Dispatches Archive


July 28, 2011

Wrong Hotel Transaction Nonsense

Today's POS* is strongly reminiscent, stylistically, of the phony credit card overdue notices described here and here. The crook's English isn't very good, and he obviously doesn't have an English spelling checker.

The bogus message today claims to be about some kind of erroneous transaction at a hotel that entitles me to a sizable refund ($1944 in the copy I received, but probably different in other versions). If I fill out the attached form (a file named RefundForm043.zip) and take it to my bank, they'll return the money I never lost. At least I think that's what the tortured English is trying to tell me:

From: Reservation Departament <[removed]@mybookings.org>
Subject: Wrong transaction from your credit card in Madison

Dear client!

Transaction: Credit Card 49498_0M3f
On July 26th, 2011 Hotel made wrong transaction writing-down from your account for an overall amount of $1944.
For noncompliance of the service contract this Hotel was divested accreditation in Moverick Company.
For the return of funds please contact your bank and fill information in the attached form.
In the attachment you will find expense sheet with the sum of wrong transaction error of transaction.
As Company is not responsible for money transactions and acts as intermediary you can seize the court directly to return the funds from the Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Jennifer Oregel,
Manager of Reception Desk & Reservation Departament

Unfortunately, at this hour, the Trojan-laden attachment has extremely low coverage by antivirus applications (only 4 of 42 engines at VirusTotal flag it). Recipients' greed for a free couple of grand may get the better of them...and the Trojan will do the same.

This message happened to really catch my eye because I went to college in Madison, Wisconsin, a city I'm truly fond of. I haven't been there in over ten years, so there was no other connection between the message and myself. But it does point to the fact that coincidences do happen frequently in the high-volume spam world. I suspect the template used for this malware bomb uses a placeholder for the city, and different recipients will see different cities in their versions. Although I have been around this country quite a bit, I can safely say that I have not been to the majority of cities. The spammer just got lucky this time, and I absolutely do not feel threatened that he or she is personalizing the message around my life's history.

I think it's good to be paranoid with respect to unsolicited email ("they" really are out to get you), but the chance that they're targeting you, specifically, is next to nil.

*Piece of you-know-what.

Posted on July 28, 2011 at 02:03 PM

July 08, 2011

Overdue Notices, Part 1.1

Following up on my earlier post about so-called Credit Card Overdue Notices, my email addresses have been hit by a new blast with slight variations of Subject: and message body. The sentiment is the same, however: you're supposedly late for some financial payment, and you have two days to open the attached file to get the details and settle the score.

Here is one I saw this morning:

From: Important notification <helping@creditdepartment.com>
Subject: Your financial debt overdue

Dear Customer,

Your Credit Card is one week overdue.
Below your Card information

Customer 4838487517
Card Limit XXXXXX
Pay Date 29 Jun 2011

The details are attached to this e-mail.
Please read the financial statement properly.

If you pay the debt within 2 days, there will be no extra-charges.
In 2 days $25 late fee and a finance charge will be imposed on your account.

Please do not reply to this email, it's automatic mail notification.
Thank you.

The attachment for this particular email was titled Financial_Statement#98165.zip. Inside that zipped archive is a real oddball: a .cpzg file. This is a compressed Unix-style archive, which suggests it may be targeting Mac OS X and Linux users, but I think WinZip can also open these things.

In any case, if you try to open this file and have a problem, that's a GOOD THING! You've saved yourself from installing a Trojan loader onto your computer. Delete the email message and get on with your life. If you're late with a payment, you'll learn via snail mail soon enough.
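As an added example that is not part of the original post: a small Python check of the kind a mail administrator could run on an attachment like the one above, listing a zip's members without extracting them and flagging nested archives (such as a .cpzg inside a .zip) or executables. The extension lists and the constructed sample attachment are assumptions, not data from the post.

```python
import io
import zipfile

# Member extensions that mark a nested archive or an executable inside a zipped
# e-mail attachment. Assumed lists, not taken from the original post; ".cpzg" is
# spelled as the post spells it, ".cpgz" is the usual macOS gzipped-cpio suffix.
NESTED_ARCHIVE_EXTS = {".zip", ".cpgz", ".cpzg", ".gz", ".tgz", ".rar", ".7z"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Report on a zip attachment held in memory; nothing is written to disk."""
    report = {"members": [], "nested_archives": [], "executables": [], "errors": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                report["members"].append(name)
                lower = name.lower()
                # Use the last suffix, so "statement.pdf.exe" is judged by ".exe".
                ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
                if ext in NESTED_ARCHIVE_EXTS:
                    report["nested_archives"].append(name)
                if ext in EXECUTABLE_EXTS:
                    report["executables"].append(name)
    except zipfile.BadZipFile as exc:
        # A damaged or non-zip payload is itself worth flagging rather than ignoring.
        report["errors"].append(str(exc))
    return report


def is_suspicious(report: dict) -> bool:
    """True when the attachment nests another archive, carries an executable, or is malformed."""
    return bool(report["nested_archives"] or report["executables"] or report["errors"])


def build_sample_attachment(member_name: str) -> bytes:
    """Constructed sample: a zip holding one member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"constructed sample content, not a real archive")
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the post: Financial_Statement#98165.zip containing a .cpzg member.
    sample = build_sample_attachment("Financial_Statement#98165.cpzg")
    print(inspect_zip_attachment(sample), is_suspicious(inspect_zip_attachment(sample)))
```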

Posted on July 08, 2011 at 09:33 AM