Tag Archives: Phishing

Nigerian 419 Scam: “Your Bank Draft”

Often, phishing emails are tricky because they contain an offer that many people would find tempting. This one I received over the weekend does not have that problem:

From: Dr Lawrence Burns <test@mir-grp.com>
To: ss@yahoo.com
Subject: YOUR BANK DRAFT

Dear Friend,

It is my pleasure to let you know about my success in getting those fund transferred under the cooperation of a new Partner from Greece. I didn’t forget your past efforts to assist me in transferring those funds.

Now contact my secretary Mr. Goodluck Okeke his email is (good_okeke@w.cn) ask him to send you the total $3.2 certified bank draft which I raised for your compensation so feel free and get in touched with him and give him your Address such as Full name Home address direct phone number where to send the draft.

Let me know immediately you receive it for us to share the joy. I am very busy here with investment projects which I am having at hand, finally, I left instruction to the secretary on your behalf, so feel free to get in touch with him.

Best regards,
Dr Lawrence Burns

$3.2? As in three dollars and twenty cents?

I don’t want to come off as some kinda spoiled, complacent jerkface here, Doctor Larry, but that seems like an awful lot of work for $3.20.

Obviously, they left out the word “million” and I’m just being snarky here, but there are some interesting things. We’ve got the usual email-address-salad going on here, with the mysterious “mir-grp.com” domain, the China-based “w.cn,” and someone at yahoo.com. We’ve also got a mention of someone named “Goodluck,” which is apparently a popular first name in (wait for it…) Nigeria.

In other words, all the evidence of a Nigerian 419 scam is present and accounted for.

Craigslist phishing

I got this lovely message just the other day:

From: notice@craigslist.org
Subject: Confirmation for Posting ID #981651681

Confirmation for Posting ID #981651681

Your ad, titled “SONY PLAYSTATION 3 METAL GEAR SOLID 4 PS3 80GB BUNDLE!”, has been posted as follows:

http://singapore.craigslist.org/ele/981651681.html (electronics)

Posts will appear in the list of postings and in search results in about 15 minutes. If you are trouble finding them,
please check our help page at http://www.craigslist.org/about/help/where.html

Please login into your account if you need to edit of delete your posting:
http://accounts.craigslist.org/login

If you did not post this ad please change your account password asap:
http://accounts.craigslist.org/login/chgpwd

For your protection please check our list of common scams: htttp://www.craigslist.org/about/scams.html

Thanks for using craigslist!

The only problem is, all the links are disguised; they actually lead to a site hosted at cen.thegigabit.com. I guess you’re supposed to go, “Whoa! I’m not selling a Playstation! I gotta fix this now!” and start clicking.

Here’s the thing I don’t get: why are they trying to steal Craigslist passwords? To my knowledge, Craigslist isn’t like eBay where you pay through the site itself; don’t Craigslist buyers just contact the seller and arrange for payments on their own? Is it that difficult to just create a fake Craigslist account from which to run your cashier’s check and wire transfer scams?

I just don’t get it. Somebody fill me in if I’m wrong about this; I don’t use online classifieds at all, so I don’t know firsthand how it works.
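The disguised links in the Craigslist message above can be caught mechanically: when a link's visible text is itself a URL, its host should match the host the link really points to. The following is an added example, not part of the original post; the HTML sample is constructed from the message quoted above, and the path on cen.thegigabit.com is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible link text that itself claims to be a URL (so it names a host).
URL_LIKE = re.compile(r"^(?:https?://|www\.)\S+$", re.I)

def host_of(url):
    """Lower-cased hostname without a leading "www."; accepts text with no scheme."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

class LinkAudit(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def disguised_links(html):
    """Return (shown URL, real host) for links whose text names another host."""
    audit = LinkAudit()
    audit.feed(html)
    findings = []
    for text, href in audit.links:
        if not URL_LIKE.match(text):
            continue  # "Click here" style text makes no host claim to compare
        if host_of(text) != host_of(href):
            findings.append((text, host_of(href)))
    return findings

# Constructed sample: link text from the quoted message, placeholder target path.
SAMPLE = """
<p><a href="http://cen.thegigabit.com/placeholder-path">http://accounts.craigslist.org/login</a></p>
<p><a href="http://www.craigslist.org/about/help/where.html">http://www.craigslist.org/about/help/where.html</a></p>
<p><a href="http://cen.thegigabit.com/placeholder-path">Click here</a></p>
"""

if __name__ == "__main__":
    for shown, real in disguised_links(SAMPLE):
        print(f"shows {shown} but goes to {real}")
```

A mismatch is a signal rather than proof, since legitimate newsletters often route links through a tracking domain; links with plain text such as "Click here" need a separate check of the target host.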

Dumb Spam Time: Deactivation of Your Email Address

Here’s a message I got just the other day. It’s pretty goofy.

From: Tom Lavigne
To:  [blank]
Date: Wednesday, June 08, 2011 9:27:37 AM 
Subject: Deactivation of Your Email Address

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent automatically by the computer. If you are receiving this message it means that your email address has been queued for deactivation; this was as a result of a continuous error script (code:505)receiving from this email address. Click here and fill out the required field to resolve this problem Note: Failure to reset your email by ignoring this message or inputting wrong information will result to instant deactivation of this email address

Normally I include the email address when I paste these, but apparently Tom is a real person whose email address has been used without his authorization. I don’t want to make it look like some YMCA in Massachusetts is running a phishing scheme.

Anyway, let’s poke holes in it!

  1. Execrable grammar and usage. It used to be that tech people weren’t always the best writers (see also: any software manual written between 1980 and 1995 or so), but “will result to instant deactivation?” No.
  2. “Click here” links to a TinyURL site. Yeah, no.
  3. “This message is sent automatically by the computer.” Yeah. THE COMPUTER. Really? Really? No technical support team would ever use that sentence, because it makes zero sense.
  4. “Reset your email” also makes no sense. How do you reset an email? (You can, however, declare email bankruptcy).
  5. It’s asking you to click a hidden link and provide personal information. It might as well have said, “Hi. This is a phishing attack. Can we have your password?”

Facebook “check out your profile stalkers” scam

For what seems like the millionth time, a scam has made the rounds on Facebook purporting to reveal to users who has viewed their profiles, only to turn out to be yet another in a long line of malware attacks. Here’s the text of the wall post:

“OMG! Its unbelievable now you can get to know who views your profile. I can see my top profile visitors and I am so shocked that my ex is still creeping my profile every hour.”

If you click on it, it tells you to paste a line of code into the URL field…you know what? I’m not even going to go into it. Suffice it to say that it perpetuates the scam.

Here’s the thing: there is no way to see who has viewed your Facebook profile. There’s never going to BE a way to see who has viewed your Facebook profile. OMG! I KNOW, RIGHT?!

Here are the key takeaways from this information:

  • If you see a wall post claiming to link to an application or website that shows you who has viewed your profile, don’t even stop to wonder if it’s real. It’s not. It never has been, and it never will be.
  • You don’t NEED to see who has viewed your profile. What are you really going to do with that information? If you answer that question honestly, it’s “nothing positive.”
  • You also don’t NEED to see that, no, your ex is totally NOT “creeping” your profile “every hour,” because he actually couldn’t care less what you’re up to anymore. Just enjoy the (more than a little conceited) assumption that he’s pining for you, unable to sleep or eat, scrawling tortured poetry in a black notebook under a bare 40-watt light bulb. If that’s what it takes to get you through the day.
  • If you’re still worried about who is looking at your profile, set it to “private” already.
  • If you’re still still worried about who is looking at your profile, click the little X in the upper right corner of the screen (or wherever the X is on a Mac), shut down the computer completely and stand up. Put on some shoes. Now, walk out the front door of your house and look around. Go for a run. Or a walk. Or drive to the library. Call someone on the phone and talk. Arrange to meet and do something together. Repeat daily until you no longer care who is looking at your Facebook profile.

App Store Scam targets iPhone and iPad users

If you’re an Apple iPhone or iPad user, be on the lookout for a recently discovered phishing scam, reported by security firm F-Secure.

It seems users of these devices are receiving emails informing them that their recent App Store purchase has been successfully cancelled. There is a link for order information, but it actually takes users to one of those pharmacy websites where they try to mine personal information.

The above linked article tells you more about it, and they make an excellent point: while the emails currently direct you to a drugstore site, which most savvy Internet users will reject right away, what if they decide to build an App Store lookalike page? Lots more people will be tricked.

There was one part that made me laugh, though:

[T]he phony Apple AppStore message appears in email inboxes immediately after you purchase an app from Apple’s legitimate App Store. F-Secure is not sure how the scammers know you just bought something from the App Store.

Oh, I can tell you right now how they know you just made an App Store purchase: people who have iPhones and iPads always just made an App Store purchase. Do you have one of these devices? You’ve been to the App Store today, haven’t you? Come on, admit it!

Maybe I’m just jealous of your neat-o phone. Or maybe I’m not. I’ll never tell. Welcome to the Fraud Prevention Unit: your source for ambiguous digs at vast swathes of popular culture.

Email links: perhaps I’ve been too alarmist

I have mixed feelings about something I heard about at the credit union recently. It seems that some of our members have taken my advice about links in email messages deeply to heart, to the point that they’re afraid to click a link in any message (even an expected, monthly newsletter from us!).

On one hand, I’m thrilled that some people are listening and learning. The vast majority of the traffic for this site comes from search engines (an unintended result; the original idea was to specifically reach people in our geographic area), so it’s good to know that local folks are getting hip to the fraud prevention tip as well.

On the other hand, perhaps I’m fomenting paranoia and fear with all the dire warnings.

Here’s the deal: if you’re getting a regular email communiqué, such as a monthly electronic newsletter, from a trusted source, it’s okay to use the links contained therein. No scammer is going to go through the trouble of creating a monthly newsletter, with constantly-changing articles about the latest promotions and happenings at a financial institution, and place low-pressure, soft-sell links at the bottom of the page (which is exactly what REGIONAL sends out during the first week of each month).

What you want to be wary of is those unexpected messages that try to jolt you into acting without thinking; “YOUR ACCOUNT HAS BEEN SUSPENDED!” screams the message. “CLICK HERE TO VERIFY YOUR ACCOUNT!”

That’s the stuff you need to avoid—the unexpected, urgent-sounding message that addresses you as “Dear Customer” or “Dead Cardholder” or that contains poor spelling and/or grammar, and that instructs you to verify your personal information. If you’ve got an account at a bank, credit union or creditor, they already have your personal information. If they didn’t, you wouldn’t have an account.

Adobe Reader phishing emails: this is not how Adobe sends updates

According to a recent alert, phishing emails regarding updates to the Adobe Reader have been making the rounds.

This is where knowing a little something about software can help you avoid a scam, because Adobe doesn’t send out update information via email. In fact, I can’t think of a software company that does. This is one of those cases where people who might otherwise never click a link in an unexpected email might let their guard down. Don’t do it. There’s a reason I always say “never”.

When a new security patch for the Reader, or a whole new version, becomes available, the program itself will detect it automatically. Or, if you want to download it manually, you can visit http://get.adobe.com/reader/. I would uncheck that “Free McAfee Security Scan Plus” box on the right, though. I’m not a fan of “bonus” software like toolbars and other junk when you download things, so that’s sort of a matter of principle. Plus, if you’ve got a different brand of security software installed, the McAfee download might fight with it. Virus scanners always seem to detect each other as viruses.

There is a possible security issue with the Adobe Reader that you should know about. For some reason, they decided to add JavaScript functionality to the Reader. This was later shown to be an easy avenue for hackers to access your computer. I’m pretty sure the latest versions have fixed this issue, but I still turn it off just in case.

All you have to do is click “Edit” at the top of the screen, then select “Preferences…” Find “JavaScript” in the menu on your left. Click that, and there will be a box that says “Enable Acrobat JavaScript.” UNcheck it, click “OK”, and you’re done.

Another alternative is to just use a different software altogether, which is what I do. I like the Foxit Reader, but I disable JavaScript there as well.

Don’t get me wrong—I love most of Adobe’s other products (Illustrator and Photoshop in particular). I just don’t quite grok why they put this functionality into the Reader.

NACHA Phishing Email

History sure is repeating itself an awful lot lately. In a similar vein to the FDIC Phishing Emails I wrote about the other day, now there are malicious messages that claim to be from NACHA, which contain links to what is very likely some form of virus or spyware.

NACHA is the National Automated Clearing House Association (not to be confused with NACHO, a tasty corn chip-based snack). The organization is involved in networks that handle ACH transactions for financial institutions across the country. Much of what NACHA does is regulatory rather than operational in nature.

Here’s a sample of the email:

From: Information
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction

Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

Naturally, the link is fake. In this case it probably executes malicious code on your computer.

Add NACHA to the list with the FDIC and NCUA—none of these organizations ever contacts consumers directly. NACHA doesn’t even handle actual ACH transactions; they’re involved in the setup of the networks that handle them.

It’s important to get in the habit of ignoring email. Even when it’s not phishing or scams, ignoring email is a great way to save time (for example, I almost never open anything with “FW:” in the subject line, because they’re almost always dumb).

But when messages like this arrive, you must make sure to never click on the links, even “just to see.” While many phishing messages take you to pages designed to steal personal information, many (if not most) phishing websites now give you a one-two phishing/malware punch; if they can’t get you to enter your account numbers, at least they can hit your computer with some spyware, which will be loaded and executed before you can even blink.

Coca-Cola Scam on Facebook: what the heck is a ‘Coca-Cola Scam’?

Here’s the latest scam to make its home on Facebook.

A link shows up in one of your friends’ status that says, “I am part of the 98.3% of people that are NEVER gonna drink Coca Cola again after this HORRIFIC video.”

When you click the link, you are given the runaround (the video doesn’t exist at all) until finally you are taken to a poll that asks you to reveal personal information.

It’s almost as if the crooks have figured out how to make money off Facebook before Facebook did (Facebook has attracted billions from venture capitalists, but from what I’ve heard, they’ve yet to actually stumble upon a working business model).

When you’re on Facebook, you simply cannot implicitly trust links, even when posted by a friend. That goes double for links to ‘scandalous’ videos or images, such as the example here. Your friend’s account may have been compromised, or they might be posting links in an attempt to receive some form of payout or reward.

If you’re looking at a shortened URL (such as bit.ly), use a site like LongURL to preview it before you go. However, the URL might not necessarily be shortened (as in this case), although you can still use LongURL to preview most sites.

Another way to check is to google a phrase from the link, to see if news of a scam or phishing attack pops up. Again, though, if it’s brand new, the word might not have gotten out yet (and it takes time for things to appear in a Google search anyway).

Whatever you do, exercise caution at all times, and never enter personal information or passwords on any site that you arrived at via Facebook or Twitter. Once you’re logged in, there is no reason to log in again, and there is exactly zero reason to reveal nonpublic personal information.

FDIC Phishing Emails

This has happened before, and it’s happening once again now.

People are getting email messages that claim to be from the FDIC (Federal Deposit Insurance Corporation). This is the entity that watches over banks and makes sure you don’t lose your money if your bank were to fold. The credit union version is called the NCUA (National Credit Union Administration). They both provide nearly identical services.

These emails inform the potential victim that their bank has failed, and that they need to “check [their] Deposit Insurance coverage” by clicking on a link within the message. Naturally, what happens next is that the scammers obtain your account number, password, and other personal information.

You can only use typography to convey emphasis to a certain extent without getting silly, so in lieu of typing the following in 72-point text, I’ll let bold italics do the job:

The FDIC (or NCUA) is never going to contact you via email for any reason, nor will they ever ask you for personal information, account numbers or passwords.

Got it? As Tom Hulce’s Mozart, on his deathbed, pressed F. Murray Abraham’s Salieri in Amadeus, “Do you have it? Do you have it?!”

Good. If you get one of these messages, delete it immediately.