Beware new malware scheme

by Fred Showker
DO NOT CLICKWe've known for several years that the U.S. internet is under insidious, perpetual and relentless attack by organized cybercrime all over the world, particularly China, Korea, Russia, Pakistan, Brazil, Nigeria; and even from within the U.S. Now we've seen a clever new scheme employed by these cyber criminals to compromise your computer and steal your identity. This new scheme began appearing in my mailbox over the last 36 hours. I received another half dozen in the mail this morning -- all hoping I would fall for the realistic URLs (links) in the email. This is going to trap many, many people.

The old rule "Never Click Unless you Know the Sender" has become unreliable. In these cases, the malware spam came from a "known" system and referred to "known" individual -- ME! The new RULE is "Just Don't Click" period -- at least until you've validated where the link will take you. See important tips below.

The spammers and cyber criminals inform you that there's a 'problem' in your mail server, and that you need to install a patch. They use your email address and your system, and even configure the domain links to look authentic. Many people will fall for this immediately because they do not know all of the users in their system. The system only has a few addresses, and all but one are spam honey pots.*

malware email

Notice that the criminal actually embedded our site's URL and one of my email addresses into the link.

The domain name, 1SSL-CERTS.COM, actually has nothing to do with the UGN site, but is owned by someone who forged the Whois owner to be Irina V Sugakova in Morozova, Russia. The compromised server IP is actually at Hetzner Online AG in Gunzenhausen, Germany.

The results of the link would have attempted to load a botnet* malware* onto my computer -- and it may have been one of those bounty Trojan worms* I wrote about a couple of weeks ago in this article.

Today, these email entries appeared:

addresses of spam to malware

These guys are fine-tuning their scheme to include MY address, and more realistic domains.


My first immediate tip-off is there has never been a "ble" user email address on UGN. While the link in the email looks totally authentic -- giving me a brief startle -- SpamCop's special interface alerts me that there are embedded files and code in the email. So I went and selected "View Source"...

malware spam embedded code

This time the criminal's domain is, they set up "user-groups" as a sub domain. This domain was registered using a rogue registrar with a forged Whois* entry: Melissa Mohr, Fargo, Belgium. But the real IP address for the malware site is located in the Gansu province network of China Telecom, based in Beijing, China.

Several others today had totally different domains with different forged owners, but all had NS servers and IP addresses located on China Telecom.

Protect yourself from invasion

  • Read suspicious mail starting with who it's to and who it's from
  • Do not click any link until you're sure where it goes
  • Do not click images - their links cannot easily be seen
  • Do not reply
  • Delete the email, or forward to spam authorities

Link, domain, URL anatomy

anatomy of the url
The main element of the URL or "link" is the word-with-extension appearing just before the first slash in the URL, or domain.
Tip: go to the first single slash and back up. There will be a 1, 2, or 3 character extension, a dot, and the actual domain name. That's where the link goes.

Many people subscribe to "disposable" email addresses, so they can switch once it becomes loaded with spam. The story above is another good reason to switch from gmail, yahoomail, or any other "disposable" address you may be using and invest in a SpamCop address. I use the account to keep the "Showker" pure -- and all my other Showker addresses are all filtered through SpamCop, so I can report all the spam anyone attempts to send to any of my email addresses. Pure and simple, plus, I get to KEEP my email addresses I've had since the late 1980s.

Your email will be filtered by the most up to date spam rules in the industry and moved into a "held" folder. Then you can REPORT those spams, adding them to the global black list to protect email users all over the world. Thirty bucks a year is a very small price to pay for reliability and enforceability. Get your account at

Thanks for reading

Fred Showker

Don't forget ... we encourage you to share your discoveries about favorite or famous graphic designers and illustrators with other readers. Just comment below, contact me here, or just give me a tweet at Twitter/DTG_Magazine

Further Reading:



27th Anniversary for DTG Magazine


On June 29th, Fred Homer said:

The term "Web 2.0" is commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design,and collaboration on the World Wide Web.

On June 11th, Forever said:

At last! Someone who understands! Thanks for ptoisng!

On June 12th, Veanna said:

Whew... you've covered all the bases with this article...
isn't it a shame these people have to continue
their online crime. They make it bad for all the honest
people online!


Post new comment

The content of this field is kept private and will not be shown publicly.

This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Enter the characters shown in the image.