walgreens scam

Notice:Walgreens Points for elamb.security are expiring soon scam

Notice:Walgreens Points for YOUR EMAIL are expiring soon scam

Your Walgreens-Points are expiring. You have accumulated $50 in Walgreens Rewards. You must claim by January 31, 2016.

Your Redemption Code: #R561875


virusTotal detects possible malware:

URL Scanner Result
BitDefender Phishing site
ADMINUSLabs Clean site
lottery scam


Here is a classic scam.  There are so many of these Internet Lottery scams:

We happily announce to you the draw of the USA INTERNATIONAL LOTTERY, online Sweepstakes promotion held in United States of America on Saturday 16th Jan. 2016. You have been allocated to claim a total sum of £520,731.00 (Five Hundred and Twenty Thousand, Seven Hundred and Thirty One British Pounds) with ticket number: B55607545 4152 with reference number USA/JA2C110P5 and Serial number ZA5365/3 ,Batch number XA87-2PY,drew the lucky numbers: 06 14 32 35 41 Bonus 43. Contact our Fiduciary agents immediately to commence release of your lottery prize by providing details as listed below. 1. Full Name: 2. Email Address: 3. Age/Occupation: 4. Reference Number/Ticket Number 5. Phone Number: 6. Country: 7. Date of draw To file for your claim, please contact our fiduciary agent and provide them with your winning email and details as above. USA Lottery Fiduciary Agents: Mr. Phil Langa Foreign Service Manager E-mail: phil.langa@aol.com Yours faithfully, Teresa Marie Roberts. Online coordinator USA INTERNATIONAL LOTTERY

WordPress hack plugin GroupDocs

One of my wordpress blogs got hacked.  I was notified by google

I was apprehensive about accessing the site from my computer so i checked it out from my smartphone.  I figured most current malware attempts to download and install on windows systems, but are usually not smart enough to infect two different platforms (windows AND android).  The site seemed fine, but I am sure there is something wrong.  So I logged into the server.  The dates look a little suspcious but I the actual php files looked find.

I noticed a pattern with the dates that the files were access.  I am seeing scores of files/folders that have been “touched” and have the same date/time stamp Nov 22, 2015 12:00.  You only see that many files changed at once when a script does it.  I focused on those files and I can see that MOST of the Nov 22 1200 date/time stamps are on ONE plugin:   plugin GroupDocs.  I look at the error log:

INFO Started brute forcing.

INFO checking: drinkmusiccity.com, david, david
INFO checking: farmofpeace.com, salima, salima
INFO checking: fayjames.com, fay, fay
INFO checking: fantasyassembly.com, kevin-j, kevin-j
INFO checking: fionaraven.com, fiona, fiona
INFO checking: fishinglakes.com, Colby, Colby
INFO checking: firetown.com, firetown, firetown
INFO checking: fontainetours.com, claudia, claudia
INFO checking: foreverboundadoption.org, designteam, designteam
INFO checking: fotoparisberlin.com, amelie, amelie
INFO checking: frabonisdeli.com, bennett-fraboni, bennett-fraboni
INFO checking: freeloveforum.com, anne, anne
INFO checking: funkatech.com, incyte, incyte
INFO checking: futurist.com, brenda-cooper, brenda-cooper
INFO checking: futebolnas4linhas.com, ingrid-carvalho, ingrid-carvalho
INFO checking: freedomnewton.com, pastorc, pastorc
INFO checking: k-bell.co.jp, kohei, kohei
INFO checking: katrinakaif.co.uk, harish, harish
INFO checking: kcfw.de, c-mohr, c-mohr
INFO checking: kazu.co.nz, staff, staff
INFO checking: keneally.com, samcniotktaetl, samcniotktaetl
INFO checking: keratoconus.com.au, jim, jim
INFO checking: fundacjadantian.com, fundacjadantian, fundacjadantian
INFO checking: kibi-group.com, kibi, kibi

I look up the plugin GroupDocs.  I has had a MAJOR compromise:


It is being used as a backdoor into WordPress.  Honestly, I don’t remember even installing it.  I am not sure if it came with the theme I installed or what.  I start checking all more other blog’s plugins.  I don’t see it any where else.  Upon further inspection of the plugin, I can clearly see the PHP backdoor code:

sending: {
  "type" : "WPBF_RESPONSE",
  "linkPasses" : [
      "site" : "farmofpeace.com",
      "user" : "salima",
      "pass" : "salima"

      "site" : "i-entertainment.co.uk",
      "user" : "nicolai2014",
      "pass" : "nicolai2014"

      "site" : "020haopai.com",
      "user" : "siteadmin",
      "pass" : "siteadmin"

      "site" : "zargarcarpet.com",
      "user" : "akeel",
      "pass" : "akeel"

      "site" : "haubstadtsommerfest.com",
      "user" : "joeyconti",
      "pass" : "joeyconti"

Starting brute forcing WordPress
CURRENT TIME: 2015-11-20 15:47:06
CURRENT TIME: 2015-11-20 15:47:37
CURRENT TIME: 2015-11-20 15:48:08
CURRENT TIME: 2015-11-20 15:48:39
Child dead. Reading response: 
Done. read: 0 bytes

The Fix Action:

Warning fake google chrome update

**Sent from a subscriber**

I was surfing the Internet and I found following bad link: http://www.1zoom.net/ Cities /wallpaper/306150/z904/


As I was trying to move my cursor to get out of the site, another tab popped up saying that I must update my google chrome.  I closed it.  internet-fraud-2

I tried opening the tabs once more with the website to confirm if my suspicion was right.  It led me to another tab that was asking me to download a software in my toolbar.  I have not taken the screenshot on that one.  I went back to my computer history to search for that specific link and it was not there anymore.  A warning of a virus appeared in my screen. That is really scary. Always be cautious and careful while browsing online.


Reporting mail fraud : Corporate Controllers Unit

Years ago, I started a small business under a corporation for my websites. mail-fraud I received a letter twice from “Corporate Controllers Unit”. They were charging us $225.00 charges for annual corporate fees.  Just a few minutes of research revealed that this is a scam.

The letter threatens that if you don’t pay “Delinquent” but at the end of the letter they state that do not represent any branches of the government:

“This product or service has not been approved or endorsed by any Government Agency and this offer is not being made by an agency of the Government. U.S.C.39.6.3001(d). This is a solicitation for the order of services, and not a bill, invoice , or a statement of acocunt due. You are under no obligation to make any payments on account of this offer.”mail-fraud

shipping.com Extra Fee

Months ago, I was doing some shopping in burlingtoncoatfactory.com. They had a sale and had so many items with quality. I finally decided to give a try and ordered a dress. I paid $32.00 for it.

Just like any other purchase, during check out, I had place my credit card information, shipping address and billing information.  I placed the order, paid it and I got my order confirmation.  After that, I seen this message saying the order qualifies for a cash back! This SOUNDS good, but when you take a closer look there is a not so hidden fee.










So I clicked on the link that says Cash back and it took me to another page.  So I signed up for a cash back and I had put my personal information sent to “shipping.com”.

I checked my mail to see if there was anything about the “cash back”.  I got suspicious when nothing came.  I went to google to find a review about the $15.00 cash back by shipping.com.   I realized that they are going to charge me monthly and has a 30 day trial period.  I was not aware of it because it does not say anything like that while you are signing up or maybe that is in very small print.

I immediately went back to shipping.com and cancelled it.

I don’t think that the shipping.com “cash back” deal is necessarily is a scam, but I think they should be more transparent about the monthly charge.

Mbayi Ambo Visa Scam Facebook groups

Scam Alert!

Mbayi Ambo is offering members of facebook group a passport for $150.00. For $150 dollars she claims that she can get an exemptions from the medical at St Lukes AND exemption from appearing of the US embassy interview.


This is not possible. It is a scam for sure. Even if you get a fake visa/passport and bypass the medical and Interview, the US Customs Border Protection requires a package that you can only get from the Embassy.

One thing to keep in mind is that it sounds too good to be true, it probably is. ALWAYS double check and verify all offers and information you get online.. including the information on this group.

She claims that she is from New York but her profile says Ontario,Canada. She is also using fake photos in her profile in Facebook.


Fw: Re: Payment Fax *scam*

Be careful with this message. Similar messages were used to steal people’s personal information. Unless you trust the sender, don’t click links or reply with personal information.
from: Pennapa <Pennapa@126.net>
date: Tue, Jun 30, 2015 at 9:58 AM
subject: Fw: Re: Payment Fax
Hope you are fine,
a payment we transferred to your account, has returned to our account due to incorrect details as informed by our bank.Please can you check the attached fax we received from our bank and correct the error, so that we can transfer the payment again.Best regards,
Ms. Pennapa | Director
Yancheng Xingtai Equipment Co.,Ltd.
Xingtai Industrial Group.
No. 29, Xindu Western Rd, Yancheng, Jiangsu, P.R.China 224001
Tel: +86-515-8869 2222 | Direct-line +86-515-6997 9993
Fax: +86-515-6997 9992 | Phone +86-187 0511 8932

This letter came with an attachment document saying ”SWIFT,pdf.z.

1 2 3 4 126