A Petty Blog

28. February 2010

President Obama has taken a personal interest in my email account

Filed under: Spam — Darin @ 15:49

My account is being threatened because of a complaint received by “the Administration”.  I’m honored at the attention.

Your profile will be locked in response to a complaint received by the Administration

From: Administration hotpop.com <support-148@hotpop.com>
Date: Sat, Feb 27, 2010 at 8:02 AM
Subject: Your profile will be locked in response to a complaint received by the Administration
To: *****@hotpop.com

***This message was created automatically by mail-delivery software. Do not reply to this message.***

Hello!
Your profile will be locked in response to a complaint received by the Administration 29.01.2010 ã.
According to “paragraph 8 of the user agreement, hotpop.com reserves the right to suspend or terminate the provision of services hotpop.com, promptly notifying the user.

Refute the statement may be, following this link:
http://camedecide.com

If the application is not rejected within 7 days, your e-mail an account will be blocked.
It has a number 247939070296484.

In the near future we will contact you.
It takes up to 3 days to process your request.
Thank you!
——————————


Sincerely,
mail support service
hotpop.com

 If I refute the statement may be, hoping my application to be rejected in 7 days.


By the way, I do actually have a hotpop account, but I don’t use it any more.  This is a free service, and you get what you pay for — unexplained sporadic service outages and no customer support of any kind.  There’s an email address and submission form, but they’re black holes.


27. December 2009

Frogs in my underpants - Redux

Filed under: Spam — Darin @ 21:57

Not too long ago, I added a live traffic feed to this blog.  I was quite surprised to learn that Frogs in My Underpants is one of the most frequently visited posts, often from Google.  Closer examination shows that it’s no accident — people are actually searching for “and never find frogs in your underpants”.  Now why would they do that?

I’m not the only one getting spam like this (no surprise).  I’m also not the only one to read through it (surprise).   Dave Gooch also ponders the meaning of this junk email.

However, that’s not the real reason people are searching.  It appears that this catchy little line is part of an Irish Blessing.  I found this version at www.crash-debris.com and in an article titled Underpants and Frogs on Riverwest Currents.

May the light always find you on a dreary day.
When you need to be home, may you find a way.
May you always have courage to take a chance.
And never find frogs in your underpants.

I also found a discussion on Snopes that included this version:

May you walk with the sunshine on your face;
May your moments be filled with gentle grace;
May you always give life a second chance;
May you never find frogs in your underpants.

Finally, there’s a children’s CD by “Livimack” called Frogs in your Underpants.

There.  Crash Debris edged me out for the #7 spot in the Google search order in the time it took me to write this (OK, to get around to writing it).  This information dense article should definitely push me up the list for all the folks out there wondering about “and never find frogs in your underpants.”

It’s nice to be good for something.


17. December 2009

Comment Spam results

Filed under: Spam — Darin @ 20:26

I turned off all the anti-spam widgets on this site for about 2 days.  That’s quite long enough for a good sample.

In that time I got 106 comments with at least 5 links (and usually more).  I’m not allowed to view most of these at home and wouldn’t dare click them at the office.  Another dozen or so were realistic enough to get posted without requiring moderation.

All that for a tiny little blog with about 4 regular readers.

I think the point is not so much to be read as to affect search engine rankings.  The more links “out there” pointing back to your site, the more popular, and thus relevant, your content must be.

The filters are going back in…

6. November 2009

Woohoo! I’m Popular. (hey — wait a minute…)

Filed under: Spam — Darin @ 17:05

I have a lot more visitors than comments.  I suppose that’s typical.

Nonetheless, I like comments.  I decided today to drop the bar on comment submission to see what will happen.  I took a look at my registered subscribers and got a shock.  I have 69 registered users!  Wow - I had no idea!

But wait a minute - take a look at the email addresses:

[image: userlist23.png]

I don’t want to expose any sensitive data on a real user, so I posted this as an image and obscured any data that looked legitimate. If you’re a real person, let me know and I’ll scrub the image some more.

I’m expecting lots of comment spam followed by a policy change.

At this point, it’s more than a guess.  I consulted my oracle on a few of these addresses (including Mr. Obama’s) and got hits at BotScout.com (“We catch bots so you don’t have to”) and Stop Forum Spam.

3. November 2009

Phish: Facebook Update Tool aka Facebook Account Update

Filed under: Spam — Darin @ 15:54

I had a rash of spam get through the filters at work today.  Supposedly, I need to click some links in an email to update my Facebook account — for “increased account security.”

[image: facebook4.png]

This is actually one of the most convincing phishing attempts I have seen, but there are telltale clues:

1) I got three copies with two different subjects.  Sometimes it pays to procrastinate.

2) They don’t seem to know my name.

3) The return address looks fishy, and it is different in all three copies.

4) The URLs are just wrong.  Always check the URL before clicking.  I see “facebook.com.ppiof.eu”.  Remember that this really means whatever.ppiof.eu: a host of the form something.com.something_else belongs to whoever owns something_else, not to something.com, and in an email like this it is always the bad guys.

And the real giveaway:

5)  I don’t have a Facebook account.  If I did, this would be the wrong email address.

[image: facebook1.PNG]

Now, if you do have a Facebook account, and if you only get one copy,  you can still spot the fakes pretty easily.  These phishing emails will go out to mailing lists and lots of users who pay attention to this sort of thing. When I get an interesting email, I will search for some of the text of the message on Google.  Generally, I find an article like this one.

Here’s the text of the email for the search engines.

Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
Click here to update your account online now.

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team

25. September 2009

Look before you leap: using snopes.com

Filed under: Spam — Darin @ 17:57

I got a surprising email this morning.  It is a dire warning from somebody in my new company’s corporate IT department.   I thought it looked unlikely, so I consulted my oracle about it.  Sure enough, it’s as unlikely as it sounds.  More importantly, this email has been circulating for over five years.  Someone in that position should know better.

While I was there, I saw that snopes also covers the IRS Notice of Underreported Income and Tax Refund letters I wrote about earlier.


From: xxxxxxx, xxxx
Sent: Thursday, September 24, 2009 7:57 AM
Subject: FW: Money Scam - Just passing this along


Passing on…

there is always someone thinking up a new scam.  Better watch this one!!!!

It happened to me at Wal-Mart (Supercenter Store #1279, 10411 N Freeway 45, Houston, TX 77037) a month ago.  I bought a bunch of stuff, over $150, & I glanced at my receipt as the cashier was handing me the bags.  I saw a cash-back of $40.  I told her I didn’t request a cash back & to delete it.  She said I’d have to take the $40 because she couldn’t delete it.  I told her to call a supervisor.  Supervisor came & said I’d have to take it.  I said NO!  Taking the $40 would be a cash advance against my Discover & I wasn’t paying interest on a cash advance!!!!!  If they couldn’t delete it then they would have to delete the whole order.  So the supervisor had the cashier delete the whole order & re-scan everything!  The second time I looked at the electronic pad before I signed & a cash-back of $20 popped up.  At that point I told the cashier & she deleted it.  The total came out right.  The cashier agreed that the electronic pad must be defective.  Obviously the cashier knew the electronic pad was defective because she NEVER offered me the $40 at the beginning.  Can you imagine how many people went through before me & at the end of her shift how much money she pocketed?


Just to alert everyone. My co worker went to Milford DE  Walmart last week. She had her items rung up by the cashier. The cashier hurried her along and didn’t give her a receipt. She asked the cashier for a receipt and the cashier was annoyed and gave it to her. My co worker didn’t look at her receipt until later that night. The receipt showed that she asked for $20 cash back. SHE DID NOT ASK FOR CASH BACK. My co worker called Walmart who investigated but could not see the cashier pocket the money. She then called her niece who works for the bank and her niece told her this. There is a scam going on. The cashier will ask for cash back and hand it to her friend who is the next person in line.  Please, Please, please check your receipts right away when using debit cards. The store has the cashier under investigation now. We can only pray that she is caught very soon.

I am adding to this.  My husband and I were in WalMart North Salisbury and paying with credit card when my husband went to sign the credit card signer he just happen to notice there was a $20 cash back added.  He told the cashier that he did not ask nor want cash back and she said this machine has been messing up and she canceled it.  We really didn’t think anything of it until we read this email.  Please be aware


17. September 2009

What is phishing?

Filed under: Spam — Darin @ 08:53

Since I’ve been on the subject of Phishing email, I decided to look into a balance transfer offer I got from Citibank.

While I was looking into it, I ran into an excellent explanation and example at PhishTank:

What to look for in a phishing email

  1. Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like “First Generic Bank Customer” so they don’t have to type all recipients’ names out and send emails one-by-one. If you don’t see your name, be suspicious.
  2. Forged link. Even if a link has a name you recognize somewhere in it, it doesn’t mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don’t click on the link. Also, websites where it is safe to enter personal information begin with “https” — the “s” stands for secure. If you don’t see “https” do not proceed.
  3. Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.
  4. Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.

 Phish Annotated

Here is my email (without and with images), purportedly from Citibank, and potentially a Phishing attempt:

[images: citi_nopictures.png, citi.png]

How does this “offer” stack up?

  1. Generic greeting. Well, they address me by name and include the last four digits of my account.  That’s good.
  2. Forged link. Not so good here.  I guess this will be the point of the post.
  3. Requests personal information. Good here.  There is no request for information in the body of the email, but what about the links?
  4. Sense of urgency. Good again.  My suspicious nature is soothed.  Somewhat.

The links

The links in this message  are really suspicious, IMHO.  Roll over any of the links, and for every one of them you see something like http://citibank.r.delivery.net/r?2.1.3L8.2ll.11q1vM.C3spKI..H.C%5ffI.3Cg.bW42MQ%5f%5fCTSMFNF0.  “something.Delivery.net” does not say “trusted bank” to me.  In fact, whois shows that delivery.net is registered to Acxiom Corporation, a leading provider of email marketing solutions.

[image: Acxiom Corporation]

I assume that the trailing garbage is encoded information that identifies me.  I tried to open several of the pages after changing a couple of bytes of the string, and every one of them took me to Citibank Japan.

Exploring the Site

I decided this was a legitimate offer with problems rather than a phish, so I clicked a link.

The links redirect, and I end up at https://www.accountonline.com.  That also does not look like Citibank.  However, there are two clues that it is legitimate.  One is that the whois record does show that accountonline.com is owned by CitiBank, N. A.

The other is that the address bar changes to HTTPS, and in Firefox, a green security indicator appears.

[image: Firefox Security bar]

This indicates that the session is now secure, and that the securing certificate belongs to the entity shown in green.   Anyone can get a certificate and set up a secure site.  If the name doesn’t match, you may be getting conned. Click on the green area to get more information about the certificate.

[image: Certificate Details]

What is this “Email Security Zone”?

The message has an Email Security Zone box at the top with some personal information.  This is enough to assure me that, if it is a scam, it is targeted directly to me.  Since I’m feeling egotistical and free to assume that they are out to get me, I’ll assume this is fake.  But, what is it?

I click on the text and get redirected to citicards.com.

The site contains these gems of wisdom:

Check Email for Security

 The best way to verify a Citi email is to look for the Email Security Zone header at the top of the email. Every Citi Cards email includes your first name, last name, and the last 4 digits of your card number.

Please note that Citi will never ask you for your PIN number, and will never include your full account number, password or social security number in an email–only the last four digits. If you receive an email claiming to be from Citi that includes or asks for your full account number, password or social security number, do not respond to it. Instead, forward it to spoof@citicorp.com.

Be careful - If I were a scammer, I would invent a security badge and give it to myself.  Then I would point out how that indicates how secure you are.  Note that it is the last four digits that are useful, not the first four.  Some scammers will try to lull you into a sense of safety by giving the first four digits, which are used to identify the bank or type of card and are very easy to guess.

Examples of Phishing Emails:

Your Citibank account was temporarily suspended

Protect Your Citibank Account

Citibank for Your Information

Citi Identity Theft Solutions

I love this part.  Every one of these examples has this to say at the top:

Below is a fraudulent email that was sent to a customer. Although it looks like it’s from Citibank, it is not. To visit us, always enter www.citicards.com.

Yet, their own email has clickable links and buttons that all go to citibank.r.delivery.net or get redirected to www.accountonline.com.  Come on, Citibank.

One more point to watch out for

Phishing email is often taken from real emails like this one and modified slightly.  All the images and wording come from the original, and often from the legitimate site itself.  Most of the links, such as “privacy”, “security”, “pay your bill”, “contact us”, will direct to the original, legitimate site.  Even if most of the links check out, there could still be a viper in the nest.

15. September 2009

tax refund

Filed under: Spam — Darin @ 20:25

Call me easily amused, but it just boggles my mind that this kind of spam seems to work (or why would they keep doing it?).

[image: Internal Revenue Service U.S.A. Homepage]

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $376.44
Please click on the link to continue: http://ww1.irs.gov/refund/form?ssl=29lcszrOjdnnotthereallinkonOkhb
A refund can be delayed for a variety of reasons.
We apologize for the problems caused, and is very grateful for your collaboration.

Deliberate wrong inputs are criminally pursued and indicated.

Sincerely,
Quinton Kiah
Tax Refunds Department

Copyright © 2009 Internal Revenue Service U.S.A. All rights reserved.

Let’s see what’s wrong with this one.  How about going top to bottom?

1)  The alternate text on the image is “Internal Revenue Service U.S.A. Homepage.”  (Mouse over the image to see it).  “Homepage”? We Americans are only concerned with the IRS of the United States - but we never mention the “U.S.A.” part.  That’s assumed, unless you live in Nigeria.

2)  This is obviously written by or for someone who does not do their own taxes.  The IRS does not perform “annual calculation” of our “fiscal activity.”  They check the “annual calculations” that we do ourselves and give to them.

3)  “Click on the link.”  Nope.  Hover over the link and look in the status bar to see where it goes - www4.irs.gov.6icmpsrvid.net.  Remember, that translates to something at 6icmpsrvid.net.  Not very governmental sounding.

4)  “We … is very grateful for your collaboration.”  Well, you be welcome then.

5) Be accurate, or be indicated.

6) Sincerely, Quinton Kiah.

Actually, I’d believe this one.  No con man makes up a name like that (for an American IRS representative).

7) “Copyright © 2009 Internal Revenue Service U.S.A. All rights reserved.”  Now the IRS is supposed to be copyrighting refund notices?  Maybe only the IRS of U.S.A.

So, what is left to be Right?

A refund can be delayed for a variety of reasons.
Tax Refunds Department

That, I can believe.

——————————————————————————————

Update:

This was so silly that I didn’t even try to look it up online.  However, I stumbled on the page at Snopes.com that covers this email.  They add the expected words straight from the IRS:

The IRS says about such e-mails that:

The IRS does not initiate taxpayer communications through e-mail. In addition, the IRS does not request detailed personal information through e-mail or ask taxpayers for the PIN numbers, passwords or similar secret access information for their credit card, bank or other financial accounts.

Do not open any attachments to questionable e-mails, which may contain malicious code that will infect your computer. Please be advised that the IRS does not initiate contact with taxpayers via e-mails.

The hyperlink above contains information about how to report phishing e-mails purporting to originate with the IRS.

11. September 2009

hey there (spam)

Filed under: Spam — Darin @ 06:50

Why do spammers think this approach will work?  Do they hope that when they send a million messages like this, some of the recipients will happen to have an old friend Roben with whom they used to have casual and unpunctuated conversations about online pharmacies?  Who else would take it seriously?

-----Original Message-----
From: robenheavens@verizon.net [mailto:robenheavens@verizon.net]
Sent: Tuesday, March 10, 2009 9:51 PM
To: Undisclosed recipients:
Subject: hey there


Hello,

hey where have you been recently ? I did not get any mail from you for a long time. Anyway, I found a very quality online pharmacy. I ordered some meds and I got them in 3 days. I remember last time you were asking for a cheap and quality pharmacy.here it is :


Their url : http://www.e-shellmust.com


-----Original Message-----
From: motion30@att.net [mailto:motion30@att.net]
Sent: Saturday, March 07, 2009 5:35 PM
Subject:


Hello,


hey how are you doing ? get back to me as soon as possible when you read my mail because i found a great offer on the internet and you should not miss this. I discovered a free medicine shop. I just paid for shipping and they sent my medicines in 3 days. You must check them out before this promotion ends.

Here is their address :


http://www.cuspfled.com


see you later


bye

9. September 2009

IRS Notice of Underreported Income

Filed under: Spam — Darin @ 18:31

I only see the rare spam that gets through all the filters on Gmail and my company’s Exchange server. This one gave me a start - I did have a complicated return last year, and this year will be even worse.

From: Internal Revenue Service [mailto:no-reply@irs.gov]
Sent: Tuesday, May 05, 2015 9:59 PM
To: Doe, John
Subject: Notice of Underreported Income


Taxpayer ID: john.doe-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: john.doe-00111174073547US

Internal Revenue Service

It startled me just for a second.  It has all the clues one needs to avoid being duped.

  • It’s an email.  The IRS just doesn’t work that way.
  • It’s an email to my company address.  The IRS doesn’t work that way.
  • It wants me to click something.  No legitimate business works that way these days.
  • As a bonus, check out the Sent date - apparently, I will be evading my taxes six years from now!

The URL is http://www.irs.gov.hyu11hep.eu/fraud_application/directory/statement.php?email=john.doe@company.com&tid=john.doe-00111174073547US

  • This URL is clearly bogus.  Remember, addresses read right to left: the top-level domain (.com, .gov, etc.) comes first, then the domain registered under it.  Everything further left is optional and is chosen by whoever owns that domain.  So, this one is “stuff” at hyu11hep.eu.  Again, not what you expect from the IRS.
  • Everything after the “?” is a set of parameters handed to the program that renders the page.  The name, email, and supposed taxpayer id can all be echoed back to you, which is how the page can look personalised without knowing anything about you.
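To make the link checks from this post and the earlier ones concrete (reading a host right to left, spotting a trusted name buried inside someone else’s domain such as facebook.com.ppiof.eu, comparing what a link says with where it actually goes, seeing that query parameters are just echoed input, and the four PhishTank signs), here is an added Python example.  It is not code from this blog or from PhishTank.  The sample text and HTML are constructed for the example; the hosts and the IRS URL are the ones quoted in the posts; and the “registrable domain” rule (last two labels, no public-suffix list) is a simplification that is wrong for suffixes like .co.uk, as noted in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: no public-suffix list, so the "registrable domain" is the last two
# host labels. Right for .com/.gov/.net/.eu, wrong for suffixes such as .co.uk.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def registrable_domain(url):
    """Read the host right to left: TLD plus the label in front of it. Everything
    further left is optional and chosen by whoever owns that pair."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:]) if host else None

def looks_like_impersonation(url, trusted):
    """A trusted name appears as whole labels in the host, but the host is not
    under a trusted domain (facebook.com.ppiof.eu, www.irs.gov.hyu11hep.eu)."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(url) in trusted:
        return False
    return any(re.search(r"(^|\.)" + re.escape(t) + r"(\.|$)", host) for t in trusted)

def echoed_parameters(url):
    """Everything after '?' is input to the page script; a phish just echoes it."""
    return parse_qs(urlparse(url).query)

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def anchors(html):
    p = _Anchors()
    p.feed(html)
    return p.links

def mismatched_links(html):
    """The 'roll your mouse over the link' check, automated: anchors whose visible
    text names one domain while the href goes to another."""
    bad = []
    for href, text in anchors(html):
        m = DOMAIN_RE.search(text.lower())
        shown = registrable_domain("http://" + m.group(0)) if m else None
        actual = registrable_domain(href)
        if shown and actual and shown != actual:
            bad.append((text, href))
    return bad

GENERIC = ("dear customer", "dear user", "dear facebook user", "valued customer")
URGENT = ("immediately", "within 7 days", "will be locked", "suspended", "act now")
ASKS = ("password", "social security", "pin number", "update your account",
        "verify your account")

def phish_checklist(text, html, trusted):
    """Score a message against the four PhishTank signs plus the URL checks.
    Returns findings in order; an empty list is not proof of legitimacy."""
    low, findings = text.lower(), []
    if any(g in low for g in GENERIC):
        findings.append("generic greeting")
    if any(u in low for u in URGENT):
        findings.append("sense of urgency")
    if any(a in low for a in ASKS):
        findings.append("requests personal information")
    if mismatched_links(html):
        findings.append("link text does not match href")
    hrefs = [h for h, _ in anchors(html)]
    if any(looks_like_impersonation(h, trusted) for h in hrefs):
        findings.append("look-alike host")
    if any(urlparse(h).scheme != "https" for h in hrefs):
        findings.append("link is not https")
    return findings

# Constructed sample modelled on the Facebook phish in the post: the host is the
# one quoted there; the markup and wording are invented for this example.
SAMPLE_TEXT = "Dear Facebook user, you will be required to update your account immediately."
SAMPLE_HTML = ('<p>Dear Facebook user,</p><a href="http://facebook.com.ppiof.eu/update">'
               'Click here</a> to update your account. See <a href="http://login.ppiof.eu/">'
               'www.facebook.com</a>.')
IRS_URL = ("http://www.irs.gov.hyu11hep.eu/fraud_application/directory/statement.php"
           "?email=john.doe@company.com&tid=john.doe-00111174073547US")

if __name__ == "__main__":
    print(registrable_domain(IRS_URL))          # hyu11hep.eu
    print(echoed_parameters(IRS_URL))
    print(phish_checklist(SAMPLE_TEXT, SAMPLE_HTML, {"facebook.com", "irs.gov"}))
```

phish_checklist only reports which cheap signs fired; an empty list means none of them did, not that the message is safe, which is the “viper in the nest” point from the Citibank post: most links in a recycled message can be perfectly clean while one is not, so every href gets checked rather than the first one that looks right.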

As always, Google is your friend.  Search for a couple of key words “hyu11hep.eu fraud_application” and you get a telling scorecard - PhishTank, Malware Domain List, abuse.ch ZeuS Tracker.

Here’s a screenshot courtesy of PhishTank.  As a final insult, the instructions are to download and execute your tax return.
