Computer Support The sircles IT support & solutions blog | Online Fraud


The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent

9. August 2018 07:19 by sirclesadmin in Internet Security, Online Fraud, SPAM


This email has been assembled by sourcing information from your personal history online; in this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.


From:                                                       Direct <>

Sent:                                                         Thursday, August 9, 2018 6:35 AM

To:                                                            Recipient

Subject:                                                   Your Name, Pack(50RM_84248) confirmed: 7 items sent



Order Acknowledgment

Dear Your name,

Your order is now confirmed. Thanks for shopping with us!


Billing Address:
Your Name 
Your Telephone Number Postcode 

Your Order Reference: 50RM_84248
Order Date: 8/9/2018

Delivery Address:
Your Name
Your Telephone Number Postcode

Your Order 50RM_84248 available here

Your right to cancel:

In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.

To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.

We recommend that you use a recorded delivery service.

Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.

As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.

The hyperlink 'Your Order 50RM_84248 available here' actually links to: which is presumably a genuine website as it has a certificate but it simply forwards you to: which is presumably not an association that Microsoft enjoy. 
The actual link downloads a zip file:
The contents of the zip file are as follows:
And when extracted, reveal:
The image just being a Google Pay image:
And the shortcut linking to:
As we can see, this is another Windows PowerShell command, but one which we cannot make head or tail of - fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string fildunare with a .lnk extension in your documents and invoke desktop.ps1, which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
Either way, make sure that .ps1 files are blocked inside of attachments, especially archive files, and this will not be an issue.
The originating email domain - - does not seem to be a website either so block that domain from your email server.
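
A way to apply the attachment-blocking advice above at a mail gateway or during triage, as an added example that is not part of the original post: it lists a zip's members in memory, without extracting anything, and flags shortcut and script types such as the .lnk in this sample. The extension list, the size and depth limits, the function names and the sample archive's file names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy: shortcut and script types that should not arrive inside mail archives.
BLOCKED_EXTENSIONS = {".lnk", ".ps1", ".js", ".vbs", ".hta", ".bat", ".cmd", ".scr", ".exe"}
MAX_DEPTH = 3                         # levels of nested zips that will be opened
MAX_NESTED_BYTES = 20 * 1024 * 1024   # nested archives larger than this are not unpacked


def scan_archive(data, prefix="", depth=0):
    """Return a list of (member path, reason) findings for a zip held in memory.

    Members are only listed, never written to disk. Nested zips are read into
    memory and scanned recursively, within the depth and size limits above.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "not a readable zip")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Only the final extension counts, so "invoice.pdf.lnk" is a .lnk.
            ext = PurePosixPath(info.filename.lower()).suffix
            if ext in BLOCKED_EXTENSIONS:
                findings.append((path, "blocked extension " + ext))
            if info.flag_bits & 0x1:
                # Bit 0 of the general purpose flags marks an encrypted member.
                findings.append((path, "encrypted member, contents not inspected"))
            elif ext == ".zip":
                if depth + 1 >= MAX_DEPTH:
                    findings.append((path, "nested too deep, not inspected"))
                elif info.file_size > MAX_NESTED_BYTES:
                    findings.append((path, "nested archive too large, not inspected"))
                else:
                    nested = archive.read(info)
                    findings.extend(scan_archive(nested, path + "!", depth + 1))
    return findings


def build_sample():
    """Constructed sample shaped like the post's archive: an image plus a shortcut.

    A nested zip holding a script is added to show the recursive check.
    All names and contents are placeholders, not the real files.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("script.ps1", "# placeholder, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("google_pay.png", b"\x89PNG placeholder")
        z.writestr("Order 50RM_84248.lnk", b"placeholder shortcut bytes")
        z.writestr("extras.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample()):
        print(member, "->", reason)
```
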

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM


You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.





From:                                                       DocuSign Signature  Service <>

Sent:                                                        Monday, August 6, 2018 5:21 PM

To:                                                           Recipient

Subject:                                                   You received notification from DocuSign Signature Service








Review and sign this document.


Dear Receiver,

Please review this invoice
It is an automatically generated invoice.


This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.



The 'view invoice' link actually points at: which is an unsecured site which appears to have been compromised.
The folder appears to have already been removed.
We have also seen: S being used by the same email.
The 'review invoice' link at the bottom points to: which also appears to have been shut down.
Report any senders of this email; the domain does not seem to function either.

Internal Revenue Service - Spam Warning !

1. August 2018 13:29 by sirclesadmin in Internet Security, Online Fraud, SPAM

Watch out for more free money!

This email has been received this week:



From:                                                       Internal Revenue Service <>

Sent:                                                         Tuesday, July 31, 2018 6:16 PM

To:                                                            Recipient

Subject:                                                   Internal Revenue Service Banner

Internal Revenue Service

IRS services     Account Balance communication TP95


Final reminder: Notice of Intent to seize (levy) your current income tax refund.


promptly: $449.20

Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.

Download your payment Invoice 

You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.

 If you no more want to get warnings, please log in to your Internal revenue service account  to temporarily disable or completely delete these types of signals.

The following alert is sent to you automatically from the IRS services. Make sure you do not Write back.

Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.

If you have inquiries or problems with the service, be sure to contact

This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.

Powered by GovDelivery


As this email has been received from a car (auto if you're German/American) repair (body shop) in Indianapolis, we can safely say that it is a spam email.
The link 'Download your Payment Invoice' points to:
Which has already been taken down - well done for spotting that whoever the owner is...
Anyway report this email as spam and stay vigilant!

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.

1. August 2018 12:35 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM


This email has been received this week at sircles spam catcher:

From:                                                       TaxesGreat-Britain <>

Sent:                                                         Wednesday, August 1, 2018 9:26 AM

To:                                                            Support

Subject:                                                   (1) New message from GB Revenue and Taxes.




Taxes&Revenue have detected that you have paid too much tax in the past


* Therefore we applied P800WForm to issue a reimbursment.

--we tried to send it to you automatically.

--we don't have your card details on file.

--have your credit/debit card ready

Reimbursement Information

* We applied P800WForm to issue a reimbursment.

* Receipt date : 01 August 2018.

* Amount: 670.25 GB P.


Card Type:


Credit Card:




Transaction Date:


Transaction #:





670.25   GB P



As you can see the originating address is actually from Japan and so probably isn't that likely to give me a tax refund after all :(
The GBP is a bit of a giveaway too, as even in London, most people still use the British Pound without being prompted.
The 'Claim Funds' link points to: which is actually already registered as deceptive by Chrome and has been registered as unsafe by Microsoft Edge.
The actual site:
Once you choose your wishes they take you to:
HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure and should therefore not be accepting card details anyway.
Never enter card details without checking the padlock in the address bar is showing in green or as OK. Always check the domain in the address bar, all the way up until the first / and make sure it is just the expected domain like with nothing following it unless after a /
Report this email and report the website.
Be safe!!!
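
The address-bar check described above, written out as an added example (not part of the original post): it looks only at the part of the address before the first / and accepts an https address whose host is the expected domain or a subdomain of it. The function name and the tax.example and refund.example addresses are constructed placeholders.

```python
from urllib.parse import urlsplit


def check_address(url, expected_domain):
    """Return (ok, reason) for whether url really belongs to expected_domain.

    Only the scheme and the host (everything before the first "/") are
    trusted; anything in the path or query is ignored.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable address"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # "https://tax.example@refund.example/" goes to refund.example.
        return False, "text before @ is not the host"
    host = parts.hostname  # lowercased, with port and userinfo removed
    if not host:
        return False, "no host"
    if not host.isascii():
        # Lookalike letters from other alphabets can imitate the expected name.
        return False, "non-ASCII host"
    host = host.rstrip(".")
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return True, "host is the expected domain"
    if expected in host:
        # The expected name is only a prefix or label of someone else's domain.
        return False, "expected domain embedded in a different host"
    return False, "different domain"


# Constructed sample addresses; .example is a reserved, non-routable suffix.
SAMPLES = [
    "https://www.tax.example/refund?id=1",
    "http://tax.example/refund",
    "https://tax.example.refund.example/claim",
    "https://refund.example/tax.example/claim",
    "https://tax.example@refund.example/claim",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_address(sample, "tax.example"))
```
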

Spam Warning: Important Docs Secured ShareFile Attachment



Watch out for this email doing the rounds this week:


From:                                                       Tracy Turner <>

Sent:                                                         Thursday, July 19, 2018 5:07 PM

Subject:                                                   Important Docs



Secured ShareFile Attachment

Expires July 20, 2018


568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.



If you need any further assistance, then do not hesitate to contact me.


Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446


The 'Review Documents' link actually points at*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26 


So be careful here - this is a fully secured SSL site with an SSL certificate:



The domain appears to be running on a CPanel server with a certificate from:



Comodo for CPanel. 


From the look of the site: 



They seem to be impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been thoughtfully put together to steal important credentials, and a person who knows a Tracy Turner could easily input all three of their Google, Office365 and GoDaddy details.


The GoDaddy one is crafty, but obviously there are no document storage houses in the world that would ask for your internet domain credentials.


If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html




Which is again a convincing looking site using the same certificate.


The IP address gives this data:

% Information related to ' -'

% Abuse contact for ' -' is ''

inetnum: -
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE

address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered

person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered

% Information related to ''

descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE


We will email the abuse address to report these sites...

Amazon Spam Warning - Authorization of Account Details

27. June 2018 13:59 by sirclesadmin in Internet Security, Online Fraud


We have seen this email passing through Hotmail and Outlook defences:


From:                                                       Αmаzоn.соm <>

Sent:                                                         Saturday, June 23, 2018 1:58 AM

To:                                                            recipient email address

Subject:                                                   Authorization of Account Details




Authorization of Account Details




Validation of billing details in your account

June 22, 2018

Dear recipient

We need to validate your billing information you entered, which may not match with your Credit card's issuing bank. Please get these to us before June 29, 2018 to ensure that the services related to your account will not be suspended. We may contact you for additional information as part of the verification process.


You can start your verification process by clicking on Here


We hope to see you again soon.





 Privacy Policy


Copyright © 2018
All rights reserved


This email sent to recipient email address

Email ID: 122744Px690808054Fw90f4v6nJK9o408488ef019626

The link points to a site which has already been dismantled, and Google Chrome already listed the site as fraudulent, so we will not post it here.
Do mark this email as spam though as it is breaking through email defenses...

SPAM: Final Extension

19. June 2018 10:14 by sirclesadmin in Online Fraud, SPAM


Another domain renewal scam is circulating this week.

The format is the same as usual - danger, danger danger, about to expire, your domain, final warning etc.

Then right at the bottom it says something like:

Failure to make payment may result in account closing (making it difficult for your customers and your friends to locate you, using search engines on the web).

So it is actually a service to submit you to search engines.


Well there is only really one search engine unfortunately, although Ecosia's plan is a good one, so there is no need to pay someone to submit your pages. Google are quite capable of finding you themselves.


The email arrives as:






Final Extension



Notice#: 049436077

your domain

Date: 06.19.2018


DOMAIN: yourdomain.suffix











Your Name



Region, Post Code, Country


Domain Name:

Registration Period:




Today to One year away


1 Year











Dear Your Name,

This is the final billing notice to complete this order by 1 Week failure to make payment may result in account closing (making it difficult for your customers and your friends to locate you, using search engines on the web).




This Email contains information intended only for the individuals or entities to which it is addressed. If you are not the intended recipient or the agent responsible for delivering it to the intended recipient, or have received this Email in error, please notify immediately the sender of this Email and then completely delete it (including any attachments). Any other action taken in reliance upon this Email is strictly prohibited, including but not limited to unauthorized copying, printing, disclosure, or distribution. The sender bears no responsibility for any loss, disruption or damage to your data or computer system that may occur while using data contained in, or transmitted with, this Email. Any views expressed are personal unless otherwise stated. unlike here Providing false information will result in suspension of the customer's account.Thank you for your cooperation.





The unsubscribe link points to:

The secure payment link links to:

Report the website as spam and the website it takes you to: should be reported as a phishing site.

Report the email as spam.

Many thanks.




SECURITY ALERT - Tesco Bank Spam Scam

12. June 2018 07:33 by sirclesadmin in Fraud, Online Fraud, SPAM


Beware of these fake Tesco spam emails:



Sent:                                           11 June 2018 16:24

To:                                               Recipient

Subject:                                     SECURITY ALERT




You are receiving this email because we noticed an attempt to sign in to your account from an unrecognised device. Our system has blocked this sign in attempt as a security measure. 

In order to safeguard your account information we have temporarily restricted your access to certain features within our online banking system. To restore full access please click the link below to validate your account information.

Please note:
 Failure to restore full access can lead to permanent suspension of access to our online banking service.

Get Started ⇨

Best regards,

Tesco  Online Banking Team


The 'Get Started' link actually takes you to:

Cloudflare have already labelled this site as phishing:




Electronic Intuit Message - Spam Alert!

6. June 2018 17:06 by sirclesadmin in Online Fraud, SPAM, Phishing


Watch out for this spam QuickBooks message:



From:                                         Intuit Inc. <>

Sent:                                           Wednesday, June 6, 2018 5:02 PM

To:                                               Accounts Team

Subject:                                     Electronic Intuit  Message









Payment Due Date




Dear Customer,

This bill notice is being provided to you by Intuit Inc. from Veri Facts Inc. Please click the button above to find an invoice


intuit test

Intuit, Inc. 2014-2018 All rights reserved. TurboTax and Mint are registered brand names and trademarks of Intuit Inc. Conditions, support and service are subject to modification with out notice  Privacy Terms

The 'Pay Here' link actually points to: which has already been shut down so no need to report this site.

Do report this email as spam to your email provider though and keep vigilant.

🤖 Cryptocurrency Auto Trading Robot Beta made Scage rich! SPAM!!!!

29. May 2018 15:36 by sirclesadmin in Fraud, Online Fraud


Beware of the latest brand of spammers who bring together two elements of the modern financial world - Cryptocurrency and Artificial Intelligence.

They claim to have AI computers that deal in cryptocurrency on your behalf and so make you huge sums of money.

These supposed companies - invariably they are registered on an island in the Caribbean - offer to get these computers to deal on your behalf day and night in order to increase your capital.

Before you invest with anyone, get opinions from a finance professional so that you can be sure that you are not about to be ripped-off.

If we take a look at this con, we can see a few elements that are typical in their setup.

First they use email to entrap - 



As you can see the email arrives from: 

Cryptocurrency Robot Augustine <>

And the email reads:


* Beta Test Invitation *

 Your invitation code: DFlgiYtv4216

 This amazing Cryptocurrency AUTO TRADING robot can make you rich!

 Do you know Bitcoin? Ethereum? Ever heard about Ripple? Cryptocurrencies is the future! While the market is growing fast, this is the best opportunity to take advantage and earn a million or two this year!

Auto Trading software utilizes special alghoritms and artificial intelligence to trade cryptocurrencies while you sleep!

Just imagine waking up every day and see 2-3k GBP on your account!

 First results are amazing - join us while registration is still open!

 Auto Trading is a way to get rich in 2018!

 Use the invitation code above to receive an extra 1,000 GBP after registration!

Click this link to start trading:


Don't wait before it's too late!

You will thank me later!







This message has been sent automatically because has requested us to send you this invitation.

Sender IP address:


The country code CF is for the Central African Republic and is not a likely source for someone recommending crypto-currency trading in the UK.

Now let's have a look at the site itself from 

We appear to have been forwarded to which is obviously a way of making you think you are still looking at a company in your own country.

If we run a to lookup who owns this site we see:

Registrant Country: CN
IANA ID: 1868
Whois Server:
Registrar Status: serverTransferProhibited, clientTransferProhibited
Dates: 29 days old
Created on: 2018-04-30
Expires on: 2019-04-30
Updated on: 2018-05-05
Name Servers: ANDY.NS.CLOUDFLARE.COM (has 7,758,752 domains)
              ZITA.NS.CLOUDFLARE.COM (has 7,758,752 domains)
Tech Contact:
IP Address: 77.87.77.124 - 4 other sites hosted on this server
IP Location: Poland - Lodzkie - Radomsko - Euronet S.c. Jacek Majak Aleksandra Kuc
ASN: Poland AS197226 SPRINT-SDC, PL (registered Aug 17, 2010)
Website Title: None given.
Server Type: nginx
Whois Record (last updated on 2018-05-29)
Cloudflare do not officially host anything - they are an intermediary for data flow.
So here is the site:



So immediately we notice that this site has been thrown together using a simple template and they haven't even bothered changing most of the icons and photos before publishing. Whoever Derrick Simmons CEO is, his photo and name are undoubtedly a fake.

If we look further down the page:



This site is not affiliated in any way with Time Magazine, Forbes or CNN - be extremely careful of any site that you arrive at from email.

No one has just 'won' $4576 USD - this site is not even offering a lottery.

Notice it is a secured version of the site at: is a secure site, so it is obviously an improvement of the above site...

If we enter our details in one of the endless pop-up requests for our email and name, we are taken to: 

Now this is a website requesting money to be deposited which means that it is extremely dangerous and you should not enter any personal or banking details at any time. 

The company is registered in Bulgaria, at R.A. Hadzhi Dimitar bl., 113., en A., fl. 4, app 8, Sofia 1510, Bulgaria but their live chat is not functioning now - 5pm their time - in the working week.

There is a phone number in Bulgaria which I will not call but these are required to keep the website open under EU and Bulgarian law.

If we look at the security of this secured site - it is a Cloudflare SSL certificate with as its actual name. Then the following sites are added as an alternative name:


All of these sites will reside on the same server in order to use the same certificate for security.