Tag Archives: Spam

Ridiculous Spam Friday II: The Squeakquel.

The ludicrous spam just keeps on rolling in! I decided to run a second installment of Ridiculous Spam Friday this week.

No, I am not paying tribute to the Alvin and the Chipmunks movies with the title of today’s post. They’re terrible. I now tack the words “The Squeakquel” onto everything that’s a “part two” in a series because it cracks me up. Rocky II: The Squeakquel. See? Hilarious.

Anyway, here are three more examples of spam I received this past week. The crooks in this first case are hardly trying. Just like the people who made the Alvin and the Chipmunks movies. Ba-zing!

From: Support <Laura.Ferelli@service.amazon.com>
Date: Sunday, February 28, 2010 1:31 PM
To: <email address>
Subject: Confirm Order #05830659

Your Order Id:153517648031959 Accepted.

Thank you.
Amazon.com Customer Service

The word “Details” was linked to a website in Romania. I’m no expert on Amazon’s server setup, but I’m pretty sure their website isn’t hosted in Romania. I’m also completely certain it will have the word “Amazon” in the URL, no matter where it is hosted.

Here’s one that uses a real name and email address from Rady Children’s Hospital in San Diego. Everything else about it is fake:

From: Nespeca, Mark MD
Date: Monday, March 01, 2010 3:26 AM
To: chan@hotmail.com
Subject: You Have A Pick Up


You have a consignment containing a bank draft of 450,000.00 United States Dollars and gift items which await an outstanding payment of $240 .

For claims, Please confirm your ful name, home address, and telephone number with Mr. Garry Moore. Contact email and phone number are

tnt-services@admin.in.th and (+234) 802 378 8093 respectively.

Thank you.

Miss Margaret Hagopian

Of course, this is a pretty typical “Lottery Scam” setup. As often happens, there is some disagreement about who is sending the message. Is it Mark Nespeca (who apparently is a real doctor)? Is it Gary Moore? Miss Margaret Hagopian? Also, why would you be contacting a company in Thailand (.th) for something involving a hospital in San Diego? Nothing here makes sense at all. I’m sure $240 is just the tip of the iceberg. By the time you wired $8,000 overseas, you’d probably begin to suspect something.

I’ve noticed more scams and spam using real names and email addresses from real businesses lately. The thing is, their choices seldom make any sense. Why would a children’s hospital be giving you nearly half a million dollars out of the blue?

Our final contestant today is doing the exact same thing with another healthcare-related business (this time with Continuum Health Partners, based in New York, I believe). This time, it’s Nicholas “Patrick Chan” Romas, MD, Director of Hang Sang Bank. The offer isn’t some crummy $450,000, though:

From: Nicholas Romas, MD
Date: Tuesday, March 02, 2010 1:31 AM
To: chan45@8u8.com

Dear friend,

Greetings to you.

I’m Mr.Patrick Chan, Director of Hang Seng Bank.  I am contacting you because I have a 42 million

dollars business proposal for you. For details, contact me confidentailly at  p.chan45@8u8.com

Thank you

Mr. Patrick Chan

Business Proposal

This message and any attachments are confidential and intended solely for the use of the individual or entity to which they are addressed.  If you are not the intended recipient, you are prohibited from printing, copying, forwarding, saving, or otherwise using or relying upon them in any manner.  Please notify the sender immediately if you have received this message by mistake and delete it from your system.

Name confusion, geographic confusion, it’s all here. The confidentiality notice at the bottom is a cute touch, too. It makes it look like you’re getting some kind of secret information that’s going to help you get your mitts on $42 million.

All three of these are similar, insofar as they’re using the names of real companies to lure victims. I’ll also bet you a buck fifty those last two come from the same person or persons. One has chan@hotmail.com in the recipient line and the other has chan45@8u8.com. Too similar to be a coincidence.

I don’t know exactly what these people are trying to accomplish with these messages. The first one looks like a malware attempt, and the other two are lottery-style scams. I’m not pursuing them to find out! As always, delete with extreme prejudice.

Ridiculous Spam Friday

I’ve been getting a lot of really ludicrous spam lately. Below are three examples. This first one was barely even trying:

From: sgh12345@sg1es.tnc.edu.tw
Date: Monday, February 15, 2010 8:49 AM
To: undisclosed-recipients:
Subject: You’ve Won

You’ve been awarded (500,000.00GBP) from microsoft lottery for claims send info:full name, address, age, country,to mr stephen scott via email to msnclaim@movmail.com

Interesting that someone from Taiwan (.tw) would be sending a message to an American about a prize of British Pounds. Also weird how an alleged representative of Microsoft would forget to capitalize the company name, not to mention direct you to a non-Microsoft website.

Next up, an exciting offer from Robert “Sgt. Lee Johnson” Brhel, who is either in Hong Kong (.hk) or Iraq, he’s not quite sure:

From: Robert Brhel
Date: Friday, February 12, 2010 6:47 PM
To: none
Subject: Please send your reply to this E-mail address:  sgtlee1971@yahoo.com.hk

My name is Sgt. Lee Johnson, a member of the U.S. ARMY USARPAC Medical Team, which was deployed to Iraq in the beginning of the war in Iraq. Please do visit the BBC website stated below to enable you have insight as to what I’m intending to share with you, believing that it would be of your desired interest one-way or the other.
     Also, could you get back to me having visited the above website to enable us discuss in a more clarifying manner to the best of your understanding. Please send your reply to this E-mail address:  sgtlee1971@yahoo.com.hk
Sgt. Lee Johnson.

I left the link intact in this one because it leads to a legitimate news story. From seven years ago. Even if this message was real (which it’s not), I’m pretty sure somebody has found a home for that cash by now.

This is actually a pretty common variation on the old Nigerian 419 scheme. This time, it’s “I’m a soldier and I found a pile of money in whatever-country-I’m-fighting-in,” which inevitably leads to, “Hey person-I’ve-never-met, want to share it with me? Just wire me some money first.” As always, the “delete” key is your friend.

Finally, an attempt to infect you computer (and probably add it to some malicious botnet), wrapped up in a fake message from a real anti-fraud organization:

From: “National Health Anti-Fraud Association” <admin@nhcaa.org>
Sent 2/13/2010 1:39:53 AM
To: [removed]
Subject: Complaint registered against you

We have received a complaint regardding transaction No: 8711322 dated 01/28
/2010 in value of $ 2.871,00 representing the check issued by your company
to Fillmore Inc that was later deposited in the companies bank account.
If you feel this is an error please review the attached complaint document and contact us imediatly with proof to clear out this situation.
The copy of the check issued to your name is attached to this email as well as the original complaint.
Please call at 800-2661-7711 to sort out this situation. Your email was pro vided by the persson that filed the complaint.
You can also get in touch with our staff using the information on our websi

NHCAA – National Health Anti-Fraud Association

This one contained a virus-infected attachment. The clever part here is that they used a real website…that deals with fraud prevention. Gutsy, although I’d posit that most legit messages aren’t going to contain mangled spelling like ”imediatly.” I mean, that’s not even close, is it?

NHCAA.org is already aware of this message; there’s a warning on their front page. Attempts to scare people into opening attachments seem to be the flavor of the month. Any time you get an urgent message accusing you of something and instructing you to open a file, you can assume it’s fake. Whatever you do, leave those attachments alone.


This one is just dandy:

From: MICROSOFT NATIONAL LOTTERY 2010 <info@postcode.com>
Date: Thursday, February 11, 2010 8:35 PM
To: undisclosed-recipients:
Subject: YOU HAVE WON (£ 500.000.00 GBP)

YOU HAVE WON (£ 500.000.00 GBP)

Email: claimsmicrosft_106@hotmail.com
 You are to Fill the below details…

5. OCCUPATION…………………6. SEX………..

Yours Sincerely,

Esta mensagem foi verificada pelo sistema de antivírus e
 acredita-se estar livre de perigo.

Do I even need to tell you this is a scam? Probably a 419-style setup; after you contact them, they’ll have you wiring money overseas to pay “fees” for a prize that will never arrive.

There are some things I really love about this:

  1. “Microsoft National Lottery.” I wasn’t aware Microsoft was its own nation. Facebook, on the other hand
  2. Scam emails usually have some clunky English, but the language is butchered beyond belief in this one. Whoever wrote this hasn’t even got the rudiments wired.
  3. “Mr. Alex Winter Fall.” A man for all seasons (or at least two of them).
  4. Isn’t Microsoft based in the United States? What would they be doing hosting lotteries in the UK and handing out British Pounds to random people?
  5. Hotmail is owned by Microsoft, so they somehow managed to get something almost right. However, a real email from the company would be hosted at Microsoft.com.
  6. Does anybody honestly believe that large corporations just give away millions of dollars to random people? They don’t. Not even the richest ones.
  7. I wonder why the virus scanning information at the bottom of the email would be in Spanish, if this were actually sent from the U.K. to a U.S. recipient.
  8. “Microsoft E-mail Award-Winning Draws.” Not a very snappy name, is it?

Jokes about linguistic butchery aside, I actually think this message isn’t targeted to native English speakers. These things go all over the world, and if you only know a little English (or none), you might not immediately realize how “off” the grammar and spelling are.

Virus Alert: “Your internet access is going to get suspended.” (ICS Monitoring Team)

This email has been around for at least a couple years. Full text:

From: ICS Monitoring Team
Sent: Tuesday, February 09, 2010 2:48 AM
To: [email address]
Subject: Your internet access is going to get suspended

Attachment: report.zip

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

ICS Monitoring Team

If you get this message, or anything similar, delete it immediately, and whatever you do, don’t open that attachment. It’s a virus.

I don’t know exactly what sort of malware is attached, but if I had to guess, I would assume it contained some form software that could be used to remotely gain control of your computer. These “zombie computers” can then be used as part of a “botnet” to commit other crimes. In fact, a search for “ICS Monitoring Team” returned at least one link that appeared to be software that would allow you to remotely control other computers on a network.

They were really going for the jugular with this one, weren’t they? The fact is, a lot of people download copyrighted material, so they’ve got a lot of potential victims. Your first reaction upon reading something like this would probably be a small jolt of panic, whether you’ve been downloading stuff or not. The social engineering angle here is as brilliant as the grammar and spelling are execrable. “Consorcium?” Really?

Whatever you’ve been getting up to online, this message isn’t related to it. It’s just another attempt to infect computers with some kind of bad juju. I’m not saying you should keep ripping off copyright holders. Sometimes those BitTorrents are infected with stuff, too. And remember that one kid the entire music industry practically wanted to execute nine or ten years ago? People run into trouble that way.

However, if you do get caught, most likely your Internet service provider will just shut you down with very little explanation beyond “terms of service violations.” Some third party isn’t going to be given that power, at least not in the run-of-the-mill instances.

Fraud Alert: The Internet Crime Complaint Center (IC3) warns of new fraudulent email

United States Attorney General Eric Holder’s name is being used in a new fraudulent email currently making the rounds. Below is an excerpt from the IC3 Intelligence Note:

The current spam alleges that the Department of Homeland Security and the Federal Bureau of Investigation were informed the e-mail recipient is allegedly involved in money laundering and terrorist-related activities. To avoid legal prosecution, the recipient must obtain a certificate from the Economic Financial Crimes Commission (EFCC) Chairman at a cost of $370. The spam provides the name of the EFCC Chairman and an e-mail address from which the recipient can obtain the required certificate.

The full text of the Note further explains that the government does not use email to contact people in this way. I would also add that the FBI and the DHS are not going to let people suspected of terrorism or money laundering buy their way out of trouble for $370.