Archive for the Phishing Trip Category

Scams Phishing Trip

According to ComputerWorld "Black Friday" is one of the most profitable events for hackers trying to steal your holiday cheer and anything else they can get their filthy paws on.

There are usually a handful of "hot" items that everyone is vying for this time of year; be it a Tickle-Me-Elmo or a Wii. Don’t fall victim to that email claiming to have your Holy Grail at an unbelievable price/quantity on a very popular site. Do NOT click on the link! VERIFY the code behind that link to see where it is really trying to take you. The scammers are not only trying to take you to a fake site to steal your info, their fake site may also be installing key stroke monitoring code on your computer to collect what you type in the future.

I’m disturbed by the following excerpt from the ComputerWorld article:

"Online fraudsters have been busy this year. Fraud losses related to U.S. e-commerce will top $3.6 billion in 2007, up 20% from last year, according to a report by the vendor CyberSource this month. The increase in dollar loss is due mostly to growing e-commerce sales, as the percentage of transactions that are fraudulent has held steady.

The run-up to Christmas and tax filing season are the two most dangerous times of the year for online shoppers, Yaneza says.

In addition to being wary of e-mails, be careful when searching for holiday deals or specific products on Google and other search engines. Operators of malicious sites have figured out ways to rise to the top of search listings.

"We’ve seen instances where the top site that is ranked actually gets there by gaming the Google search algorithm," Yaneza says."

$3.6 BILLION! These dirtbags have stolen THREEPOINTSIX BILLION bucks out of your pockets! WAKE UP PEOPLE!!!!!! And, remember, that is only the reported amount. Many victims are too embarrassed to report their losses.

I don’t know how many different ways we, the people who don the superhero capes to fight these criminals, can say it: DON’T BE FOOLED! Even if you are a regular customer of "Company X" do not click on a link in an email purported to be from Company X without making damn sure that email is real. Better yet, open your browser and type the URL you always go to (www.amazon.com) rather than clicking on any link in an email. It only takes a second people, it isn’t going to destroy your day to exercise those fingertips and type rather than clicking on your mouse.

A message from your local superhero; Super Pessimist

Phishing Trip

OK, there are so many things wrong with this I just don’t know which one to address first!

The first tipoff should be the very name: NCUA. The National Credit Union Administration is NOT a credit union! It is a gov’t agency that oversees all credit unions! 1D10T5!

Second, let’s review the bottom of the email…. hmmmm a disclaimer about "Spheris.com" and "HIPAA" warnings… Spheris is a medical documentation company. Credit unions do not need a HIPAA disclaimer (Health Insurance Portability and Accountability Act). They don’t deal with patient information!

The scammer hacked into a Spheris mail account to send the mail without realizing that Spheris attaches the HIPAA disclaimer to all outbound mail. 1D10T5!

Next, the moron is "sending" the mail from "fcu.com" which is also NOT a credit union! They provide information on credit unions!

The next clue that this is a scam is the body of the email; a blurry screenshot image that is so bad you can hardly read it, but if you squint really hard you will see mistakes in the text.

I think any 3yo could do a better job!

Phishing Trip

Talk about "big game" phishing! The following article is from ComputerWorld (my morning coffee partner):

Phishers (almost) scam grocery giant out of $10 million
Social engineers come close to reeling in a big one
Jaikumar Vijayan

October 22, 2007 (Computerworld) — Apparently it’s not just unwary individuals that fall victim to online scammers. Even large corporations, it seems, can get suckered into parting with their money by devious phishers.

Case in point: Eden Prairie, MN.-based grocery chain Supervalu Inc., which earlier this year got conned into depositing more than $10 million into two fraudulent bank accounts before recognizing the ruse. Details of the case are contained in court documents filed in connection with two forfeiture cases stemming from the incident.

According to federal court filings in the U.S. District Court for the District of Idaho, the fraudulent activity took place in late February and early March this year. In the court filings, Stephen Kilgroff, Supervalu’s vice president of legal affairs, said that on February 26 and 28 the company received two separate e-mails, one purporting to be from an employee at American Greetings Corp. and the second from an employee at Frito-Lay, both company-approved vendors.

Both e-mails told Supervalu to send future payments for each vendor to new bank account numbers. In the case of the e-mail that purported to be from American Greetings Corp., Supervalu was advised to send payments to an HSBC account in Miami. The other e-mail advised Supervalu to send Frito-Lay payments to an account at First Security Bank in Rogers, Arkansas.

Between Feb 28 and March 3, Supervalu deposited just over $6.5 million via multiple wire-transfers to the HSBC account, thinking that it was sending the money to American Greetings Corp. Similarly, on March 2 it made eight separate wire-transfers to the bank in Arkansas, depositing a total of $3.6 million to an account it thought belonged to Frito-Lay.

In addition to the $6.5 million deposited by Supervalu into the HSBC account, an additional amount of $500,000 had been deposited into the same account by a second company, identified as "ROHM" on court documents. No information has been available concerning the second company, and it is not a party to subsequent litigation.

Around March 6, according to the filings made by Kilgroff, Supervalu discovered that it had been "induced" into making the transfers to the bogus accounts. Following the discovery of the fraud, Supervalu quickly notified the appropriate law enforcement authorities, who managed to recover nearly all of the money before it could be withdrawn from the accounts.

The recovered money is now being claimed by Frito-Lay, American Greetings and Supervalu. In making the claim to the recovered money, Frito-Lay said that it believes the money belongs to Supervalu and said it supported that company’s claim to ownership of the misdirected funds.

"However to the extent there is any determination that the ownership of these funds changed from Albertsons / Supervalu [the Albertsons grocery chain was recently acquired by Supervalu — eds.] to Frito-Lay (as a result of the attempted transfer, the misdirection, or any other development) Frito-Lay makes this claim to these funds in the alternative and subject to any claim of ownership by Albertsons / Supervalu" the company said in an affidavit.

A federal judge is expected to rule sometime in November on which firm should receive the recovered funds.

A spokeswoman from Supervalu responded via e-mail to a request for comment. "As indicated by the forfeiture complaint filed by the U.S. Attorney’s Office in Boise, Supervalu was the target of attempted financial fraud," spokeswoman Haley Meyer said. "Due to our internal controls and processes, we were able to quickly discover and report this to the FBI. As a result of the quick work of the Boise FBI Office and the U.S. Attorney, any funds lost are minimal."

It pays to be vigilant no matter how big or small you are!

Any unsolicited communication that asks you for identifying information or asks you to make changes to financial records should be treated as bogus until you verify it with a known source in the company the request appears to have come from!

I am a firm believer in the self-service nature of the Internet. However, when it comes to my critical information and my financial stability, I am a pessimist to the nth degree and I will speak with a human on the phone or face to face before I do anything with the communique.

Scams Phishing Trip

While not directly related to phishing emails, my newest friend covers the other side of email skanks.

You know them, the pond scum that sends you emails telling you that you’ve been selected a winner in the lottery and you only need to send a few hundred in processing fees, or the ones that start with "Beloved" and promise you a fortune for helping them sneak millions out of their war-torn country because they are dying of cancer and suddenly grew a conscience and their murdered husband was the former president and died in a plane crash after he was tortured to death which happened just before he was hanged for stealing all the blood diamonds out of Nigeria, for which he spent 900 years in a Liberian prison where he was forced to endure endless loops of Bush’s latest press release….. yada yada yada….. but anyway, I want to do good with the 18.3 million before I die alone and unloved, and won’t you help me? Or the 1D10T5 (geek for idiots) that bid on your eBay auction or find your ad for an apartment and tell you they just received a $25,000 check and would send it right to you as payment if you could deposit it for them, you know, because I’m moving and haven’t gotten a new bank yet, and I need travel money and my sick aunt needs gallbladder surgery and you can even keep a few grand for your trouble, but could you wire it ASAP? Pretty Please?????

Putting it in clear terms so everyone understands, if someone contacts you about:

  1. Foreign Business Offers
  2. Sudden Riches (yours or theirs)
  3. Work-at-Home Schemes
  4. Love Losses
  5. Overpayments on your auction item or classified ad

and wants to send you money that does not belong to you or give you a check in excess of your price with the stipulation that you deposit the large amount and wire or transfer back to them any amount quickly, DELETE THE EMAIL ASAP!

Do not attempt to deal with these skanks, they are crooks and the "checks" they send are forgeries, very good forgeries, that often fool banks long enough for you to wire the requested amount to the skank and then find out from your bank that the check was no good and you are out thousands. Even checks from other states can take up to a week to clear and foreign checks can take weeks.

Do not attempt to "play" with these jerks. If you attempt to turn the tables on them and they find you, it will be your tookus on the hook, not theirs. They do not play nice, they are the scum of the Earth and they care little for your life or safety.

Rush right over to FakeChecks.org for all the dirt on these skanks and how they operate!

Phishing Trip

Here’s an interesting twist on trying to bully you into giving them what they want.

The claim is that they discovered your credit card (BOA details) has been used on a site supporting our friend bin Laden and because of this activity BOA is "limiting" your account.

The claimed website is a real website, however, it is not what you think… The guy running it is, IMHO, a sensationalist and is using the shock value of the domain name to spout his agenda. He claims it WAS bin Laden’s site but the domain name expired on 9-11-2001 and he snapped it right up.

In any event, the email is 100% phish phoop! By now I should not have to point out the obvious identifiers to you, the generic greeting, the threat of account problems, the mistakes ("that your that your" in the first line), and the all important URL that points to an IP number and not a domain name, which, BTW, is no longer reachable.

I did think it was fun that they included the text about always looking for your SiteKey before signing in…

WARNING: Personal opinion alert! Queasy people stop reading now…

I still am amazed at the large number of people who fall for phishing, even with all the obvious clues, or the "Nigerian" or Lottery scams. Then again, 52% of you voted for Bush… ‘nough said! As my pal Forrest says, "stupid is as stupid does"

Phishing Trip

Now, this is fun! I knew that Amazon was big and that I could get anything from steel cut oats to bandsaws, but according to the "From" address: onlinebanking@amazon.com they sell money too!

There are so many things wrong with this email that I don’t know where to start. It was sent to no one (the To: line is blank), the generic greeting, the capitalization of "Limited", the contradiction (after they investigate they may restore my account, if they find in my favor, yet if I fill out the form my account will be automatically restored??), and finally, the URL.

redshift.com is an ISP in Monterey, California. I notified them. I also sent this to Amazon. And, it is already submitted on PhishTank. The site, however, is still up. So, I paid them a visit using a proxy to mask my real IP number and filled in "my" name, which, I can’t tell you because it would make you blush, and my address happens to be the same as the ISP’s address in Monterey.

….oh, there it goes…. I decided to go back and get some screenshots of the site to show you how easy it is to fake a site and as I entered a name not normally used in mixed company and entered my "password" and hit enter, the site went belly up!

I did manage to grab the last page of it on the first round. The "success" page even had spelling mistakes! It automatically sent me to the real Amazon site after a few seconds.

Ha! while I was writing this I got the exact same email again, only this one points to an ISP in China (hinet.net). Once again, the URL has already been reported to PhishTank and I sent the URL to the ISP though they won’t do anything, they’ve probably got an arrangement to get a cut of any action the creep gathers on the site! The site even had the same stupid spelling mistakes on it as the first one.

My browser of choice is Firefox, an excellent application IMHO!

I just don’t know why it took me so long to switch over. I haven’t seen a pop-up or banner ad in years, I can get an in-depth look into any site I’m on, I can block any script I want, easily download entire sites in minutes… but I’ll save that for another article.

One of the many nice things about Firefox is the "early warning system" that checks an online database of reported fake sites. This notice pops up every time I go to a fake site.

Sometimes it gets annoying when I’m playing with known fakes but it is a very useful tool, especially if you are not that experienced on the Web.

If your Firefox does not do this you can change the settings by going to Tools/Options. It’s very quick and easy.

IE needs to get its act together…..

Phishing Trip

Dear Robert Mickelsen

You’re truly an idiot:

Whois
  Domain Name………. mymutualban.com
  Creation Date…….. 2007-10-03
  Registration Date…. 2007-10-03
  Expiry Date………. 2008-10-03
  Organisation Name…. robert mickelsen
  Organisation Address. 4400 Dixie Way
  Organisation Address.
  Organisation Address. Mims
  Organisation Address. 32754
  Organisation Address. FL
  Organisation Address. UNITED STATES

  Admin Name……….. robert mickelsen
  Admin Address…….. 4400 Dixie Way
  Admin Address……..
  Admin Address…….. Mims
  Admin Address…….. 32754
  Admin Address…….. FL
  Admin Address…….. UNITED STATES
  Admin Email………. mickelsen.robert@yahoo.com
  Admin Phone………. +1.3213642642
  Admin Fax…………

  Tech Name………… YahooDomains TechContact
  Tech Address……… 701 First Ave.
  Tech Address………
  Tech Address……… Sunnyvale
  Tech Address……… 94089
  Tech Address……… CA
  Tech Address……… UNITED STATES
  Tech Email………..  domain.tech@yahoo-inc.com
  Tech Phone……….. +1.6198813096
  Tech Fax………….
  Name Server………. yns1.yahoo.com
  Name Server………. yns2.yahoo.com

Phishing Trip

Here is a real quick and easy one. The first tipoff for me was my lack of association with this bank. I don’t live in Massachusetts or have an account with any bank there, let alone Mutual Bank.

Looking at the URL behind the "click here or die" link shows only a very minor difference; the "k" is missing at the end.

I reported this to the bank as the site was still up and I reported it to PhishTank.

Sometimes reporting these things to the company being used pays off!

I got a nice personal Thank You note for alerting them.

A million bucks would have been even better, but I’ll take the thank you!

Phishing Trip

To decode a URL you need to understand the following basic parts that make up the whole string. We’ll use one from a previous post.

  • URL:
    Uniform Resource Locator. The URL defines the location of the site you are viewing.
  • Prefix:
    The Prefix defines what Protocol is being called. A Protocol is a standardized means of communicating between computers across a network. http is HyperText Transfer Protocol. https is a secure, or encrypted, HyperText Transfer Protocol. As a general rule, you should avoid entering any confidential information on a site that is not using https, as the transfer of that data will not be encrypted or secure. Always look for the https in the address bar and the padlock at the bottom of your browser. ftp is File Transfer Protocol. And, finally, news is used when using your browser to view newsgroups.
    The Prefix is separated from the rest of the URL with a colon and two forward slashes (://).
  • Address:
    The address has several components. It is found in the URL between the "://" and the next "/". If you see WWW that is simply a designator and it means World Wide Web. The use of www at the beginning of a web address is conventional, but not mandatory. WWW may be replaced by, or followed with, any.number.of.strings.separated.with.dots. In normal server hierarchy this can actually tell you quite a bit. Look at this URL: http://notes.cc.sunysb.edu. This address is telling me that I’m going to the server known as "notes", that this server is controlled by "cc", the Computing Center, which is part of Stony Brook (sunysb), and that Stony Brook is an Educational Institution (edu). This is not always the case, as can be found in many phishing emails. The most important part of the address is the last few items before the first single slash "/", separated by dots (www.amazon.com, mypage.ebay.com, www.what.ever.I.feel.like.typing.domain.ext, www.amazon.com.ca). The address ends with the domain name (amazon, ebay, paypal, citibank, stonybrook) and the extension (com, net, org, edu, info, biz). Sites outside of the US often use a country designator after the extension.
    This is a legitimate URL for eBay: http://crafts.listings.ebay.com/. This is NOT legitimate: http://www.ebay.com.iam.a.scam.artist.com.ru/. Read it from the right: this URL actually points to a domain called "artist.com" registered under Russia’s country designator (.ru); the "www.ebay.com" at the front is just a string of subdomain labels the scammer chose.
    Domains can also be referred to using the numeric equivalent of their address. Every computer that connects to the Internet has an address called an IP address, or Internet Protocol address. Some machines have a fixed IP address, meaning that the number will not change. Others use DHCP, or dynamic assignment, which hands a temporary number to a computer on demand and recycles numbers across a large collection of computers, though never giving the same number to two computers at the same time.
  • Directories:
    URLs may or may not have any number of directories. On conventionally configured sites you could expect to see "domain.ext/images/", "domain.ext/css" or "domain.ext/scripts". These would typically hold images, Cascading Style Sheets or scripts, respectively. To disguise a spoofed site you may see several random directories tossed in to add to the confusion.
  • Files:
    The very last section of a URL will contain the name of the page you are looking at. This page, or file, name may or may not include a file type, as in "index.html". Frequently seen file types are: .html, .shtml, .php, .asp, etc… WARNING! If you see a ".exe", ".scr" or ".pif" at the end of a link sent to you in an email do NOT ever click on that link! These are executable files that could very well infect your computer and/or render it a boat anchor.

In the above example you will notice "/%20%20/". This can be another ploy used by the scammer to conceal the actual site. Any character that can be seen/typed on a computer is schizophrenic, if you will. Characters have "alter egos", or other forms of representation. Computers like numbers and prefer numeric representations rather than text. One of these numeric representations is known as "hexadecimal". The character we know as the space, " ", has a hexadecimal equivalent of 20. It has another alter ego, decimal 32, in the ISO-Latin character set that we use. When converted to hexadecimal, 32 becomes 20. And, in URL encoding, hexadecimal 20 is written as "%20".

Let’s look at another example:

This: %70%68%69%73%68%2e%73%63%61%6d%2e%63%6f%6d

is the same as: phish.scam.com

Notice that "%2e" is repeated; those are periods ".". "%6d" is also repeated; these are the "m"s in "scam" and "com". So, if you had a URL that looked like: http://%70%68%69%73%68%2e%73%63%61%6d%2e%63%6f%6d it would take you to a site called http://phish.scam.com

Here is a much larger table of characters and their alter egos. If you look at the space (first column in the fifth row) "SP" you will see "0x20". This is the hexadecimal equivalent, and if you replace the "0x" with "%" you have URL encoded it. Think of it as a puzzle or secret language.

You need to URL encode characters other than [a-z A-Z 0-9] in URLs because some characters are "reserved" or "special" and can have a specific meaning or action, so computers know how to decipher these codes into meaningful website addresses and actions. Scammers encode characters that don’t need encoding to hide the function the URL is performing.

The more confusing a URL appears the less likely average computer users will see through the screen of deception!
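
As an added example (not code from the original post), here is a small Python decoder that splits a URL into the prefix, address, directories and file described above, percent-decodes the address, and reports the red flags these posts keep pointing out: an IP number instead of a domain, a brand name buried as a subdomain label (the ebay.com...artist.com.ru case), a one-character look-alike domain (the missing "k" from the Mutual Bank post), %20 padding, and executable file names. The short country-suffix list and the brand domains passed in by the caller are assumptions, not anything the post defines.

```python
import re
from urllib.parse import unquote

# Assumption: a short hand-rolled list of two-label country suffixes, enough
# for the post's examples; a real tool would use the full public suffix list.
TWO_LABEL_SUFFIXES = {"com.ru", "co.uk", "com.au", "co.jp", "com.br"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")


def decode_url(url):
    """Split a URL into the parts the post names: prefix, address, directories, file.
    The address is percent-decoded first, so the encoded phish.scam.com example
    comes out as readable text."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*)://([^/?#]*)(/[^?#]*)?", url)
    if not m:
        raise ValueError("no prefix (scheme://) found in %r" % url)
    prefix, raw_host, path = m.group(1).lower(), m.group(2), m.group(3) or "/"
    # Drop any user@ part and :port so only the host name is examined.
    host = unquote(raw_host).lower().split("@")[-1].split(":")[0]
    segments = path.split("/")[1:]
    labels = host.split(".")
    # The registered domain is the last two labels, or three when the last two
    # form a country-style suffix (so ...artist.com.ru -> artist.com.ru).
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return {"prefix": prefix, "raw_host": raw_host, "host": host,
            "registered_domain": ".".join(labels[-n:]),
            "directories": segments[:-1], "file": segments[-1]}


def one_char_off(a, b):
    """True when a and b differ by one substituted, inserted or deleted character
    (the mutualban / mutualbank kind of look-alike)."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def url_warnings(url, brands):
    """Return the red flags the post walks through for one URL, given the brand
    domains (e.g. {"ebay.com"}) the e-mail claims to come from."""
    p = decode_url(url)
    warnings = []
    if "%" in p["raw_host"]:
        warnings.append("percent-encoded address, decodes to " + p["host"])
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", p["host"]):
        warnings.append("address is a bare IP number, not a domain name")
    if p["prefix"] != "https":
        warnings.append("not https: anything typed in is sent unencrypted")
    if any(d and unquote(d).strip() == "" for d in p["directories"]):
        warnings.append("blank (%20) directory names used as padding")
    if p["file"].lower().endswith(EXECUTABLE_EXTS):
        warnings.append("link ends in an executable file: " + p["file"])
    reg = p["registered_domain"]
    for brand in brands:
        if reg == brand:
            continue
        if brand in p["host"]:
            warnings.append("%s is only a subdomain label; real domain is %s" % (brand, reg))
        elif one_char_off(reg.split(".")[0], brand.split(".")[0]):
            warnings.append("look-alike domain %s, one character off from %s" % (reg, brand))
    return warnings
```

Paste the link target from the email into url_warnings together with the domain the mail claims to be from; an empty list means none of the post's tell-tale signs were found, not that the link is safe.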

Phishing Trip

Dr. Cranor is a professor from Carnegie Mellon University. Her team has developed a great game to help people learn how to spot phishing attempts.

Anti-Phishing-Phil is a tiny little fish whose adventures teach him about the perils of scam emails and how to spot them.

While the game is cute, it is the initial series of frames that are really good at introducing the user to URL construction and what to look for to spot a fraud.

I sent Professor Cranor an email suggesting that she give the user a "Pause" button so they can go look up URLs presented in the game to see if they are or are not fakes. During one of my rounds on the game a URL was offered that I did not recognize, but the game did not give me enough time to go check it. The game also seemed to malfunction in that it was offering users a chance to register and possibly win a prize, however, it never presented the screen to register.

The initial testing is over (no more prize), but you can still play the game. I suggest that everyone give the game a try, several in fact, so that you can become more familiar with the scams that exist.

You can also find more useful information on the CMU Usable Privacy and Security Laboratory (CUPS) page on Internet Trust issues.

In my next post I will show you how to decode a URL.