Computer Support The sircles IT support & solutions blog | Fraud


The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM


You may see the following email, purportedly from DocuSign. We have seen most spam filters catch it, but it has also got through on many occasions.





From: DocuSign Signature Service <>
Sent: Monday, August 6, 2018 5:21 PM
To: Recipient
Subject: You received notification from DocuSign Signature Service








Review and sign this document.


Dear Receiver,

Please review this invoice
It is an automatically generated invoice.


This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.



 The 'view invoice' link actually points at: which is an unsecured site which appears to have been compromised.
The folder appears to have already been removed.
We have also seen: S being used by the same email.
The 'review invoice' link at the bottom points to: which also appears to have been shut down.
Report any senders of this email, the domain does not seem to function either.

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.

1. August 2018 12:35 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM


This email has been received this week at sircles spam catcher:

From: TaxesGreat-Britain <>
Sent: Wednesday, August 1, 2018 9:26 AM
To: Support
Subject: (1) New message from GB Revenue and Taxes.




Taxes&Revenue have detected that you have paid too much tax in the past


* Therefore we applied P800WForm to issue a reimbursment.

--we tried to send it to you automatically.

--we don't have your card details on file.

--have your credit/debit card ready

Reimbursement Information

* We applied P800WForm to issue a reimbursment.

* Receipt date : 01 August 2018.

* Amount: 670.25 GB P.


Card Type:


Credit Card:




Transaction Date:


Transaction #:





670.25   GB P



As you can see the originating address is actually from Japan and so probably isn't that likely to give me a tax refund after all :(
The GBP is a bit of a giveaway too, as even in London, most people still use the British Pound without being prompted.
The 'Claim Funds' link points to: which is actually already registered as deceptive by Chrome and has been registered as unsafe by Microsoft Edge.
The actual site:
Once you choose your wishes they take you to:
HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure and should therefore not be accepting card details anyway.
Never enter card details without checking the padlock in the address bar is showing in green or as OK. Always check the domain in the address bar, all the way up until the first / and make sure it is just the expected domain like with nothing following it unless after a /
Report this email and report the website.
Be safe!!!

Spam Warning: Important Docs Secured ShareFile Attachment



Watch out for this email doing the rounds this week:


From: Tracy Turner <>
Sent: Thursday, July 19, 2018 5:07 PM
Subject: Important Docs



Secured ShareFile Attachment

Expires July 20, 2018


568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.



If you need any further assistance, then do not hesitate to contact me.


Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446


The 'Review Documents' link actually points at*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26 


So be careful here - this is a fully secured SSL site with an SSL certificate:



The domain appears to be running on a CPanel server with a certificate from:



Comodo for CPanel. 


From the look of the site: 



They seem to be impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been thoughtfully put together to steal important credentials, and a person who knows a Tracy Turner could easily input all three of their Google, Office365 and GoDaddy details.


The GoDaddy one is crafty, but obviously no document storage service in the world would ask for your internet domain credentials.


If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html




Which is again a convincing looking site using the same certificate.


The IP address gives this data:

% Information related to ' -'

% Abuse contact for ' -' is ''

inetnum: -
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE

address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered

person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered

% Information related to ''

descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE


We will email the abuse address to report these sites...

SECURITY ALERT - Tesco Bank Spam Scam

12. June 2018 07:33 by sirclesadmin in Fraud, Online Fraud, SPAM


Beware of these fake Tesco spam emails:



Sent: 11 June 2018 16:24
To: Recipient
Subject: SECURITY ALERT




You are receiving this email because we noticed an attempt to sign in to your account from an unrecognised device. Our system has blocked this sign in attempt as a security measure. 

In order to safeguard your account information we have temporarily restricted your access to certain features within our online banking system. To restore full access please click the link below to validate your account information.

Please note:
 Failure to restore full access can lead to permanent suspension of access to our online banking service.

Get Started ⇨

Best regards,

Tesco  Online Banking Team


The 'Get Started' link actually takes you to:

Cloudflare have already labelled this site as phishing:




🤖 Cryptocurrency Auto Trading Robot Beta made Scage rich! SPAM!!!!

29. May 2018 15:36 by sirclesadmin in Fraud, Online Fraud


Beware of the latest brand of spammers who bring together two elements of the modern financial world - Cryptocurrency and Artificial Intelligence.

They claim to have AI computers that deal in cryptocurrency on your behalf and so make you huge sums of money.

These supposed companies - invariably they are registered on an island in the Caribbean - offer to get these computers to deal on your behalf day and night in order to increase your capital.

Before you invest with anyone, get opinions from a finance professional so that you can be sure that you are not about to be ripped-off.

If we take a look at this con, we can see a few elements that are typical in their setup.

First they use email to entrap - 



As you can see the email arrives from: 

Cryptocurrency Robot Augustine <>

And the email reads:


* Beta Test Invitation *

 Your invitation code: DFlgiYtv4216

 This amazing Cryptocurrency AUTO TRADING robot can make you rich!

 Do you know Bitcoin? Ethereum? Ever heard about Ripple? Cryptocurrencies is the future! While the market is growing fast, this is the best opportunity to take advantage and earn a million or two this year!

Auto Trading software utilizes special alghoritms and artificial intelligence to trade cryptocurrencies while you sleep!

Just imagine waking up every day and see 2-3k GBP on your account!

 First results are amazing - join us while registration is still open!

 Auto Trading is a way to get rich in 2018!

 Use the invitation code above to receive an extra 1,000 GBP after registration!

Click this link to start trading:


Don't wait before it's too late!

You will thank me later!







This message has been sent automatically because has requested us to send you this invitation.

Sender IP address:


The country code CF is for the Central African Republic and is not a likely source for someone recommending crypto-currency trading in the UK.

Now let's have a look at the site itself from 

We appear to have been forwarded to which is obviously a way of making you think you are still looking at a company in your own country.

If we run a to lookup who owns this site we see:

Registrant Country: CN
IANA ID: 1868
Whois Server:
Registrar Status: serverTransferProhibited, clientTransferProhibited
Dates: 29 days old
Created on: 2018-04-30
Expires on: 2019-04-30
Updated on: 2018-05-05
Name Servers: ANDY.NS.CLOUDFLARE.COM (has 7,758,752 domains)
              ZITA.NS.CLOUDFLARE.COM (has 7,758,752 domains)
Tech Contact:
IP Address: 77.87.77.124 - 4 other sites hosted on this server
IP Location: Poland - Lodzkie - Radomsko - Euronet S.c. Jacek Majak Aleksandra Kuc
ASN: Poland AS197226 SPRINT-SDC, PL (registered Aug 17, 2010)
Website Title: None given.
Server Type: nginx
Whois Record (last updated on 2018-05-29)
Cloudflare do not officially host anything - they are an intermediary for data flow.
So here is the site:



So immediately we notice that this site has been thrown together using a simple template and they haven't even bothered changing most of the icons and photos before publishing. Whoever Derrick Simmons CEO is, his photo and name are undoubtedly fake.

If we look further down the page:



This site is not affiliated in any way with Time Magazine, Forbes or CNN - be extremely careful of any site that you arrive at from email.

No one has just 'won' $4576 USD - this site is not even offering a lottery.

Notice it is a secured version of the site at: is a secure site, so it is obviously an improvement of the above site...

If we enter our details in one of the endless pop-up requests for our email and name, we are taken to: 

Now this is a website requesting money to be deposited which means that it is extremely dangerous and you should not enter any personal or banking details at any time. 

The company is registered in Bulgaria, at R.A. Hadzhi Dimitar bl., 113., en A., fl. 4, app 8, Sofia 1510, Bulgaria but their live chat is not functioning now - 5pm their time - in the working week.

There is a phone number in Bulgaria which I will not call but these are required to keep the website open under EU and Bulgarian law.

If we look at the security of this secured site, it is a Cloudflare SSL certificate with as its actual name. Then the following sites are added as alternative names:


All of these sites will reside on the same server in order to use the same certificate for security.

Reporting Fraudulent Websites with your Browser

17. May 2018 07:39 by sirclesadmin in Internet Security, Fraud, Phishing


When you receive an email that has links to a fraudulent site, you should report that site to your browser provider so that other users can be saved from falling into the intended trap.

If an email tells you a site is giving you something, and when you arrive you are asked to make a payment, that is a form of misrepresentation, which is phishing. You should report phishing sites to Google:

The advantage of reporting to Google is that they will adjust Google Chrome to warn people, and that is currently the most popular browser on Earth.

If the site you are sent to by a suspicious email tries to download a file to your computer (no matter what the file purports to be) then it is most likely a malicious software site. These pages should be reported by pasting the URL from the browser address bar into the following Google page for malicious software sites:

You can also read about Google's preventative measures programme against harmful internet use here:

If you are using Microsoft Edge or Internet Explorer, you can also report fraudulent sites. 

You can open the old style Internet Explorer by pressing the Windows Button + R and entering iexplore and pressing OK.

From the Safety menu, point to SmartScreen Filter, then click Report Unsafe Website.

Select one or both of the following check boxes you feel to be appropriate:

  • I think this is a phishing website
  • I think this website contains malicious software

If you are using Firefox, or if you wish to report the site to Mozilla to help more people, you can report fraudulent sites to Mozilla here:

Here you can choose from:

  • Domain name
  • Collecting personal information
  • Charging for software
  • Logo misuse (phishing)
  • Distributing modified Mozilla/Malware

And choose which products are affected.

In general it is always worth checking that the site is secured - by seeing if there is a padlock in the browser address bar or that the https has gone green etc. - and that the domain is correct. The domain must be the last item in the address bar before the first / (forward slash) as many fraudulent domains trick us by using or similar. Notice that the is followed by a hyphen or a dot instead of the forward slash / that represents the end of the domain.
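The domain check described above, written out as an added example (not code from the original blog): it parses a link the way the browser does and compares the host, everything before the first /, with the domain you expect. The function name classifyLink and all host names (reserved .example and .test names) are constructed for illustration.

```javascript
// Added example. classifyLink() and every host name below are constructed
// for illustration (reserved .example/.test names), not taken from the emails.
function classifyLink(href, expectedDomain) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { host: null, secure: false, verdict: "unparseable" };
  }
  // hostname = the part between "://" and the first "/", without the port,
  // lower-cased by the URL parser.
  const host = url.hostname;
  const expected = expectedDomain.toLowerCase();
  const secure = url.protocol === "https:"; // what the padlock reflects

  let verdict;
  if (host === expected || host.endsWith("." + expected)) {
    // Expected domain is the END of the host: the site itself or a subdomain.
    verdict = "expected-domain";
  } else if ([".", "-"].some((sep) =>
      host.startsWith(expected + sep) || host.includes("." + expected + sep))) {
    // Expected domain appears but is followed by a dot or hyphen instead of
    // the "/" that ends the host, so the real domain is whatever comes last.
    verdict = "lookalike";
  } else {
    verdict = "different-domain";
  }
  return { host, secure, verdict };
}

// Constructed sample links, checked against the domain the reader expects.
const samples = [
  "https://bank.example/login",
  "https://online.bank.example/",
  "https://bank.example-secure-login.test/account",
  "http://bank.example.account-update.test/bank.example/",
  "https://files.test/bank.example/index.html",
  "not a url",
];
for (const href of samples) {
  const r = classifyLink(href, "bank.example");
  console.log(`${r.verdict.padEnd(16)} secure=${r.secure} ${href}`);
}
```

A lookalike host can still come back with secure=true, as the ShareFile scam above shows, so the padlock only says the connection is encrypted, not whose site it is.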


💸 Incoming BitCoin Transfer - You received 0.881110 BTC!

17. May 2018 07:24 by sirclesadmin in Internet Security, Fraud, SPAM, Phishing


The following email has been reported as currently active:



You just received 0.881110 BitCoin incoming transfer from Info.


Receiver: recipient email

Amount: 0.881110 BTC

Deadline: 23-05-2018 13:19:28

Transfer has been made from account holder:


Accept the transfer now:

Only 7 days remaining to accept your BitCoin transfer! If you do not accept this transfer, the money will be returned to sender.

To claim your BitCoin please visit the link below:

Best regards,

Roxana Rigby

Bitcoin Account Manager

The link forwards you to:

Whenever there is a supposed quick way to increase capital, con-people quickly associate themselves with the name in the hope of riding the excitement in order to rip people off. Any crypto currency such as Bitcoin is a huge risk to invest in and should be treated with EXTREME caution. This website is not an investment site, but an attempt at taking money based on the reputation of Bitcoin - do not enter your name, report this site as fraudulent using your browser, and mark this email as spam and/or phishing.

The intent of this email is fraudulent, and so it is safe to assume that the website is fraudulent also. Any testimonials are contrived and should not be believed.

You can report fraudulent websites with the help of this page which tells you how to report fraudulent or malware websites.

Natwest Spam: Incomplete Security Information



You may receive the following message, purporting to be from NatWest:


From: NatWest <>
Sent: Date
To: Recipient
Subject: Incomplete Security Information









Incomplete Security Information







Information we use to determine the security of your account is missing we need you to confirm as soon as possible.


You are required to review and update missing information*

We have temporarily suspended your online access to prevent any loss to your balance until you securely submit missing information: Click below to continue




Thank You,
The NatWest Accounts team


*The location is approximate and determined by the IP address it was coming from.

This email can't receive replies. For more information, visit the NatWest Accounts Help Center.





You received this mandatory email service announcement to update you about important changes to your NatWest product or account.

© 2018 NatWest Inc.,



The link in the message tries to take you to:
Please mark as spam - the website appears to have already been fixed and the bad content removed... :)

Disability Action Alliance - DAA Receipt#




From: on behalf of Disability Action Alliance – DAA <>
Sent: Date
To: Recipient
Subject: Receipt # 8453985   Receipt # 9599113



Payment Receipt


Your payment has been received, please find attached your PDF invoice.


Spam: Receipt # 255247



Beware of these fake receipts:

Payment Receipt


We send  Google.Docs document.

Link points to:

Which obviously downloads an inv file to corrupt your computer or add a rootkit etc.

We have reported the Google link and the website as well as marking the email as spam - please do the same if you receive one of these.