Dispatches Archive


January 27, 2006

Newest Phony UK Lottery Is Just Too Much!

A newer installment of the bogus UK lottery advance-fee (419) scam arrived today with the subject line "UKONLINE NOTIFICATION DESK" (yes, they have to shout it out). It uses a lot of the same tricks as reported before (wavy Union Jack flag image and a [different] coat of arms, even more images hijacked from the real UK Lottery site, phony signature art from Carl A. Somebody, etc.), but this one ups the ante a bit.

One thing that may cause unsuspecting recipients to believe this one is real is an official-looking barcode image at the bottom of the message. That actually bothers me more than anything else in this hoax because I'd wager that a lot of consumers believe it is a unique identifier associated with the message they received. The same image (sourced from the same URL) has appeared in lottery scam messages since at least October 2005.

Anyway, this "winning notification" is signed ("Yours faithfully") by two people in two places in the message. The first is the "Zonal Coordinator" named Mr. Lucy Daran (not a typo). The second is someone named Mr. Brian Hunt, a name used in lottery scam messages dating back to at least 2004. The kicker is that there is a supposed photo of Mr. Hunt, a distinguished-looking, grey-haired gentleman—someone you'd trust at first sight. The problem is, however, that the image (as revealed in the source code of the email message) is hijacked from a different source. The photo, it turns out, is of Carl-Wilhelm Stenhammar, current president of Rotary International. Yes, the Rotary International. I don't know if Mr. Stenhammar knows his image is being abused, but I'd sure recommend the Rotary site change the file name of the image pronto. (And I'm also glad that I don't look distinguished enough to make my mug shot worthy of hijacking.)

The scammer did slip up with a major gaffe with this line:

N/B, DO NOT FALL TO WRITE US ON THIS EMAIL : [removed]@hotmail.com

But by this point, gullible readers have already spent the £2,000,000 in their minds, and won't spot either the misspelling or the oddity that the "official" UK lottery would use a Hotmail address. By the way, this email address is different from the one the message instructs users to contact, which is a yahoo.co.uk address. Geez.

Posted on January 27, 2006 at 09:29 AM

January 25, 2006

Will 3Feb2006 Be a Black Friday?

A particularly nasty worm has been installed on over 1,100,000 PCs around the world. How do we know? Because the worm includes code that reports to a central location each time it gets installed.

Aside from doing the usual things (disabling antivirus software, installing its own SMTP server, harvesting email addresses, remailing itself to those harvested addresses, etc.), according to those who dissect this stuff, this one is a ticking time bomb: On the third of every month, it will overwrite data files on the infected PC. And I'm not talking just any ol' data file, but all files with filename extensions from programs like Word, Excel, Access, PowerPoint, Photoshop, Acrobat, and all zipped files (plus some others).

If your PC is already infected, your antivirus software may not help. In fact, your protection is likely disabled. Antivirus vendors, such as Symantec and McAfee, offer tools for their customers to rid your PC of this garbage, and Microsoft offers instructions and a tool for identifying and removing the infection (not tested here, so use at your own risk, and always back up your data before messing with this stuff).

This worm propagates predominantly through an email attachment. The Subject: lines look like they could be from anyone (e.g., "A Great Video," "Fw: DSC-00465.jpg," "Fw: Funny :)," "Fw: SeX.mpg"), and because To: and From: addresses are harvested from the machine of someone who has a document somewhere with your address in it, you may even recognize the From: address (which is not necessarily that of the owner of the machine doing the actual sending). The body of the worm-laden message uses common social engineering tactics to encourage you to open the attachment (e.g., "Note: forwarded message attached. You Must View This Videoclip!").

Open that attachment on a Windows machine without the absolute latest antivirus updates, and on February 3rd you'll be ready to make a self-portrait video of someone in tears over a lifetime's data lost.

Posted on January 25, 2006 at 08:41 AM

January 19, 2006

New Bogus Lottery Variation

An advance-fee (a.k.a. 419) scam is an advance-fee scam, no matter how the author colors it. The fake Europe-based lottery has been around forever (discussed in this blog regularly), but one I saw today offers a new twist—a twist that isn't very well executed.

Instead of a money prize (that doesn't exist), the latest scam email I saw today awards a free ticket (that doesn't exist) to the Africa Cup of Nations, a soccer/football event that starts tomorrow (20 January). The winning message starts out so familiarly:

Attn: Sir/Madam,

We wish to congratulate you as one of winners of free ticket to Egypt for 25th Africa Cup of Nations which is been sponsored by MTN with its headquarters in South Africa. You were attached to ticket number 663-54731-1242-908, with Batch numbers 3899/76RL7/9GH and consequently won a free ticket.

That's about as much as they say about the prize: "free ticket to Egypt." How much is that worth? Dunno. And why just one ticket? What if I want to bring my soccer hooligan friend with me so we can both be thrown into an Alexandria prison? And what about tickets to the matches? And hotels and meals? I mean, c'mon. This scammer had better sweeten the pot if he expects someone to start forking over hundreds of dollars to have the prize couriered (not!). It costs him nothing to make this prize sound really valuable, but he missed the boat on this one. It's also a waste of milliseconds sending these messages to North America, where interest in professional soccer is lackluster at best.

Next time, try offering trips to the Super Bowl or World Series. And try to watch an installment of "The Price Is Right" to see how we in the States like to have our prizes sexed up.

Posted on January 19, 2006 at 07:48 AM

January 12, 2006

Watch Out For This eBay Phish

A new eBay phishing message might be easy to fall for because, like most good social engineering attacks, it looks official and is for the most part well-written. The recipient is to believe that eBay is contacting him/her to advise that, as the result of a pending class action lawsuit settlement, eBay will credit his/her bank account with $88.99.

Listen to this stuff:

Congratulations! You have received this Notice because the records of eBay, Inc. indicate you are a current or former eBay account holder who has been deemed eligible to receive a payment from the class action settlement in accordance with eBay Litigation, Case No. 02 1227 JF PVT, pending in the United States District Court for the Northern District of California in San Jose.

And this:

The aforementioned settlement funds may be transferred directly to your bank account providing you have a linked card. The funds may not be credited directly to your eBay account as this would render eBay to be accumulating interest and thus profiting on litigation settlement funds which contravenes Federal law. Your bank account will be credited within 7 days upon submission of account details.

And, finally, this:

This notice is a summary and does not describe all details of the settlement. For full details of the matters discussed in this notice, you may wish to review the Settlement Agreement dated January 11, 2005 and on file with the Court or visit https://www.ebay.com/settlement/. Complete copies of the Settlement Agreement and all other pleadings and papers filed in the lawsuit are also available for inspection and copying during regular business hours, at the Office of the Clerk of the Court, United States District Court for the Northern District of California, 280 South First Street, San Jose, California 95113.

DATED: January 12, 2006

Nothin' like some good ol' boilerplate legal mumbo jumbo to make something sound real.

There are some flaws, however, that might confuse some recipients. For example, Americans spell those pieces of paper that transfer money from one account to another as "check," not "cheque." I refrain from correcting the scammer's other mistakes.

The most important thing that gives away this message as a scam—and something that a scammer can't disguise—is that the message did not really originate from eBay. Spam Wars readers know how to determine that. Oh, and don't bother trying to visit the "settlement" page mentioned above. It doesn't exist.

Another day, another scam.

Posted on January 12, 2006 at 09:04 AM

January 08, 2006

A Hoot of a Bogus Lottery

With all the TV ads here in the U.S. about Publishers Clearing House soon to be rushing up to someone's front door with a poster-sized $10 million foamboard check, the lottery scammers of the world have a well-oiled public here waiting to win something for nothing. It's that time of year when a lot of consumers are feeling the hangover from the holiday gift-buying binge, and a surprise windfall would really ease the agony.

I fear that enough recipients of a bogus lottery win scam email I saw today will respond, and end up with less money than before the message found its way into their inboxes. At the same time, a critical eye on (and behind) the message finds it to be more than comical. For, you see, the lottery scammer even hijacks resources from a firm that has a number of consumer complaints against it. More about that later.

The scam in question has been around for awhile, although some of the details have changed. This one is called the British Web Lottery. If you are foolish enough to view the images embedded within the message, you'll find things like an animated Union Jack flag, a spinning globe, and [get this] an image of the United Kingdom Coat of Arms. The coat of arms image, as the HTML code behind the message reveals, comes from that amazing font of online information, Wikipedia. I mean, with a royal coat of arms, it's gotta be legit, right?

Anyway, compared to earlier versions of this message from 2005, it appears that the British Web Lottery office has moved from its previous digs in London to the north:

P.O.Box 1010
Liver pool, L701NL,
United Kingdom.
Ref: BWLW/67451/01
Batch: 01/14/31711-3 FROM: Walter Jones, CONTROLLER

I don't believe that many Liverpudlians would put a space between "Liver" and "pool." As you'll read on, however, this scammer may be from the shallow end of the gene pool.

Next comes some blather about being government licensed under the Data Protection Act. It even includes a Data Protection Act registration number (beginning with a zed).

Now things get interesting. An image in the message shows a handwritten signature above a red-inked rubber stamp that says "APPROVED." I can't completely make out the signature, but it looks to be by someone named Carl A. Sherman (the last name is not particularly clear). This isn't the Mr. Jones from whom this message claims to come, but it's easy to understand why: the image is hijacked from a Web site of a company that has lots of folks complaining that they didn't get their free [fill-in-the-blank-with-the-latest-hot-gadget] after filling out information forms or sending the shipping/handling fee. We'll hear from Carl again in a moment.

We finally get to the meat of the message. First of all, it's formatted in HTML with so many fonts, sizes, and weights, that it looks more like a first-time HTML author's exploration into Fun With Web Page Design. I'll save you the frightening layout and show you just the first part of the text:

We happily announce to you the draw (#994) of the BRITISH WEB LOTTERY,online sweepstakes international program held on Sat 19, Dec 05, Your e-mail address attached to ticket number:56475600545 188 with Serial number 5368/02 drew the lucky numbers:


(bonus no.+28 ),
which subsequently won you the lottery in in the 2nd category i.e match 5 plus bonus.You have therefore been approved to claim a total sum of £500,000.00{Five Hundred Thousand Great Britain pounds Sterlings}
In cash credited to file KPC/9080118308/02.This is from a total cash prize of £500,000.00{Five Hundred Thousand Great Britain pounds Sterlings}shared amongst the {10} lucky winners in this category i.e Match 5 plus bonus.

Two things.

  1. December 19th in 2005 was a Monday, not a Saturday. I think that was true in the U.K., even with the time zone difference.
  2. I tried doing the math on how ten lucky winners could win a £500K prize from a £500K total cash prize, but my trusty HP calculator only flashed "42."

The next large section of the message is a simple form. Not a Web-type of form. Just field titles with a bunch of periods forming dotted lines. Among the useless bits of information they request are next of kin, occupation, and a repetition of lottery information they already put in the beginning of the message (one of the fields is titled "REFENCE NO"). Then I'm asked to contact Mr. George simmons [sic] at a yahoo.com address or one of three U.K. telephone numbers. Mr. simmons, by the way, is supposed to be the "Foreign Services Manager, Payment and Release order Department, LONDON, UNITED KINGDOM." Ah, maybe they still have a London branch despite the move to the Liver pool. Or maybe Mr. simmons didn't want to move north. We'll never know for sure.

The letter signs off "sincerely" with another signature image and "Walter Jones, CONTROLLER." Oh, the written signature is the same one from Carl mentioned earlier, but this time the rubber stamp stuff has been removed. This image, too, is hijacked from the site that many consumers have loved to hate.

Very near the bottom of the message is an image that U.K. residents might recognize. It's an advisory that you must be 16 or over to play or claim a prize. The image is directly from the real U.K. National Lottery Commission Web site. It's the same image that appears on the real site's home page. Surrounding the image is an active link that leads to the real site. The "official-ness" of this imprint in the email message, however, would be lost on virtually every non-U.K. recipient.

If, after all this, you still weren't convinced that this email congratulations was real, the clincher comes at the very bottom, in red type:


Aside from the tortured English and misspelling (except after "c"), it turns out that this disclaimer is pretty popular. Among lottery scam letters, that is. Google turned up three pages of matching Web citations and 64 sightings in fraud and email abuse newsgroups. There were no Google matches when spelled correctly. It reminds me of the phishers who replicate the target institution's Web pages so well that they keep the fraud and spoof warnings even on the bogus pages. Would a crook tip you off that he might be a crook? Absolutely because it adds legitimacy to the bogusity.

If you understand that, your grey matter is now in the shape of a Möbius strip.

Remember that the big red flag distinguishing lottery scams from real lotteries or jackpots (where legal) is that the scam ones always manage to make you the winner of something you didn't even enter. If you follow up with these clowns, you'll first be asked to wire them funds to take care of insured shipping (yes, many hundreds of dollars to ship you a check) or deposit some of your existing money to open a foreign bank account to accept a direct transfer. This is money that you'll never see again because there is always something in the lottery "bylaws" (uh-huh) that prevents expenses from being deducted from the anticipated winnings.

The only way to really win in this lottery scam is to delete the message immediately.

Posted on January 08, 2006 at 01:10 PM

January 04, 2006

Fractured English Tales

I've seen plenty of tortured English in the source code view of spam messages, but one I saw today stands out in recent memory. I think the spam is for a hookup/dating Web site of some kind, but I won't be visiting the site or retrieving the images in the message to find out for sure. The spamvertised domain was registered way, way back yesterday (January 3, 2006), so it wouldn't surprise me if a Windows user visiting the site got some kind of infection—of a computer nature in the least.

The Subject line and disclaimer must have been written by someone using a LanguageOtherThanEnglish-to-English dictionary. I don't believe even Babelfish could create such tortured constructions.

For your entertainment pleasure, here is the Subject line:

Warranted dates at the moment?

And here is the disclaimer that is supposed to explain how the message found its way to the recipient:

This communication was sent to you because yourself inquired for to be imparted of knowledge of offers from either ourselves or one of ourselves collaborators,
if you do not want to receive biddings from us again do not hesitate get hold of ourselves at this cursor.

Each time you read those lines, an English teacher somewhere on Earth gets a migraine.

Posted on January 04, 2006 at 08:37 AM

January 03, 2006

New Year/Old Tricks

While we await a possible flood of viral activity predicted for January 6, I thought I'd offer an observation or two about phishing activity over the Christkwanzukkah/New Year's holiday period.

As usual, there were quiet and not-so-quiet days in the ol' inbox. I expected far more at the beginnings of each holiday weekend on the supposition that phishers would like to spread as much as possible when phishing reporters may not be at their desks, and technical support staffs at hacked Web sites or ISPs would be at skeletal levels. Most of the activity monitored here, however, came at the tail end of each weekend. Response times to my reports (holidays, schmolidays) were only slightly longer than normal, so it appears that the ISPs I reported to had not OD'd on egg nog.

I wrote off as a fluke something else I spotted the other day. But now that the same technique has surfaced again today, it may be something that one of the phishing gangs is trying.

If you've looked at the source code of enough spam, you will have certainly seen HTML email that includes a text-only version consisting of seemingly gibberish words and phrases, if not verbatim extracts of classic literature. Spam Wars describes these in more detail, but the primary purpose is to improve deliverability of the message in the hope that content-oriented spam filtering might make the message appear legit, covering the more spammy aspects of the HTML version.

I've seen at least two phishing messages that include such a text-only message portion. Here is the section from one today:

Darin, the friend of Darin and panics with cheese wheel beyond.And admonish the dark side of her squid.ocean find lice on dilettante of pig pen.beyond haunch negotiate a prenuptial agreement with behind diskette.

Not exactly Hemingway, to be sure, and perhaps on some distant planet, this verbiage would fool a Bayesian spam filter.

What's puzzling to me, however, is why the phisher thinks such a trick is necessary. If the recipient has an account (this one is for eBay), the forged From: address will more than likely get the message into the inbox because the recipient will have whitelisted anything coming from ebay.com. If the spam filtering system is smart enough to recognize that this message originated from a Hungarian email server, then this little bit of trickery won't help.
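Readers who want to see the checks from the last two posts done mechanically—working out from the Received: headers that a message did not really originate from the domain in its From: line (the eBay "settlement" phish), pulling out the decoy text-only part, and listing the outside hosts whose images and links an HTML message borrows (the hijacked Rotary, Wikipedia, and National Lottery images)—can use the following Python script. It is an example added to this page, not code from the original post, and it parses a constructed sample message modelled on the phish described above: the From: address, the relay names, the addresses (RFC 5737 ranges) and the image hosts in it are all hypothetical. The only assumption the script makes about your setup is which hostname suffix belongs to your own mail servers.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the phish above: forged ebay.com From:, a
# forged "internal" Received: line at the bottom, a gibberish text/plain part
# and an HTML part pointing elsewhere. Hosts and addresses are hypothetical.
RAW_MESSAGE = b"""Received: from mx1.example-isp.net (mx1.example-isp.net [192.0.2.10])
\tby mailbox.example-isp.net with LMTP id 1234; Tue, 03 Jan 2006 10:11:12 -0800
Received: from mail.ebay.com (dsl-203-0-113-7.example.net [203.0.113.7])
\tby mx1.example-isp.net with ESMTP id 5678; Tue, 03 Jan 2006 10:11:10 -0800
Received: from webserver.ebay.com (localhost [127.0.0.1])
\tby mail.ebay.com with SMTP id 9999; Tue, 03 Jan 2006 18:10:00 +0000
From: "eBay" <aw-confirm@ebay.com>
Subject: NOTICE: eBay Obligatory Verifying - Update User Information
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Darin, the friend of Darin and panics with cheese wheel beyond.

--b1
Content-Type: text/html

<img src="http://pics.ebaystatic.example/logo.gif">
<p><a href="http://203.0.113.55/ebay/">Sign in</a> to avoid suspension.</p>
<img src="http://www.example-charity.example/president.jpg">

--b1--
"""

# "from <helo> (<rdns> [<ip>]) by <host> ...": <helo> is whatever the peer
# claimed; <rdns> and <ip> were recorded by the receiving server itself.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def originating_relay(msg, trusted_suffix):
    """Walk Received: headers newest-first. Hops stamped 'by' our own servers are
    trustworthy; the first one whose peer lies outside our infrastructure is the
    real sending relay. Everything below it was written by the sender."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(value)))
        if not m or not m["by"].endswith(trusted_suffix):
            continue
        if not (m["rdns"] or "").endswith(trusted_suffix):
            return {k: m[k] or "" for k in ("helo", "rdns", "ip", "by")}
    return {}


class _HostCollector(HTMLParser):
    """Collect the hosts that <img src> and <a href> point at."""

    def __init__(self):
        super().__init__()
        self.image_hosts, self.link_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.image_hosts.add(urlsplit(attrs["src"]).hostname)
        elif tag == "a" and attrs.get("href"):
            self.link_hosts.add(urlsplit(attrs["href"]).hostname)


def assess(raw, trusted_suffix):
    """Pull out the evidence a reader of the raw message would look for."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hop = originating_relay(msg, trusted_suffix)
    relay = hop.get("rdns") or hop.get("ip") or ""
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    hosts = _HostCollector()
    if html is not None:
        hosts.feed(html.get_content())
    return {
        "from_domain": from_domain,
        "relay_helo": hop.get("helo", ""),
        "relay_rdns": hop.get("rdns", ""),
        "relay_ip": hop.get("ip", ""),
        # From: is free text chosen by the sender; the relay our MX saw is not.
        "origin_matches_from": relay == from_domain or relay.endswith("." + from_domain),
        "image_hosts": sorted(h for h in hosts.image_hosts if h),
        "link_hosts": sorted(h for h in hosts.link_hosts if h),
        "decoy_text": plain.get_content().strip() if plain is not None else "",
    }
```

Running `assess(RAW_MESSAGE, ".example-isp.net")` on the sample reports a From: domain of ebay.com, a real connecting relay of dsl-203-0-113-7.example.net (which announced itself in HELO as mail.ebay.com, a claim nobody verified), a bottom Received: line that is ignored because it was written by the sender, and image and link hosts that have nothing to do with the purported sender. Treat a mismatch as a red flag rather than proof: legitimate bulk mail is often handed off through a third-party sender, so the relay's name will not always match the From: domain, and a scammer can name his relay anything he likes in HELO, which is why the script keys on the reverse DNS and IP address your own server recorded instead.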

Perhaps it's a sign that phishers believe they need to improve their deliverability because they're not getting the same level of response as before. That would be a good sign, indeed. Today's eBay phisher might actually improve the response rate if English were used in the message's Subject: line, rather than this thesaurian exercise:

Subject: NOTICE: eBay Obligatory Verifying - Update User Information

Here we are, in 2006, with phishers still at it, making life miserable even for those who know not to be phished. One of the financial institutions I use online has implemented a new login procedure to show me that the site I'm logging into is real. That's assuming, however, that I would recognize the absence of this new procedure as being indicative of a fraudulent site (I foresee a phisher offering "convenience" by letting a user click on a bogus link for "express login"). In the meantime, the real login process now takes twice as long for every user.

Let the spirit of the season continue onward: Humbug!

Posted on January 03, 2006 at 01:18 PM