Category Archives: Phishing

Remember that Facebook phishing email? There’s a MySpace version, too.

We all knew it was coming. Below is the full text:

From: Manager Stephan Goldman
To: [incorrect email address] 
Date: Thursday, January 07, 2010 9:02:10 AM 
Subject: MySpace Password Reset Confirmation!

Hey [incorrect username] ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.

Attached was a file called “MySpace_document_49792.zip” that recipients would be advised to not touch with a thirty-nine-and-a-half-foot pole. Whatever’s in that ZIP file, you don’t want it. Trust me on this.

Once again, social networking sites are never going to email you a new password, and in general aren’t going to email you files at all.

Who the heck is “Manager Stephan Goldman?”

Anyway, delete this garbage if you receive it, okay?

Western Union phishing email: “Your Money Transfer Control Number: 590575482”

Here is the full text of an email message I received Wednesday morning:

From: westernunionresponse@mail.westernunion.com
To: [as usual, not my address] 
Sent: Wednesday, January 06, 2010 9:26 AM
Subject: Your Money Transfer Control Number: 590575482

Dear customer,

Thank you for using the Western Union Money Transfer®.

Your money transfer has been authorized and is now available for pick up by the receiver.

Transfers to certain destinations may be subject to further delay or additional restrictions.

TRANSACTION DETAILS:

Your Money Transfer Control Number [MTCN] is: 590575482

Please use this number for any inquiries.

Date of Order: Wed, 6 Jan 2010 16:26:48 +0100
Amount Sent: $94.50

You can cancel this transfer by using the hyperlink below:

http://wumt.westernunion.com/WUCOMWEB/transactions/HomePage/cancel.php?session=&mtcn=590575482&summ=94.50&date=Wed, 6 Jan 2010 16:26:48 +0100

Thank you for using Western Union!

————————————————————————–
DO NOT REPLY TO THIS EMAIL.

I knew right away this was a phishing email. If I didn’t have these articles to write, I would have deleted it without even looking at the message itself.

Usually, when we think of “phishing,” the first thing that comes to mind is an urgent message that appears to be from a financial institution, instructing us to visit a website and log in to “verify” our account information. This results in revealing personal and account information to someone who will use it for theft (financial, identity or both).

This is a different tactic: make the recipient think a withdrawal is about to be made from their account, and hope they panic and click the link to cancel the transaction.

There is a distinct advantage to this method: when you send a message that claims to come from a financial institution, you usually have to pick one, which limits your potential victims.

For example, if you send out a million messages that look like they came from Chase or HSBC, 90% of your potential victims don’t have accounts at the institution you picked. They recognize it as phishing right away (and will likely recognize your next attempt as such, even if you happen to pick an institution they have a relationship with).

With this Western Union attempt (and its direct ancestor, the PayPal Phishing Email), they take advantage of the fact that anyone can use Western Union. You don’t have to have an account with any particular institution to wire money this way.

Now, I’ve never used Western Union. In fact, at my previous job as a bank teller several years ago (!), I completely weaseled my way out of learning how to use their new Western Union machine, because it arrived during my last two weeks on the job and I didn’t feel like getting into it. Yes, I told them that.

However, a quick look at their website tells me you can wire money online, and I’d be willing to bet that the text of this phishing email is directly taken from a legitimate Western Union message. In fact, the text of the message uses a real website (wumt.westernunion.com).

The thing is, if you look at where the link actually takes you (it’s not the same as the text in the message), it’s a website hosted at “wumt.westernunion.com.yhe3essr.com.pl.” This is a classic phishing-style URL. Like I said, I’ve never used Western Union, and I don’t know much about them. However, I know this much: they’re not based out of Poland (.pl).

I wonder what happens if you follow that link—does it try to steal personal information, or does it install malicious software (or both)? I sort of wish I had a junk computer to try it out on. I’d probably just enter rude words in all the “name” and “address” fields.

I’m sure this message has been received by thousands of people already. It’s trickier than the usual “verify your information” attempt, and I’m sure the success rate will be much higher, unfortunately.

As usual, though, there are lots of telltale signs that something isn’t quite right. When you get these messages, just take a moment to relax and think about it, and you’ll be fine.

Fraudulent Facebook email contains malware attachment.

There’s a new fake email message making its way around the web the last few months. This time, it targets Facebook users.

The messages all have something to do with your Facebook password, using subject lines such as “Password Reset Confirmation Email.” They contain an attachment that is supposed to be your new password, but is actually a pretty nasty Trojan horse program that opens your computer up to a variety of attacks. One of these programs is known as Bredolab, and it’s just bad news all around. Below is the text of an example message from “The Facebook Team:”

Hey,
Because of the measures taken to provide safety to our clients your password has been changed. You can find your new password in attached document.

Thanks

The Facebook Team

There are other fake Facebook messages that try to lure victims with a “New Login System” message and contain a disguised link. In this case, it seems to be a pretty standard password-stealing attempt, but given the amount of malware that can be spread and the fraud that can be committed with a hacked Facebook account, it could lead to much worse problems than someone just messing with your Facebook page.

Facebook is never going to send you an email message with your password as an attachment. In fact, they’re never going to send you an attachment at all. If you get one of these messages, hold your cursor over the link (DO NOT CLICK) and you’ll see that the message actually takes you to a non-Facebook website (most likely hosted overseas).

Furthermore, Facebook isn’t going to “confirm” your request for a password reset unless you’ve actually requested it, and any links contained in these messages will be hosted at Facebook.com, not a website with just an IP address (numbers separated by periods, as in “123.45.678.90”), and not a website hosted overseas.

Once again, a new threat just goes to reinforce the old rules of thumb: never open an attachment in an email message you weren’t expecting, and never click on links in an unsolicited email message without verifying first that the message is legitimate.

What is the deal with Facebook and Twitter lately? It seems like they’ve both been targets of an awful lot of phishing, fraud and malware activity these past few months.

Both sites have astounding numbers of users—I recently heard that if Facebook was a country, it would be the fourth most populous in the world, just behind the U.S.—so I imagine it has to do with the sheer numbers involved. When you’ve got over 300 million potential victims, even a 0.1% success rate (1 in 1,000) is a pretty large number of people.

New phishing attempt: this one is just sort of pathetic.

I had two really sad phishing attempts in my inbox this morning, but just in case somebody out there isn’t sure, let me state this very clearly: these are fraudulent messages, and the only correct response is to delete them immediately.

Here is the full text of the first one:

From: Federal Credit Bureau
To: [not my email address]
Sent: Wednesday, December 23, 2009 10:00 AM
Subject: Your Credit Score has been decreased.

Your Credit Score has been decreased. You need to download your credit history file from Federal Credit Bureau website and carefully review it. Use your personal hyperlink.

==========================================
Federal Credit Bureau

And here’s attempt number two:

From: Federal Credit Bureau
To: [not my address again]
Sent: Wednesday, December 23, 2009 9:26 AM
Subject: You have some wrong items in your Credit Report.

You have some wrong items in your Credit Report. You need to download your credit history file from Federal Credit Bureau website and carefully review it. Use your personal hyperlink.

——————————————————————–
Federal Credit Bureau

In both cases, the word “hyperlink” contained a link to a website hosted at a “.co.uk” address.

The thing is, I know they’ll hook a few people with these messages, so let’s take a closer look.

For one thing, no federal entity is going to contact you via email, ever. Right away, you know this is a phishing attempt.

For another thing, federal entities (at least here in the U.S.) use a “.gov” domain. The “reply to” addresses for these were “information@fedcb.org” and “files@fedcb.org.” That “.org” is a dead giveaway.

Finally, as stated above, the links contained in the messages took you to a “.co.uk” domain. For those of you who don’t know, that means a website hosted in the United Kingdom. The U.S. government doesn’t host its websites on overseas networks.

Of course, if you’re living in the U.K., this address might not immediately strike you as odd; but still, aren’t the British government’s websites hosted on “.gov.uk” domains, not commercial “.co.uk” sites?

As always, if you’ve received this message or anything similar, just delete it. That link takes you somewhere you do not want to visit, I guarantee it.

Identity Theft Alert: Fraudulent H1N1 vaccination email.

It looks like there’s a new H1N1 flu vaccination scam going around. The intent behind this one seems even worse than the fly-by-night “selling you garbage that does nothing to protect you” schemes; this one is designed to steal your identity.

People have reported receiving emails that claim to be from the Centers for Disease Control. The message instructs the potential victim to visit a website and create a “vaccination profile” (whatever that is). One version contains the subject line, “Creation of your personal Vaccination Profile.”

At any rate, it’s a phishing scam. If you click the link in the message, you will be taken to a page that looks like an official CDC website, but is just a decoy designed to persuade you to reveal personal information. I haven’t heard yet if anyone’s fallen for it, but I’m sure there have been a few victims.

For one thing, you don’t have to create a “vaccination profile” on any website to get an H1N1 vaccine. I’m pretty sure you just show up somewhere that has the vaccine, and they jab you in the arm. The CDC does not have your email address, and will never contact you in this way to obtain personal information.

This just goes to show how literally anything can be twisted for fraudulent purposes.

Indiana AG Scam Alert: Scam Artists Posing as Federal Agencies

Here’s the latest scam alert from the Indiana AG’s office:

Attorney General Greg Zoeller warns of phishing scams circulating in the form of requests for personal information from federal agencies including the IRS, Social Security Administration, Medicare, Medicaid and the Census Bureau. Scam artists are calling, emailing and sending letters that sound and look official requesting your social security numbers, birthdates and account numbers. These are phishing scams and they are designed to steal your identity.

You should also be cautioned of requests from “federal authorities” stating that money needs to be returned due to an over-payment as this is also a scam.

Anyone with concerns or doubts should verify the legitimacy of a request by calling a trusted phone number – not one provided in the email, letter or call.

It just never stops with the “posing as a government agent,” does it?

Usually this is the part where I reiterate that you should never give personal information to anyone unless you can verify who they are and why they need it, and I’m going to do that (actually, I just did), but there’s another bit of knowledge that’s easy to forget, but obvious when you think about it:

The government, whether federal, state or local, already knows your name, date of birth, Social Security number and other information.

If you just remember that fact, you’ll see through every one of these scams.

When you pay your taxes or get your license renewed, they’re not asking for your information because they don’t know it. They’re asking for it to help verify that you are who you claim to be. If something doesn’t match up, that means you’re either a victim of identity theft or are possibly committing a crime yourself. Unless there’s just an error, which does occasionally happen.

The difference in these situations is that you are initiating the transaction; you show up at the license branch to renew, you submit your tax returns, you apply for Medicare benefits, and so on.

No government agency is going to send you letters, email you, call you or show up at your door asking to verify your personal information. They have it. They only ask for it when you contact them first, asking for something in return.

By the way, sign up for these alerts from the Indiana Attorney General, if you haven’t already done so.

How phishing and work-at-home schemes work together

I just read a really eye-opening report from the Internet Crime Complaint Center (IC3) about how phishing emails, fraudulent ACH transactions and work-at-home schemes can be connected.

It starts with a “spear-phishing” message. Spear-phishing is a targeted form of phishing, made to look like it comes from someone you know, possibly a friend or employer. This message, rather than taking the usual phishing angle (“click this link to verify your account information”), will either contain a malware-infected attachment or link to a website that infects the user’s computer with malware.

This malware includes a keylogger program, which sends a record of keystrokes back to whoever originated the scheme. Once the victim logs into one of their financial institution accounts, this information is relayed back to the crooks.

At this point, the crooks will use either wire or ACH transfers to remove money from the victim’s account. However, it doesn’t end here.

The next victims in the process are those who have fallen for some form of work-at-home scheme (usually “processing payments” or similar). The money stolen from the first victim is wired into an account held by the next victim, who then transfers it back to the criminals, thinking they are actually processing a “payment” from the original victim.

So, they’re not just logging keystrokes to steal money from one group, they’re using a second set of victims to launder the money for them.

It would be brilliant if it weren’t so slimy.

This got me thinking about US Surveys, Inc., whom I wrote about a couple months ago. In doing research on this obvious mystery shopper scam, I actually came across a few victims who, at least for their first “assignment,” had actually made around $100. “They wired $900 into my Citibank account, then had me wire $800 back to them.” It was only on their second “assignment,” when they were asked to wire their own money first, that they began to wise up.

I thought that was kind of weird at the time. Were they actually paying you the first time just to earn your trust? It seemed like an awfully big gamble, since people were realizing that it was a scam soon afterwards (not to mention the risk of someone just taking the $900 and running).

Now it makes sense. The initial $900 was probably money stolen from a spear-phishing victim. That $100 these people had made was their payoff for helping someone launder money. They weren’t being ripped off initially, but they were helping a criminal conceal the source of funds.

The second, “Now wire us your money first” assignment was probably just an attempt at an extra payoff on their way out the door; by that point, the original victim (whose money was being laundered in the first transaction) had most likely discovered the fraud and locked the account. Thieves have to move quickly from victim to victim these days.

What all this leads me to is the following:

  1. Keep your virus protection up-to-date
  2. Learn about different types of scams so you’ll know what to watch for
  3. Do not become involved in work-at-home schemes that involve “processing payments” or wire transfers; these are money laundering schemes; the only real ways to legitimately work at home are to start your own business, or to work for a company that allows telecommuting
  4. The multi-level integration of these different types of fraud is terribly sophisticated; this is organized crime
  5. Because of #4 above, your best bet is just to avoid, avoid, avoid. Lose any big ideas you might have about trying to “scam the scammers”
  6. If you are a victim of this type of crime, in addition to the standard credit locks and police reports, file a complaint with the IC3; your information could help federal law enforcement stop this type of crime in the future.

Stimulus Scams: Information from the FTC

I could have told you the minute the U.S. Government announced those $600/person stimulus checks back in 2007: somebody is going to find a way to turn this into a scam.

Boy, was I ever right.

Almost immediately, there was a spate of people using phone calls and email to trick people into revealing personal information. “You have to verify this information to get your check,” the messages said. Of course, if you were eligible for the rebate (i.e., if you had done your taxes for the previous year), the IRS already had this information. Identities were stolen and money was lost.

Then, in 2008, you started hearing about the Economic Stimulus Package. Again, I could have told you what was going to happen. I don’t want to come off as a curmudgeon with statements like, “People never pay any dang attention!” here, but the fact is that an awful lot of people don’t pay enough attention to certain things. They heard the word “stimulus” and immediately assumed that it meant, “I’m’onna get me another check in the mail.”

Once again, the phishing emails and phone calls appeared and a new group of people learned something the hard way. Never mind that, in this context, “Economic Stimulus Package” had nothing to do with rebate checks for individuals.

Well, it’s still happening. Now people are getting letters instructing them to submit personal information in order to access federal stimulus dollars. I hate to be redundant, but everyone needs to understand this: they’re not handing out pocket money to individuals, and there are no “programs” that can be loopholed into doing so. Anybody who contacts you about federal stimulus dollars, whether by mail, email, telephone, fax or two-cans-on-a-string, asking you to fill out forms or submit information of any kind, is attempting to commit fraud.

The FTC has a good article called “Seeing Through Stimulus Scams” that dates back to February 2009, but it’s still relevant reading. There’s also a short video at CNN featuring Clark Howard from just a couple days ago. Check them both out, and please don’t assume that every time the government says “stimulus” it means you’re getting a direct payment.

Fraud Alert: FDIC warns of fraudulent emails

The following is the full text of an alert from the Federal Deposit Insurance Corporation (FDIC):

E-mail Claiming to Be From the FDIC – October 26, 2009

The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.

The subject line of the e-mail states: “check your Bank Deposit Insurance Coverage.” The e-mail tells recipients that, “You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.”

The e-mail then asks recipients to “visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage” (a fraudulent link is provided). It then instructs recipients to “download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage.”

This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft.

The FDIC does not issue unsolicited e-mails to consumers. Financial institutions and consumers should NOT follow the link in the fraudulent e-mail.

Yet another reminder that you should never follow links in unsolicited email messages, especially those telling you to log in to something. Even if you had an account at a failed bank, the FDIC would have no way of knowing your email address.

Not even the FBI Director is above falling for a phishing scam

I spend a lot of time on this site repeating (explicitly or implicitly) these two ideas:

  1. You can take steps to vastly reduce your chances of becoming a victim of fraud or identity theft
  2. That said, nobody is ever 100% safe, and nobody is “too smart” to walk right into a scam

The following is an excerpt from a recent speech by FBI Director Robert S. Mueller, III:

Most of us assume we will not be targets of cyber crime. We are not as careful as we know we should be.  Let me give you an example.

Not long ago, the head of one of our nation’s domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea.

It turned out that he was just a few clicks away from falling into a classic Internet “phishing” scam—“phishing” with a “P-H.” This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time.

He definitely should have known better. I can say this with certainty, because it was me.

After changing all our passwords, I tried to pass the incident off to my wife as a “teachable moment.” To which she replied: “It is not my teachable moment. However, it is our money. No more Internet banking for you!”

If I didn’t dislike vapid clichés like “it really makes you think” so much, I’d probably say that right now. I mean, it would be funny (but not ha-ha funny) enough if someone like myself fell for a phishing email, but the FBI Director?

I think the Soup Nazi-esque “no online banking for you!” response is extreme, although I can see how a high-profile figure like Mueller could have his reasons beyond just his own personal finances for going offline—namely, his very credibility.

For the rest of us, though, online banking and bill payment is still very safe, as long as you’re informed when it comes to the dangers. If you get an email that appears to be from a financial institution, don’t click on any links within that message. Go directly to that bank, credit union or credit card company’s website by typing the URL manually, or by running a search on Google, and log in from there. Of course, if it’s from an institution you don’t even have a relationship with, you’re pretty safe in assuming it’s phony.

The full text of Mueller’s speech is an interesting read, if you have a few minutes, by the way.