Tag Archives: Malware

Bride of Ridiculous Spam Friday

Hey, why not make “Ridiculous Spam Friday” a running gag? Here’s the best junk email from the past couple weeks. There are URLs displayed within the text of some of these—do not, under any circumstances, attempt to visit these websites.

Bachelor #1:

From: Blueprint Profits Fast Cash
Date: Monday, March 01, 2010 6:44 AM
To: [email address]
Subject: Learn Blueprint Profits and….Make Money

Blueprint for Profits   
Have you Heard? Millions of People are Making Money from Home!   
Hurry, Act Now and get Instant Access!   
Earn Money working from Home   
with Blueprint for Profits!   
Sign up today and qualify instantly!

Online Marketing Resources Care of Customer Service Center    
Unit 0480 PO Box 6945    
London W1A 6US United Kingdom   
If you’d prefer not to receive future emails from us
click here http://secreteconomy1.com/u/R7BHTH8t7bMuv6L2GVcOrw.html
or write to:
PO Box 85073 # 75575
Richmond, VA 23285-5073

I believe we can file this one under “B” for “Blatant Scam.” Yeah, I’ll bet it’s a “secret economy.” Secret as in “a criminal organization is behind this.” This is a great example of “unsubscribe” links to not click on. You do not want to tell these people they’ve hit a valid email address.

Bachelor #2:

From: order-update@amazon.com
Date: Friday, March 05, 2010 8:28 AM
To: [email address]
Subject: Amazon.com – Your Cancellation (476-381899-389120)

Dear Customer,

Your order has been successfully canceled. For your reference, here`s a summary of your order:

You just canceled order #303-094123-63755



Sold by: Amazon.com, LLC


Because you only pay for items when we ship them to you, you won`t be charged for any items that you cancel.

Thank you for visiting Amazon.com!

Earth`s Biggest Selection

What was interesting here is that the second link to Amazon was a valid link. However, the words “ORDER INFORMATION” linked to a website hosted in the Philippines. I guess the idea here is to trick you into thinking a real Amazon order has been cancelled. Are they assuming that everyone always has an Amazon order pending at all times? It’s hard to tell.

This last one may be an all-time classic. Bachelor #3:

From: Dr rachel joel <michael_steven00668288383733664@yahoo.co.jp>
Date: Thursday, March 11, 2010 3:09 AM
To: [email address]
Subject: I am presently at JFK International Airport


新しいメールアドレス: michael_steven00668288383733664@yahoo.co.jp


I am a Diplomat named Dr Rachel Joel sent to deliver your contract/inheritance fund of$8.3M to you. I’m presently in JFK international airport. You have to reconfirm your details, name,address,phone,occupation,identification. Call me on 718-690-9783

Dr Rachel Joel.

– Dr rachel joel

Wow. Dude is just sitting in an airport, hoping this email gets to the right person? What’s doubly weird is that, if you Google a few phrases from this message, there appears to be a whole horde of these guys wandering around JFK, waiting to give millions of dollars away to strangers. And why would Dr. Rachel Joel’s email address be “Michael Steven?” Actually, just look at all the numbers in that address; must take Dude forever to log in (which can’t be all that easy when you’ve been living in an airport for months).

Today’s examples are all pretty obvious scams. In order, I’m guessing they are:

  1. Fake money-making “system” that just charges you $70 per month for nothing (think “Google Works,” etc.)
  2. Malware site that installs keyloggers or gains control of your PC
  3. Nigerian 419 scam that will end with the victim wiring thousands of dollars overseas.

If you’ve received one of these messages or something similar (and you don’t run a blog about scams and fraud), the only way to respond to them is to delete them.

Ridiculous Spam Friday II: The Squeakquel.

The ludicrous spam just keeps on rolling in! I decided to run a second installment of Ridiculous Spam Friday this week.

No, I am not paying tribute to the Alvin and the Chipmunks movies with the title of today’s post. They’re terrible. I now tack the words “The Squeakquel” onto everything that’s a “part two” in a series because it cracks me up. Rocky II: The Squeakquel. See? Hilarious.

Anyway, here are three more examples of spam I received this past week. The crooks in this first case are hardly trying. Just like the people who made the Alvin and the Chipmunks movies. Ba-zing!

From: Support <Laura.Ferelli@service.amazon.com>
Date: Sunday, February 28, 2010 1:31 PM
To: <email address>
Subject: Confirm Order #05830659

Your Order Id:153517648031959 Accepted.

Thank you.
Amazon.com Customer Service

The word “Details” was linked to a website in Romania. I’m no expert on Amazon’s server setup, but I’m pretty sure their website isn’t hosted in Romania. I’m also completely certain it will have the word “Amazon” in the URL, no matter where it is hosted.

Here’s one that uses a real name and email address from Rady Children’s Hospital in San Diego. Everything else about it is fake:

From: Nespeca, Mark MD
Date: Monday, March 01, 2010 3:26 AM
To: chan@hotmail.com
Subject: You Have A Pick Up


You have a consignment containing a bank draft of 450,000.00 United States Dollars and gift items which await an outstanding payment of $240 .

For claims, Please confirm your ful name, home address, and telephone number with Mr. Garry Moore. Contact email and phone number are

tnt-services@admin.in.th and (+234) 802 378 8093 respectively.

Thank you.

Miss Margaret Hagopian

Of course, this is a pretty typical “Lottery Scam” setup. As often happens, there is some disagreement about who is sending the message. Is it Mark Nespeca (who apparently is a real doctor)? Is it Gary Moore? Miss Margaret Hagopian? Also, why would you be contacting a company in Thailand (.th) for something involving a hospital in San Diego? Nothing here makes sense at all. I’m sure $240 is just the tip of the iceberg. By the time you wired $8,000 overseas, you’d probably begin to suspect something.

I’ve noticed more scams and spam using real names and email addresses from real businesses lately. The thing is, their choices seldom make any sense. Why would a children’s hospital be giving you nearly half a million dollars out of the blue?

Our final contestant today is doing the exact same thing with another healthcare-related business (this time with Continuum Health Partners, based in New York, I believe). This time, it’s Nicholas “Patrick Chan” Romas, MD, Director of Hang Seng Bank. The offer isn’t some crummy $450,000, though:

From: Nicholas Romas, MD
Date: Tuesday, March 02, 2010 1:31 AM
To: chan45@8u8.com

Dear friend,

Greetings to you.

I’m Mr.Patrick Chan, Director of Hang Seng Bank.  I am contacting you because I have a 42 million

dollars business proposal for you. For details, contact me confidentailly at  p.chan45@8u8.com

Thank you

Mr. Patrick Chan

Business Proposal

This message and any attachments are confidential and intended solely for the use of the individual or entity to which they are addressed.  If you are not the intended recipient, you are prohibited from printing, copying, forwarding, saving, or otherwise using or relying upon them in any manner.  Please notify the sender immediately if you have received this message by mistake and delete it from your system.

Name confusion, geographic confusion, it’s all here. The confidentiality notice at the bottom is a cute touch, too. It makes it look like you’re getting some kind of secret information that’s going to help you get your mitts on $42 million.

All three of these are similar, insofar as they’re using the names of real companies to lure victims. I’ll also bet you a buck fifty those last two come from the same person or persons. One has chan@hotmail.com in the recipient line and the other has chan45@8u8.com. Too similar to be a coincidence.

I don’t know exactly what these people are trying to accomplish with these messages. The first one looks like a malware attempt, and the other two are lottery-style scams. I’m not pursuing them to find out! As always, delete with extreme prejudice.

Chile Earthquake Scams: yet another preemptive strike.

I don’t think you’d need to be a rocket surgeon to guess that Chile Earthquake Scams are already well underway. I once posed the hypothetical, “How long does it take a crook to turn something into a scam, four minutes?”

Turns out I wasn’t giving the con artists enough credit. My new estimate is 30 seconds.

The same rules apply here as when dealing with possible Haiti Earthquake Scams. Be extremely wary of unsolicited charity donations. The best way to help is to contact your favorite organization first and turn down all other requests.

There is a short article on the topic at Scambusters that identifies a couple additional threats beyond fake charities, and both involve malware.

Basically, if a stranger sends you alleged photos of the earthquake damage, do not open these attachments because they are infected with a virus. In fact, don’t even open the message at all. There is plenty of footage coming in through official news sources.

Also, beware of fake news stories that come up in search engines. These can lead to websites that are infected with malware as well. According to the Scambusters article, these sites were up within hours of the earthquake. Just go directly to your favorite news source’s website and get your information from there. Many will even have a list of trustworthy resources if you want to donate to relief efforts.

Online security: teach your children well.

I don’t have any kids yet, but I know a few people who do.

Okay, so I know more than a few. I know many, and almost all of them have something in common: their computers are constantly being infected with viruses, trojans and other types of malware. I’m not talking about the occasional adware popup or tracking cookie—these machines are usually just crawling with malicious software.

There’s sort of an old myth that your twelve year old is always going to know more about the computer than you. Perhaps this is true when it comes to first-person shooters and making goofy videos, but kids don’t know everything about computers, and security is one of those areas where they generally seem to lack the fundamentals.

Of course, they’re invincible, too. There’s always that. Ask them sometime; “Is it even possible that you might run into a virus on the Internet?” They’ll probably look at you like you’re an idiot. Again.

But it happens, and it seems to happen a lot. You’ve got to educate your kids about malicious software, because a keylogger doesn’t care who downloads itself; it’s going to send login and password information, whether it’s to a Facebook profile (bad news) or your financial accounts (worse).

First, if you’ve got kids using the Internet, try to keep an eye on them at least some of the time. Since this is impossible, though, make sure you’re using Firefox with the NoScript plug-in. No Internet Explorer! There are more holes in that browser than a hunk of Swiss.

Secondly, learn about the various dangers yourself, and make sure you warn your kids. No kid is going to be able to resist “lol is this you?” or “lol funny video” followed by a shortened URL, unless someone tells him that such links lead only to malware.

Thirdly, obtain the burliest antivirus and firewall software you can afford, and pay the money to keep it updated. This is vital anyway, but if you’ve got kids clicking a mile a minute on Facebook and Twitter, you really need to take maximum precautions.

I suppose you could try to limit your kids’ access to the Internet, but you could also try to wrestle a grizzly bear while you’re at it. Good luck with that one.

Finally, consider getting your own computer or laptop that the kids aren’t allowed to even touch, and use that one for business and banking. At least your accounts will be safe(r), assuming you’re taking the necessary precautions on this computer as well.

Okay, does this post officially put me in the “old person complaining about young people” camp? It does sort of have that “I tell ya, the kids today, with their Facebooks and their Twitters” flavor, doesn’t it?

I don’t know, but I know it’s important to get your kids hip to the dangers of malware as soon as you can. Your own financial security may depend on it.

Ridiculous Spam Friday

I’ve been getting a lot of really ludicrous spam lately. Below are three examples. This first one was barely even trying:

From: sgh12345@sg1es.tnc.edu.tw
Date: Monday, February 15, 2010 8:49 AM
To: undisclosed-recipients:
Subject: You’ve Won

You’ve been awarded (500,000.00GBP) from microsoft lottery for claims send info:full name, address, age, country,to mr stephen scott via email to msnclaim@movmail.com

Interesting that someone from Taiwan (.tw) would be sending a message to an American about a prize of British Pounds. Also weird how an alleged representative of Microsoft would forget to capitalize the company name, not to mention direct you to a non-Microsoft website.

Next up, an exciting offer from Robert “Sgt. Lee Johnson” Brhel, who is either in Hong Kong (.hk) or Iraq, he’s not quite sure:

From: Robert Brhel
Date: Friday, February 12, 2010 6:47 PM
To: none
Subject: Please send your reply to this E-mail address:  sgtlee1971@yahoo.com.hk

My name is Sgt. Lee Johnson, a member of the U.S. ARMY USARPAC Medical Team, which was deployed to Iraq in the beginning of the war in Iraq. Please do visit the BBC website stated below to enable you have insight as to what I’m intending to share with you, believing that it would be of your desired interest one-way or the other.
     Also, could you get back to me having visited the above website to enable us discuss in a more clarifying manner to the best of your understanding. Please send your reply to this E-mail address:  sgtlee1971@yahoo.com.hk
Sgt. Lee Johnson.

I left the link intact in this one because it leads to a legitimate news story. From seven years ago. Even if this message was real (which it’s not), I’m pretty sure somebody has found a home for that cash by now.

This is actually a pretty common variation on the old Nigerian 419 scheme. This time, it’s “I’m a soldier and I found a pile of money in whatever-country-I’m-fighting-in,” which inevitably leads to, “Hey person-I’ve-never-met, want to share it with me? Just wire me some money first.” As always, the “delete” key is your friend.

Finally, an attempt to infect your computer (and probably add it to some malicious botnet), wrapped up in a fake message from a real anti-fraud organization:

From: “National Health Anti-Fraud Association” <admin@nhcaa.org>
Sent 2/13/2010 1:39:53 AM
To: [removed]
Subject: Complaint registered against you

We have received a complaint regardding transaction No: 8711322 dated 01/28
/2010 in value of $ 2.871,00 representing the check issued by your company
to Fillmore Inc that was later deposited in the companies bank account.
If you feel this is an error please review the attached complaint document and contact us imediatly with proof to clear out this situation.
The copy of the check issued to your name is attached to this email as well as the original complaint.
Please call at 800-2661-7711 to sort out this situation. Your email was pro vided by the persson that filed the complaint.
You can also get in touch with our staff using the information on our websi

NHCAA – National Health Anti-Fraud Association

This one contained a virus-infected attachment. The clever part here is that they used a real website…that deals with fraud prevention. Gutsy, although I’d posit that most legit messages aren’t going to contain mangled spelling like ”imediatly.” I mean, that’s not even close, is it?

NHCAA.org is already aware of this message; there’s a warning on their front page. Attempts to scare people into opening attachments seem to be the flavor of the month. Any time you get an urgent message accusing you of something and instructing you to open a file, you can assume it’s fake. Whatever you do, leave those attachments alone.

Virus Alert: “Your internet access is going to get suspended.” (ICS Monitoring Team)

This email has been around for at least a couple years. Full text:

From: ICS Monitoring Team
Sent: Tuesday, February 09, 2010 2:48 AM
To: [email address]
Subject: Your internet access is going to get suspended

Attachment: report.zip

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

ICS Monitoring Team

If you get this message, or anything similar, delete it immediately, and whatever you do, don’t open that attachment. It’s a virus.

I don’t know exactly what sort of malware is attached, but if I had to guess, I would assume it contained some form of software that could be used to remotely gain control of your computer. These “zombie computers” can then be used as part of a “botnet” to commit other crimes. In fact, a search for “ICS Monitoring Team” returned at least one link that appeared to be software that would allow you to remotely control other computers on a network.

They were really going for the jugular with this one, weren’t they? The fact is, a lot of people download copyrighted material, so they’ve got a lot of potential victims. Your first reaction upon reading something like this would probably be a small jolt of panic, whether you’ve been downloading stuff or not. The social engineering angle here is as brilliant as the grammar and spelling are execrable. “Consorcium?” Really?

Whatever you’ve been getting up to online, this message isn’t related to it. It’s just another attempt to infect computers with some kind of bad juju. I’m not saying you should keep ripping off copyright holders. Sometimes those BitTorrents are infected with stuff, too. And remember that one kid the entire music industry practically wanted to execute nine or ten years ago? People run into trouble that way.

However, if you do get caught, most likely your Internet service provider will just shut you down with very little explanation beyond “terms of service violations.” Some third party isn’t going to be given that power, at least not in the run-of-the-mill instances.

Ransomware: It’s a fake virus scanner, only more violent.

Last September, I wrote about fake virus scan pop-ups that you sometimes encounter while using a web browser, sometimes known as “scareware.”

What I didn’t cover was a class of malicious software known as “ransomware,” the fake virus scanner’s more violent cousin. The difference?

  • Scareware: tries to trick you into purchasing useless software and probably installs spyware, adware and other malware.
  • Ransomware: poses as a virus scanner, but locks up your computer and forces you to purchase useless software to unlock your computer. Also likely installs a bunch of other malware, in addition to the fact that you’ve just given criminals your credit card number.

It’s kind of the difference between a con artist and a mugger, I guess.

There’s no real way to tell offhand whether a fake virus scan pop-up window is scareware or ransomware. It doesn’t really matter—you don’t want it either way. The same rules for prevention apply in both cases.

Both start the same way: you visit a website and a window pops up that tells you your computer is infected with a virus. The pop-up almost always has an “OK” and a “Cancel” button. Do not click on either of these, because they both install the malware.

You can click on the “X” in the upper-right corner of the window, but I don’t even like to do that. I use “CTRL-ALT-DEL” to force the browser to close. I think the Mac version of “CTRL-ALT-DEL” is “Command-Option-Escape.”

After I’ve shut down the browser, I run a virus scan and a spyware scan. It’s sort of a pain and it takes a while, but too many people value convenience over security, and they end up paying for it. There are very few instances in which it’s not possible to find something else to do while your virus scanner runs. You don’t have to be on the Internet 24/7, you know.

Now, I’m not one to tell anybody what brand of web browser to use, but I will say one thing on the topic: since I switched from Internet Explorer to Firefox with the NoScript plug-in, I haven’t had a single scareware window pop up. I’m not telling you what to do. I’m just sayin’.

Also, I know it costs money, but you cannot afford not to do it: install some good antivirus software, keep it updated and keep your subscription current. Norton, McAfee, Kaspersky; I don’t care which one you use, just use something. No, it’s not super cheap, but if you’d rather shell out $79 to unlock ransomware than spend $69 on actual protection…well, in that case I think there’s just something the matter with you.

Finally, for an extra level of protection, install the excellent (and free!) Spybot Search & Destroy. Yes, right now. There is one annoying thing about this software, though, and it’s Microsoft’s fault: in Windows Vista and Windows 7, in order to run S&D properly, you can’t just click on the icon. You have to right-click the icon and select “Run as administrator.” You won’t be able to actually remove anything if you skip this step.

There’s a recent story about ransomware at MSNBC, with a video that shows the malware in action (and actually shows you how to unlock it with hacked registration codes).

Fraudulent Facebook email contains malware attachment.

There’s a new fake email message making its way around the web the last few months. This time, it targets Facebook users.

The messages all have something to do with your Facebook password, using subject lines such as “Password Reset Confirmation Email.” They contain an attachment that is supposed to be your new password, but is actually a pretty nasty Trojan horse program that opens your computer up to a variety of attacks. One of these programs is known as Bredolab, and it’s just bad news all around. Below is the text of an example message from “The Facebook Team:”

Because of the measures taken to provide safety to our clients your password has been changed. You can find your new password in attached document.


The Facebook Team

There are other fake Facebook messages that try to lure victims with a “New Login System” message and contain a disguised link. In this case, it seems to be a pretty standard password-stealing attempt, but given the amount of malware that can be spread and the fraud that can be committed with a hacked Facebook account, it could lead to much worse problems than someone just messing with your Facebook page.

Facebook is never going to send you an email message with your password as an attachment. In fact, they’re never going to send you an attachment at all. If you get one of these messages, hold your cursor over the link (DO NOT CLICK) and you’ll see that the message actually takes you to a non-Facebook website (most likely hosted overseas).

Furthermore, Facebook isn’t going to “confirm” your request for a password reset unless you’ve actually requested it, and any links contained in these messages will be hosted at Facebook.com, not a website with just an IP address (numbers separated by periods, as in “123.45.678.90”), and not a website hosted overseas.
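The “hover over the link and look where it really goes” advice above, and the same point made earlier about the fake Amazon messages (“Details” and “ORDER INFORMATION” linked to hosts in Romania and the Philippines), can be turned into a small automated check. The script below is an added example, not code from this blog or from Facebook; it parses the anchors out of an HTML message body and flags a link when its host is a bare IP address, when it is not under the domain you expect, or when the visible link text shows one domain but the `href` points somewhere else. The sample message and the `.test` hostnames are constructed for the example, and `registered_domain` uses a simple “last two labels” heuristic, which is an assumption that works for `.com`-style names but not for suffixes like `co.uk`. Pass `"amazon.com"` as the expected domain to run the same check over an Amazon-themed message.

```python
"""Flag suspicious links in an email body: bare-IP hosts, hosts outside the
expected domain, and visible text that disagrees with the real destination."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake password-reset messages described in
# the post. The hosts ending in .test are placeholders, not real sites.
SAMPLE_HTML = """
<p>Your password has been changed. <a href="http://123.45.67.89/fb/reset">Get new password</a></p>
<p>Please <a href="http://example-ph.test/fb/login">update your login</a> to keep your account.</p>
<p>Help center: <a href="https://www.facebook.com/help">www.facebook.com/help</a></p>
<p>Log in at <a href="http://login.facebook.com.example-ro.test/">https://www.facebook.com/login</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: 'login.facebook.com' -> 'facebook.com'.
    Heuristic assumption: fine for .com-style names, wrong for co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_bare_ip(host):
    """True when the link host is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Matches link text that itself looks like a URL or hostname, e.g. "www.x.com/y".
URL_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")


def check_link(href, text, expected_domain):
    """Return the reasons a link is suspicious; an empty list means it passes."""
    reasons = []
    host = urlparse(href).hostname or ""
    if is_bare_ip(host):
        reasons.append("bare IP address instead of a hostname")
    if registered_domain(host) != expected_domain:
        reasons.append(f"host {host!r} is not under {expected_domain}")
    shown = URL_IN_TEXT.fullmatch(text.strip())
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        reasons.append(f"visible text shows {shown.group(1)!r} but link goes to {host!r}")
    return reasons


def audit_links(html, expected_domain):
    """Run check_link over every anchor in the message body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text, expected_domain))
            for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_HTML, "facebook.com"):
        status = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"[{text}] -> {href}\n    {status}")
```

Only the help-center link passes; the other three are flagged for exactly the reasons the post lists: a numeric address, a host that is not facebook.com, and link text that claims facebook.com while the real destination is elsewhere.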

Once again, a new threat just goes to reinforce the old rules of thumb: never open an attachment in an email message you weren’t expecting, and never click on links in an unsolicited email message without verifying first that the message is legitimate.

What is the deal with Facebook and Twitter lately? It seems like they’ve both been targets of an awful lot of phishing, fraud and malware activity these past few months.

Both sites have astounding numbers of users—I recently heard that if Facebook was a country, it would be the fourth most populous in the world, just behind the U.S.—so I imagine it has to do with the sheer numbers involved. When you’ve got over 300 million potential victims, even a 0.1% success rate (1 in 1,000) is a pretty large number of people.

Fraud/Malware Alert: Intelligence Bulletin No. 267

Here is some text from a fraudulent email that’s been popping up lately:

Title: New Patterns in Al-Qaeda Financing
Date: August 15, 2009


HANDLING NOTICE: Recipients are reminded that FBI Intelligence Bulletins =ontain sensitive terrorism and counterterrorism information meant for us= primarily within the law enforcement community. Such bulletins are not =o be released either in written or oral form to the media, the general p=blic, or other personnel who do not have a valid ?eed-to-know?with=ut prior approval from an authorized FBI official, as such release could jeopardize national security

All the spelling errors and odd characters are exactly as they appear in the message.

Do I even need to tell you this one is fraudulent?

If so, it is.

Furthermore, the message often contains a file named “bulletin.exe.” If you open this file, it will install malicious software on your computer, which can lead to serious problems (like fraud and identity theft).

The FBI does not email official reports, nor does it send unsolicited email messages. If a document is confidential, they’re going to keep it that way.

Whenever you get an email message you weren’t expecting, from someone you don’t know, use extreme caution when dealing with it. My advice is to not even open unsolicited messages, and delete them right away. However, at the very least, never click on links or open attachments in emails unless you already know what the file (or link) is, why it’s being sent to you, and who sent it.

How phishing and work-at-home schemes work together

I just read a really eye-opening report from the Internet Crime Complaint Center (IC3) about how phishing emails, fraudulent ACH transactions and work-at-home schemes can be connected.

It starts with a “spear-phishing” message. Spear-phishing is a targeted form of phishing, made to look like it comes from someone you know, possibly a friend or employer. This message, rather than the usual phishing angle (“click this link to verify your account information”) will either contain a malware-infected attachment, or will link to a website that infects the user’s computer with malware.

This malware includes a keylogger program, which sends a record of keystrokes back to whoever originated the scheme. Once the victim logs into one of their financial institution accounts, this information is relayed back to the crooks.

At this point, the crooks will use either wire or ACH transfers to remove money from the victim’s account. However, it doesn’t end here.

The next victims in the process are those who have fallen for some form of work-at-home scheme (usually “processing payments” or similar). The money stolen from the first victim is wired into an account held by the next victim, who then transfers it back to the criminals, thinking they are actually processing a “payment” from the original victim.

So, they’re not just logging keystrokes to steal money from one group, they’re using a second set of victims to launder the money for them.

It would be brilliant if it weren’t so slimy.

This got me thinking about US Surveys, Inc., which I wrote about a couple months ago. In doing research on this obvious mystery shopper scam, I actually came across a few victims who, at least for their first “assignment,” had actually made around $100. “They wired $900 into my Citibank account, then had me wire $800 back to them.” It was only on their second “assignment,” when they were asked to wire their own money first, that they began to wise up.

I thought that was kind of weird at the time. Were they actually paying you the first time just to earn your trust? It seemed like an awfully big gamble, since people were realizing that it was a scam soon afterwards (not to mention the risk of someone just taking the $900 and running).

Now it makes sense. The initial $900 was probably money stolen from a spear-phishing victim. That $100 these people had made was their payoff for helping someone launder money. They weren’t being ripped off initially, but they were helping a criminal conceal the source of funds.

The second, “Now wire us your money first” assignment was probably just an attempt at an extra payoff on their way out the door; by that point, the original victim (whose money was being laundered in the first transaction) had most likely discovered the fraud and locked the account. Thieves have to move quickly from victim to victim these days.

What all this leads me to is the following:

  1. Keep your virus protection up-to-date
  2. Learn about different types of scams so you’ll know what to watch for
  3. Do not become involved in work-at-home schemes that involve “processing payments” or wire transfers; these are money laundering schemes; the only real ways to legitimately work at home are to start your own business, or to work for a company that allows telecommuting
  4. The multi-level integration of these different types of fraud is terribly sophisticated; this is organized crime
  5. Because of #4 above, your best bet is just to avoid, avoid, avoid. Lose any big ideas you might have about trying to “scam the scammers”
  6. If you are a victim of this type of crime, in addition to the standard credit locks and police reports, file a complaint with the IC3; your information could help federal law enforcement stop this type of crime in the future.