Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« February 2015 | Main | May 2015 »

April 27, 2015

Less [Info] is More [Curiosity] Permalink

Imagine seeing this in your email inbox listing:

From: Ty Ronca
Subject: Your account #105570127846 has been frozen

Now, you have no idea who or what "Ty Ronca" is...and that's exactly what the crook who sent the email is counting on. The recipient's reaction to this email listing is intended to be outrage ("How dare someone freeze my account!"). The immediate goal is to trick you into opening the message, upon which you'll see:

Your account #105570127846 was frozen for violation of our TOS. Please see attached.

Ty Ronca
Gifhorner Str. [removed] 29379 Knesebeck
+49 5834 [removed]
+49 5834 [removed]


The From: name/email address information is not—in any way—associated with the crooks behind this email barrage. Instead, the data comes from the email list of recipients. I just saw another instance of this email message with an Italian "sender". In fact, it's quite likely that there are copies of this trash going around with my email address as the "sender" (they obviously have my address because they sent the message to me).

As for the physical address and phone number information shown in the message body's signature, it was snarfed from a German company's web site. The company's domain name is completely different from that of the "sender".

If I could see the template used to generate these messages, I know I'd see a bunch of placeholders where either random data is inserted (e.g., the account number, also assigned to the .zip file attachment) or a randomized pick from a list of blank-fillers (e.g., "frozen", "suspended", and the From: field data).

And so, the recipient is incensed to be accused of violating the Terms of Service, even though there is no recollection of having an account with the signatory. In a fit of pique, the recipient double-clicks the attachment, thinking it contains information about the account.


In this case, that .zip file contains a Trojan loader that affects Windows PCs. Not only has the recipient discovered nothing about this ghost account (which does not exist), but his or her PC is now under the spell of the crooks who have full reign over everything going on within that computer (capturing passwords, logging network traffic, grabbing email addresses, and so on).

This campaign is the antithesis of those that try to trick users by fabricating all kinds of elaborate stories. In this case, there is very little to go on. Yet the lack of details is exactly what drives recipient curiosity to double-hit that mouse button ASAP.

Posted on April 27, 2015 at 11:10 AM

April 21, 2015

Tax Time Hijinks Permalink

It's income tax season here in the United States, and the crooks are certainly ready to tug at our fear-strings.

Here's a juicy email tidbit that aims to cause enough concern to trigger a double-click of a horribly dangerous attachment:

From: TAX@irs.gov
Subject: Your FED TAX payment (ID:1O2IRS749979290) was Rejected

Your federal Tax payment (ID: 1O2IRS749979290), recently sent from your checking account was returned by the your financial institution.

For more information, please download attached notification. (Security Adobe PDF file)

Transaction Number: 1O2IRS749979290}

Payment Amount: $ 5114.87
Transaction status: Rejected ACH Trace Number: 8888888888 Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service
Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.


Recipients might easily overlook a few content issues that make this message suspicious (e.g., some grammatical snafus and an ACH Trace Number that should trigger a race to buy a lottery ticket). Also, even in these days of e-filing, the IRS makes exception notifications via postal mail, not email.

Except for the occasional tax protester, nobody wants trouble from the IRS, especially if delays or what-have-you might cause penalties to accrue. That's what the crook who wants to grab control of your computer (and, potentially, your employer's network) is counting on. Double-click that attachment, and you'll soon wish the email really had come from the IRS.

Posted on April 21, 2015 at 11:50 AM