Phishing Phollies

The first tipoff should be the very name: NCUA. The National Credit Union Administration is NOT a credit union! It is a gov’t agency that oversees all credit unions! 1D10T5!

 I think any 3yo could do a better job!

Phishers (almost) scam grocery giant out of $10 million
Social engineers come close to reeling in a big one
Jaikumar VijayanOctober

22, 2007 (Computerworld) — Apparently it’s not just unwary individuals that fall victim to online scammers. Even large corporations, it seems, can get suckered into parting with their money by devious phishers.

Case in point: Eden Prairie, MN.-based grocery chain Supervalu Inc., which earlier this year got conned into depositing more than $10 million into two fraudulent bank accounts before recognizing the ruse. Details of the case are contained in court documents filed in connection with two forfeiture cases stemming from the incident.

According to federal court filings in the U.S. District Court for the District of Idaho, the fraudulent activity took place in late February and early March this year. In the court filings, Stephen Kilgroff, Supervalu’s vice president of legal affairs, said that on February 26 and 28 the company received two separate e-mails, one purporting to be from an employee at American Greetings Corp. and the second from an employee at Frito-Lay, both company-approved vendors.

Both e-mails told Supervalu to send future payments for each vendor to new bank account numbers. In the case of the e-mail that purported to be from American Greetings Corp., Supervalu was advised to send payments to an HSBC account in Miami. The other e-mail advised Supervalu to send Frito-Lay payments to an account at First Security Bank in Rogers, Arkansas.

Between Feb 28 and March 3, Supervalu deposited just over $6.5 million via multiple wire-transfers to the HSBC account, thinking that it was sending the money to American Greetings Corp. Similarly, on March 2 it made eight separate wire-transfers to the bank in Arkansas, depositing a total of $3.6 million to an account it thought belonged to Frito-Lay.

In addition to the $6.5 million deposited by Supervalu into the HSBC account, an additional amount of $500,000 had been deposited into the same account by a second company, identified as "ROHM" on court documents. No information has been available concerning the second company, and it is not a party to subsequent litigation.

Around March 6, according to the filings made by Kilgroff, Supervalu discovered that it had been "induced" into making the transfers to the bogus accounts. Following the discovery of the fraud, Supervalu quickly notified the appropriate law enforcement authorities, who managed to recover nearly all of the money before it could be withdrawn from the accounts.

The recovered money is now being claimed by Frito-Lay, American Greetings and Supervalu. In making the claim to the recovered money, Frito-Lay said that it believes the money belongs to Supervalu and said supported that company’s claim to ownership of the misdirected funds.

"However to the extent there is any determination that the ownership of these funds changed from Albertsons / Supervalu [the Albertsons grocery chain was recently acquired by Supervalu — eds.] to Frito-Lay (as a result of the attempted transfer, the misdirection, or any other development) Frito-Lay makes this claim to these funds in the alternative and subject to any claim of ownership by Albertsons / Supervalu" the company said in an affidavit.

A federal judge is expected to rule sometime in November on which firm should receive the recovered funds.

A spokeswoman from Supervalu responded via e-mail to a request for comment. "As indicated by the forfeiture complaint filed by the U.S. Attorney’s Office in Boise, Supervalu was the target of attempted financial fraud," spokeswoman Haley Meyer said. "Due to our internal controls and processes, we were able to quickly discover and report this to the FBI. As a result of the quick work of the Boise FBI Office and the U.S. Attorney, any funds lost are minimal."

Any unsolicited communication that asks you for identifying information or asks you to make changes to financial records should be treated as bogus until you verify it with a known source in the company the request appears to have come from!

I am a firm believer of the self-service nature of the Internet. However, when it comes to my critical information and my financial stability, I am a pessimist to the ^nth degree and I will speak with a human on the phone or face to face before I do anything with the communique.

 

 

 

 You know them, the pond scum that sends you emails telling you that you’ve been selected a winner in the lottery and you only need to send a few hundred in processing fees, or the ones that start with "Beloved" and promise you a fortune for helping them sneak millions out of their war-torn country because they are dying of cancer and suddenly grew a conscience and their murdered husband was the former president and died in a plane crash after he was tortured to death which happened just before he was hanged for stealing all the blood diamonds out of Nigeria, for which he spent 900 years in a Lyberian prison where he was forced to endure endless loops of Bush’s latest press release….. yada yada yada….. but anyway, I want to do good with the 18.3 million before I die alone and unloved, and won’t you help me? Or the 1D10T5 (geek for idiots) that bid on your eBay auction or find your ad for an apartment and tell you they just received a $25,000 check and would send it right to you as payment if you could deposit it for them, you know, because I’m moving and haven’t gotten a new bank yet, and I need travel money and my sick aunt needs gallbladder surgery and you can even keep a few grand for your trouble, but could you wire it ASAP? Pretty Please?????

Putting it in clear terms so everyone understands, if someone contacts you about:

1. Foreign Business Offers
2. Sudden Riches (yours or theirs)
3. Work-at-Home Schemes
4. Love Losses
5. Overpayments on your auction item or classified ad

Do not attempt to deal with these skanks, they are crooks and the "checks" they send are forgeries, very good forgeries, that often fool banks long enough for you to wire the requested amount to the skank and then find out from your bank that the check was no good and you are out thousands. Even checks from other states can take up to a week to clear and foreign checks can take weeks.

Do not attempt to "play" with these jerks. If you attempt to turn the tables on them and they find you, it will be your tookus on the hook, not theirs. They do not play nice, they are the scum of the Earth and they care little for your life or safety.

Rush right over to FakeChecks.org for all the dirt on these skanks and how they operate!

 There are so many things wrong with this email that I don’t know where to start. It was sent to no one (To:  is blank), the generic greeting, the capitalization of "Limited", the contradiction; after they investigate they may restore my account, if they find in my favor, yet if I fill out the form my account will be automatically restored?? and finally, the URL.

 

  ….oh, there it goes…. I decided to go back and get some screenshots of the site to show you how easy it is to fake a site and as I entered a name not normally used in mixed company and entered my "password" and hit enter, the site went belly up!

I did manage to grab the last page of it on the first round. The "success" page even had spelling mistakes! It automatically sent me to the real Amazon site after a few seconds.

 My browser of choice is Firefox, an excellent application IMHO!

 One of the many nice things about Firefox is the "early warning system" that checks an online database of reported fake sites. This notice pops up every time I go to a fake site.

Sometimes it gets annoying when I’m playing with known fakes but it is a very useful tool, especially if you are not that experienced on the Web.

 

 

 

If your Firefox does not do this you can change the settings by going to Tools/Options. It’s very quick and easy. 

 

 

 

 

• URL:
  Uniform Resource Locator. The URL defines the location of the site you are viewing.
• Prefix:
  The Prefix defines what Protocol is being called. A Protocol is a standardized means of communicating between computers across a network. http is HperText Transfer Protocol. https is a secure, or encrypted HyperText Tranfser Protocol. As a general rule, you should avoid entering any confidential information on a site that is not using https as the transfer of that data will not be encrypted or secure. Always look for the https in the address bar and the padlock on bottom of your browser. ftp is File Transfer Protocol. And, finally, news is used when using your browser to view newsgroups.
  The Prefix is separated from the rest of the URL with a colon and two forward slashes (://)

• Address:
  The address has several components. It is found in the URL between the "://" and the next "/". If you see WWW that is simply a disignator and it means World Wide Web. The use of www at the beginning of a web address is conventional, but not mandatory. WWW may be replaced by, or followed with, any.number.of.strings.separated.with.dots. In normal server hierarchy this can actually tell you quite a bit. Look at this URL: http://notes.cc.sunysb.edu. This address is telling me that I’m going to the server known as "notes" and that this server is controled by "cc" the Computing Center, which is part of Stony Brook (sunysb) and that Stony Brook is an Educational Institution (edu). This is not always the case, as can be found in many phishing emails. The most important part of the address is the last few items before first single slash "/" separated by dots (www.amazon.com, mypage.ebay.com, www.what.ever.I.feel.like.typing.domain.ext, www.amazon.com.ca) The address ends with the domain name (amazon, ebay, paypal, citibank, stonybrook) and the extension (com, net, org, edu, info, biz. Sites outside of the US often use a country designator after the extension.
  This is a legitimate URL for eBay: http://crafts.listings.ebay.com/. This is NOT legitimate: http://www.ebay.com.iam.a.scam.artist.com.ru/. This URL actually points to a domain called "artist.com" and is hosted in Russia (.ru).
  Domains can also be referred to using the numeric equivalent of their address. Every computer that connects to the Internet has an address called an IP address or Internet Protocol address. Some machines can have a fixed IP address, meaning that the number will not be changed. Others will use DHCP or Dynamic assignment which assigns a temporary number to a computer on demand and can recycle the number over a large computer collection, but never at the same time.
• Directories:
  URLs may or may not have any number of directories. On conventionally configured sites you could expect to see "domain.ext/images/", "domain.ext/css" or "domain.ext/scripts" These would typically hold images, Cascading Style sheets or scripts, respectively. To disguise a spoofed site you may see several random directories tossed in to add to the confusion.
• Files:
  The very last section of a URL will contain the name of the page you are looking at. This page, or file, name may or may not include a file type as in "index.html". Frequently seen file types are: .html, .shtml, .php, .asp, etc… WARNING! If you see a ".exe" ".scr" or ".pif" at the end of a link sent to you in an email do NOT ever click on that link! These are executable files that could very well infect your computer and/or render it a boat anchor.
  

 Let’s look at another example:

This: %70%68%69%73%68%2e%73%63%61%6d%2e%63%6f%6d

is the same as: phish.scam.com 

 Notice that "%2e" is repeated; those are periods ".". "%6d" is also repeated; these are the "m"s in "scam" and "com". So, if you had a URL that looked like: http://%70%68%69%73%68%2e%73%63%61%6d%2e%63%6f%6d it would take you to a site called http://phish.scam.com

Here is a much larger table of characters and their alter egos. If you look at the space (first column in the fifth row) "SP" you will see "0×20". This is the hexadecimal equivalent and if you change the "0x" with "%" you have URL encoded it. Think of it as a puzzle or secret language.

You need to URL encode characters other than {a-z A-Z 0-9] in URLs because some characters are "reserved" or "special" and can have a specific meaning or action, so computers know how to decipher these codes info meaningful website addresses and actions. Scammers encode special characters to hide the function the URL is performing.

The more confusing a URL appears the less likely average computer users will see through the screen of deception!