
May 20, 2012

Facebook is Now 419-Worthy

Now that Facebook stock has gone public, the company is truly visible in the Big Bucks category. What better way to celebrate than have advance fee criminals (419ers) invoke Facebook's name in their lottery scams? You know, the kinds of things for which we've seen Microsoft's name abused for years. Move over, Microsoft, Facebook is King! Or maybe Nigerian Prince.

Of course, the message gets off to a rocky start if the recipient is wary enough:

Subject: RE: CONGRATULATIONS FROM FACE BOOK!

Note the space in the name. This error is repeated, but not uniformly, throughout the message.

The copying and pasting from previous Microsoft lottery scam messages was also error-prone. Yet the scammer did his or her best to put a Facebook, or rather Face book, spin on the alleged reasoning behind the munificence:

The online draws was Conducted by a random selection of email you where picked by an Advanced automated random computer search from the Face book in other To claim your $600.000.00USD the lottery program which is a new innovation by Face book, is aimed atsaying A BIG THANK YOU to all our users for making Face book their number one means to connect, communicate,relate and hook up with their families and friends over the years.

The ATM card, we're told, will be shipped for the discounted fee of $220.99 (a $100 savings because they arranged a "bulk shipping" contract). Such a deal!

Finally, I wouldn't want to be the Facebook telephone operator on Monday morning. The letter was signed:

Mrs. Sandra Jones.
Lottery Result Announcer
FaceBook Inc. Group

I think the kids at Facebook should set up a cubicle for that job position—even if it remains empty.

Posted on May 20, 2012 at 11:17 AM

May 16, 2012

Irresponsible Domain Name Management

In this day and age, I fail to understand how a major .com domain registrar can allow an individual claiming a physical address in Germany (and a yahoo.de email address) to register a domain name that includes "bankofamerica". The pattern for the name is "bankofamerica-??.com", where "??" is a two-letter combination.

It allowed a phisher to include the following URL in a message today (two letters disguised by ??):

http://sitekey.bankofamerica-??.com/sas/?signonScreen.do

The URL was both readable in the clear and identical in the rollover tooltip test. I'm sure a fair number of recipients will short-circuit their wariness upon seeing the "sitekey.bankofamerica" part.

Even if the real BofA gets the domain revoked (it was registered way back earlier this morning), the damage will have been done.

Sheesh.

Posted on May 16, 2012 at 10:20 AM

May 14, 2012

Fake AT&T Wireless Bill Notification

If you are an AT&T wireless customer (like me), you probably receive legitimate email notices each month when your wireless bill is ready to be viewed online. I don't keep track of when in the month the notice is sent, so when a notice arrived in my inbox this morning claiming to be from AT&T Customer Care with a Subject: line of "Your AT&T wireless bill is ready to view", I took a peek:

[Image: Convincing, but fake AT&T wireless bill notice]

I have a low-end plan (I don't talk much), so my bills are regularly well under $100 per month. Imagine my surprise at the claimed balance of over $1500. The sender hoped I'd be outraged enough to click immediately on the live links to log in to see where all the big charges came from. Unfortunately for the sender, when I see an outrageous email from one of my suppliers, I immediately smell a rat. Before clicking anything, I check the URL of the link (a mouse hover atop the link typically displays a tooltip revealing the actual URL of the link). The links in this email were not going to any AT&T web site, but rather to a hijacked site, which, upon further safe inspection of the content, loads the old obfuscated JavaScript stuff reported many times on this blog as malware loaders.

Other readily visible clues that this message is phony baloney include failure to address the recipient by name and to specify the account number in the first paragraph. It's not easy, however, to remember how each of your vendors addresses you in their regular emails. Most include your name somewhere, but not always.

Further inspecting the innards of the message, I see that the crooks tried to forge the headers to look like the message originated from an AT&T mail server. At the final stage of the header trail, however, the reverse IP address lookup performed by my mail server failed to resolve to a domain name. Legitimate AT&T emails to customers also employ a domain key signature.
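As an added example (not code from this post), here is a small Python triage routine that applies the checks described here and in the Bank of America entry above: whether the connecting host resolved in reverse DNS, whether a DKIM-Signature header is present, and whether each link's actual host is the vendor's domain or merely a name that contains it (like sitekey.bankofamerica-??.com). The message, IP addresses, host names and the reverse-DNS table are all constructed, and the lookup is stubbed so the script runs offline.

```python
import re
from email import message_from_string

# Constructed sample modelled on the fake notice above; hosts, IP and URLs are invented.
SAMPLE = """\
Received: from smtp.att-mail.example (unknown [198.51.100.9]) by mx.example.org with ESMTP; Mon, 14 May 2012 09:55:01 -0700
From: "AT&T Customer Care" <billing@att.com>
To: customer@example.org
Subject: Your AT&T wireless bill is ready to view
Content-Type: text/html

<p>Your balance of $1,532.22 is ready to view.</p>
<a href="http://hijacked-blog.example/wp-content/login.php">att.com/myATT</a>
<a href="https://www.att.com/help">Help</a>
"""

# Offline stand-in for the mail server's reverse DNS lookup; None = lookup failed.
RDNS = {"198.51.100.9": None}

def last_hop_ip(msg):
    # The topmost Received: header is the one our own server wrote about the
    # host that connected to it, so that is where its reverse lookup applies.
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return m.group(1) if m else None

def link_hosts(html):
    """Host part of every http(s) href, i.e. what the hover tooltip would show."""
    return re.findall(r'href="https?://([^/"]+)', html, flags=re.I)

def is_offsite(host, expected):
    """True unless host is expected or a subdomain of it; a lookalike such as
    sitekey.bankofamerica-xy.com is off-site for bankofamerica.com."""
    host = host.lower().rstrip(".")
    return not (host == expected or host.endswith("." + expected))

def triage(raw, expected="att.com", rdns=RDNS):
    """Apply the post's three checks; return human-readable findings."""
    msg = message_from_string(raw)
    findings = []
    ip = last_hop_ip(msg)
    if ip is None or rdns.get(ip) is None:
        findings.append(f"last hop {ip} has no reverse DNS name")
    if "DKIM-Signature" not in msg:
        findings.append("no DKIM-Signature header")
    html = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for host in link_hosts(html):
        if is_offsite(host, expected):
            findings.append(f"link points off-site: {host}")
    return findings
```

Running `triage(SAMPLE)` reports all three problems for the constructed message; a legitimate notice whose connecting host resolves and which carries a DKIM-Signature header yields findings only for links that leave the vendor's domain.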

You have to keep telling yourself (and your friends and neighbors) that when you receive an email message (even from someone you know) that contains anything outrageous, route your adrenalin to your rat-sniffing faculties, not your clicking finger. Clicking a link or opening an attachment in such emails may be the last thing you do with your computer before it — and all your valuable data and login credentials — fall into the hands of Bad Guys.

Posted on May 14, 2012 at 10:50 AM

May 10, 2012

Fake USPS Notification Ups the Ante

If you are on the same spam/malware delivery email address list that one of my addresses is on, then you've perhaps seen dozens (or hundreds) of phony parcel delivery notifications. Their sole purpose is to get you to install malware, either by clicking on an attached file or visiting a booby-trapped hijacked web site.

The most common ploy the crooks use is to claim the attachment/link contains a copy of the shipping label or other documents — figuring that you'll want to see what goodies have been shipped to you but can't find their way to your door. That's why I got a bit of a chuckle from a message claiming to be from USPS (that's the U.S. Postal Service for those outside of the U.S.):

From: USPS Mail
Subject: Print the postal label

Delivery information,

Our company’s courier couldn’t deliver your parcel.

Status deny: Wrong postal code.
LOCATION:Charlotte
STATUS OF YOUR ITEM: sort order
SERVICE: Standard Shipping
NUMBER OF YOUR PARCEL:U062504390 NU
FEATURES: No

The label of your parcel is enclosed to the letter.
Print your label and show it in the nearest post office of USPS

Important information!
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it's keeping in the amount of $13.79 for each day of keeping.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Logistics Services.

[attached file: Label_Parcel_ID9279US.zip]

That's rich! The post office charging for "keeping" a package. The idea here is to encourage the recipient to act now on the attachment to prevent those "charges" from piling up. The message suggests you inquire about those charges at your local post office. I suppose that's one way to entertain the crowd of people in line behind you.

Posted on May 10, 2012 at 09:47 AM