Tag Archives: scam

An uncommonly convoluted con

They say brevity is the soul of wit, but it’s apparently not the soul of spam. I received this in my inbox not too long ago:

From: IMF ADMIN <admin@imfpaymentcenter.com>
Subject: May Good Decision

INTERNATIONAL MONETARY FUND (IMF)
DEPT: WORLD DEBT RECONCILIATION AGENCIES.
ADVISE: YOUR OUTSTANDING PAYMENT NOTIFICATION

Attention Wing Chan

A power of attorney was forwarded to our office this morning by two gentle men, one of them is an American national and he is MR DAVID DEANE by name while the other person is MR… JACK MORGAN by name a CANADIAN national.

This gentlemen claimed to be your representative, and this power of attorney stated that you are dead, they brought an account to replace your information in other to claim your fund of $12.5 Million Usd which is now lying DORMANT and UNCLAIMED, below is the new account they have submitted:

BANK.-HSBC CANADA
Vancouver, CANADA
ACCOUNT NO. 2984-0008-66

Be further informed that this power of attorney also stated that you suffered and died of throat cancer. You are therefore given 24hrs to confirm the truth in this information, If you are still alive, You are to contact us back immediately, Because we work 24 hrs just to ensure that we monitor all the activities going on in regards to the transfer of beneficiaries inheritance and contract payment.

You are to call this office +44(0)7778022499 immediately for clarifications on this matter as we shall be available 24 hrs to speak with you and give you the necessary guidelines on how to ensure that your payment is wired to you immediately.

I have attached a copy of the last part payment of $500,000.00 which was paid into your provided account last week, please check is this is the same account submitted by this two men who claimed to be your representative. Reply this email to [redacted]

Kindly reply

Rev. David Churchman
International Monetary Funds Agents

I get what they’re trying to do here. The victim is supposed to think they got a message intended for someone else (“Wing Chan”) who has a whole lot of money tied up in some account, but they think Wing Chan is dead and would he please confirm that? I assume that the victim is supposed to decide to commit a little fraud himself and reply, “No, I’m Wing Chan and I’m totally alive so give me all that money now please,” followed by the usual, “But wait…you have to wire us a bunch of money first.”

But what a twisty, turny, tricksy route they take to get there. It’s a real adventure, what with the two “gentle men,” the throat cancer and the involvement of the International Monetary Fund.

Here’s the thing about the IMF: I’m fairly certain they don’t handle individual estate accounts for anyone living or dead or allegedly dead. They don’t mention it on their own website. They deal with financial situations in and between nations. $12.5 million is a lot of money to most individual people. To the IMF, it’s like a nickel dropped down a storm drain. They’re not going to get involved.

So yes, this is an obvious example of spam. I wanted to show it to you, though, because it’s kind of weird. As always, “do this to claim your free money” is forever a scam and always has been.

Nigerian 419 email scams live on

I saw this one just today. It’s a doozy:

From: The Desk Of Mr. James Dike
Reference: GTBank Plc.
Address: 402, Lagos-Abeokuta Expressway, Abule-Egba, Lagos State, Nigeria.

Attention: $10.5M ATM Fund Beneficiary,

I am Mr. James Dike, the new appointed ATM Head of Operation Department Guaranty Trust Bank Nigeria PLC, I resumed to this office on the 1st of this month and For your information i have been empowered and instructed by the new elected President Federal Republic of Nigeria Gen. Muhammadu Buhari to pay all outstanding debt payment to the rightful beneficiaries and summit my payment report to his office with immediate effect and any payment that is not paid before the end of this month will be cancelled and the fund will be returned to the Federal Reserve Oil Account.

So, during my official research last week I discovered an abandoned ATM Master card valued sum of $10.5Million with card number 5321452123409380 belonging to you as the rightfully intimate beneficiary. I tried to know why this card have not been released to you but I was told that the formal ATM head of operation who left this office two months ago withhold your card for his own personal use without knowing that I will not approve or support him to take your card.

Now that your ATM Master card is still available for you to pick it up here in our bank. I want to know how you wish to receive your ATM card along with your four digits pin code number. You can come down here in our bank to pick up your card direct from my office or alternatively it can be send to your address through any registered reliable courier service company that you will take care of the courier charge. I don’t know the cost of shipping the card to you but if you permit me I can make an inquiry from the courier shipment company to find out the cost, but in that case you will be required to forward to me your shipment address to enable me find out the shipment cost to your location.

Your direct telephone number and address will be needed and more details of your ATM Master card payment will be made known to you as soon as I receive your swift positive response, to enable you know the amount programmed for your ATM Master Card daily withdrawal.I will send your ATM master card information including your Card Pin Code as soon as you declare your choice of receiving your ATM card so as to enable you receive your card and start making use of it to withdraw at any ATM card machine all over the world as programmed.

Do not hesitate to call me on +234 802-850-0459 as soon as you read this mail.

Thanks for your co-operation.

Yours Faithfully,
Mr. James Dike
ATM Head of Operation Department
Guaranty Trust Bank Nigeria Plc.
Tel: +234 802-850-0459.

A lot of us have become jaded when it comes to the old Nigerian 419 scam. Even though this one takes a different angle and doesn’t mention an exiled prince, for many of us, it’s easy to see through. We probably wouldn’t even read it…”$10.5M” in the subject line would be enough to trigger our “delete” reflex.

But somebody still falls for it. If they didn’t, these emails wouldn’t happen anymore. So while you may have become almost flippant about the Nigerian 419 scam, remember that there are still people who haven’t heard about it yet. If someone you know starts talking about an impending payout from a mysterious source, or mentions their plans to wire money overseas, it might be time to educate him or her.

Free Disney Vacation Scam Alert

If you haven’t already, at some point very soon you are going to see this image on Facebook:

[Image: 2015-07-17-disney-scam]

The hook is this: like the photo, share it, then visit a website to enter a contest for a free Disney World vacation.

Here’s the problem: the Facebook page this image resides on is NOT the official Disney World page. It is an impostor designed to trick users into liking the page. Once enough people have done so, the page content will be changed to push other scams into the news feeds of the people who liked the Disney page.

Now, why am I such a downer? Why am I trying so hard to make people sad? How do I know it’s a fake Disney page?

Well, look at this screenshot for a moment (click to see it full-size):

[Image: 2015-07-17-disney-scam-02]

Do you see what it says next to the profile picture? I’ll zoom in a little so you can read it better (click for full size):

[Image: 2015-07-17-disney-scam-02a]

It says “Walt Disney-World.”.

Notice the dash.

Notice the period.

Notice the category: “Transport/Freight.”

Notice the lack of the blue “Verified Page” checkmark next to the name.

Do you think for one moment that a company the size of Disney would have ITS OWN NAME written incorrectly on its own Facebook page? Look at any official Disney website or product. Do you see “Walt Disney-World.” anywhere?

Do you see Walt Disney World train cars and semi trailers all over America’s railroad tracks and roadways, delivering jars of pickle relish and car parts and textiles? No? That’s because Disney World is a theme park, not a transportation and freight business.

Do you believe Disney World’s official Facebook page would have 20,000 likes (as of today) and ONE lousy post? And no link to the official Disney World website?

These, and a dozen other points, are your free ticket to knowing that this Facebook page and offer are a scam.

Go look at Walt Disney World’s official Facebook page. Notice:

  • 14 million likes
  • The name is correctly punctuated (which is to say there is NO punctuation)
  • The category is listed as “Theme Park,” which is correct
  • The checkmark next to “Walt Disney World.” This means Facebook has verified that the page is official. You can hold your mouse over the checkmark and a little window will pop up that says “Verified Page”
  • Posts going back to 2009
  • Multiple posts, pretty much every day

I’m taking a pretty emphatic tone because I want people to stop falling for fake Facebook pages. I’m tired of seeing people I know get taken in by this stuff because it helps crooks spread spam and fraud to millions of people. If you see this photo and post in your Facebook newsfeed, please do the following:

  • DO NOT SHARE, LIKE OR COMMENT ON the page yourself
  • Tell whoever shared it or posted it that it is a scam and that they need to unlike the page right away; point them to the real Disney World page if they don’t believe you
  • Go to the fake page and Report it as fraudulent to Facebook
  • Share this article, or this one from the Consumerist if you can’t bring yourself to take my word for it

I don’t Facebook much anymore, but I’ve always lived by an “If it’s being shared a lot on Facebook, it’s probably not true” code. It’s a pretty accurate rule, and the stuff that IS true you’ll hear from credible sources eventually anyway.


Heartbleed is the name of a bug, not a virus

The Heartbleed Bug was a major story not that long ago. Lists of affected websites circulated with instructions to change your passwords if you had accounts at those websites.

In the whirlwind of online news articles, a lot of jargon got tossed around that the average computer user may not be familiar with, and any time there is a knowledge gap, scammers can and do take advantage of it. Spam emails began to circulate claiming to include a Heartbleed removal tool that was, naturally, a malicious program itself. The attachment, if opened, installed a keylogger on victims’ computers, which could transmit sensitive information to criminals. Symantec has a fine article about this particular attack.

Of course, if you’re an old hack hand at Computer Stuff like myself, you already knew that Heartbleed was a bug affecting servers, not a virus. But not everybody is familiar with all these terms, so I decided it would be useful to explain some of these concepts in layman’s terms.

DATA is digital information. If you’re looking at a website, your computer is taking data and presenting it in a readable, watchable, or listenable way. You’re looking at data, which happens to be mostly in text form, right now. When you have an account at Amazon or Facebook (for example), your username and password are part of your personal data, which is the stuff you don’t want being accessed by anyone but yourself. Websites keep this kind of data on servers that use various software to make it (hopefully) impossible to access by unauthorized people.

SERVER is a big computer where data is stored. When you watch a video on YouTube, the digital information that makes up that video is stored on an incredibly large computer, which transmits that data to your computer, which turns it into a video you can watch. Companies such as Facebook and Google have multiple servers that fill entire buildings. Your employer may have a smaller server that looks like a regular desktop computer, which holds all the business’s customer data, and only employees have access to it. Same concept, different scale.

OpenSSL is a particular type of server software that was affected by the Heartbleed bug. You know how your desktop computer runs Windows or MacOS, and your phone runs Android or iOS? OpenSSL is pretty much the same type of thing for servers. Your home computer uses Windows or MacOS to do home computer things, some (but not all) servers use OpenSSL to do server things, like store huge customer databases.

BUG is a flaw in a piece of software. You know how sometimes you download some goofy free app on your phone, and it works for a few seconds then crashes? That app has a bug that makes it function improperly. In the case of Heartbleed, the bug was a security flaw that potentially opened up account information (such as encrypted passwords) to hackers.

ENCRYPTED data has been scrambled in a way that unauthorized persons cannot access it. Servers don’t just store your username and password in text form because it would be too easy for someone to just steal the file and open it. They use complicated methods to make sure that, even if someone got the file, they wouldn’t be able to read it. (At least, this is how it would always work in a world without security bugs like Heartbleed; this is why you had to change your passwords at affected sites after the bug was fixed.)

HACKER: a person who breaks into computer networks. This in and of itself does not make them bad…many are actually hired to break in, in order to highlight security flaws so they can be fixed. Some use their skill for criminal purposes.

These are pretty simplistic explanations, but I think it’s important to at least have a concept of what these terms mean, so that when you read an article that says “security bug affecting servers running OpenSSL versions etc…” you can at least understand that they’re talking about software you’re NOT running on your home computer, and to ignore any emails offering a fix because Heartbleed wasn’t a virus in the first place.

But you’re not going to open attachments in any unsolicited emails, anyway, are you? If nothing else, remember this First Principle: “If you didn’t ask for it, don’t click on it.”

Credit Card Scam Alert: Ignore that offer from AmTrade International Bank

There is a new scam showing up in mailboxes.

It takes the form of an offer for a “secure” credit card, and it targets people with low credit scores or other financial issues.

A “secure” credit card is a credit card where the cardholder puts up some of their own money as collateral against the credit line. It allows lenders to extend credit to higher-risk consumers at a lower annual percentage rate, and can actually be a good tool for rebuilding credit (timely payment of debts makes up a large portion of your credit score). We actually offer a secured credit card here at REGIONAL. They’re a legitimate financial tool.

Except for when they’re used as the basis for a scam.

This one comes from AmTrade International Bank, with an implied connection to Credit One Bank, N.A. (there is none). Victims select a card with either a $1,500 or $3,600 credit limit, and then send in $500 or $900 (respectively) as “collateral” for the credit lines.

And the credit cards never arrive. At its core, this is the simplest form of scam: take money, disappear.

This exact same scam showed up earlier in the year, from Freedom 1st National Bank, which also implied a link to Credit One. In both cases, victims instantly found themselves robbed of either $500 or $900.

If you get offers for pre-approved credit cards in the mail, it is vital to verify all claims before making a purchase decision and sending personal information and money.

In fact, I’ll just put it out there now: don’t respond to unsolicited pre-approved offers for “secure” credit cards, at all.

Also, never just send money to an unknown entity, for any reason.

This scam is going to keep popping up, with different fake banks running it each time, and law enforcement is going to be playing whack-a-mole for quite some time. In the meantime, it’s on each of us to look out for ourselves.


Let’s kick off the long weekend with a derpy lottery scam

Many of us (here in the States, anyway) will spend today looking forward to a nice three-day weekend, visions of grilled meat, open-wheel race cars and (if you’re like me) binge-watching the entire fourth season of Arrested Development on Netflix dancing in our heads.

Seems like a good time for a “fun” sort of post, so let’s snark at a bad lottery scam email I received this morning:

From: [redacted]@co.pg.md.us
Subject: ! Are You Aware!!

Your email has been announced the winner of the Microsoft E-mail Sweepstakes of 5.6, Million Pounds. Please send these informations:
Full Name:
Address:
Tel / Mobile No.:
Country:
Occupation:
Sex / Age:
Alternative E-mail:
Contact Mrs. Kathrin Rogers: { Kath.rogers@msn.com<mailto:kath.rogers@msn.com> } OR { Kath.rogers@rogers.com<mailto:kath.rogers@rogers.com> } with details. Sincerely, Josphine B. Clay
(Microsoft Management Board, Copyright 1991-2013)

—————————————————————————————

This E-mail and any of its attachments may contain Prince George’s
County Government or Prince George’s County 7th Judicial Circuit
Court proprietary information or Protected Health Information,
which is privileged and confidential. This E-mail is intended
solely for the use of the individual or entity to which it is
addressed. If you are not the intended recipient of this E-mail,
you are hereby notified that any dissemination, distribution,
copying, or action taken in relation to the contents of and
attachments to this E-mail is strictly prohibited by federal law
and may expose you to civil and/or criminal penalties. If you have
received this E-mail in error, please notify the sender immediately
and permanently delete the original and any copy of this E-mail and
any printout.

Oh, where to even begin?

For one thing, it doesn’t say I won anything. My email, on the other hand, has won 5.6 million pounds. Fat lot of good it will do.

Also: pounds? Microsoft, based in Redmond, Washington, conducts business in pounds? Sure. Whatever.

“Please send these informations.” Uh-huh. Because Microsoft doesn’t have enough money to hire people who use proper grammar.

! Are You Aware!! Um, ?No I’m Am Not ! !!

Why would a message about a Microsoft sweepstakes come from a Prince George’s County, Maryland email address?

Why would the disclaimer refer to said county, and not, oh…I don’t know…maybe Microsoft?

Finally: there is absolutely no such thing as a Microsoft E-Mail Sweepstakes, nor has there ever been, and nor will there ever be. But if you’ve been reading this site for a while, you already knew that one, didn’t you?

Have a good weekend. Stay vigilant. (Also, try grilling corn with garlic butter and without wrapping it in foil if you’re cooking out this weekend. You have to move it around a lot to avoid flare-ups and burnt corn, but dude…seriously, you’ll never do it the old way again.)

Email Scam/Malware Alert: “Corporate eFax message”

I received this message yesterday afternoon (links have been removed, but are shown in blue):

*   *   *

From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages

Fax Message [Caller-ID: 680-973-3656]

You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.

* The reference number for this fax is min1_20121003222219.1055179.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login

© 2011 j2 Global Communications, Inc. All rights reserved.

eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

*   *   *

eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?

By mousing-over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouse over it says another, that’s a good indication of foul play.

In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!

  1. min1_20121003222219.1055179: www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
  2. Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
  3. www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
  4. Home: egelisanfen.com/v2WPTAhV/index.html
  5. Contact: christianharfouche.net/Q1uRBnn/index.html
  6. Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
  7. eFax® Customer Agreement: happlications.com/phjbPEB/index.html

You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”

Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.

Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and carry out other criminal activity.

Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.

IC3 Scam Alerts

The latest batch of scam alerts from the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), came out yesterday, and there are some interesting things going on out there.

I won’t paste the entire text here, but the “Triangle Credit Card Fraud” was a new one to me. It works this way:

The first party is the fraudster who acts as a seller on a popular auction or marketplace site. The fraudster “sells” a product to the second party, the buyer that knows nothing about the scam. The buyer pays the seller for the product or service. The seller then needs to deliver the product or service to the buyer and does so by placing an order with the manufacturer of the product or service to the buyer and does so by placing an order with the manufacturer of the product or service, the third party. That order will contain the buyer’s information for shipping and stolen credit card information for billing. When the company receives the order, the billing and shipping information is all legitimate, thus it looks like an order being placed as a gift, so the company delivers the product or service.

That’s a big ball of text that takes a minute to decipher (and it seems to repeat itself at least once), but the underlying message is clear: you have to be really, really cautious when buying things from online auction sites.

The alerts also point out a new take on the old work-at-home scheme. This time, crooks are telling victims they submitted a resume online and using the names of well-known financial institutions and agencies (instead of the usual out-of-the-blue offer for mystery shopper work), then sending victims a fraudulent cashier’s check to purchase software or other supplies. Naturally, the victim then wires back the overage and ends up losing money. This time they’re finding victims because a vast number of people have been submitting resumes online, and I can tell you from experience: unless you’re a record-keeping ninja, it can get hard to keep track of what jobs you’ve applied for.