
September 05, 2009

No Holiday for E-Crooks

I doubt any Americans are behind the scams described here, so the perps may not be aware that this weekend is Labor Day weekend in the United States, with Monday being the actual holiday. It marks the psychological end of summer here, with kids back to school, vacations over, and the start of the inexorable march toward the depths of winter.

It used to be the case that email tended to go unopened until travelers returned home Monday night or got to the office on Tuesday morning. These days, however, a sizable number of emailing folks have WiFi-enabled devices and smartphones with them 24/7. If their email addresses are on the crooks' lists, they may discover these attempts to steal and infect long before the holiday's end.

PayPal phishers are out in force (as I mentioned earlier). One of them, whose Subject: line mysteriously says

Subject: Paypal ownership verification

has a fairly well-crafted message body, formatted in HTML and using a logo image retrieved directly from the real paypal.com. Here's the text of the spiel:

Dear Customer,

As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.We requested information from you for the following reason: Our system requires further account verification. Case ID Number: PP-000-087-024 This is a third and final reminder to review and renew your account, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety. In accordance with PayPal's User Agreement, your account access will remain limited until the issue has been resolved. Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to review your PayPal account as soon as possible to help avoid this.

To review and renew your account and all of the information that PayPal used to make its decision to limit your account access, please click here you will be automatically logged into your account.

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

PayPal Account Review Department


Veteran phish spotters will immediately recognize the Dear Customer greeting as a dead giveaway that PayPal didn't send the message. In fact, a so-called "account verification" pitch from any online business that begins with Dear Customer or Dear Member, without referring to you by name (not email address), is a sign to delete. Of course, some email lists also have names attached to addresses, so the mere presence of your name in the greeting does not guarantee legitimacy; but the lack of your name guarantees crookdom.

Another PayPal phishing attempt isn't as polished. This one, titled

Subject: PayPal - New Message

looks as though it was composed by someone who failed HTML 101. The message body is short and to the point:

You have 1 new ALERT message Please login to your PayPal account in order to read the message.

To proceed, please click here

Thank you for using PayPal
Copyright © 2009 PayPal Inc. All rights reserved.

Ugh. Not even a "Hi, howareya?". The link is to a hijacked Roadrunner (rr.com) account. First of all, even if PayPal sent out such notices, they wouldn't do it with such an u-g-l-y message. Second, the only way you should log into your PayPal (or other financial) account is via a browser bookmark that you created after having manually typed the URL the first time (don't forget the https: part) and verified that it's the real site.

And finally this morning(!), we have a greeting card malware distribution scam. As with the gazillions like it that have come before, this one abuses the domain name of a legitimate online greeting card firm, claiming to have originated from greetings.com (owned by Hallmark). Here's the email message:

Subject: Hey, you have a new Greeting !!!

Hello friend !
You have just received a postcard Greeting from someone who cares about you...

Just click here to receive your Animated Greeting !

Thank you for using www.Greetings.com services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !

Clicking the link in most email clients will start a download of a file named card.gif.exe, hosted on an otherwise legitimate site of an Ecuadorean rose grower. This backdoor Trojan file has been around the malware circuit for about a month and a half, and has pretty good antivirus coverage according to VirusTotal. Even so, I wouldn't want to open that file on any production Windows PC. I contend that antivirus software should be installed as a safety net against accidental exposure to Bad Stuff. A message asserting some anonymous admirer is best left for dropping into the vent hole of a high school student's locker.

Posted on September 05, 2009 at 10:45 AM