Dispatches Archive


May 30, 2010

Another Reason to Not Click That Link

Just saw an eBay phishing message that comes in the guise of a message from a pissed-off buyer. It has all of the images and look-and-feel of an official eBay HTML message. I doubt all the messages in this blast reference the same product, but the one I saw ran as follows:

Subject: You have received a question about eBay BRAND NEW Nikon D300S 12.3 MP Digital SLR Camera Body

Please send me the tracking number as you told me when I paid for the camera. This is my second email and there is no answer from you by now.

Of course you didn't sell anybody this thing, but you will likely be very tempted to click on the link that supposedly lets you view the auction.


All links in the message lead to a URL that begins with http://signin.ebay.com (which is all you'll notice on a quick mouse rollover), followed by more dots and subdomain gibberish until you reach the actual domain of the link, which is piping hot out of the registration oven today. But the real problem is that the URL (after the domain name) also embeds the email address of the recipient. From all appearances, this technique is being used to validate the email address as being alive, even if you don't fall for the phishing.
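
A defender-side check for the two traits described above, as an added example that is not from the original post: it finds the real domain behind a brand-prefixed hostname and spots an email address embedded in the rest of the URL. The sample URL, the brand list and the last-two-labels domain guess are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Brand hostnames a phish might imitate (constructed list for this example).
BRAND_HOSTS = ("signin.ebay.com", "www.paypal.com")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def registrable_domain(host):
    """Naive guess: the last two labels. Production code should use the
    Public Suffix List so that names under co.uk and similar work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url):
    """Return findings for one link taken from a message body."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = {"host": host, "registrable_domain": domain,
                "brand_prefix": None, "embedded_email": None}
    for brand in BRAND_HOSTS:
        # Host starts with the brand name but belongs to a different domain.
        if host.startswith(brand + ".") and domain != registrable_domain(brand):
            findings["brand_prefix"] = brand
    # The recipient address may be percent-encoded in the path or query.
    tail = unquote(parts.path + "?" + parts.query)
    match = EMAIL_RE.search(tail)
    if match:
        findings["embedded_email"] = match.group(0)
    return findings


# Constructed sample; example.net stands in for the freshly registered domain.
SAMPLE = ("http://signin.ebay.com.ws.x7k2q.a91.example.net"
          "/view/item?u=victim%40example.org&id=12345")

if __name__ == "__main__":
    for key, value in analyze_link(SAMPLE).items():
        print(f"{key}: {value}")
```

A link that sets both `brand_prefix` and `embedded_email` matches the pattern in this message: merely loading it tells the sender which address is live.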

Posted on May 30, 2010 at 10:31 AM

May 18, 2010

Kitchen Sink 419er

Here's an advance fee email that invokes the United Nations, the U.S. Department of Homeland Security, seven continents (including Antarctica!), the FBI, Interpol, climate change, global recession, and "scam."

I really like the last sentence, which inadvertently makes the sender sound like a fraudster.

Subject: Re: Intercepted Over Due Fund Transfer!!!
United Nations Palais des Nations, 1211 Geneva 10, Switzerland

Subject: Re: Intercepted Over Due Fund Transfer

Attention: Beneficiary,

In the last meeting between the United Nations OCHA and UNDP hold Copenhagen, 19 Febraury 2010-After a marathon all night session, talks aimed at injecting new and more wide-ranging momentum into the international effort to combat climate change, global recession and scam ended with a positive outcome.

The United Nations and U.S department for Homeland security has meet with delegate from Africa, Asia, Australia, Antarctica, North America, South America and Europe has agreed to Pay scam victims around the world the sum $10.8Million USD as compensation so the money could be use to combat unemployment and help people like you make the world a better place. The United States Department of Homeland Security (DHS), with the help of the FBI and Interpol Has screened through various Monitoring Networks and has been confirmed and notified that the transaction is Legal and you have the Lawful Right to claim your due

To effect and carry out the directives given, you are advised to contact Dr David Wills

Dr David Wills.
International Claims Officer
Telephone: +234 [removed]
E-Mail: [removed]@ml1.net

You have been instructed on what to do next you are strictly advice to follow his instruction so as to follow into the hands of fraudster,

Yours Faithfully,

Yvette Morris (UN)
Public Relation officer

Isn't it convenient that the U.N. has a claims officer taking calls on a Nigerian telephone number?


Posted on May 18, 2010 at 07:58 PM

May 17, 2010

Still Plenty of Phishing Rookies Out There

You'd think that by now there would be enough polished phishing kits in the wild to let even a doofus create a credible mailing and phony web site.

But nooooo...!

Look at this drivel, which I copied verbatim from the email message:

Subject: Account limited !

Dear user of PayPal services,

This email is to inform you that we had block your PayPal account because this ip accessed your account 3 times and tryed to change your billing information. We to continue using our service you have to renew your online account. If not, your online apologise for the inconvenience but the safety of your account is our main priority.

Thank you for using PayPal!
The PayPal Team

Then the phony web presence (on a hijacked web site) is a copy of the French PayPal home page. What a moron!

Posted on May 17, 2010 at 05:14 PM

May 12, 2010

Message From My Domain Support

When you run a nickel-and-dime domain (as I do a few times over), it's quite a joke when malware deliveries try to make it sound as though their attachments are of vital importance. Case in point:

From: [removed].com support
Subject: setting for your mailbox [removed]@[removed].com are changed

SMTP and POP3 servers for [removed]@[removed].com mailbox are changed. Please carefully read the attached instructions before updating settings.

The attachment is a file named open.zip, weighing in at 186.9 KB.

Since I'm the one who would be sending out a message like this if I had additional users, I just laugh. But I suppose unsuspecting recipients — who may not know the difference between an SMTP and a POP3 server — might be tricked into opening the file. It's a backdoor loader, of course, but with less than 30% coverage at VirusTotal.

Oh, and point of logic, if my POP3 settings have changed, how did I receive this message in the first place? Magic?

Posted on May 12, 2010 at 10:02 PM

May 06, 2010

Phony iTunes Gift Certificate Email

Following on the heels of similar emails claiming to come from amazon.com, UPS, DHL, FedEx, and many others, the following one will trick tons of recipients into opening the malware-loading attachment:

From: iTunes Online Store
Subject: Thank you for buying iTunes Gift Certificate!


You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The 63.97KB attachment in the message I saw was named iTunes_certificate_397.zip. I'd expect to see variations on that in other messages. VirusTotal reports less than 20% coverage.

Posted on May 06, 2010 at 09:30 PM