Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« December 2011 | Main | February 2012 »

January 26, 2012

Phony (and Inept) Intuit Email (Updated) Permalink

I love it when crooks make simple mistakes that cost them. Look at the following email message claiming to come from Intuit (the accounting and tax return software company):

Subject: Your tax information needs verification.

Dear Account Holder,

In order to guarantee that correct data is being maintained on our systems, as well as to provide you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have discovered, that your name and/or Employer Identification Number, that is indicated on your account does not correspond to the data obtained from the IRS and/or SSA.

In order to check and update your account, please click here.

Yours truly,

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Is this a phishing expedition or a malware lure? It's hard to tell because the doofus failed to set up the botnet spam sender to fill in the actual link. Here's the source code:

<a href="http://{int_link}">click here</a>

The {int_link} text is a placeholder for the actual link to be inserted. My gut feeling is that this template is supposed to be used to lure recipients to a hijacked web site for malware delivery. That's just my, um, intuition based on years of reading this crap.

Anyway, don't be surprised to see a subsequent blast with this social engineering trick — don't want to screw around with tax stuff, right? — but with the link "fixed."

Update (26Jan2012, 1800 PST): He's been going at it now for over six hours and still no change in the URL. He must be scratching his head over why he has zero responses (my favorite number). Here are variations in the Subject: line I've seen personally:

  • We need your tax information ASAP.
  • Your tax information needs verification.
  • Urgent update of tax information is requested.
  • Verify the correctness of your tax information.
  • Tax Information needed urgently.
  • Please update your tax information promptly.
  • Verify your information for INTUIT INC..

Message bodies also vary a little, but the basic intention is the same.

Somewhere along mid-run, the idiot figured out how to include the actual image binary data for the Intuit logo header at the top of the message. But he still can't figure out the active link stuff. He must have burned through at least a hundred bucks of botnet time with no chance of payback. I'm doing the Snoopy happy dance.

Posted on January 26, 2012 at 11:59 AM

January 25, 2012

Microsoft Legal Department Malware Lure Permalink

The latest in the malware lure campaign invokes the mighty piracy-fighting lawyers at Microsoft. In the email, the recipient is essentially accused of using pirated MS products, and he/she had better click the link to register a PC and avoid court. What a bunch of bullshit.

Here's the message:

Subject: Microsoft legal department

We've been tracking the illegally installed versions of our products for a long time, we've recently won tht claim in International Court, and we were alloud to request from the providers personal details of persons using the illegally installed versions of Microsoft products. We've decided to solve this problem avoiding court. After you follow this link, we register your PC as a legal one, thereby you avoid the judicial issues concerning presumably illegally instaled software on your PC.
With Respect To You
Emeline Welsh

SHA2 check sum: c084bfe116bfe1169dc08e16923723a5a5728e11169dcccccc08e6b572849237

How 'bout the typos and use of the non-word "alloud"? Hmmm, not what I'd expect from Microsoft's lawyers. Tee hee.

As a million times before, the link leads to a hijacked web site, where a page of obfuscated JavaScript can lead a user of an unprotected PC down the path of screwdom.

Posted on January 25, 2012 at 10:43 AM

January 19, 2012

iPhone 5 Malware Lure Permalink

Some believed that the "Think Different" ad campaign of Apple was grammatically incorrect. Not so. But here's a scam email that is way too incorrect:

Subject: Brand new iPhone 5 design

We are pleased to introduce you a piece of future. Take a look at the new iPhone's design here.

[35 line breaks omitted]

Copyright © 2012 Apple Inc. All rights reserved.

The link, of course, is not to any genuine Apple site (although the freshly-minted domain has "iphone5" in its name). It downloads a Windows executable...which is a piece alright, but not a piece of future.

Posted on January 19, 2012 at 09:42 AM

January 16, 2012

The OTHER Ben Bernanke Permalink

Bank of America is frequently abused by crooks who try to gain a level of credibility in perpetrating their scams. The following is a slight variation on a frequent 419 (advance-fee) scam:



Attn: Beneficiary,

We received a payment credit instruction from the Federal Government of Nigeria to credit your account with your full Inheritance fund of US$10.3Million from the Nigerian reserve account with our bank, Bank of America on 23rd of December, 2011.

However, you shall required to provide the followings data’s below:

{1}. Your Full Name and Address.
{2}. Your Confidential Tel, Cell and Fax.
{3). Your Bank name and address.
{4). Your A/c Name and A/c Numbers.:
(5). Your Swift Code / Routing Numbers.

Please do provide the above information accurately, because this office cannot afford to be held liable for any wrong transfer of funds or liability of funds credited into a ghost account.

Thanks for banking with Bank of America while we looking forward to serving you with the best of our service.

Thanks and God bless you.


I omitted the full signature section because it's where the fun really begins:

Ben Bernanke's sign-off

So, I'm supposed to believe that Ben Bernanke is an account office at the Athens, GA branch of BofA, while also being Chairman of the Federal Reserve Bank of New York. Notice, however, that this is Ben M. Bernanke. The middle initial of the real Ben Bernanke is S. He's also the Chairman of the whole Federal Reserve. And something tells me that Ben S and Ben M are not identical twins with only distinguishing middle names.

Anyone who takes this email as genuine and responds needs some adult supervision. Seriously.

Posted on January 16, 2012 at 08:50 PM

January 13, 2012

Goofy Malware Lure Permalink

I'm kind of left speechless by this amateurish attempt to get unsuspecting recipients to click their way to PC infection:

Subject: Your order for chopper for the weekend

Your order for our air commuter services has been taken and processed. The rotorcraft will be at your disposal from 16.45 saturday to 7.30 p.m. wednesday. Once again, the rates are as follows:
1 hour in the air: 525$
Takeoff / Landing: 254$
1 hour standstill on the ground: 78$
Longest period in the air is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost consequently increases by 120$ per hour.

Tital to pay.doc 406kb
Best wishes
Trey Toney

Secure Checksum: 5a572849d084b57dccc03af4bf49

Clearly written by a non-U.S., English-as-a-third-language crook. Like so many of these messages, the link isn't to an attached document, but rather to a hijacked web site, where obfuscated JavaScript takes over.

Posted on January 13, 2012 at 11:30 AM

January 10, 2012

Tuesday Morning Malware Lures Permalink

More malware lures today to induce unsuspecting email recipients to click a link to Hell or open a Trojan-loaded attachment.

First the link variety. This time, the crook is using a bunch of legal mumbo jumbo. It's mostly meaningless, but invocating "the court" may put the fear of God into recipients and get the clicking finger adrenalin going:

Subject: Re: Fwd: Our chances to win an action are better than ever.

We discussed it with the administration representatives, and if we plead guilty our slight infringements to improve their statistics, the major action will be closed due to the lack of the state interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it of you feel uncomfortable with anything in it, advise us.

Speech.doc 556kb

Best Regards
Alita Feliciano

Secure Checksum: b1de6f8a5c8a50c3e1de127d4b650c3e6f

Although the message is formatted to make it appear as if the link is to an attachment, it is really just a clickable hyperlink to a hijacked web site where nefarious things happen to the unprotected PC.

The second one displays the guts of the malware distributors. They pose as no less than the United States Computer Emergency Readiness Team (US-CERT). Check this out:

From: soc@us-cert.gov
Subject: Phishing incident report call number: PH0000005724464

US-CERT is forwarding the following Phishing email that we received to the APWG for further investigation and processing.

Please check attached report for the details and email source

US-CERT has opened a ticket and assigned incident number PH0000001057411. As your investigation progresses updates may be sent at your discretion to soc@us-cert.gov and should reference PH0000009366166.

Thank you,

US-CERT Operations Center

[Attached File: US-CERT Operations Center Report 9463207.zip]

Ignoring the use of three different PH numbers (I guess as in PHony incident numbers), the fact that the message headers reveal its origination in Indonesia taints the authenticity just a tad.

Just remember: The more an unsolicited email message tries to elevate your blood pressure, the more likely it's B.S.

Posted on January 10, 2012 at 10:39 AM

January 04, 2012

Shame, Shame, Shame Permalink

There is a spammer out there who squeaks past the U.S. CANSPAM law by the thinnest of margins, yet he practices a technique that should have been outlawed: He floods the body of the message with hidden text content intended to trick spam filters, often called hash-busting.

He's doing this to advertise all kinds of products and services, including some very well-known brand names, such as Pimsleur language training. It's impossible to know if the spammer is an actual affiliate, or is using another route to generate leads for Pimsleur. Links in the messages do not go to Pimsleur (or whatever company is being promoted), but rather to domains whose registrations were minted fairly recently and are privacy-protected. The opt-out links go to the same domains as the offer links.

The particular hash-busting technique that this guy has been using for quite awhile is to load the hidden text at or near the end of the visible HTML, buried within a <style> tag. If you're not into HTML, let it be known that a browser does not render the content of <style> tags because they're supposed to contain layout instructions, such as fonts, colors, margins, and so on.

To give you an idea of the magnitude of the hash-busting text, I studied the content of a recent Pimsleur spam message. The entire message (including headers) was 12,397 characters long; the hash-busting text represented 10,650 characters of that. Eighty-six percent of the message's bytes were dedicated to bypassing recipients' spam filters.

In that particular message, the hash-busting text was predominantly scraped from a macrumors.com forum web page from 2008. Here's a brief excerpt:

<style type="text/css"> Apple News

Front Page
Mac Blog
iOS Blog
Buyer's Guide

Register FAQ / Rules Community Forum Spy Today's Posts Search
Go Back MacRumors Forums > Apple Hardware > Notebooks > MacBook Pro
Reload this Page Advice Appreciated: MacBook Pro Logic Board Replace?

User Name Remember Me?


Thread Tools Search this Thread Display Modes
Old Aug 12, 2008, 11:04 PM #1
macrumors newbie

Join Date: Aug 2008

Advice Appreciated: MacBook Pro Logic Board Replace?
Hi everyone. I don't have Apple Care. I am out of warranty.

My computer recently, today, got a problem where the monitor no longer works, and an external monitor doesn't work. Thought it was maybe this can't get out of sleep problem, but it's not. A shut down and restart, battery removal, connect a another monitor does not do anything. It seems to work fine otherwise. Took it in and they said the entire logic board had to be replaced, and would be $1,300. owwww.

Is this reasonable? Anyone have a cheaper way to go about this? This is a 2.4 MacBook Pro. Another option, I would hate to do without my computer for a length of time, but $1,300 is money I really don't have now. I see in the Buyer's Guide another incarnation of the MacBook Pro is coming. Does that mean the price of my logic board would drop soon?

Thanks in advance!
intercept789 is offline 0 Reply With Quote

Another spammer out there has been pushing a skin care line using slightly different hash-busting overloading. His technique uses a combination of syntactically-correct style sheet rules (although referencing HTML elements that don't exist in the message), plus multiple series of slash-delimited dictionary words and wide-spaced single words all within the same <style> tag, like the following:




















A typical message arrives with a total of 18,313 characters, 16,734 (91%) of which are dedicated to hash busting.

It's clear from the source code of these messages that the spammer knows the recipients likely don't want to receive these messages, and is working diligently to get past whatever defenses lie in his path. Unfortunately, this activity is protected by the CANSPAM law, as long as an opt-out link is provided. But I can tell you that the way the opt-out language is written, it's totally worthless when spammers use thousands of domains for their advertising campaigns. There is nothing preventing a spammer from taking an opt-out email address for one domain and handing it over to be used for any of his other domains. That's why I recommend never opting out of an unsolicited email message — it's merely confirming that the address is alive and ready to receive more crap from other domains from serial spammers.

If the brand-name companies are either hiring these "email marketing" firms directly or let such firms sign up to be affiliates, they must monitor the senders' activities. Any brand-named product I see being advertised with onerous (as in 80+%) hash busting content goes on my black list as a consumer. From this morning's email alone, the list added Pimsleur, match.com, and American Home Shield.

Posted on January 04, 2012 at 11:14 AM
The 419-Parcel Connection Permalink

The bits were hardly dry on my rail against the phony parcel scam (tied to malware distribution) when an advance-fee (a.k.a. 419) scammer tried to ride the coattails of FedEx credibility to perpetrate a more direct withdrawal of recipients' funds.


Subject: GOOD DAY

Dear Customer,
Good day to you. We have been waiting for you to contact us for your Confirmable Package that is registered with us for shipping of your Package to your residential location.
We are hereby obliged to inform you that your parcel has been with us for weeks now, We got over 20 set of packages from the United Kingdom We took time to write out the email addresses on the label Of each parcel and yours was included This is to inform you that we are in possession of your Parcel (which include a certified cheque worth of $800,000.00 USD and other vital documents) that we facilitate the clearance of the cheque in your country, which is to be couriered to you. It is the usual practice of our organization to conduct a proper verification of all PaCkages that we are to delivered, to ensure that they are valid. Be rest assured that your cheque has been confirmed valid and true and delivery will be made once you have meet the necessary requirements. The package is registered with us for mailing by the Online Lottery Award Promo Board as claimed,in England, United Kingdom.
We are sending you this email because your package has been registered on a Special Order.
What you have to do now, is to contact our Delivery Department for immediate dispatchment of your package to your residencial address.
Note that as soon as our Delivery Team confirms your informations, it will take only one working day (24 hours for your package to arrive it designated destination. For your information, the Mail, VAT & Shipping fees have been paid by the Lottery Award Promo Board before your package was registered. What you need to pay is the Security Keeping fee of the FedEx company as stated in our privacy terms & condition page, in order to secured your Package.
The cost for the Security Keeping fee is $286 USD.
This is mandatory, kindly complete the below form to reconfirm your Postal
Await your Swift Response.

Yours Faithfully,
Mike Robert

Email:fedexdeliveryservice[more removed]@yahoo.com
(The Dispatched Officer).
FedEx Online Team Management © 1995 - 2012 FedEx

Even if you were to fall for the preposterous FedEx part of the story (e.g., calling themselves "Fedex Courier Company"; that they confirm the contents of a package to contain a massive check; that they would charge recipients a Security Keeping fee), hopefully the lottery connection will give you pause, since lottery scams have been around forever.

On the one hand, the crook tells you up front how much money you'll be scammed out of in the first round. On the other hand, believe me when I tell you it's only a down payment. That poor, nonexistent parcel will travel around the world several times, winding up in places that need official fees, taxes, security costs, and bribes to free it on its way to you.

Oh, and if you think this scam is a new hybrid, examples with nearly verbatim language have been circulating for at least two years. It's just one of the many templates in the 419 Crook's Playset.

Posted on January 04, 2012 at 10:07 AM

January 01, 2012

The Mysterious Parcel Syndrome Permalink

It's an oldie, but a goodie: The email message arriving from a delivery service (UPS, USPS, Fedex, DHL) claiming that they have a package for/from you that needs to be picked up. In order to pickup the parcel, you must print out the form/label attached/linked to the message. Here's one that arrived today:

From: Postal Service <support@usps.com>
Subject: USPS service. Get your parcel NO#2517

Dear customer,

Your parcel has arrived at the post office on December 5.
We were not able to deliver your package to your address.
To receive a parcel you should go to the nearest USPS office and show your post label.
The post label is attached to this letter.

Thank you for your attention.
USPS Customer Services.

[Attached File: Post_Label_N1976US.zip]

Problem is, the attached file or the page at the end of the link destination can rip open an unprotected PC faster than a 5 year old kid tearing through wrapping paper on Christmas morning.

That's one way to get your New Year off to a crappy start.

Posted on January 01, 2012 at 09:50 AM