Archive for the ‘Spam’ Category

Phish: Facebook Update Tool aka Facebook Account Update

Tuesday, November 3rd, 2009

I had a rash of spam get through the filters at work today.  Supposedly, I need to click some links in an email to update my Facebook account — for “increased account security.”

facebook4.png

This is actually one of the most convincing phishing attempts I have seen, but there are telltale clues:

1) I got three copies with two different subjects.  Sometimes it pays to procrastinate.

2) They don’t seem to know my name.

3) The return address looks fishy, and it is different in all three copies.

4) The URLs are just wrong.  Always check the URL before clicking.  I see “facebook.com.ppiof.eu”.  Remember that this really means whatever.ppiof.eu, and something.com.something_else is always the bad guys.

And the real giveaway:

5)  I don’t have a Facebook account.  If I did, this would be the wrong email address.

facebook1.PNG

Now, if you do have a Facebook account, and if you only get one copy,  you can still spot the fakes pretty easily.  These phishing emails will go out to mailing lists and lots of users who pay attention to this sort of thing. When I get an interesting email, I will search for some of the text of the message on Google.  Generally, I find an article like this one.

Here’s the text of the email for the search engines.

Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
Click here to update your account online now.

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team

Look before you leap: using snopes.com

Friday, September 25th, 2009

I got a surprising email this morning.  It is a dire warning from somebody in my new company’s corporate IT department.   I thought it looked unlikely, so I consulted my oracle about it.  Sure enough, it’s as unlikely as it sounds.  More importantly, this email has been circulating for over five years.  Someone in that position should know better.

While I was there, I saw that snopes also covers the IRS Notice of Underreported Income and Tax Refund letters I wrote about earlier.

From: xxxxxxx, xxxx
Sent: Thursday, September 24, 2009 7:57 AM
Subject: FW: Money Scam – Just passing this along

 

Passing on…

there is always someone thinking up a new scam.  Better watch this one!!!!

  It happened to me at Wal-Mart (Supercenter Store #1279, 10411 N Freeway 45, Houston , TX 77037 ) a month ago.  I bought a bunch of stuff, over $150, & I glanced at my receipt as the cashier was handing me the bags.  I saw a cash-back of $40.  I told her I didn’t request a cash back & to delete it.  She said I’d have to take the $40 because she couldn’t delete it.  I told her to call a supervisor.  Supervisor came & said I’d have to take it.  I said NO!  Taking the $40 would be a cash advance against my Discover & I wasn’t paying interest on a cash advance!!!!!  If they couldn’t delete it then they would have to delete the whole order.  So the supervisor had the cashier delete the whole order & re-scan everything!  The second time I looked at the electronic pad before I signed & a cash-back of $20 popped up.  At that point I told the cashier & she deleted it.  The total came out right.  The cashier agreed that the electr onic pad must be defective.  Obviously the cashier knew the electronic pad was defective because she NEVER offered me the $40 at the beginning.  Can you imagine how many people went through before me & at the end of her shift how much money she pocketed?


Just to alert everyone. My co worker went to Milford DE  Walmart last week. She had her items rung up by the cashier. The cashier hurried her along and didn’t give her a receipt. She asked the cashier for a receipt and the cashier was annoyed and gave it to her. My co worker didn’t look at her receipt until later that night. The receipt showed that she asked for $20 cash back. SHE DID NOT ASK FOR CASH BACK. My co worker called Walmart who investigated but could not see the cashier pocket the money. She then called her niece who works for the bank and her niece told her this. There is a scam going on. The cashier will ask for cash back and hand it to her friend who is the next person in line.  Please, Please, please check your receipts right away when using debit cards. The store has the cashier under investigation now. We can only pray that she is caught very soon.

I am adding to this.  My husband and I were in WalMart North Salisbury and paying with credit card when my husband went to sign the credit card signer he just happen to notice there was a $20 cash back added.  He told the cashier that he did not ask nor want cash back and she said this machine has been messing up and she canceled it.  We really didn’t think anything of it until we read this email.  Please be aware

 

What is phishing?

Thursday, September 17th, 2009

Since I’ve been on the subject of Phishing email, I decided to look into a balance transfer offer I got from Citibank.

While I was looking into it, I ran into an excellent explanation and example at PhishTank:

What to look for in a phishing email

  1. Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like “First Generic Bank Customer” so they don’t have to type all recipients’ names out and send emails one-by-one. If you don’t see your name, be suspicious.
  2. Forged link. Even if a link has a name you recognize somewhere in it, it doesn’t mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don’t click on the link. Also, websites where it is safe to enter personal information begin with “https” — the “s” stands for secure. If you don’t see “https” do not proceed.
  3. Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.
  4. Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.

 Phish Annotated

Here is my email (without and with images), purportedly from Citibank, and potentially a Phishing attempt:

citi_nopictures.png

citi.png

How does this “offer” stack up?

  1. Generic greeting. Well, they address me by name and include the last four digits of my account.  That’s good.
  2. Forged link. Not so good here.  I guess this will be the point of the post.
  3. Requests personal information. Good here.  There is no request for information in the body of the email, but what about the links?
  4. Sense of urgency. Good again.  My suspicious nature is soothed.  Somewhat.

The links

The links in this message  are really suspicious, IMHO.  Roll over any of the links, and for every one of them you see something like http://citibank.r.delivery.net/r?2.1.3L8.2ll.11q1vM.C3spKI..H.C%5ffI.3Cg.bW42MQ%5f%5fCTSMFNF0.  “something.Delivery.net” does not say “trusted bank” to me.  In fact, whois shows that delivery.net is registered to Acxiom Corporation, a leading provider of email marketing solutions.

Acxiom Corporation

I assume that the trailing garbage is encoded information that identifies me.  I tried to open several of the pages after changing a couple of bytes of the string, and every one of them took me to Citibank Japan.

Exploring the Site

I decided this was a legitimate offer with problems rather than a phish, so I clicked a link.

The links redirect, and I end up at https://www.accountonline.com.  That also does not look like Citibank.  However, there are clues that it is legitimate.

First, the address bar changes to HTTPS, and in Firefox, a green security indicator appears.

Firefox Security bar

This indicates that the session is now secure, and that the securing certificate belongs to the entity shown in green.   Anyone can get a certificate and set up a secure site.  If the name doesn’t match, you may be getting conned. Click on the green area to get more information about the certificate.

Certificate Details

Second, the whois record does show that accountonline.com is owned by CitiBank, N. A.

What is this “Email Security Zone”?

The message has an Email Security Zone box at the top with some personal information.  This is enough to assure me that, if it is a scam, it is targeted directly to me.  Since I’m feeling egotistical and free to assume that they are out to get me, I’ll assume this is fake.  But, what is it?

I click on the text and get redirected to citicards.com.

The site contains these gems of wisdom:

Check Email for Security

 The best way to verify a Citi email is to look for the Email Security Zone header at the top of the email. Every Citi Cards email includes your first name, last name, and the last 4 digits of your card number.

Please note that Citi will never ask you for your PIN number, and will never include your full account number, password or social security number in an email–only the last four digits. If you receive an email claiming to be from Citi that includes or asks for your full account number, password or social security number, do not respond to it. Instead, forward it to spoof@citicorp.com.

Be careful – If I were a scammer, I would invent a security badge and give it to myself.  Then I would point out how that indicates how secure you are.  Note that it is the last four digits that are useful, not the first four.  Some scammers will try to lull you into a sense of safety by giving the first four digits, which are used to identify the bank or type of card and are very easy to guess.

Examples of Phishing Emails:

Your Citibank account was temporarily suspended

Protect Your Citibank Account

Citibank for Your Information

Citi Identity Theft Solutions

I love this part.  Every one of these examples has this to say at the top:

Below is a fraudulent email that was sent to a customer. Although it looks like it’s from Citibank, it is not. To visit us, always enter www.citicards.com.

Yet, their own email has clickable links and buttons that all go to citibank.r.delivery.net or get redirected to www.accountonline.com.  Come on, Citibank.

One more point to watch out for

Phishing email is often taken from real emails like this one and modified slightly.  All the images and wording come from the original, and often from the legitimate site itself.  Most of the links, such as “privacy”, “security”, “pay your bill”, “contact us”, will direct to the original, legitimate site.  Even if most of the links check out, there could still be a viper in the nest.

tax refund

Tuesday, September 15th, 2009

Call me easily amused, but it just boggles my mind that this kind of spam seems to work (or why would they keep doing it?).

Internal Revenue Service U.S.A. Homepage

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $376.44
Please click on the link to continue: http://ww1.irs.gov/refund/form?ssl=29lcszrOjdnnotthereallinkonOkhb
A refund can be delayed for a variety of reasons.
We apologize for the problems caused, and is very grateful for your collaboration.

Deliberate wrong inputs are criminally pursued and indicated.

Sincerely,
Quinton Kiah
Tax Refunds Department

Copyright © 2009 Internal Revenue Service U.S.A. All rights reserved.

Let’s see what’s wrong with this one.  How about going top to bottom?

1)  The alternate text on the image is “Internal Revenue Service U.S.A. Homepage.”  (Mouse over the image to see it).  “Homepage”? We Americans are only concerned with the IRS of the United States – but we never mention the “U.S.A.” part.  That’s assumed, unless you live in Nigeria.

2)  This is obviously written by or for someone who does not do their own taxes.  The IRS does not perform “annual calculation” of our “fiscal activity.”  They check the “annual calculations” that we do ourselves and give to them.

3)  “Click on the link.”  Nope.  Hover over the link and look in the status bar to see where it goes – www4.irs.gov.6icmpsrvid.net.  Remember, that translates to something at 6icmpsrvid.net.  Not very governmental sounding.

4)  “We … is very grateful for your collaboration.”  Well, you be welcome then.

5) Be accurate, or be indicated.

6) Sincerely, Quinton Kiah.

Actually, I’d believe this one.  No con man makes up a name like that (for an American IRS representative).

7) “Copyright © 2009 Internal Revenue Service U.S.A. All rights reserved.”  Now the IRS is supposed to be copyrighting refund notices?  Maybe only the IRS of U.S.A.

So, what is left to be Right?

A refund can be delayed for a variety of reasons.
Tax Refunds Department

That, I can believe.

——————————————————————————————

Update:

This was so silly that I didn’t even try to look it up online.  However, I stumbled on the page at Snopes.com that covers this email.  They add the expected words straight from the IRS:

The IRS says about such e-mails that:

The IRS does not initiate taxpayer communications through e-mail. In addition, the IRS does not request detailed personal information through e-mail or ask taxpayers for the PIN numbers, passwords or similar secret access information for their credit card, bank or other financial accounts.

Do not open any attachments to questionable e-mails, which may contain malicious code that will infect your computer. Please be advised that the IRS does not initiate contact with taxpayers via e-mails.

The hyperlink above contains information about how to report phishing e-mails purporting to originate with the IRS.

hey there (spam)

Friday, September 11th, 2009

Why do spammers think this approach will work?  Do they hope that when they send a million messages like this, some of the recipients will happen to have an old friend Roben with whom they used to have casual and unpunctuated conversations about online pharmacies?  Who else would take it seriously?

—–Original Message—–
From: robenheavens@verizon.net [mailto:robenheavens@verizon.net]
Sent: Tuesday, March 10, 2009 9:51 PM
To: Undisclosed recipients:
Subject: hey there

 

Hello,

hey where have you been recently ? I did not get any mail from you for a long time. Anyway, I found a very quality online pharmacy. I ordered some meds and I got them in 3 days. I remember last time you were asking for a cheap and quality pharmacy.here it is :

 

Their url : http://www.e-shellmust.com

 

 

—–Original Message—–
From: motion30@att.net [mailto:motion30@att.net]
Sent: Saturday, March 07, 2009 5:35 PM
Subject:

 

Hello,

 

hey how are you doing ? get back to me as soon as possible when you read my mail because i found a great offer on the internet and you should not miss this. I discovered a free medicine shop. I just paid for shipping and they sent my medicines in 3 days. You must check them out before this promotion ends.

Here is their address :

 

http://www.cuspfled.com

 

 

see you later

 

bye

IRS Notice of Underreported Income

Wednesday, September 9th, 2009

I only see the rare spam that gets through all the filters on Gmail and my company’s Exchange server. This one gave me a start – I did have a complicated return last year, and this year will be even worse.

From: Internal Revenue Service [mailto:no-reply@irs.gov]
Sent: Tuesday, May 05, 2015 9:59 PM
To: Doe, John
Subject: Notice of Underreported Income

 

Taxpayer ID: john.doe-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: john.doe-00111174073547US

Internal Revenue Service

It startled me just for a second.  It has all the clues one needs to avoid being duped.

  • It’s an email.  The IRS just doesn’t work that way.
  • It’s an email to my company address.  The IRS doesn’t work that way.
  • It wants me to click something.  No legitimate business works that way these days.
  • As a bonus, check out the Sent date – apparently, I will be evading my taxes six years from now!

The URL is http://www.irs.gov.hyu11hep.eu/fraud_application/directory/statement.php?email=john.doe@company.com&tid=john.doe-00111174073547US

  • This URL is clearly bogus.  Remember, addresses read right to left – top level domain (.com, .gov, etc) then domain. Everything else is optional and flexible.  So, this one is “stuff” at  hyu11hep.eu.  Again, not as expected for the IRS.
  • Everything after the “?” is instructions to the program that renders the page.  The name, email, and supposed taxpayer id can all be echoed back to you.
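The right-to-left reading described above, applied to this URL and to the lookalike hosts from the Facebook and tax refund posts, as an added example that is not part of the original post. The short suffix set and the list of expected domains are assumptions made for the example; a real check would load the full Public Suffix List.

```python
from urllib.parse import urlsplit, parse_qs

# Simplified stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "eu", "co.uk"}

# Domains the recipient actually expects to deal with (assumption for this example).
EXPECTED = {"facebook.com", "irs.gov"}

# Link from the "Notice of Underreported Income" email, as quoted in the post.
NOTICE_URL = ("http://www.irs.gov.hyu11hep.eu/fraud_application/directory/"
              "statement.php?email=john.doe@company.com"
              "&tid=john.doe-00111174073547US")


def registrable_domain(host):
    """Read the host right to left: public suffix, then exactly one more label."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" is matched before "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is a bare suffix, nothing is registered
            return ".".join(labels[i - 1:])
    return None  # suffix not in our simplified list


def embedded_brand(host):
    """Return the expected domain used as leading labels of a host owned by someone else."""
    reg = registrable_domain(host)
    if reg is None or reg in EXPECTED:
        return None
    host = host.lower().rstrip(".")
    prefix = host[: -len(reg)].rstrip(".")  # the "optional and flexible" part
    for brand in sorted(EXPECTED):
        if prefix == brand or prefix.endswith("." + brand):
            return brand
    return None


def inspect_link(url, shown_text=None):
    """Summarise where a link really goes and what it would echo back to the reader."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    report = {
        "host": host,
        "registrable": registrable_domain(host),
        "impersonates": embedded_brand(host),
        # Everything after "?" is input to the page; it can be echoed back.
        "echoed_params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "text_mismatch": False,
    }
    if shown_text and "://" in shown_text:
        shown_host = urlsplit(shown_text).hostname or ""
        report["text_mismatch"] = registrable_domain(shown_host) != report["registrable"]
    return report


if __name__ == "__main__":
    samples = [
        (NOTICE_URL, None),
        # Host seen on hover in the tax refund email; the path is a placeholder
        # and the displayed link is shortened to its host and path.
        ("http://www4.irs.gov.6icmpsrvid.net/", "http://ww1.irs.gov/refund/form"),
        # Host from the Facebook email; the path is a placeholder.
        ("http://facebook.com.ppiof.eu/", None),
        # Constructed legitimate link for comparison.
        ("https://www.irs.gov/", None),
    ]
    for url, shown in samples:
        print(inspect_link(url, shown))
```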

As always, Google is your friend.  Search for a couple of key words “hyu11hep.eu fraud_application” and you get a telling scorecard – PhishTank, Malware Domain List, abuse.ch ZeuS Tracker.

Here’s a screenshot courtesy of PhishTank.  As a final insult, the instructions are to download and execute your tax return.

Ruth Madoff

Tuesday, August 18th, 2009

I thought this was an interesting twist on the standard Nigerian scam.  It’s based (loosely) on a real news article.  “My husband is a thief.  I need your help to hide the stolen money he gave me.  God bless you.”

Mrs. Ruth Madoff

West, Liverpool,

London.

My Great Compliments,

I’m Mrs. Ruth Madoff, 67, wife to Mr. Bernard L. Madoff, of Bernard L. Madoff Investment Securities LLC, who pleaded guilty to operating a multibillion-dollar Ponzi scheme, is worth up to $826 million, according to a document filed with a federal court on Friday 13th March 2009.

My husband pleading stealing billions from investment from his clients and he was ordered to jail Thursday 12th March 2009, after pleading guilty to all 11 criminal counts in one of Wall Street’s biggest swindles.

Now the Federal investigators in the USA are working around the clock to freeze all my assets, fearing that I’m trying to flee the country which I have done shortly after my husband was sentenced, I have $93 million in my name beyond their reach.

 

The Securities and Exchange Commission is working with federal prosecutors in Manhattan to prepare a filing asking a judge to formally freeze all of my assets as soon as possible.

My husband deposited the sum of (USD$17.000.000.00 Million) in a Finance Firm in Europe some years ago in my name, I need you to collect this funds and distribute it to both of us since the Federal investigators are working around the clock to freeze all my assets. Meanwhile all documents related to transfer of this fund to your account is with my attorney Mr. Peter Chavkin, who is willing to help us process the release order from the UK bank.

Presently, I’m in a hard out here in UK as the Federal investigators as well the Securities and Exchange Commission is looking for me to freeze my entire asset as well prosecute me like my husband.

Please reply back to me on this e-mail as I will like if you contact my attorney directly so that he will direct you on the way forward. Please due send to me all your contact details as I will like to speak with you before we commence on the transaction.

Please keep this confidential. You can read my story on this website: http://www.nypost.com/seven/03152009/news/regionalnews/ruth_in_crosshair_159631.htm

God bless you.

 

Best Regards,

Mrs. Ruth Madoff

The Scam

Wednesday, June 24th, 2009

I alluded to a scam in an earlier post.  I guess it’s time to elucidate.

On Monday I stopped for gas on my way home from work.  I don’t like it, but sometimes it just has to be done.  My card was denied, and I had to use another one (I have a whole deck of them, but I don’t let that get me into trouble…)

I needed contact lens solution or something and stopped at Walgreens.  My card was denied again (I just had to try it, of course).

I called Chase to get the scoop.  It seems that someone made about 20 online UPS purchases in the space of 10 minutes or so.  It turns out that someone used my card, my old home address, and my work phone number to mail — overnight — fake cashier’s checks for $2000-$3000.  The checks were from some James Carrick.  I should also point out that my Discover card was misused in the distant past — and they called me.

On Wednesday I started getting phone calls at the office.  “What’s this check for?”.  “The bank says this check is no good – what gives?”, etc.  I got one call from a Private Investigator — “I got this envelope and I’m afraid to open it – what’s in it?”  I replied “I don’t know – probably a bad check”.  He then confessed “Actually, I did open it.  Who is James Carrick and what is this payment for?”.  Suspicious fellow.  I think he disconnected his phone number the next day.  One recipient thought it was supposed to be payment for a “driving job” he got on craigslist.  Another fellow thought it was payment for “modeling work.”  I asked if he got the work on Craigslist.  He said no, it was another website; did I want to know what site?  Um, no thanks, probably.

One recipient refused delivery and the envelope was returned to sender — that’s me!  I was able to retrieve the envelope from the family living in my old house.  It is a large cardboard mailer.  Inside is a cashier’s check and a tiny slip of paper with instructions – “Kindly check your emails for instructions.”  Apparently the scammer cannot afford full sheets of copy paper.  I think most of the envelope recipients didn’t even see the note.  I called all my victims back, and not one of them was sufficiently email savvy to produce an email for me, so I still don’t know what the instructions would be.  All of these scams involve keeping some of the money and forwarding some of it to someone else.  After your payment is gone, the check bounces and you are out some dough and feeling foolish.  Apparently dog breeders are having a hard time with this one.

I took this opportunity to change all my financial user names and passwords.   I know I should do that regularly, but somehow it just doesn’t seem urgent.  Usually.

Frogs in my underpants

Wednesday, May 6th, 2009

Blow the bacterial infections away from you. 

One of the tricks the spammers use is to hide their message in a picture and add hidden text to get past the  spam filters.   I have Outlook configured to hide pictures until I ask for them, so I don’t suppose I’m seeing the message as the spammers intended it.

The bit about frogs caught my attention (I must have been bored).  I have to wonder where they get the raw material for the text.

This one is selling Viagra, by the way.
————————————————–

You just need to put thoose link on picture to get visit our store

there’s a tiny restaurant

and a delicious coke.
i am not going to worry…about a thing.

she’s cute
when she does these weekends she fills up really fast so don’t wait- if you need color and/or cut and/or face waxing at very reasonable prices email her promptly and she’ll get you booked and give you directions.

may you always have courage to take a chance and never find frogs in your underpants.
my happy little life

haha, that’s my girl. pug
cate was so happy she began yelling “let’s give a hand to springtime!

my homekeeping secrets
and you eat with your sunglasses on

this image of silke stoddard’s knitting is burned into my mind and tatooed on my heart.
i LOVE this picture and am so inspired to keep the needles moving.

2. to keep the bedrooms clear i throw all the dirty laundry in the laundry room and shut the door. out of sight, out of mind!
i am so grateful for quiet time with the scriptures.

where you can get great steak and shrimp
but then again, we looove roadtrips.

in a tiny town in idaho
i found that amazing old shirt (we’re big fans) at the thrift store for $1 and it’s so soft.

when you need to be home, may you find your way.
you sit at the counter

the best part of dinner was the irish soda bread- it was so so good, and it’s really easy to make.
and my wheels are turning with projects to put together for a locals knitting class.

let’s give a hand to the world, for everything it can do!!
and you are happy.

corned beef is cheap meat, a head of cabbage is less than 50 cents, and i bet you have all the ingredients for the bread in your cupboard. you should make this meal tonight!
i am blocking my two latest projects today and will show them tomorrow.

Spam, spam, spam – and a scam!

Wednesday, May 6th, 2009

I get spam.  Not a lot, but some always finds a way to squeeze in through the cracks in the system.

I find that the spam that has been making it to my inbox is actually pretty amusing.  I suppose that in itself says something about my sense of humor.

Because I find these attempts to extract something from me amusing, and because I like to find something when I search for my message, I’m going to post some of my favorites here.  And yes, I have been involved in a serious scam.  More of an innocent near-bystander than a participant, but involved nonetheless.  More to follow as events transpire…