<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
<title>Spam Wars Dispatches</title>
<link>http://spamwars.com/</link>
<description></description>
<copyright>Copyright 2012</copyright>
<lastBuildDate>Wed, 16 May 2012 10:20:46 -0800</lastBuildDate>
<generator>http://www.movabletype.org/?v=3.121</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs> 

<item>
<title>Irresponsible Domain Name Management</title>
<description><![CDATA[<p>In this day and age, I fail to understand how a major .com domain registrar can allow an individual claiming a physical address in Germany (and a yahoo.de email address) to register a domain name that includes "bankofamerica". The pattern for the name is "bankofamerica-??.com", where "??" is a two-letter combination.</p>

<p>It allowed a phisher to include the following URL in a message today (two letters disguised by ??):</p>

<blockquote>
http://sitekey.bankofamerica-??.com/sas/?signonScreen.do
</blockquote>

<p>The URL was both readable in the clear and identical in the rollover tooltip test. I'm sure a fair number of recipients will short-circuit their wariness upon seeing the "sitekey.bankofamerica" part.</p>

<p>Even if the real BofA gets the domain revoked (it was registered way back earlier this morning), the damage will have been done.</p>

<p>Sheesh.</p>]]></description>
<link>http://spamwars.com/archives/2012/05/irresponsible_d.html</link>
<guid>http://spamwars.com/archives/2012/05/irresponsible_d.html</guid>
<category></category>
<pubDate>Wed, 16 May 2012 10:20:46 -0800</pubDate>
</item>
<item>
<title>Fake AT&amp;T Wireless Bill Notification</title>
<description><![CDATA[<p>If you are an AT&T wireless customer (like me), you probably receive legitimate email notices each month when your wireless bill is ready to be viewed online. I don't keep track of when in the month the notice is sent, so when a notice arrived in my inbox this morning claiming to be from AT&T Customer Care with a Subject: line of "Your AT&T wireless bill is ready to view", I took a peek:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch05_14_12.jpg" alt="Convincing, but fake AT&T wireless bill notice">
</blockquote>

<p>I have a low-end plan (I don't talk much), so my bills are regularly well under $100 per month. Imagine my surprise at the claimed balance of over $1500. The sender hoped I'd be outraged enough to click immediately on the live links to log in to see where all the big charges came from. Unfortunately for the sender, when I see an outrageous email from one of my suppliers, I immediately smell a rat. Before clicking anything, I check the URL of the link (a mouse hover atop the link typically displays a tooltip revealing the actual URL of the link). The links in this email were not going to any AT&T web site, but rather to a hijacked site, which, upon further safe inspection of the content, loads the old obfuscated JavaScript stuff reported many times on this blog as malware loaders.</p>

<p>Other readily visible clues that this message is phony baloney include failure to address the recipient by name and to specify the account number in the first paragraph. It's not easy, however, to remember how each of your vendors addresses you in their regular emails. Most include your name somewhere, but not always.</p>

<p>Further inspecting the innards of the message, I see that the crooks tried to forge the headers to look like the message originated from an AT&T mail server. At the final stage of the header trail, however, the reverse IP address lookup performed by my mail server failed to resolve to a domain name. Legitimate AT&T emails to customers also employ a domain key signature.</p>

<p>You have to keep telling yourself (and your friends and neighbors) that when you receive an email message (even from someone you know) that contains anything outrageous, route your adrenalin to your rat-sniffing faculties, not your clicking finger. Clicking a link or opening an attachment in such emails may be the last thing you do with your computer before it &mdash; and all your valuable data and login credentials &mdash; fall into the hands of Bad Guys.</p>]]></description>
<link>http://spamwars.com/archives/2012/05/fake_att_wirele.html</link>
<guid>http://spamwars.com/archives/2012/05/fake_att_wirele.html</guid>
<category></category>
<pubDate>Mon, 14 May 2012 10:50:29 -0800</pubDate>
</item>
<item>
<title>Fake USPS Notification Ups the Ante</title>
<description><![CDATA[<p>If you are on the same spam/malware delivery email address list that one of my addresses is on, then you've perhaps seen dozens (or hundreds) of phony parcel delivery notifications. Their sole purpose is to get you to install malware, either by clicking on an attached file or visiting a booby-trapped hijacked web site.</p>

<p>The most common ploy the crooks use is to claim the attachment/link contains a copy of the shipping label or other documents &mdash; figuring that you'll want to see what goodies have been shipped to you but can't find their way to your door. That's why I got a bit of a chuckle from a message claiming to be from USPS (that's the U.S. Postal Service for those outside of the U.S.):</p>

<blockquote>
From: USPS Mail<br>
Subject: Print the postal label<br>

<p>Delivery information, </p>

<p>Our company’s courier couldn’t deliver your parcel. </p>

<p>Status deny: Wrong postal code. <br />
LOCATION:Charlotte <br />
STATUS OF YOUR ITEM: sort order <br />
SERVICE: Standard Shipping <br />
NUMBER OF YOUR PARCEL:U062504390 NU <br />
FEATURES: No </p>

<p>The label of your parcel is enclosed to the letter. <br />
Print your label and show it in the nearest post office of USPS </p>

<p>Important information! <br />
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it's keeping in the amount of $13.79 for each day of keeping. </p>

<p>You can find the information about the procedure and conditions of parcels keeping in the nearest office. </p>

<p>Thank you for using our services. <br />
USPS Logistics Services. </p>

<p>[attached file: Label_Parcel_ID9279US.zip]</p>
</blockquote>

<p>That's rich! The post office charging for "keeping" a package. The idea here is to encourage the recipient to act <em>now</em> on the attachment to prevent those "charges" from piling up. The message suggests you inquire about those charges at your local post office. I suppose that's one way to entertain the crowd of people in line behind you.</p>]]></description>
<link>http://spamwars.com/archives/2012/05/fake_usps_notif.html</link>
<guid>http://spamwars.com/archives/2012/05/fake_usps_notif.html</guid>
<category></category>
<pubDate>Thu, 10 May 2012 09:47:07 -0800</pubDate>
</item>
<item>
<title>Bogus Fire Safety Test Notification</title>
<description><![CDATA[<p>This one is obviously intended for recipients who are employees in companies big enough to have a Human Resources department and something like a fire safety policy (spelling errors are in the original):</p>

<blockquote>
Subject: RE:Enclosed Tutoring Materials<br>

<p>Dear Colleagues </p>

<p>It might be useful for you to know that we are taking part in a joint event with Fire and Counter Terorrism Safety icnluding 3 written tests on Thursday. </p>

<p>Last year four in ten epmloyees survyeed could not pass the Fire Safety test. </p>

<p>Each of you will find enclosed a Fire Safety Policy and your role decsription. Please take a look at the enclosed materials before April. <br />
Kind regards, </p>

<p>Susan<br />
Department of Human Resources</p>
</blockquote>

<p>The attached file is named Fire Safety Guidance.pdf.zip, apparently trying the old chestnut of hoping the PC is set up to not display file name extensions (thus making this file look like an Acrobat file &mdash; not that PDFs are necessarily safe, but that's another story). Opening the attachment in an unprotected Windows machine will load spyware and/or a Trojan loader, which can then load and spy on anything you've got. In fact, if your machine gets infected, you might wish for a fire, and toss the PC into it on your way out the door.</p>]]></description>
<link>http://spamwars.com/archives/2012/04/bogus_fire_safe.html</link>
<guid>http://spamwars.com/archives/2012/04/bogus_fire_safe.html</guid>
<category></category>
<pubDate>Wed, 18 Apr 2012 16:30:58 -0800</pubDate>
</item>
<item>
<title>Phony Verizon Billing Notification</title>
<description><![CDATA[<p>Using the same behind-the-scenes modus operandi as the recent fake Apple Store order acknowledgment mailing, today's version (Subject: Your Bill Is Now Available) abuses Verizon's name and artwork:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch04_16_12.jpg" alt="Fake Verizon billing notification">
</blockquote>

<p>If you are a Verizon customer and suddenly see an impending $1445 bill coming, the adrenalin flow will likely trigger a click of the link to see how your bill could have gotten so high. The links, of course, are to a hijacked web site, where a "WAIT PLEASE Loading..." visible screen masks the loading of obfuscated JavaScript from three other hijacked web sites. The scripts then begin their attack on your PC.</p>

<p>Remember that spammers and scammers rely on you to act, and will use every trick in the book to outrage you and get that mouse button a-clickin'. Roll over the links to check the URLs. If you're still not certain, log into your account via a previously-saved bookmark. Once there, you'll see that you don't have a $1445 wireless bill.</p>]]></description>
<link>http://spamwars.com/archives/2012/04/phony_verizon_b.html</link>
<guid>http://spamwars.com/archives/2012/04/phony_verizon_b.html</guid>
<category></category>
<pubDate>Mon, 16 Apr 2012 09:33:02 -0800</pubDate>
</item>
<item>
<title>Phony Apple Store Order Acknowledgment</title>
<description><![CDATA[<p>This morning, the malware bad guys have been sending out messages titled:</p>

<blockquote>
From: Apple Store<br>
Subject: Order Acknowledgment W273706813
</blockquote>

<p>The order numbers vary from message to message. The body is a well-formatted HTML page that is very reminiscent of the actual order confirmations that Apple sends out (under a different Subject: line, mind you). </p>

<p>Bill to and Ship to names and addresses are apparently filled in from a random database under the crook's control. You won't recognize the names, but you will be terrified that you are being charged for a 17-inch MacBook Pro to the tune of about $2600.00. </p>

<p>Whatever you do, <strong>do not click any links in that email message</strong>. The links I've seen go to hijacked web sites. Although the pattern of what the link serves up has been used before (links to auto-load multiple JavaScript pages that then redirect to a different destination), and those in the past have been used to deliver Windows malware, these days even Mac users can't be too careful &mdash; thanks to the drive-by Java exploit that some experts say has infected over one-half million Macs.</p>

<p>If you are concerned about the possibility of your Apple account having been hacked (most likely through phishing, by the way, so you were the one who gave yourself over to the crooks), visit the Apple Store through a previously-saved bookmark and inspect your order history. You'll find nothing whatsoever about these bogus orders. Let the adrenalin drain from your system, and get on with your day.</p>]]></description>
<link>http://spamwars.com/archives/2012/04/phony_apple_sto.html</link>
<guid>http://spamwars.com/archives/2012/04/phony_apple_sto.html</guid>
<category></category>
<pubDate>Mon, 09 Apr 2012 11:38:45 -0800</pubDate>
</item>
<item>
<title>The Power of Coincidence</title>
<description><![CDATA[<p>I was involved in a PayPal transaction yesterday &mdash; nothing unusual about it. But look at the following sequence of items in my email inbox on a slow Saturday afternoon as a result:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch04_08_12a.jpg" alt="Three PayPal messages in my inbox">
</blockquote>

<p>I was certainly expecting the first two messages, a notice of sending an invoice and the payment in return. But then nine minutes after the payment comes a third message also claiming to be from service@paypal.com. Now, I've seen this message and its grammar-challenged Subject: line many times before in recent weeks, so I knew that this message had no connection with: a) my transaction; and b) reality. Yet consider the power of attention this bogus message had in the wake of two legitimate messages, especially the message that conveyed information about money coming to me.</p>

<p>For the sake of completeness, here is the content of the third message:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch04_08_12b.jpg" alt="Phony PayPal email message">
</blockquote>

<p>The overall look of the message, aided by images downloaded directly from a PayPal web server, might also get the recipient's attention. If you know English, however, the whole thing starts to fall apart with horrific grammar and punctuation in the first two lines. My mind's ear puts the first paragraph into the mouth of the Soviet submarine captain in the movie comedy "The Russians Are Coming! The Russians Are Coming":</p>

<blockquote>
"Emergency! Everybody to get from street!"
</blockquote>

<p>By the way, here's a hint for you bogus email spotters out there: Whenever you see "information" spelled as a plural ("informations"), you can be guaranteed the message was created by an English-challenged writer, living in a non-English-speaking country.</p>

<p>Readers of this blog and my book know that I encourage development of healthy paranoia when it comes to one's email inbox. When something like a phishing email message arrives right on the heels of some legitimate activity you've just had with the institution being phished, that paranoia might lead you to think the institution's servers have been hacked or monitored by bad guys, and you are being personally targeted as a result of your legitimate activity. It happens to me a few times a year.</p>

<p>True, the coincidence is unnerving, but it is nothing more than coincidence. In the case of this particular email sequence, I knew the last one had nothing to do with the first two because the last one was sent to a different email address than the one I use for PayPal. If you still feel uneasy, simply log into your account via a previously saved bookmark. If there were truly a problem with the account, you'd learn about it there. </p>

<p>While I'm on this message, let me also address other advice that I give about rolling over links in potential phishing/malware messages to examine the actual URL of the link. This phony PayPal message employs a technique that bad guys have used for years to try to trick non-techies who think they know about URLs. Here is the URL of the "Relog in your account now" link from the above message:</p>

<blockquote>
http://paypal.com-us.cgi-bin-webscr-cmd.login-submit-dispatch.74fghghs68g48fyrt4mn86wvnchtor26hgbfn83m48hg3ufghd4sbnghtyrtdf.[removed].com/account.php
</blockquote>

<p>In the rollover tooltip, the uninitiated user might be fooled by the leading references to paypal.com and think all the gobbledygook following it is like the stuff you frequently see in browser address fields. But the actual domain (which I've removed) is just to the left of the slash near the end. The domain has been registered for over 10 years, so this looks to be a typical hijacking. It's possible that the hijacker set up a subdomain whose name is all the gobbledygook, or he modified the server to accept any subdomain.</p>

<p>Thus, even the best advice might not always be easy to follow. You might have to dig out your magnifying glass and deerstalker cap to follow the clues.</p>]]></description>
<link>http://spamwars.com/archives/2012/04/the_power_of_co.html</link>
<guid>http://spamwars.com/archives/2012/04/the_power_of_co.html</guid>
<category></category>
<pubDate>Sun, 08 Apr 2012 12:10:23 -0800</pubDate>
</item>
<item>
<title>Bogus Facebook Friend Requests</title>
<description><![CDATA[<p>If you are a Facebook user, the format of the following message will certainly look familiar to you:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch04_05_12.jpg" alt="Fake Facebook invitation">
</blockquote>

<p>It's a dead ringer for the real thing. You won't know the person requesting your friendship, so the first instinct is to click on the person's name to view their profile (or perhaps you're so desperate to increase your friend count, you click the Confirm button without thinking). No matter which link you click in this message, if your PC isn't fully protected and patched, it (and all your active login credentials) will soon belong to some crook.</p>

<p>Each link in the above message goes to a different hijacked web site, where an obfuscated JavaScript script starts your PC on its way to hell. If you've been reading this <a href="http://spamwars.com">Spam Wars Dispatches</a> blog recently, you'll recognize a pattern in the multiple links to malware loading web sites. What's a bit different in this one is that instead of frightening you to click a link, this message uses your typical response to a familiar email from a source you probably trust (although inherently trusting Facebook is perilous in itself).</p>

<p>So, how can you tell if this is phony?</p>

<p>Two ways:</p>
<ol>
<li>The easiest way is to hover your cursor atop each of the links without clicking. In most email readers, you will see a tooltip showing the URL of the link &mdash; in this case, definitely not to facebook.com. (BTW in the email client on iOS devices, you can press and hold on a link to get the same kind of popup revealing the URL. Just be sure to cancel the popup, rather than navigating to the link.)</li>
<li>I'm also an advocate for learning how to read email message headers to spot when the sender isn't who it claims to be in the From: field you see in the message. Almost everything in an email header can be forged without consequence to the sender. Understanding what's true is vital to interpreting headers and avoiding being scammed.</li>
</ol>

<p>It is email messages like this one that lead me to distrust <em>every piece of email</em> until I can satisfy myself that it is genuine. As is proven here, crooks count on your automatic response to familiar things. Be smart about it.</p>]]></description>
<link>http://spamwars.com/archives/2012/04/bogus_facebook_1.html</link>
<guid>http://spamwars.com/archives/2012/04/bogus_facebook_1.html</guid>
<category></category>
<pubDate>Thu, 05 Apr 2012 10:35:09 -0800</pubDate>
</item>
<item>
<title>Apple ID Password Message</title>
<description><![CDATA[<p>If you receive a message like the following, <strong>do not click any links in the message</strong>:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch04_03_12.jpg" alt="Fake Apple ID reset message">
</blockquote>

<p>The Subject: line of this message, "Your Apple ID password has been reset", is like the one that Apple sends out when you <em>really</em> change your password. But when this message arrives when you haven't changed your password, you might think that someone has gotten into your account and ripped off your Apple ID (and is now buying up the iTunes and Apple Stores on your credit card). </p>

<p>Although the above message is credible-looking (unless you dig into the message headers, which immediately reveal that it did not originate from Apple), each link is to a different hijacked web site where malware loaders are standing by to take over your machine.</p>

<p>Due to recent revelations of Java-based silent takeovers that can affect Mac OS machines (without requiring the user to enter any system passwords), it's best to avoid even coming close to a page that could grab your computer with a simple visit. Rolling the cursor over the links in the above message shows that the links are not to Apple &mdash; one simple way to check out the veracity of this and similar messages.</p>

<p>If you receive a message like this from any (apparent) source that has one of your passwords, visit the site from a previously-saved bookmark. If there is a problem with your password (a possibility approaching zero), you'll find out there. </p>]]></description>
<link>http://spamwars.com/archives/2012/04/apple_id_passwo.html</link>
<guid>http://spamwars.com/archives/2012/04/apple_id_passwo.html</guid>
<category></category>
<pubDate>Tue, 03 Apr 2012 10:14:01 -0800</pubDate>
</item>
<item>
<title>Faux Intuit Malware Lure</title>
<description><![CDATA[<p>This one is just another variation of the <a href="http://spamwars.com/archives/2012/03/faux_irs_and_pa.html">fake IRS email</a> previously reported here. Instead of invoking the IRS, it claims to be an order confirmation from Intuit, to wit:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch03_26_12.jpg" alt="Fake Intuit email message">
</blockquote>

<p>The attached HTML file is similar to the one discussed in the fake IRS message, whereby you'll see a "Loading. Please wait." message while a bunch of obfuscated JavaScript is executed to direct your browser to more harmful pages.</p>]]></description>
<link>http://spamwars.com/archives/2012/03/faux_intuit_mal.html</link>
<guid>http://spamwars.com/archives/2012/03/faux_intuit_mal.html</guid>
<category></category>
<pubDate>Mon, 26 Mar 2012 16:34:02 -0800</pubDate>
</item>
<item>
<title>Faux IRS and PayPal Messages Spreading Malware</title>
<description><![CDATA[<p>Both of the social engineering tricks shown in the following email examples try to raise the adrenalin of the recipient with the hope that the rush causes immediate clicking or opening. Both involve money (surprise!), either that you are made to think you won't get back (IRS refund) or had lifted from your account (PayPal). </p>

<p>First the fake Internal Revenue Service notification. The Subject: line reads "Your tax return appeal is declined." Then comes the message body that includes logos directly from the irs.gov web site, but in a silly arrangement that makes the IRS look like it's creating a doorbusting sale advertisement:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch03_21_12a.jpg" alt="Fake Internal Revenue Service email">
</blockquote>

<p>The payload is an attached HTML file, which, when decoded, reveals a good amount of obfuscated JavaScript &mdash; a sure sign that the sender is up to no good. If you were to open the attachment, you would see momentarily the wording</p>

<blockquote>
<h2>Loading. Please wait.</h2>
</blockquote>

<p>That gives you something to look at while the script determines if you are running a susceptible operating system/browser. If your computer qualifies, let the malware loading begin!</p>

<p>Today's PayPal-inspired malware missives look halfway decent (except for the errant HTML end tag). </p>

<blockquote>
<img src="http://spamwars.com/image/dispatch03_21_12b.jpg" alt="Fake PayPal payment email">
</blockquote>

<p>If you receive multiple messages, they'll likely have different dollar amounts and names of people to whom money was(n't) sent. Each of the seven links in the message goes to a <em>different</em> hijacked web site, where the multiple-copy JavaScript loading gimmick reported <a href="http://spamwars.com/archives/2012/03/phony_bank_of_a.html">here</a> takes over. While that's doing its stuff (redirecting and script-checking your system), you see momentarily the following in your browser:</p>

<blockquote>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
</blockquote>

<p>This observable behavior makes me think the campaigns are related, perhaps by authorship. </p>

<p>Although most of these types of JavaScript-in-an-HTML-document attacks have targeted unpatched Windows PCs in the past, I get more nervous about them than about .exe or similar executable attachments. While executables are more easily spotted in an email attachment, you just don't know what a JavaScript-based attack is doing unless you painstakingly fetch the script code (not in a browser) and study it, often requiring careful examination to inhibit code that is booby trapped to execute when being studied. A script-based attack could silently afflict systems other than Windows, should the crook know how to take advantage of an unpatched or zero-day vulnerability. Even though I'm primarily a Mac user, I don't feel that my systems are untouchable. Mac and Linux users can just as easily fly too close to the Sun with their wax wings.</p>]]></description>
<link>http://spamwars.com/archives/2012/03/faux_irs_and_pa.html</link>
<guid>http://spamwars.com/archives/2012/03/faux_irs_and_pa.html</guid>
<category></category>
<pubDate>Wed, 21 Mar 2012 10:15:01 -0800</pubDate>
</item>
<item>
<title>You Have NOT Won an iPad 2 [or 3]</title>
<description><![CDATA[<p>Look at this bullshit:</p>

<blockquote>
From: Apple&reg; &lt;iPad3request@apple.com&gt;<br>
Subject: deal or no deal

<p><img src="http://spamwars.com/image/dispatch03_16_12.jpg" alt="Image not from Apple"></p>
</blockquote>

<p>These fraudsters are also kind of stupid. To broadcast a bogus offer for the iPad 2 on the release day of the succeeding generation is idiotic at best. I mean, if you're going to hold out a fake carrot, at least make it a good one.</p>

<p>[Update: Apparently the crook has updated the artwork to say "iPad 3", which is equally ludicrous.]</p>

<p>It's clear the sender hopes recipients believe this offer comes from Apple, and a simple click is all you need to finish the job. What isn't clear is that the link is to a domain whose name includes the word "timeshare". That page redirects to another domain that wraps you up into a barrage of surveys (for which the host makes money) and other costly tricks that aren't worth the effort (and usually entail giving up the email addresses of your friends in the process).</p>

<p>Forging the headers, as this message does, is enough for them to be prosecuted for CAN-SPAM violations. But that assumes the crooks behind this scheme are in the U.S., which I doubt. In any case, don't fall for it. Don't even click the link to satisfy your curiosity because the links might be coded to verify your email address.</p>]]></description>
<link>http://spamwars.com/archives/2012/03/you_have_not_wo.html</link>
<guid>http://spamwars.com/archives/2012/03/you_have_not_wo.html</guid>
<category></category>
<pubDate>Fri, 16 Mar 2012 19:11:12 -0800</pubDate>
</item>
<item>
<title>Phony Bank of America Wire Transfer Notices</title>
<description><![CDATA[<p>Yet another attempt to trick unsuspecting victims. This one comes in the form of a bogus alert from Bank of America suggesting that you wired a big chunk of dough to an international recipient. Here's one version of the message I've seen:</p>

<blockquote>
From: Online Transfers from Bank of America<br>
Subject: Your Same Day wire transfer was successfully sent<br>

<p>We have successfully sent the following transfer:</p>

<p>*********************************************<br />
Item #:    996474891<br />
Amount:        $5151.00<br />
To:        Brooks Sports<br />
Fee:    45.00<br />
Send on Date:  03/16/2012<br />
Service:  International<br />
*********************************************</p>

<p>You can always check your transfer status on the Review Transfer screen at <span style="color:blue; text-decoration:underline">www.bankofamerica.com</span>.</p>

<p>Wire Details Report: <span style="color:blue; text-decoration:underline">report_996474891.doc</span> (Microsoft Word Document)</p>

<p>Sincerely,</p>

<p>Member Service</p>

<p>www.bankofamerica.com</p>

<p>(C) 2012 Bank of America Corporation. All rights reserved.</p>
</blockquote>

<p>The links are to a hijacked Turkish web site, where the inserted page loads not one, not two, but <em>five</em> copies of the same JavaScript script, each one hosted at a different domain or IP address. The script loads a page from a still different hijacked web site.</p>

<p>Although phony banking alerts typically lead to phishing pages, there are hallmarks of this campaign that point more to malware delivery. Of course, one cybercrook is equally capable of pulling off both types of scams. Installing malware helps build the bot network; phishing helps fund the botnet-building activity.</p>

<p>In any case, I can see recipients of this message (who are also Bank of America customers) freaking out about a $5100 wire transfer. If you want to put your mind to rest about this possible transaction, ignore the links in the message and log into your BofA account by way of the bookmark you normally use to do your electronic banking. Any wire transfer would show up as a debit in your account &mdash; but you will find no such debit because this email is entirely bogus.</p>]]></description>
<link>http://spamwars.com/archives/2012/03/phony_bank_of_a.html</link>
<guid>http://spamwars.com/archives/2012/03/phony_bank_of_a.html</guid>
<category></category>
<pubDate>Fri, 16 Mar 2012 11:00:36 -0800</pubDate>
</item>
<item>
<title>I&apos;m in Trouble! (Not!)</title>
<description><![CDATA[<p>Doofus malware spreaders are at it again. Today's incoming had lots of messages like the following:</p>

<blockquote>
Subject: I'm in trouble!<br>

<p>I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!<br />
I've just got the pictures, maybe you know him???</p>

<p>I have attached the photo to the mail (Open with Internet Explorer).</p>

<p>I need to find him urgently!</p>

<p>Thank you<br />
Zenith</p>
</blockquote>

<p>The real trouble is that the crook didn't program his malware-sending bots to change out the From: header lines from previous campaigns. We had suffered many days of the "we can't deliver your package" spam containing malware attachments. He changed out the Subject: and message body, but the From: fields are from the old campaign:</p>

<blockquote>
From: package update &lt;ups-account-services@ups.com&gt;<br>
From: UPS &lt;ups-services@ups.com&gt;
</blockquote>

<p>If the story in the message sounds familiar, well, <a href="http://spamwars.com/archives/2011/11/its_wednesday.html">it should</a>. Open an attachment/click a link &mdash; they all lead to the same bad end.</p>]]></description>
<link>http://spamwars.com/archives/2012/03/im_in_trouble_n.html</link>
<guid>http://spamwars.com/archives/2012/03/im_in_trouble_n.html</guid>
<category></category>
<pubDate>Tue, 13 Mar 2012 10:54:51 -0800</pubDate>
</item>
<item>
<title>FBI/ATM 419er Keeps Deadbeats at Bay</title>
<description><![CDATA[<p>An advance-fee scammer's email claiming to be from FBI DIRECTOR (with an aol.com email address -- haw haw) makes me wonder what fantasies whirl through the minds of these crooks. The stories they invent often defy logic, but I guess those who fall for these tricks ignore the disconnected dots on the way to a supposed multimillion dollar payday.</p>

<p>Today's example uses up a lot of 419 material. It starts out with a threat that the recipient is engaged in illegal activity (including the first time I've seen them refer explicitly to puppy scammers). Suddenly they shift gears to tell the potential victim of a massive "Contract / Inheritance payment" (that covers the gist of a lot of long-winded, non-lottery 419 scams) of $11 million...in the form of an ATM card that needs to be claimed. </p>

<p>Next they show the names and UPS or FedEx tracking numbers of previous payment recipients. I referred to these tracking numbers in earlier posts, and unfortunately, the ones in this email are real tracking numbers for deliveries to various U.S. towns. Only one record showed the origination point of a shipment, in Pennsylvania. I strongly doubt the crooks had anything to do with those shipments, perhaps entering random numbers into the tracking services to find real ones to use in their email messages.</p>

<p>As has been happening in several 419 scams of the ATM card variety recently, this one reveals up front that the victim needs to wire $255 for the card to be shipped. The victim is to believe that "there is no other payment attached to this after the payment for your delivery has been confirmed." If you believe that, I have a beautiful red bridge spanning the Golden Gate I'd like to sell you.</p>

<p>I must say that the part of this message that tickled me the most is the following: "please if you know you cannot be able to afford the US$255 for the shipment of your ATM card, then do not bother to contact Mr. Frank Diru for your ATM card shipment." That's right: Don't unload your poverty sob story onto the crook. He doesn't want to hear it.</p>

<p>And now, for your coffee break enjoyment, the full text:</p>

<blockquote>
<p>Attn: Beneficiary,</p>

<p>This is to officially inform you that it has come to our notice and we have thoroughly investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Kelvin Williams, Zenith Banks, Mr. Michell Brown From union bank, kelvin Young of HSBC, Ben of FedEx, Ibrahim Sule, Larry Christopher, puppy scammers are impostors claiming to be the Federal Bureau Of Investigation.</p>

<p>During our Investigation, we noticed that the reason why you have not received your payment is because you have not fulfilled your financial obligation given to you in respect of your Contract / Inheritance payment, and also the wrong people that you have been dealing with earlier.</p>

<p>Therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in total US$11million in an ATM CARD which you can use to withdraw money from any ATM MACHINE CENTER anywhere in the world with a maximum of US$5,000 per daily withdrawal.</p>

<p>Below are few list of tracking numbers you can track from FedEx website to confirm people like you who have received their payment successfully.</p>

<p>Name: Donna L. Vargas: UPS Tracking Number: 1Z966AR90105033136 (www.ups.com)<br />
Name: Rovenda Elaine Clayton: UPS Tracking Number: 1ZA0T5861379047617 (www.ups.com)<br />
Name: Linda Emlina: FedEx Tracking Number: 468888861983 (www.fedex.com)<br />
Name: Susan T. Love: FedEx Tracking Number: 949856926109095 (www.fedex.com)</p>

<p>You now have the lawful right to claim your fund in an ATM CARD. Since the Federal Bureau of Investigation is involved in this transaction, you have to be rest assured for this is 100% risk free it is our duty to protect the lifes. All i want you to do is to contact the ATM CARD CENTER via email for their requirements to proceed for the delivery of your ATM card, and it will cost you US$255 only and note that without this payment your ATM card cannot be delivered to your doorstep.</p>

<p>This is the only payment legally requested of you to do for ATM CARD, to be delivered to you safely. there is no other payment attached to this after the payment for your delivery has been confirmed.</p>

<p>After the your payment has been confirmed by the courier company your ATM card will get to your doorstep within 24hrs, this was the assurance giving to the us by them, and it was officially signed by the fedex courier manager. And after your package leaves for a tracking number will be giving to you, where you can track your package in their website http://fedex.com/ng/</p>

<p>CONTACT INFORMATION, ATM PAYMENT CENTER:</p>

<p>NAME: Mr. Frank Diru<br />
Address: 86b Peterson Close Off Moblie Road Apapa Lagos<br />
EMAIL: xxxxxdiru@yahoo.cn<br />
Telephone: +234-815-xxx-xxxx</p>

<p>Do contact Mr. Frank Diru with your correct details, to avoid mistake during delivery:</p>

<p>FULL NAME:<br />
HOME ADDRESS:<br />
TELL:<br />
CELL:<br />
CURRENT OCCUPATION:<br />
GENDER/ AGE:</p>

<p>So your files would be updated after which he will send the payment information which you will use in making payment of $255 via (WESTERN UNION TRANSFER) or (MONEY GRAM TRANSFER) for the procurement of your APPROVAL SLIP after which the delivery of your ATM CARD will be effected to your designated home address without any further delay.</p>

<p>You are advice to call him with his number +234-815-xxx-xxxx before sending him e-mail and please if you know you cannot be able to afford the US$255 for the shipment of your ATM card, then do not bother to contact Mr. Frank Diru for your ATM card shipment.</p>

<p>Note: Do disregard any email you get from any impostors or offices claiming to be in possession of your ATM CARD, you are hereby advise only to be in contact with Mr. Frank Diru of the ATM payment center who is the rightful person to deal with in regards to your ATM CARD PAYMENT and forward any emails you get from impostors to him so we could act upon and commence investigation.</p>
</blockquote>]]></description>
<link>http://spamwars.com/archives/2012/03/fbiatm_419er_ke.html</link>
<guid>http://spamwars.com/archives/2012/03/fbiatm_419er_ke.html</guid>
<category></category>
<pubDate>Fri, 02 Mar 2012 11:04:44 -0800</pubDate>
</item>


</channel>
</rss>
