollar business for sure.  The most prolific gangs seem to operate with impunity, often because the governments in the countries where they are located simply don’t seem to care or, in fact, support their efforts tacitly or otherwise.  Steve Ranger published an excellent article (December 3, 2018) on ZDnet about the many cybercriminal players around the world, including cybercrime gangs. The article is titled “Cybercrime and cyberwar: A Spotter’s guide to the groups that are out to get you.” We mention this because sometimes the players who target people make it exceptionally easy to see that a broad variety of malicious emails are all created by the same cybercriminal group.

We saw this last week with the use of a malicious domain called readowne[.]com.  If you go back to our opening “shocking discovery” email and look at the domain displayed at the bottom when we moused over any link, you’ll see that it points to this domain…. readowne[.]com. So, too, does this email intended to attract gun enthusiasts, with the subject line “Qualify to Carry a Gun Legally. Start your FREE Course Today!”  Though the sender’s domain source is withopod[.]com, registered last February and hosted in France, all links point to  readowne[.]com.  This email claims to represent the “National Concealed Academy” (which is a questionable group with a 1.4 star rating on Facebook as of this publication date) but, as is typical for cybercriminals, the claim is malarky.


Again, in this next malicious email, the sender’s address is from withopod[.]com and all links point to readowne[.]com.  The email is about a “thyroid health scare.”  “Is Your Thyroid Damaged?” We couldn’t help but notice how odd it was to show an image from a Youtube video of Coca-cola being spilled down a bathtub drain.  What did this have to do with thyroid damage? It took us less than 30 seconds to find the original Youtube video from which this screenshot was taken. And guess what?! It has nothing to do with the thyroid, healthy or otherwise!  It is part of a 17+ minute video about using Coca-cola to fix a plumbing issue in the tub!  

(Sometimes we like to get inside the head of cybercriminals and wonder… What were they thinking?!  “Hey Boris, I want to make email to point to our malware using health scare to trick stupid Americans. Do you have idea?” “Sure Yevgeni.  Every American drinks Coke, da? I find you video with Coke in it. All stupid Americans will click link. Now give me another piece vatrushka!”)




What do we know about the “all roads lead to Rome” domain readowne[.]com?  You’ll love this!  It was registered by “Dimple Jiggetts” (We don’t make this stuff up, people!) Now THAT’S A UNIQUE NAME!  Do you think it could be fictitious? Dimple says he lives on “Marsh Lane, Winter Haven, Florida” and Google says that this street doesn’t exist in Winter Haven, Florida.  By the way, Dimple is hosting his website, readowne[.]com, on a server in Denizli, an industrial city in southwest Turkey.  Dimple posted his email address on the WHOIS registry as contactus@chistotle[.]com.  Chistotle[.]com was, in turn, registered to someone named Eldridge Engels and sits on a server in Bucharest. (Maybe some of these criminals have a really good laugh trying to think of silly names for Americans?)

So, if you wonder what other malicious emails did Dimple use to target us with here are three more…

  • Get your free bottle of CBD hemp oil today!
  • Stop paying for Cable!
  • Amazing Sale! Get This Diet Product for a Huge Discount… (Unbelievable Results.)


At least knew that readowne[.]com has been found to be malicious by the security service Forcepoint!





FOR YOUR SAFETY: Someone is trying to hide where that links points to

An “IP address” refers to the number system that underlies all devices connected to the Internet..  DNS, or Domain Name System, is the set of instructions that enables us to type something like into a web browser instead of having to know the IP address of the server that hosts our website.  And so, if you see that a link DOESN’T show a domain name, but instead shows an IP address, it usually means that someone is trying to hide where that link points to.  Like in this next email. The links point to the IP address that begins 176.113. Where is that computer hiding? In Russia, of course! (We used to find the location of that IP address.)  If you want to learn more about IP sleuthing to expose online fraud, watch our 3 minute video!



Until next week, surf safely!