Select Page
Weekly Alert  |  October 27, 2021

The 2nd Global Online Scam Summit will be November 3rd & 4th!Please join us for the second edition of the Global Online Scam Summit (GOSS) taking place on 3rd and 4th November 2021. The event, organized in association with APWG and the Global Cyber Alliance, is a platform for sharing knowledge and insights on how to fight online scams and fraud worldwide.  Last year more than 425 representatives joined the 1st Global Online Scam Summit virtually. This year we hope to make the event even bigger by expanding to two days and adding more inspirational speakers but also more possibilities to network and share insights one to one.

Do you think you can spot scams with your eagle eyes? Check out this “Spot the Scam” article from Trend Micro posted on!  Good luck!

Targeting Halloween Candy and Interesting ClickbaitAccording to many sources, most ransomware attacks come from Russian cybercriminals. (e.g. We’re terribly sad to report that one of the latest victims is going to have an impact on Halloween celebrations across the United States, and perhaps the world!  The largest candy corn manufacturer in the US was hacked by a ransomware gang before Halloween! This is bad for those who’ve enjoyed this traditional halloween candy! has an excellent article about the threat of ransomware and why it is so deadly.

Some cybercriminal gangs are very clever. (as you’ll see in our Top Story below) They will take advantage of every opportunity to target potential victims, such as using content about the COVID virus and life-saving vaccinations. Check out this “Moderna Treatment Survey” email below. It was delivered from a domain called recreases[.]com and contains links to another domain called twevere[.]com.  This latter domain was registered in Iceland through the service NameCheap.  Iceland has been a favorite location for registered domains from a particular cybercriminal gang! There is NOTHING about this survey that is legitimate. For example, at the very bottom of this email you’re told that this offer was brought to you by someone named “Kaitlynn Terry” from 607 North Glenholme Drive in Merrillville, Indiana. However, according to Google, there is no such address in Merrillville, IN or anywhere else in Indiana! A visit to twevere[.]com shows a simple web page titled increment[.]com and says “Submit Your Application Now!” along with a spot to enter an email address and an “Unsubscribe” button.  Does any of this sound like a legitimate survey about the Moderna vaccine?  This is just malicious clickbait!

If you are a website owner, like us at The Daily Scam and Scamadviser, you likely get bombarded by random solicitations and requests.  Many of these are actually malicious clickbait. Nearly every week, The Daily Scam receives an email from someone offering to “contribute quality content” as a guest post, like this recent email from McKenzie Wilson…. Or is it from Heeral Mehta?  The very next day, we received a nearly identical email from “Anita Gro.”  Just for fun, we sometimes respond to these emails and tell the sender how excited we are to hear from them.  We ask to schedule a video conference to discuss next steps.  NO ONE has ever agreed to speak to us via video.  Boo hoo! I guess we’ll never know how good their contributions could be!

We also receive lots of offers from marketing companies, like this one offering us money to post links on our website. (We NEVER accept content from anyone, for any reason UNLESS they are a demonstrated expert in a way that can help people reduce their online risks!) According to our favorite WHOIS, headsupmarketing[.]online was registered at the end of July, 2021.  Deeeeleeeeete!

Apple ID, Amazon & Norton LifelockWhy should an email from Apple about your payment method come from This makes no sense. A closer look at the mouse-over of the link reveals this fraud!  The link points to disq[.]us but you’ll be redirected to a website hosted in Tonga called bom[.]to.  There’s NO PROBLEM with your payment method. Lunge for the delete key!

Our readers sent us lots of Amazon phish last week! (Thank you!) This first one came from a Gmail account, not, and contained a pdf file.  The REAL Amazon doesn’t send pdf receipts like this! Like so many of these phish, this pdf file wants you to think that you ordered a $1200 iPhone 12 Pro Max but it was sent to the wrong address! If this troubles you, you can call these scammers at 888-684-2692! As if this isn’t bad enough, we know that these phisherman have been using this type of scam since October, 2017. PDF files retain basic information hidden in the Inspector source, such as the date they were created.  Look below and you can see what we mean!

“Greetings from Amazon, We have locked your Amazon account and all pending orders” says this email from agentofficemail[.]com. The link to “Check Now” points to a website in Japan! Not exactly what you would expect from Amazon!

This final Amazon phish says that “our services has protected your account…”  Notice the grammatical error!  English is not the primary language of most cybercriminals and sometimes you’ll see subtle mistakes that make this clear.

Cybercriminals love to stick it to the very security services that try to protect us from them! Like this email that came from “ordertaobaodn[,]com” but claims to be from Norton LifeLock. Lunge for the delete key!

Collect Your Found Money!Many governments across the world will inform their citizens if there are unclaimed funds or estates left in their names. For example, this official UK Government site makes it possible to make a claim on a deceased relative’s unclaimed estate.  This official U.S. government website makes it possible for U.S. citizens to search for unclaimed funds known to U.S. Federal or State governments. They also make it clear that you don’t have to hire a company to locate and claim such funds! There is even a National Association of Unclaimed Property Administrators in the U.S. devoted to helping people recover unclaimed/lost funds without any fees.

We mention this because one of our newsletter readers has been periodically getting emails from the domain PatentFoundMoneyGuide[.]com, claiming that a “payment may have come in for you.”

This particular email may or may not be legitimate but it is very deceptive.  Here’s why….

  • There is a service called FoundMoneyGuide[.]com that helps people find unclaimed money but requires users to Opt-in to receive advertising and 3rd party marketing messages as their model to support their effort, even though there are many free state and federal websites that do the same thing. 
  • The email above came from the domain PatentFoundMoneyGuide[.]com which, according to our favorite WHOIS, was registered to FoundMoneyGuide[.]com back in April, 2019.
  • The link in this email doesn’t point directly to FoundMoneyGuide[.]com but instead points to the oddball domain called unlimited-chronicletoseetoday[.]info which will then redirect visitors to FoundMoneyGuide[.]com.  

Does this make any sense at all? We don’t think so.  At best, it feels deceptive and full of misdirection, starting with the fact that the recipient may not have ANY unclaimed funds in her name, but can easily find out through several state and federal websites!  Below is another email our reader received. Notice the clever language used to entice people to enroll in this website, and consequently receive advertising and marketing emails. Oh, and you “may be owed a check.” Gee, thanks but no thanks.  

Note: This same reader was hit with multiple similar emails back in early August and we reported on August 11 about this possible threat at that time because a security service found one of the links in the email to be malicious.  Read One Woman’s Free Money Story.

Targeting the Elderly Again! – One thing has always been very clear to us about cybercriminals… They have no shame and will purposely target the most vulnerable people in their effort to steal money! And that is why they will often target elderly people. Afterall, one might argue that the elderly, as a group, are not very sophisticated about life in the digital world. We shared a very sad example of this a few years ago when we interviewed an 80-year old man and his family after he was successfully targeted by cybercriminals. This week we wanted to share another example of this shameful effort by cybercriminals and it concerns Medicare.

Medicare is a National health insurance program in the United States, but only available to seniors age 65 and older. The best source of information about Medicare is directly from the U.S. Government’s website, There you’ll see that the open enrollment period to join or modify your plan began on October 15 and runs until December 7. And so it was on October 17 that malicious clickbait disguised as Medicare ads began to pour into our honeypot email accounts.  Check out this email pretending to represent a service called MedicarePlan[.]com. It contains at least 5 important “poker tells” that should make recipients VERY SUSPICIOUS that it isn’t what it claims to be.  We’ve put red arrows on 2 of them but another one cannot be seen in our screenshot. Can you spot 2 more?

    1. The subject line of this email says “Welcome ToMedicare 2 0_22” which is grammatically incorrect and poorly written. Cybercriminals do this on purpose to try to trick antispam servers from evaluating the content of the email.

    2. What readers could not see is that the entire contents of the email, including all the text, is one large graphic image.  Again, this is done to make it harder for antispam servers from evaluating the contents of an email.  Several Cybercriminals gangs ROUTINELY do this and if you ever notice that your computer mouse shows you that the entire contents of an email is clickable, then the odds are very high that the email is malicious!

    3. At the top of the email, locate the <> brackets of the FROM address and look to see what follows the @ symbol. There you’ll find the oddball domain called dzm0q[.]org.  A WHOIS lookup of this domain will tell you that it has never been registered and doesn’t exist!  This FROM address was completely spoofed and is fake.
    4. Cybercriminals frequently reuse email templates from one scam for another and just swap out content. This means that they don’t always pay attention to details and replace everything. At the bottom of the email we’ve pointed out with red question marks that this email says it is connected to “Best Luxury Break” and lists an address in Chicago, Illinois.  NO SUCH BUSINESS EXISTS ANYWHERE IN ILLINOIS, according to Google.

    Finally, though the email claims to represent medicareplan[.]com, the links don’t point to that website but instead point to a service operated by Windows on the server commonly known as Azure Blog storage. This service has been misused many times by cybercriminals in the last few years! Articles about some past misuse can be found on ZScaler Threat Lab and DO NOT trust a link just because you see it points to!

      Here’s another example targeting seniors and sent 3 days after the first email, but from another oddball domain called kkobn[.]org that ALSO DOESN’T EXIST! In it, you’ll find most of the same types of Poker Tells as the previous email, including a reference to an “Auto Insurance Guide!”

        In our final example of this malicious clickbait, we want to remind readers that it is NEVER safe to click “unsubscribe” in suspicious emails!  Cybercriminals count on it as a way to trick a small percentage of recipients. Like the above emails, this one also claims to have come from a domain that was never registered. (oazbkhsu[.]us)  However, the links in this clickbait point to a misused service on Google. (In July, published an article on how to remove a virus that was transmitted through this Google service, thus showing you that you cannot trust services just because they have familiar names!)

          It’s important to look at details, including the links that appear when you mouse-over links (BUT DO NOT CLICK!)  The link in the above “Medicare Benefits” email points to a webpage named “shipblouseeE.”  Does this sound like a legitimate Medicare webpage to you? 

          Do you know any seniors who have email accounts but may not be very tech savvy? Do them a favor and talk to them about the malicious emails that will likely land in their inbox!

          A Malicious Apology? –Last week we found something in one of our honeypot accounts that we’ve never seen before and it was quite clever.  Rather than malicious clickbait as simply an unsolicited email, this email arrived as an apology from a known service called TedsWoodworking[.]com. But this clickbait came from another oddball domain called druconet[.]today and NOT from tedswoodworking[.]com!  This malicious domain was registered in India in late March, 2021 and has NO WEBSITE on it.  Step away from this ledge…

          Until next week, surf safely!

          Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
          have subscribed to it via or

          Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

          Contact Webmaster