Select Page
Weekly Alert  |  November 10, 2021

Scammers Reuse the Same Content Over and Over –  Our readers provide us with a unique perspective about the work of cybercriminals because they send us their suspicious and malicious texts, emails and social media posts from all over the world. We never delete them! Instead we organize them into a searchable catalog, like a giant digital rolodex.  What we learned a long time ago is that some very active cybercriminal gangs use the same content over and over. (They often forget to change all the text or names in their templates that were used in previous scams.) Sometimes they wait a year to re-release malicious clickbait disguised as a holiday related email, and sometimes they repurpose malicious clickbait and resend it just days later, such as this bogus email about a Moderna Vaccine Survey…

This survey came from a Microsoft account and contains links that point to a website hosted in Peru called “Peru-Retail.”  If you look back in our Newsletter from October 27, you’ll find a nearly identical example of this malicious clickbait.  But that one was called a “Moderna Treatment Survey” and used a different graphic below the big red button.  Same template, but different malicious links.

In our Top Story below, we offer a country quiz to readers. One of the malicious clickbait in our quiz is called “Crack the Egg” and claims to represent Kohl’s stores.  This “crack the egg” email template has been used for many years by the same cybercriminal gang. Can you guess the Spring holiday around which time this clickbait is most often re-released each year?  Yes, of course…Easter!

The primary goal of these types of malicious clickbait is to install malware on your device. Ultimately, installing malware on your device will cost YOU money and earn money for the scammers! Check out this excellent article on that describes the serious threat posed by Android Banking malware.  Or check out this superb article on that consolidates statistics about malware threats and the devices they target.  For example, did you know….

  • Well over half a million new forms of malware are detected every day
  • 7% of websites that Google tested had malware on them meant to attack visitors
  • 47% of all computers surveyed in China contained malware!
  • 47.15% of all infected devices are Android devices, while Apple’s iOS accounted for under 1% of infections
  • According to a 2020 Verizon report, 46% of hackers disseminating malware deliver it almost exclusively through email

By the way, we cannot emphasize enough how important it is to look carefully at ALL of the content of an email before deciding whether or not to click a link. If an email doesn’t pass the “smell test” then don’t click!  We’re here for you! Ask us to take a look by sending your suspicious content to us at  Now check out this lovely example from “FedEx” informing our reader that FedEx has sent him a reward. But FedEx DOESN’T send deliveries as “rewards.”

Footnote: Since our Top Story last week, several email accounts at are still being targeted. Most are the same exact emails we showed readers last week.  But check out this “Notification: account update!!!” that came from a previously identified malicious website called “winaico[.]com.” By the way, legitimate email services don’t end subject lines with 3 exclamation points!!! It is incorrect punctuation!!!

UPS Delivery, Amazon Shipment, Apple ID and Geek SquadThis first phish was interesting because we thought it was just malicious clickbait linked to malware, and perhaps it is.  However, the link to view the attached eReceipt actually pointed to a phishing page created on the free web service called This email obviously didn’t come from UPS but came from a personal email account at Deeeeleeeete!

Here we go again! Another phish targeting Amazon account holders! You purchased an Apple iPhone XR for $780 and it is being sent to Loganville, Georgia.  No street address, just a town in Georgia. But wait… you can call these scammers and complain that this isn’t your order. Just dial 877-694-0261 and they’ll want to know your credit card information so they can really charge something to you, er… we mean “credit your account.”

Oh No! Cybercriminals brushed off an Apple phishing scam and reused it again! It was last used….2 weeks ago! Look CAREFULLY at the link revealed by mousing over the Apple link in this email and look where our arrow points.  You’ll see that this link actually contains a redirect embedded in it. It is disguised through “% encoding” (also called URL encoding” but you can certainly recognize another “https” embedded in this link.  The website to which you’ll be forwarded is under our arrow and called lmy[.]de in Germany. (“.de” is the 2-letter country code for Deutschland = Germany) Deeeleeeete!

This final smelly phish did NOT come from Geek Squad and the phone number contained in it is NOT for Geek Squad!  Lunge for the delete key!

Approved for Surge Mastercard, Perfect Holiday Gifts, and Kohls Exclusive OfferA fairly common form of malicious clickbait are invitations to apply for credit cards for which you are already “approved.”  How lovely. Though there is such a product as a Surge Credit Card, this email is fraudulent! It appears to have cme from a domain that was never registered and doesn’t exist, according to Google and our favorite WHOIS tool.  The links in this clickbait all point to a crap domain called promotionnow[.]site. (We especially loved that sweet touch telling you that this email was sent from a “trusted sender.” Hogwash!) You can see in our screenshot below that this self-promoting domain was registered in Iceland and is hosted on a server in Paris, France. Delete!

With the winter holidays just weeks away, our readers should expect to see LOTS of scams disguised as holiday promotions, Christmas gifts, and the like.  Here’s the first one of the season we’ve seen. “20 Perfect Holiday Gifts That Will Knock Their Socks Off!” Except that this crap didn’t come from Gadget’s Laboratory, as advertised.  And the link contained a redirect to  This tinyurl link was found to be malicious by a security service! There’s NOTHING perfect about this holiday gift! (How careful a reader are you? Can you find in this email where it still says “Local Broadband Deals” because the cybercriminals who sent it didn’t care to change that text from the last time this template was used?)

    And finally, here’s another “exclusive offer” that appears to have come from Kohl’s stores.  But it didn’t, of course. It came from a generic Gmail account and the link to “Start Now” points to a link-shortening service called qoo[.]ly.  When we unshortened that link we discovered that you’ll be sent to the website in Russia called “A tad behind work” (attadbehind[.]work). We reported this malicious website in our November 3 newsletter when it was used in a scary CVS email for Halloween!

      Country Quiz: Scams from Around the World –  We thought it might be fun for readers to test their knowledge of countries around the world while also learning how to spot scams connected to various countries. An important key to recognizing online fraud is understanding that many websites and emails contain 2-letter country codes in their domain names.  These two letters ALWAYS appear at the end of the domain of an email address or, if in a link, just before the first single forward slash.  If you need some help to identify a country code, you are welcome to use this link to

      Let’s start with this inviting email for a $50 Ace Hardware Promotion.  Look at the last 2 letters of the FROM address. Since Ace Hardware is an American retail store headquartered in Illinois, it is extremely suspicious that the email should come from this country.  Answer is below.

        We’ll bet that many of you guessed “Chile” as the country represented by the code “ch.”  Congratulations! Now let’s take a deeper look at malicious tricks used by cybercriminals.  Here is a recent email pretending to be a “Crack the Egg” offer for Kohl’s Department Stores. “Will You Be The Next Recipient ?!” Mousing over any of the links in this clickbait show a long string of characters. But early in this string can be seen “url=https,” meaning that there is a redirect that follows. The cybercriminals obfuscated the redirect by using “% encoding” that few people can read or understand.  Fortunately the online tool at decodes this type of coding and replaces it with something more commonly seen. After decoding this crazy link, we can see that visitors will be redirected to a secure (https) website found at 85r[.]irWhat country is this website located in?

          By the way, the malicious domain 85r[.]ir was also used in this malicious clickbait last week pretending to be a $100 T-Mobile Gift Card.  Think you’ve figured it out yet?  Look below…

            Visitors clicking these links to 85r[.]ir will discover that they just took a quick trip to Iran!  We hope you’ve been vaccinated! …against malware we mean!

            Our final quiz question is of a different kind.  Check out this portion of an exciting email that Rob, Mr. Professional Scam-Baiter, sent us last week. He was told by someone at HSBC Bank of Malaysia that he had more than $85 Million dollars waiting for him, if only he paid the discounted account fees. The email came from the Bank’s domain shown in the FROM address as InfoHSBC[.]net.  But is that the real and legitimate domain for the HSBC Bank of Malaysia?  This time, your quiz question is to open a new tab and visit Google. Can you use Google to discover the legitimate domain name for this bank and see that it contains the correct 2-letter country code for Malaysia?  Good luck!  Answer is below.

              However, if you entered something like “HSBC Bank Malaysia” into a Google search field, you would have discovered that the legitimate HSBC Malaysia Bank uses the domain and the 2-letter country code for Malaysia is obviously “.my!”  Congrats to all those who scored 3 out of 3!

              Someone Conducted a Background Check About You! –A “gold standard” for lots of scams is to create content that grabs the recipient’s attention so strongly that it triggers an emotional response resulting in a click. The last thing scammers want is for recipients to read carefully or think critically about the projectiles targeting them! Here is a perfect example that we haven’t seen in a long while. “Someone may have run a background check on you [email name]!” And then “(2) Negative items may have been added.” This poppycock is fabricated clickbait but is often effective. It doesn’t take a brain surgeon to figure out that malware waits for you at the other end of those links!

              Until next week, surf safely!

              Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
              have subscribed to it via or

              Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

              Contact Webmaster