Tag Archives: Phishing

Spam Dissection: There may be a change to your Experian credit-score

This is the text of a spam/phishing email I received on January 3, 2012. It slipped right past the spam filters (my notes are bold and in brackets):

From: Fraud Monitoring
Subject: CRITICAL: There may be a change to your Experian credit-score

ALERT: There may have been a change to one of your 3 credit-scores!

Your Experian, Equifax & TransUnion Scores are your Ticket to a New car, Credit-cards, a Mortgage & more!

Poor 301-600
Good 600-700
Excellent 700-849

View Your Up-to-the-minute Credit-Scores Now, It’s On Us! Click here.

[note: there were about twenty blank lines here]

To no longer receive notifications and updates about this offer, please use this safe unsub link.

[note: the following was in tiny white text, which made it invisible until you highlighted it]

Zuzim in which he would hardly with great deep sleep to Simeon and found there. And planted a mixed multitude of the man, and he can bear. Behold, to us, and I will send thee will harden the Egyptians in the daughters of Zibeon and kissed him, and thou art gone out to see the Red Sea; there is better that shall be buried him the children, or bad. And Jehovah went down, and thy hand of the people go, that my venison, and tarried there was dead, and go in the seven ears, withered, thin, well favored. Haste ye, and the men into the goats: and bring it was returned in them, and begat Lamech. And the land of Rebekah said unto the king of the righteous with the nakedness of the sheep, and begat a dream, and, behold, his sons, Shem, and ye to Paddan-aram. And Noah were both the sword. And when he made me in the thing was grain which he believed in blessing I pray you, and our God, the third stories shalt keep it; and will not who knew not regard not so to my signs in our land was good. And chose him for an officer of the children of the children of the generations ye shall eat every tree or not. And it unto him, Abraham. And he had, in at the water in the sons of the first-born. And he said, Behold now, Jehovah came in the same is the windows of thee. And God called Esau her son, while he did eat their generations. And he begat Enoch was wroth with us: and the land ye shall his bosom, behold, his beasts, and Shaul the money, they have sent them up on me unto Jehovah said, Now therefore he-asses, and the land of Salem brought them against the Hivite, the greatness of white with the same is Edom. And he had done this place. And Joseph said when we found: know him. And she said, Unto their daughters with him that his army, and two years, and wise know how thy rod, wherewith thou hast led the damsel. 
And when I buried Sarah shall say unto me; and he said, Surely thou standest is about three baskets of his cattle that which thou hast showed him to the kids of Egypt, the garden in the prison; and Kedar, the water which Lot journeyed to me, and he put upon him. And the Hebrews’ children. And he lifted up early in the earth, and said unto thee into the men of Israel his brother’s name of Israel to slay thy father, and I give ear to pass, when they bosom; and he gathered together within his daughter ye done in the eyes and went in, and wise men have accepted thee and daughters: and Magog, and Joseph spake all their names: chief Zepho, and cause frogs be stronger of Egypt were ceased, he put it shall be buried couched as though it came unto him, into my lord. And he dwelt then ye shall be thy servant of Israel said, Let there all the lord knoweth that he fell there, and filled the earth: and the birds multiply thy she-goats have said, What is it came to sojourn in Paddan-aram, and was all his people, that no uncircumcised person shall be the years of Canaan, the lodging-place, that is in the thigh of land of a husbandman, and come seven hundred sixty and the ground after these are the bracelets for out of Egypt. Then Joseph understood them;

[note: the following was fully visible text]

All of a sudden, I was hearing stories about how difficult I was to work with, ridiculous rumors about drugs and what a diva I was. I never had to go to rehab or a program.

[note: it concluded with this footer image]

Footer from spam message, 01/03/12

I thought it might be useful to point out a few things about this message.

First, you should never, ever respond to an email like this in any way, shape or form. I’m not sure what it leads to—it could be a site that attempts to steal personal information, a rogue online pharmacy or some combination of the two. Even clicking the “safe unsub link” could lead to problems; at the very least it confirms to the sender that a live person reads this address.

Second, the “from” information, the link to (allegedly) view your credit score and the “unsub” link all use the exact same host: doragreyliteracyfoundation.com.

I did a “whois” on this domain and found that it was registered on December 23, 2011, using a registrar called eNom, Inc. Four things about this fun fact:

  1. The website was registered eleven days before the message was sent, yet they somehow already had my email address.
  2. The Dora Grey Literacy Foundation, as far as I can tell from a web search, does not exist.
  3. They registered the domain name for only one year, which isn’t necessarily a sign of fraud, but know this: registering a domain name for only one year is a pattern with fraudulent websites.
  4. As of October 2010, eNom, Inc. was the registrar for around 40% of rogue online pharmacy sites, according to a source cited at Krebsonsecurity.com.
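The WHOIS check above can be scripted. The following is an added example, not code from the original post: it parses a constructed WHOIS record (the registrar and dates come from the post; the record layout is an assumption modelled on typical registrar output) and flags a domain that was registered only days before the message arrived, or for a single year. The field labels it recognises cover common registrar formats but not every one.

```python
import re
from datetime import datetime

# Constructed sample WHOIS output. The registrar and the dates are the ones the
# post reports for doragreyliteracyfoundation.com; the field layout is an
# assumption modelled on typical registrar responses.
SAMPLE_WHOIS = """\
Domain Name: DORAGREYLITERACYFOUNDATION.COM
Registrar: ENOM, INC.
Creation Date: 2011-12-23T00:00:00Z
Registry Expiry Date: 2012-12-23T00:00:00Z
Updated Date: 2011-12-23T00:00:00Z
"""

# Registrars label the same fields differently; accept the common variants.
FIELDS = {
    "created": re.compile(r"^(?:Creation Date|Created On|Registered On):\s*(\S+)", re.I | re.M),
    "expires": re.compile(r"^(?:Registry Expiry Date|Expiration Date|Expires On):\s*(\S+)", re.I | re.M),
    "registrar": re.compile(r"^Registrar:\s*(.+?)\s*$", re.I | re.M),
}

def parse_date(text):
    """Parses the date layouts commonly seen in WHOIS output into a date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {text!r}")

def parse_whois(text):
    """Extracts registrar, creation date and expiry date from raw WHOIS text."""
    record = {}
    for key, pattern in FIELDS.items():
        match = pattern.search(text)
        if not match:
            raise ValueError(f"WHOIS output has no {key} field")
        record[key] = match.group(1)
    record["created"] = parse_date(record["created"])
    record["expires"] = parse_date(record["expires"])
    return record

def domain_age_signals(whois_text, seen_on, young_days=30):
    """Scores a sender domain against the date the message was received.

    seen_on is an ISO date string such as "2012-01-03". Returns the domain's
    age in days on that date, the length of the registration term, and a list
    of human-readable signals. A young domain or a one-year term is not proof
    of fraud, but both are typical of throwaway phishing infrastructure.
    """
    record = parse_whois(whois_text)
    seen = parse_date(seen_on)
    age_days = (seen - record["created"]).days
    term_days = (record["expires"] - record["created"]).days
    signals = []
    if age_days < 0:
        signals.append("creation date is after the message date (check the record)")
    elif age_days < young_days:
        signals.append(f"domain was registered only {age_days} days before the message")
    if term_days <= 366:  # one year, allowing for a leap day
        signals.append("domain was registered for a single year")
    return {
        "registrar": record["registrar"],
        "age_days": age_days,
        "term_days": term_days,
        "signals": signals,
    }

if __name__ == "__main__":
    result = domain_age_signals(SAMPLE_WHOIS, "2012-01-03")
    print(result["registrar"], result["age_days"], result["term_days"])
    for line in result["signals"]:
        print(" -", line)
```

Run against the constructed record with the date the message arrived, it reports an eleven-day-old domain on a one-year term, which is exactly the pair of facts the post dug out by hand. Feed it the output of a real `whois` command and it does the same for the next suspicious sender.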

Third, that huge block of (religious, in this case) word salad has no reason to exist in a legitimate email message. It is there for the spam filter, not for you: a few paragraphs of ordinary-looking text, hidden in white type, dilute the spammy words and can push a statistical filter’s score below the threshold, which is presumably why this one got through.

Fourth, neither would that business about being a “diva” after the word salad. I looked it up; it’s a quote from Irene Cara. Yeah, the person who sang “Fame” and played Coco Hernandez.

Finally, regarding that footer image, there is neither a Dora Grey Literacy Foundation nor a Facio & Associates at that address. “PMB” (private mailbox) indicates the address is a box at a commercial mail drop business, which is a mainstay of con artists.

Amazing what you can learn with a little research, isn’t it?

FPU Noir: The Lost Messages on Facebook

Note: for maximum atmosphere, first scroll to the bottom of this post and play the YouTube video, and listen to the music while you read.

The night meowed at the window of the dingy third-floor office on the wrong side of town like a housecat left out in the rain, trying to draw my gaze from the hand of solitaire laid out on the desk between half-empty cups of cold coffee, old newspapers and an ashtray spilling over with stale butts. I glanced at the window and shuddered for some reason, then wondered who left all the spent Chesterfields there, seeing as how I don’t smoke. They made a good prop, though, so I returned to my cards. If I could just find the other red queen, I was set.

It was the kind of night that slithers through the gutters and alleyways, around garbage cans and dumpsters, up fire escapes and into the ventilation. It always finds a way in, always creeps up behind you, always gets you in the end. There was a knock at the door, and a woman entered.

She was one sad-luck dame by the look of her, all switchblade sadness and razor gloom, whatever that means. She was carrying a laptop computer (which seemed anachronistic given the setting, but this was the Fraud Prevention Unit, and these newfangled bean-counters were the rule these days).

She just stood there for a minute and looked unsure. “Are…are you the one they call ‘Sledge’?”

“That’s me,” I said. “Hank Sledge, Private Fraud Investigator.”

“Oh. I…oh.” She swayed on the spot, as if trying to decide something.

“C’mon, spill it, sister,” I spat.

“Well, it’s just…I got this email the other day and I don’t know what to do.”

I looked at the gray computer tucked under her arm. “And you figure some mug’s got you pegged as an easy mark? Toss that mill up here on the table. Let’s see what we got.”

She placed the laptop on the desk and hit the power button. It took a minute to start up, and the awkwardness hung in the air like burnt toast. “So…um…read any good books lately?” I started to say, but the machine was ready.

“This one right here,” she said, and I read the email.

The message said it was from Facebook, and if it was a ringer it was a darn good one. It went like this:

From: Facebook <notification+tnejvqakyz@notifierfacebook.com>
Subject: You have 3 lost messages on Facebook…

Facebook sent you a notification

You have 3 lost messages on Facebook, to recover a messages please follow the link below: http://www.facebook.com/profile.php?recover.messages=563f03b5d6f9

How to get back your lost messages on Facebook

At the bottom was a green button that said “Frequently Asked Questions.”

“Did you click on anything in this mess?” I said.

“No, I don’t think so.”

“You can’t think so. You either clicked or you didn’t. Think hard.”

“No, I didn’t. Jeez. Jerk.”

“Sorry ma’am. Hardboiled crime fiction. I have to talk to everybody that way.”

“Oh.”

“Anyway,” I continued, “it’s good you didn’t click. This is a swindle through and through. See this?” I showed her the message header. “If it was from Facebook, it wouldn’t be coming from some ‘notifierfacebook.com’ domain.”

“And check this out.” I moused over the link. “It says ‘facebook.com,’ but it’s disguised. Every link in the message takes you to this weird ‘winesofworld.org’ website. Classic phishing message. These punks either want to infect your computer with malware or steal your password. There’s also the crummy English; see where it says, ‘to recover a messages?’ Makes no sense. Finally, there’s no such thing as ‘lost’ messages on Facebook.”

Her eyes were dinner plates. “So what do I do with it?”

“If I was you, lady, I’d drill it with my heater,” I spat.

“What?”

“Just delete it.”

“Oh,” she said, and snapped the laptop shut. “Okay, cool. Thanks. Nice hat, by the way.”

I nodded thanks as she disappeared out the door and went back to my game. Black eight to red nine. The card underneath was the queen of diamonds. “There’s my lady,” I murmured over the lonesome wail of a siren echoing across the night.

Nigerian 419 Scam: “Your Bank Draft”

Often, phishing emails are tricky because they contain an offer that many people would find tempting. This one I received over the weekend does not have that problem:

From: Dr Lawrence Burns <test@mir-grp.com>
To: ss@yahoo.com
Subject: YOUR BANK DRAFT

Dear Friend,

It is my pleasure to let you know about my success in getting those fund transferred under the cooperation of a new Partner from Greece. I didn’t forget your past efforts to assist me in transferring those funds.

Now contact my secretary Mr. Goodluck Okeke his email is (good_okeke@w.cn) ask him to send you the total $3.2 certified bank draft which I raised for your compensation so feel free and get in touched with him and give him your Address such as Full name Home address direct phone number where to send the draft.

Let me know immediately you receive it for us to share the joy. I am very busy here with investment projects which I am having at hand, finally, I left instruction to the secretary on your behalf, so feel free to get in touch with him.

Best regards,
Dr Lawrence Burns

$3.2? As in three dollars and twenty cents?

I don’t want to come off as some kinda spoiled, complacent jerkface here, Doctor Larry, but that seems like an awful lot of work for $3.20.

Obviously, they left out the word “million” and I’m just being snarky here, but there are some interesting things. We’ve got the usual email-address-salad going on here, with the mysterious “mir-grp.com” domain, the China-based “w.cn,” and someone at yahoo.com. We’ve also got a mention of someone named “Goodluck,” which is apparently a popular first name in (wait for it…) Nigeria.

In other words, all the evidence of a Nigerian 419 scam is present and accounted for.

Craigslist phishing

I got this lovely message just the other day:

From: notice@craigslist.org
Subject: Confirmation for Posting ID #981651681

Confirmation for Posting ID #981651681

Your ad, titled “SONY PLAYSTATION 3 METAL GEAR SOLID 4 PS3 80GB BUNDLE!”, has been posted as follows:

http://singapore.craigslist.org/ele/981651681.html (electronics)

Posts will appear in the list of postings and in search results in about 15 minutes. If you are trouble finding them,
please check our help page at http://www.craigslist.org/about/help/where.html

Please login into your account if you need to edit of delete your posting:
http://accounts.craigslist.org/login

If you did not post this ad please change your account password asap:
http://accounts.craigslist.org/login/chgpwd

For your protection please check our list of common scams: htttp://www.craigslist.org/about/scams.html

Thanks for using craigslist!

The only problem is, all the links are disguised: the visible text shows craigslist.org addresses, but every one of them actually leads to a site hosted at cen.thegigabit.com. I guess you’re supposed to go, “Whoa! I’m not selling a Playstation! I gotta fix this now!” and start clicking.
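The checks in this post and in the Facebook “lost messages” post (a sender domain that merely contains the brand name, link text that shows one site while the href points to another, and every link in the message going to the same unrelated host) can be automated. Below is an added example, not part of the original posts, in Python using only the standard library. The two raw messages are constructed from the headers, link text and destination hosts quoted in the posts; the HTML markup, the recipient address and the URL paths on the phishing hosts are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Two constructed raw messages. The From headers, subjects, visible link text
# and destination hosts come from the posts; the HTML markup, the recipient
# address and the URL paths on the phishing hosts are assumptions.
FACEBOOK_MSG = """\
From: Facebook <notification+tnejvqakyz@notifierfacebook.com>
To: victim@example.com
Subject: You have 3 lost messages on Facebook...
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have 3 lost messages on Facebook, to recover a messages please follow the link below:
<a href="http://winesofworld.org/recover.php?id=563f03b5d6f9">http://www.facebook.com/profile.php?recover.messages=563f03b5d6f9</a></p>
<p><a href="http://winesofworld.org/faq.php">Frequently Asked Questions</a></p>
</body></html>
"""

CRAIGSLIST_MSG = """\
From: notice@craigslist.org
To: victim@example.com
Subject: Confirmation for Posting ID #981651681
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please login into your account if you need to edit of delete your posting:
<a href="http://cen.thegigabit.com/login">http://accounts.craigslist.org/login</a></p>
<p>If you did not post this ad please change your account password asap:
<a href="http://cen.thegigabit.com/login/chgpwd">http://accounts.craigslist.org/login/chgpwd</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(host):
    """The domain a reader actually sees: the last two labels. Fine for .com
    and .org; a real tool would use a public-suffix list for things like .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw_message, claimed_domain):
    """Returns the sender's domain, the hosts the links really go to, and a list
    of findings: sender domain is not the claimed brand, link text names one
    host while the href goes to another, and no link at all reaches the brand."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable(sender.rsplit("@", 1)[1]) if "@" in sender else ""
    findings = []
    if sender_domain != claimed_domain:
        findings.append(f"sender domain {sender_domain!r} is not {claimed_domain!r}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)

    real_hosts = set()
    for text, href in collector.links:
        real_host = urlparse(href).hostname or ""
        real_hosts.add(registrable(real_host))
        # Only compare when the visible text itself looks like a URL or host name.
        if re.fullmatch(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", text):
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown_host) != registrable(real_host):
                findings.append(f"link text shows {shown_host} but points to {real_host}")
    if real_hosts and claimed_domain not in real_hosts:
        findings.append(f"no link reaches {claimed_domain}; all go to {sorted(real_hosts)}")
    return {"sender_domain": sender_domain, "link_hosts": sorted(real_hosts), "findings": findings}

if __name__ == "__main__":
    for name, raw, brand in (("facebook", FACEBOOK_MSG, "facebook.com"),
                             ("craigslist", CRAIGSLIST_MSG, "craigslist.org")):
        result = analyse(raw, brand)
        print(name, result["sender_domain"], result["link_hosts"])
        for finding in result["findings"]:
            print("  -", finding)
```

Note the difference between the two cases: the Craigslist message passes the sender check, because a From header can be set to anything, and is caught only by the links. That is why the href is the thing to look at, and why the mouse-over check in the Facebook post is the right habit.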

Here’s the thing I don’t get: why are they trying to steal Craigslist passwords? To my knowledge, Craigslist isn’t like eBay where you pay through the site itself; don’t Craigslist buyers just contact the seller and arrange for payments on their own? Is it that difficult to just create a fake Craigslist account from which to run your cashier’s check and wire transfer scams?

I just don’t get it. Somebody fill me in if I’m wrong about this; I don’t use online classifieds at all, so I don’t know firsthand how it works.

Dumb Spam Time: Deactivation of Your Email Address

Here’s a message I got just the other day. It’s pretty goofy.

From: Tom Lavigne
To:  [blank]
Date: Wednesday, June 08, 2011 9:27:37 AM 
Subject: Deactivation of Your Email Address

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent automatically by the computer. If you are receiving this message it means that your email address has been queued for deactivation; this was as a result of a continuous error script (code:505)receiving from this email address. Click here and fill out the required field to resolve this problem Note: Failure to reset your email by ignoring this message or inputting wrong information will result to instant deactivation of this email address

Normally I include the email address when I paste these, but apparently Tom is a real person whose email address has been used without his authorization. I don’t want to make it look like some YMCA in Massachusetts is running a phishing scheme.

Anyway, let’s poke holes in it!

  1. Execrable grammar and usage. It used to be that tech people weren’t always the best writers (see also: any software manual written between 1980 and 1995 or so), but “will result to instant deactivation?” No.
  2. “Click here” links to a TinyURL address, which hides the real destination until you’ve already clicked. Yeah, no.
  3. “This message is sent automatically by the computer.” Yeah. THE COMPUTER. Really? Really? No technical support team would ever use that sentence, because it makes zero sense.
  4. “Reset your email” also makes no sense. How do you reset an email? (You can, however, declare email bankruptcy).
  5. It’s asking you to click a hidden link and provide personal information. It might as well have said, “Hi. This is a phishing attack. Can we have your password?”

Facebook “check out your profile stalkers” scam

For what seems like the millionth time, a scam has made the rounds on Facebook purporting to reveal to users who has viewed their profiles, only to turn out to be yet another in a long line of malware attacks. Here’s the text of the wall post:

“OMG! Its unbelievable now you can get to know who views your profile. I can see my top profile visitors and I am so shocked that my ex is still creeping my profile every hour.”

If you click on it, it tells you to paste a line of code into the URL field…you know what? I’m not even going to go into it. Suffice it to say that it perpetuates the scam.

Here’s the thing: there is no way to see who has viewed your Facebook profile. There’s never going to BE a way to see who has viewed your Facebook profile. OMG! I KNOW, RIGHT?!

Here are the key takeaways from this information:

  • If you see a wall post claiming to link to an application or website that shows you who has viewed your profile, don’t even stop to wonder if it’s real. It’s not. It never has been, and it never will be.
  • You don’t NEED to see who has viewed your profile. What are you really going to do with that information? If you answer that question honestly, it’s “nothing positive.”
  • You also don’t NEED to see that, no, your ex is totally NOT “creeping” your profile “every hour,” because he actually couldn’t care less what you’re up to anymore. Just enjoy the (more than a little conceited) assumption that he’s pining for you, unable to sleep or eat, scrawling tortured poetry in a black notebook under a bare 40-watt light bulb. If that’s what it takes to get you through the day.
  • If you’re still worried about who is looking at your profile, set it to “private” already.
  • If you’re still still worried about who is looking at your profile, click the little X in the upper right corner of the screen (or wherever the X is on a Mac), shut down the computer completely and stand up. Put on some shoes. Now, walk out the front door of your house and look around. Go for a run. Or a walk. Or drive to the library. Call someone on the phone and talk. Arrange to meet and do something together. Repeat daily until you no longer care who is looking at your Facebook profile.

App Store Scam targets iPhone and iPad users

If you’re an Apple iPhone or iPad user, be on the lookout for a recently discovered phishing scam, reported by security firm F-Secure.

It seems users of these devices are receiving emails informing them that their recent App Store purchase has been successfully cancelled. There is a link for order information, but it actually takes users to one of those pharmacy websites where they try to mine personal information.

The above linked article tells you more about it, and they make an excellent point: while the emails currently direct you to a drugstore site, which most savvy Internet users will reject right away, what if they decide to build an App Store lookalike page? Lots more people will be tricked.

There was one part of that article that made me laugh, though:

[T]he phony Apple AppStore message appears in email inboxes immediately after you purchase an app from Apple’s legitimate App Store. F-Secure is not sure how the scammers know you just bought something from the App Store.

Oh, I can tell you right now how they know you just made an App Store purchase: people who have iPhones and iPad always just made an App Store purchase. Do you have one of these devices? You’ve been to the App Store today, haven’t you? Come on, admit it!

Maybe I’m just jealous of your neat-o phone. Or maybe I’m not. I’ll never tell. Welcome to the Fraud Prevention Unit: your source for ambiguous digs at vast swathes of popular culture.

Email links: perhaps I’ve been too alarmist

I have mixed feelings about something I heard about at the credit union recently. It seems that some of our members have taken my advice about links in email messages deeply to heart, to the point that they’re afraid to click a link in any message (even an expected, monthly newsletter from us!).

On one hand, I’m thrilled that some people are listening and learning. The vast majority of the traffic for this site comes from search engines (an unintended result; the original idea was to specifically reach people in our geographic area), so it’s good to know that local folks are getting hip to the fraud prevention tip as well.

On the other hand, perhaps I’m fomenting paranoia and fear with all the dire warnings.

Here’s the deal: if you’re getting a regular email communiqué, such as a monthly electronic newsletter, from a trusted source, it’s okay to use the links contained therein. No scammer is going to go through the trouble of creating a monthly newsletter, with constantly-changing articles about the latest promotions and happenings at a financial institution, and place low-pressure, soft-sell links at the bottom of the page (which is exactly what REGIONAL sends out during the first week of each month). Even then, if a newsletter link lands you on a page that asks for your login, it costs nothing to close it and type the address yourself instead.

What you want to be wary of is those unexpected messages that try to jolt you into acting without thinking; “YOUR ACCOUNT HAS BEEN SUSPENDED!” screams the message. “CLICK HERE TO VERIFY YOUR ACCOUNT!”

That’s the stuff you need to avoid—the unexpected, urgent-sounding message that addresses you as “Dear Customer” or “Dead Cardholder” or that contains poor spelling and/or grammar, and that instructs you to verify your personal information. If you’ve got an account at a bank, credit union or creditor, they already have your personal information. If they didn’t, you wouldn’t have an account.

Adobe Reader phishing emails: this is not how Adobe sends updates

According to a recent alert, phishing emails regarding updates to the Adobe Reader have been making the rounds.

This is where knowing a little something about software can help you avoid a scam, because Adobe doesn’t send out update information via email. In fact, I can’t think of a software company that does. This is one of those cases where people who might otherwise never click a link in an unexpected email might let their guard down. Don’t do it. There’s a reason I always say “never”.

When a new security patch for the Reader, or a whole new version becomes available, the program itself will detect it automatically. Or, if you want to download it manually, you can visit http://get.adobe.com/reader/. I would uncheck that “Free McAfee Security Scan Plus” box on the right, though. I’m not a fan of “bonus” software like toolbars and other junk when you download things, so that’s sort of a matter of principle. Plus, if you’ve got a different brand of security software installed, the McAfee download might fight with it. Virus scanners always seem to detect each other as viruses.

There is a security issue with the Adobe Reader that you should know about. For some reason, they decided to let the Reader run JavaScript embedded in a PDF, and that feature has been the entry point for a long series of exploits: a booby-trapped PDF uses script to trigger a bug in the Reader and run the attacker’s code on your computer. Individual bugs get patched as they’re found, but the feature itself is the attack surface. I’m pretty sure the latest versions have fixed the known issues, but I still turn it off just in case.

All you have to do is click “Edit” at the top of the screen, then select “Preferences…” Find “JavaScript” in the menu on your left. Click that, and there will be a box that says “Enable Acrobat JavaScript.” UNcheck it, click “OK”, and you’re done.

Another alternative is to just use a different software altogether, which is what I do. I like the Foxit Reader, but I disable JavaScript there as well.
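Since the whole point of the JavaScript setting is that a PDF can carry script, a quick way to see whether a PDF that arrived by email actually does is to look for the action names that carry it. Below is an added example, not from the original post or from Adobe: a Python scanner that searches a PDF’s raw bytes for /JavaScript, /JS, /OpenAction, /AA, /Launch and /EmbeddedFile, after decoding the #xx escapes that PDF allows inside names. The two PDFs it scans are constructed inside the script (a plain one-page file and the same file with a JavaScript action that fires on open). It is a triage heuristic: it does not decompress object streams or content streams, so a clean result is not a guarantee, while any hit is worth a closer look.

```python
import re

# Names whose presence in a PDF means it can run code or take actions on open.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript source",
    b"/OpenAction": "action triggered when the document opens",
    b"/AA": "additional actions (page open, mouse events, form fields)",
    b"/Launch": "launch an external program",
    b"/EmbeddedFile": "attached file",
}
# A PDF name ends at whitespace or a delimiter, so /JS must not match /JavaScript.
NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"

def normalise(data):
    """Decodes #xx hex escapes inside names, a cheap way to hide /JS from grep."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data):
    """Counts risky names in the raw bytes of a PDF.

    Heuristic only: text inside compressed object streams (/ObjStm) or
    filtered content streams is not decompressed here, so a PDF can hide
    these names from this scan. A hit is worth a look; no hit is not proof.
    """
    data = normalise(data)
    hits = {}
    for name in RISKY_NAMES:
        count = len(re.findall(re.escape(name) + NAME_END, data))
        if count:
            hits[name.decode()] = count
    has_object_streams = re.search(rb"/ObjStm" + NAME_END, data) is not None
    return {"hits": hits, "has_object_streams": has_object_streams, "suspicious": bool(hits)}

def build_pdf(objects):
    """Assembles numbered objects into a small, well-formed PDF with a correct
    xref table. Constructed test data for this example, not a real document."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for number, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (number, body)
    xref_offset = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for offset in offsets:
        out += b"%010d 00000 n \n" % offset
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_offset)
    return bytes(out)

PAGE_TREE = [
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
]
# A plain one-page document.
BENIGN_PDF = build_pdf([b"<< /Type /Catalog /Pages 2 0 R >>"] + PAGE_TREE)
# The same document with a JavaScript action that fires on open. The script is
# a harmless alert; real samples use the same hook to reach a Reader bug.
JS_PDF = build_pdf(
    [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>"]
    + PAGE_TREE
    + [b"<< /Type /Action /S /JavaScript /JS (app.alert('constructed sample');) >>"]
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("javascript", JS_PDF)):
        print(label, scan_pdf(pdf))
```

Open the constructed JS_PDF in a reader with JavaScript enabled and the alert fires before you have touched anything; with the setting unchecked as described above, nothing happens. That is the difference the checkbox makes.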

Don’t get me wrong—I love most of Adobe’s other products (Illustrator and Photoshop in particular). I just don’t quite grok why they put this functionality into the Reader.

NACHA Phishing Email

History sure is repeating itself an awful lot lately. In a similar vein to the FDIC Phishing Emails I wrote about the other day, now there are malicious messages that claim to be from NACHA, which contain links to what is very likely some form of virus or spyware.

NACHA is the National Automated Clearing House Association (not to be confused with NACHO, a tasty corn chip-based snack). The organization is involved in networks that handle ACH transactions for financial institutions across the country. Much of what NACHA does is regulatory rather than operational in nature.

Here’s a sample of the email:

From: Information
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction

Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

Naturally, the link is fake. In this case it probably executes malicious code on your computer.

Add NACHA to the list with the FDIC and NCUA—none of these organizations ever contacts consumers directly. NACHA doesn’t even handle actual ACH transactions; they’re involved in the setup of the networks that handle them.

It’s important to get in the habit of ignoring email. Even when it’s not phishing or scams, ignoring email is a great way to save time (for example, I almost never open anything with “FW:” in the subject line, because they’re almost always dumb).

But when messages like this arrive, you must make sure to never click on the links, even “just to see.” While many phishing messages take you to pages designed to steal personal information, many (if not most) phishing websites now give you a one-two phishing/malware punch; if they can’t get you to enter your account numbers, at least they can hit your computer with some spyware, which will be loaded and executed before you can even blink.