
April 03, 2011

Advance-Fee Scam Using Coca-Cola Brand

Coca-Cola is one of the world's most recognized brand names. The impression the average consumer has (in virtually any country) is that of a large international corporation often offering valuable prizes for various contests throughout the year. Thus, when an unsolicited message arrives via email or SMS advising that the recipient has won a substantial amount of money, plenty — and I mean plenty — of them believe it's their lucky day and begin to follow instructions to collect their alleged windfall.

There are two problems with this whole thing:

  1. The contest, drawing, or promotion is phony, abusing the Coca-Cola brand name.
  2. Many recipients get hooked by the criminals and end up losing sizable sums of money — usually money they can't afford to lose.

I have read about and seen video of victims of these advance-fee scams who are in complete denial about the possibility that the offer is a scam. After shelling out sometimes hundreds of thousands of dollars they'll never see again, these folks continue to believe there is a pot of gold at the end of the trail. I'm not talking about uneducated people, either. University professors and professional people have been victimized for the largest amounts (when reported). Retirees have also been taken for not only their entire retirement portfolios, but additional amounts they've borrowed against their homes and personal loans from family and friends.

As more and more publicity about internet scams reaches the mainstream media, some recipients who don't immediately spot these scams are at least pausing for a moment to question the authenticity of a message arriving with such promising news. I truly hope it's the case with recipients of a message I saw here the other day, claiming to come from Coca-Cola in England, telling me I won £450,000.

I was doubly alarmed because the email message body was very sparse ("OPEN THE ATTACHMENT FOR YOUR ATTESTATION"), with the details contained in a Microsoft Word attachment. Now, I am fully aware that Microsoft Office documents (Word, Excel, PowerPoint) have been conduits for malware because the documents can contain programming scripts capable (on unprotected computers) of opening back doors for the installation of more malicious software. This applies, by the way, to Macintosh and Windows computers equally (depending on the version of Office for Mac you run).

Few casual computer users know how to pass a suspicious email attachment through a free virus detection system, such as VirusTotal (and it can be a little intimidating to the technophobic). As much as I wanted to examine this .doc attachment, I wasn't going to do anything with it in Word until I submitted it to VirusTotal. It came back with a completely clean exam. That's not to say the file is 100% clean — an inventive crook can always dream up a brand new exploit that is not yet detectable by the dozens of VirusTotal checks — but the message had arrived several hours earlier, giving the antivirus (AV) community plenty of time for at least some AV systems to have found any nastiness.

The attachment is a 4+ page document, originally named CONGRATULATIONS!!!.doc. I have output the contents from Word as a safe PDF file, which you can download here (1.6MB) to view at your leisure.

My copy of the attachment is a letter with a poorly designed Coca-Cola faux-letterhead. The corporate address is in Liverpool (Coca-Cola's UK office is in London), and the two telephone numbers have cell phone exchanges. It begins with the following:

Dear Winner,

We want you to remove every skepticism from your mind
because this award is legitimate from COCA-COLA
COMPANY ENGLAND,

Any message that begins by telling you it's not a scam or spam is lying. Period. The more a message professes its authenticity, the bigger the lie.

After more blather about filling in a verification form to let them release the check that "has been vaulted safely with out corresponding Bank", comes an image that interested me. The image is shown here, along with the caption from the message:

Coca-Cola corporate image
Prof.Alex Kingston and Dr.George Williams, Past Winner in Coca-Coca Company Online Promo England,

I studied the image closely. Unless it had been Photoshopped, it certainly appeared to have been taken at a Coca-Cola building. Knowing that the company is headquartered in Atlanta, I suspected the leftmost flag was the Georgia state flag. Two seconds later on Google, I proved that correct.

So what about the people in the shot? I didn't recognize either of them (although I should have, as I'll mention shortly). The names in the caption weren't particularly distinctive, so I didn't want to follow those rabbit trails on Google. Instead, I used Google to search for images associated with Coca-Cola Company. The results are mostly logos and advertising art. Fortunately, the image search in Google lets you view pages of results in just one downloadable Google page, so it's easy to keep looking ahead. Down around page 14, I began to see images of one of the two men in the emailed photo:

Coca-Cola CEO Muhtar Kent

So, the guy on the right is the CEO of Coca-Cola, Muhtar Kent, who is neither of the two people named in the email photo caption. Now the hunt was on for the source of the email photo. A Google image search for Muhtar Kent yielded the following image on page 2:

Coca-Cola CEO Muhtar Kent

The individual on the left is Timothy Shriver, Chairman of Special Olympics. The photo was taken when Kent was appointed to the Board of Directors of Special Olympics in 2007. (Shriver had been a guest on The Colbert Report a couple of nights earlier. Although I didn't recognize him from the photo, it is definitely him.)

In all of about three minutes of Google image searches (and no high-tech examinations of email headers and such), I found the email photo caption to be a complete lie. Would that finding by a more trusting recipient have dissuaded him or her from believing the letter? It's hard to say.

Such a believer would also probably not be put off by the rest of the letter with its "Congratulations" image artwork that would have been chosen by a third-grader assembling a web page.

Congratulations art

And how about the email address for responses? Not to coca-cola.com, but to a free live.com email address. My, how professional! I'd also swear I've seen that "Approved" rubber stamp and signature in other scam emails over the years.
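The red flags described in this post (a famous brand name paired with a free-mail reply address, a near-empty body pushing the reader into an Office attachment, and text vouching for its own legitimacy) can be checked mechanically. The following is an added example, not part of the original post; the sample message, the addresses in it, the domain lists and the `triage` function are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed, illustrative lists; a real filter would maintain larger ones.
FREEMAIL = {"live.com", "hotmail.com", "gmail.com", "yahoo.com"}
BRANDS = {"coca-cola": "coca-cola.com"}  # brand keyword -> genuine domain
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
REASSURANCE = ("remove every skepticism", "award is legitimate")

# Constructed sample modelled on the message described in the post.
SAMPLE = """\
From: "Coca-Cola Company England" <promo@example.org>
Reply-To: constructed-placeholder@live.com
Subject: CONGRATULATIONS!!!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

OPEN THE ATTACHMENT FOR YOUR ATTESTATION
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="CONGRATULATIONS!!!.doc"

ZHVtbXk=
--b1--
"""

def triage(raw: str) -> list[str]:  # heuristic flags for one raw message
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1] or from_addr
    reply_dom = reply_addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part else ""
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    flags = []
    for brand, domain in BRANDS.items():  # brand claimed, replies go elsewhere
        if brand in text and reply_dom != domain and not reply_dom.endswith("." + domain):
            flags.append(f"brand-mismatch:{brand}->{reply_dom}")
    if reply_dom in FREEMAIL:
        flags.append("freemail-reply")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(OFFICE_EXT) for n in names) and len(body.split()) < 20:
        flags.append("sparse-body-office-attachment")
    if any(phrase in text for phrase in REASSURANCE):
        flags.append("self-authenticating-language")
    return flags
```

An empty result only means none of these particular heuristics fired; as with the clean VirusTotal result above, it is not proof that a message is safe.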

What will it take to convince a believer that messages like this one are scams? What do you tell a young girl who, upon opening a birthday present filled with horse manure, is thrilled and convinced there's a pony in the backyard?

It seems that those victims who send the most money to the crooks are the ones who have been warned by their banks and even local law enforcement not to send a dime. This isn't like the genuine state lotteries, where you stand at least a chance — extremely small though it may be — to win something; with these advance-fee scams, you stand zero chance of receiving anything, and a 100% chance of losing your hard-earned dough while being conned by some very smooth and convincing criminals.

Posted on April 03, 2011 at 04:35 PM