Here’s a screenshot of an email message I got the other day (click to enlarge):
There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:
The yellow “Accept” button
The white “Ignore Privately” button
“Marva Leonard”
“Unsubscribe”
“Learn why we included this”
Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):
I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.
If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.
Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:
Unless you know who the message is from and what it contains, never click on that box.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
* * *
eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?
By mousing-over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouseover, that’s a good indication of foul play.
In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!
You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”
Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.
Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and other criminal activity.
Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.
This is the text of a spam/phishing email I received on January 3, 2012. It slipped right past the spam filters (my notes are bold and in brackets):
From: Fraud Monitoring
Subject: CRITICAL: There may be a change to your Experian credit-score
ALERT: There may have been a change to one of your 3 credit-scores!
Your Experian, Equifax & TransUnion Scores are your Ticket to a New car, Credit-cards, a Mortgage & more!
Poor 301-600
Good 600-700
Excellent 700-849
View Your Up-to-the-minute Credit-Scores Now, It’s On Us! Click here.
[note: there were about twenty blank lines here]
To no longer receive notifications and updates about this offer, please use this safe unsub link.
[note: the following was in tiny white text, which made it invisible until you highlighted it]
Zuzim in which he would hardly with great deep sleep to Simeon and found there. And planted a mixed multitude of the man, and he can bear. Behold, to us, and I will send thee will harden the Egyptians in the daughters of Zibeon and kissed him, and thou art gone out to see the Red Sea; there is better that shall be buried him the children, or bad. And Jehovah went down, and thy hand of the people go, that my venison, and tarried there was dead, and go in the seven ears, withered, thin, well favored. Haste ye, and the men into the goats: and bring it was returned in them, and begat Lamech. And the land of Rebekah said unto the king of the righteous with the nakedness of the sheep, and begat a dream, and, behold, his sons, Shem, and ye to Paddan-aram. And Noah were both the sword. And when he made me in the thing was grain which he believed in blessing I pray you, and our God, the third stories shalt keep it; and will not who knew not regard not so to my signs in our land was good. And chose him for an officer of the children of the children of the generations ye shall eat every tree or not. And it unto him, Abraham. And he had, in at the water in the sons of the first-born. And he said, Behold now, Jehovah came in the same is the windows of thee. And God called Esau her son, while he did eat their generations. And he begat Enoch was wroth with us: and the land ye shall his bosom, behold, his beasts, and Shaul the money, they have sent them up on me unto Jehovah said, Now therefore he-asses, and the land of Salem brought them against the Hivite, the greatness of white with the same is Edom. And he had done this place. And Joseph said when we found: know him. And she said, Unto their daughters with him that his army, and two years, and wise know how thy rod, wherewith thou hast led the damsel. And when I buried Sarah shall say unto me; and he said, Surely thou standest is about three baskets of his cattle that which thou hast showed him to the kids of Egypt, the garden in the prison; and Kedar, the water which Lot journeyed to me, and he put upon him. And the Hebrews’ children. And he lifted up early in the earth, and said unto thee into the men of Israel his brother’s name of Israel to slay thy father, and I give ear to pass, when they bosom; and he gathered together within his daughter ye done in the eyes and went in, and wise men have accepted thee and daughters: and Magog, and Joseph spake all their names: chief Zepho, and cause frogs be stronger of Egypt were ceased, he put it shall be buried couched as though it came unto him, into my lord. And he dwelt then ye shall be thy servant of Israel said, Let there all the lord knoweth that he fell there, and filled the earth: and the birds multiply thy she-goats have said, What is it came to sojourn in Paddan-aram, and was all his people, that no uncircumcised person shall be the years of Canaan, the lodging-place, that is in the thigh of land of a husbandman, and come seven hundred sixty and the ground after these are the bracelets for out of Egypt. Then Joseph understood them;
[note: the following was fully visible text]
All of a sudden, I was hearing stories about how difficult I was to work with, ridiculous rumors about drugs and what a diva I was. I never had to go to rehab or a program.
[note: it concluded with this footer image]
I thought it might be useful to point out a few things about this message.
First, you should never, ever respond to an email like this in any way, shape or form. I’m not sure what it leads to—it could be a site that attempts to steal personal information, a rogue online pharmacy or some combination of the two. Even clicking the “safe unsub link” could lead to problems.
Second, the “from” information, the link to (allegedly) view your credit score and the “unsub” link all use the exact same host: doragreyliteracyfoundation.com.
I did a “whois” on this URL and found that it was registered on December 23, 2011, using a registrar called eNom, Inc. Four things about this fun fact:
The website was registered eleven days before the message was sent, yet they somehow already had my email address.
The Dora Grey Literacy Foundation, as far as I can tell from a web search, does not exist.
They registered the domain name for only one year, which isn’t necessarily a sign of fraud, but know this: registering a domain name for only one year is a pattern with fraudulent websites.
Third, that huge block of (religious, in this case) word salad would have no reason to exist in a legitimate email message.
Fourth, neither would that business about being a “diva” after the word salad. I looked it up; it’s a quote from Irene Cara. Yeah, the person who sang “Fame” and played Coco Hernandez.
Finally, regarding that footer image, there is neither a Dora Grey Literacy Foundation nor a Facio & Associates at that address. “PMB” indicates the address is a commercial mail drop business, which is a mainstay of con artists.
Amazing what you can learn with a little research, isn’t it?
Note: for maximum atmosphere, first scroll to the bottom of this post and play the YouTube video, and listen to the music while you read.
The night meowed at the window of the dingy third-floor office on the wrong side of town like a housecat left out in the rain, trying to draw my gaze from the hand of solitaire laid out on the desk between half-empty cups of cold coffee, old newspapers and an ashtray spilling over with stale butts. I glanced at the window and shuddered for some reason, then wondered who left all the spent Chesterfields there, seeing as how I don’t smoke. They made a good prop, though, so I returned to my cards. If I could just find the other red queen, I was set.
It was the kind of night that slithers through the gutters and alleyways, around garbage cans and dumpsters, up fire escapes and into the ventilation. It always finds a way in, always creeps up behind you, always gets you in the end. There was a knock at the door, and a woman entered.
She was one sad-luck dame by the look of her, all switchblade sadness and razor gloom, whatever that means. She was carrying a laptop computer (which seemed anachronistic given the setting, but this was the Fraud Prevention Unit, and these newfangled bean-counters were the rule these days).
She just stood there for a minute and looked unsure. “Are…are you the one they call ‘Sledge?’”
“That’s me,” I said. “Hank Sledge, Private Fraud Investigator.”
“Oh. I…oh.” She swayed on the spot, as if trying to decide something.
“C’mon, spill it, sister,” I spat.
“Well, it’s just…I got this email the other day and I don’t know what to do.”
I looked at the gray computer tucked under her arm. “And you figure some mug’s got you pegged as an easy mark? Toss that mill up here on the table. Let’s see what we got.”
She placed the laptop on the desk and hit the power button. It took a minute to start up, and the awkwardness hung in the air like burnt toast. “So…um…read any good books lately?” I started to say, but the machine was ready.
“This one right here,” she said, and I read the email.
The message said it was from Facebook, and if it was a ringer it was a darn good one. It went like this:
From: Facebook <notification+tnejvqakyz@notifierfacebook.com> Subject: You have 3 lost messages on Facebook…
At the bottom was a green button that said “Frequently Asked Questions.”
“Did you click on anything in this mess?” I said.
“No, I don’t think so.”
“You can’t think so. You either clicked or you didn’t. Think hard.”
“No, I didn’t. Jeez. Jerk.”
“Sorry ma’am. Hardboiled crime fiction. I have to talk to everybody that way.”
“Oh.’”
“Anyway,” I continued, “it’s good you didn’t click. This is a swindle through and through. See this?” I showed her the message header. “If it was from Facebook, it wouldn’t be coming from some ‘notifierfacebook.com’ domain.”
“And check this out.” I moused over the link. “It says ‘facebook.com,’ but it’s disguised. Every link in the message takes you to this weird ‘winesofworld.org’ website. Classic phishing message. These punks either want to infect your computer with malware or steal your password. There’s also the crummy English; see where it says, ‘to recover a messages?’ Makes no sense. Finally, there’s no such thing as ‘lost’ messages on Facebook.”
Her eyes were dinner plates. “So what do I do with it?”
“If I was you, lady, I’d drill it with my heater,” I spat.
“What?”
“Just delete it.”
“Oh,” she said, and snapped the laptop shut. “Okay, cool. Thanks. Nice hat, by the way.”
I nodded thanks as she disappeared out the door and went back to my game. Black eight to red nine. The card underneath was the queen of diamonds. “There’s my lady,” I murmured over the lonesome wail of a siren echoing across the night.
Often, phishing emails are tricky because they contain an offer that many people would find tempting. This one I received over the weekend does not have that problem:
From: Dr Lawrence Burns <test@mir-grp.com>
To: ss@yahoo.com
Subject: YOUR BANK DRAFT
Dear Friend,
It is my pleasure to let you know about my success in getting those fund transferred under the cooperation of a new Partner from Greece. I didn’t forget your past efforts to assist me in transferring those funds.
Now contact my secretary Mr. Goodluck Okeke his email is (good_okeke@w.cn) ask him to send you the total $3.2 certified bank draft which I raised for your compensation so feel free and get in touched with him and give him your Address such as Full name Home address direct phone number where to send the draft.
Let me know immediately you receive it for us to share the joy. I am very busy here with investment projects which I am having at hand, finally, I left instruction to the secretary on your behalf, so feel free to get in touch with him.
Best regards,
Dr Lawrence Burns
$3.2? As in three dollars and twenty cents?
I don’t want to come off as some kinda spoiled, complacent jerkface here, Doctor Larry, but that seems like an awful lot of work for $3.20.
Obviously, they left out the word “million” and I’m just being snarky here, but there are some interesting things. We’ve got the usual email-address-salad going on here, with the mysterious “mir-grp.com” domain, the China-based “w.cn,” and someone at yahoo.com. We’ve also got a mention of someone named “Goodluck,” which is apparently a popular first name in (wait for it…) Nigeria.
In other words, all the evidence of a Nigerian 419 scam is present and accounted for.
Posted by Clint 
