PC-Armor Computer Security News Blog

Nigerian Scam

Greetings,

While checking the Email for “info@pc-armor.com” today, I came across what appears to be a Nigerian Scam.  Before I show you the body of the Email, I would like to quote a warning by the FTC that is posted on their website at:

http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.shtm

 “If you’re tempted to respond to an offer, the FTC suggests you stop and ask yourself two important questions: Why would a perfect stranger pick you — also a perfect stranger — to share a fortune with, and why would you share your personal or business information, including your bank account numbers or your company letterhead, with someone you don’t know? And the U.S. Department of State cautions against traveling to the destination mentioned in the letters. According to State Department reports, people who have responded to these “advance-fee” solicitations have been beaten, subjected to threats and extortion, and in some cases, murdered.

If you receive an offer via email from someone claiming to need your help getting money out of Nigeria — or any other country, for that matter — forward it to the FTC at spam@uce.gov.

If you have lost money to one of these schemes, call your local Secret Service field office. Local field offices are listed in the Blue Pages of your telephone directory.”

Or course, the FTC site has more information about such scams, but I wanted you to see the important questions to ask yourself and what to do if you receive anything like the following example, which would be to forward the entire email to “spam@uce.gov” and then delete the message.  Now, let’s see what the body of one of these emails might look like…

Dear friend,

I know this will come to you as a surprise because you dont know me. I am (named removed for your protection) I work in the Citibank International Plc as the Head Of the Packaging and Courrier service Dept. During the air-lift of some Royal Luggages to Middle east, I decided to include additional Luggages Containing $15M(Fiftheen Million US Dollars)Only for my own Benefit though it was Labelled Security “Equipment” for security reasons.

I am Obliged to contact you to assist me in getting this luggage cleared and delivered to you from the agent as I have agreed on the Following terms.
1) Relevant Documents to claim this luggage will be procured in your name to enable the agent clear and deliver it to your mailing address.
2) That you will be entitled to a share of 30% of the total Money.
3) That 10% of the total money will be set aside for any expenses.
4) That 60% of the money will be for me.

If this business Transaction/Terms is ok by you, do Furnish me with your full names,Mailing Address,Your Personal Telephone/Fax Numbers for Communication and Onward Transfer to the agent in Middle East. You can reach me at my private email address: (Email address removed for your protection)

Note that this Business Transaction is 100% risk free as all relevant documents to back up the claim of the luggage will be provide for you hence we advice you to keep the entire transaction close to yourself until you must have received the luggage,for security reasons.Other modalities will be discussed as soon as you get back to me. Use this code when replying: (Secret Code Removed for your protection)/CitiBank.

Yours Faithfully,
(named removed for your protection)
Courier Dept(Citibank Plc).
+(Probably a Fraudulent Telephone Number, Removed for your protection)

Not only does the Email ask for personal information, it has numerous spelling and grammatical errors; which are dead giveaways to fraudulent scams!  It is important to understand that NO LEGITIMATE BUSINESS WILL EVER ASK YOU TO DIVULGE ANY OF YOUR PERSONAL INFORMATION IN AN UNSOLICITED MANNER, and that includes Email, Regular Mail, by Telephone, or in person.  As long as you can remember that very simple concept, you will avoid becoming a victim of such scams, because you didn’t take the bait!  The best thing you can do if you ever receive scams such as this, would be to forward the entire email to “spam@uce.gov“, as well as the investigative department of the company the email is imitating.

Common Sense will go a long way in protecting your financial security and personal identity.

PC-Armor.com

Amazon Phishing Scam

Here is a new phishing scam…this time, the attackers are fraudulently scamming “Amazon.com”. For your reference, you will find a copy of the e-mail with footnotes and references at the bottom of the sample.

From: Amazon.com Security- Center.

Sent: Tuesday, May 29, 2007 9:33 AM

Subject: “Amazon.com”: Possibile[1] Account Theft !

Dear Customer,

-Due to recent account takeovers and unauthorized listings, Amazon.com is requesting a new account verification procedure. From time to time, randomly selected accounts (seller and/or buyer)are placed under an advanced updating process based on merchant accounts/bank relationsand[2] on-file credit cards. Amazon.com may also request in an email message scanned/faxed copies of one or more photo ID’s. Your account confirmation may go wrong if your credit card/bank account has expired, or if you have changed/replaced your credit card without letting us know about the change.

-Your account is not suspended, but if in 36 hours after you receive this message your account is not confirmed we reserve the right to terminate your Amazon subscription.

-If you received this notice and you are not an authorized Amazon account holder, please be aware that it is in violation of Amazon policy

to represent oneself as an Amazon user. Such action may also be in violation of local, national, and/or international law.

To confirm your identity with us please click here[3]

-We apologize in advance for any inconvenience this may cause you and we would like to thank you for your cooperation as we review this matter.

Respectfully,

Amazon.com, Inc.

Copyright 2007 Amazon.com, Inc. All rights reserved.

Amazon sent this e-mail to you because your Notification Preferences

indicate that you want to receive information about Special Events &

Promotions.[4]Amazon will request personal data (password, credit card/bank

numbers) only on our home site, wich[5] is securely incrypted[6] with SLL.

Now that you have seen a sample of the phishing scam, here is a break down of red flags within the e-mail:

[1] Spelling Error: Should be “Possible”

[2] Grammatical Errors: There is no space between “relations” & “and”

[3] If someone clicks this link, it will not take them to “Amazon.com”; instead, it will take them to http://www.amazon.com.somewhere.com/security.html.” I substituted “somewhere” for the actual address for your protection.  As you can see, the link points to “somewhere.com“, instead of “Amazon.com“.  A common ploy is to trick the user into thinking the link is legitimate by inserting the scammed domain name (www.amazon.com) ahead of the actual domain name (somewhere.com).

[4] There is no space after the period; technically, there should be two spaces after each period.

[5] Spelling Errors: Should be “which”

[6] Spelling error: Should be “encrypted”

Finally, Amazon.com explicitly states on their website that, “Amazon will never ask for…requests to verify or confirm your account information”. You will find this policy at:

http://www.amazon.com/gp/help/customer/display.html?nodeId=15835501

Whenever you receive any e-mail asking you to verify your account information from anyone, investigate the policy of the business that “apparently” sent the request. As with Amazon, most legitimate companies will have similar policies.

Call Forwarding Phishing Attack

Last month, Don Jackson wrote an article that appeared on the SecureWorks “Threat Analyses” web page outlining a new type of Phishing attack utilizing a call forwarding scheme. The victims are warned that if they do not update their bank account information using the steps outlined in the e-mail, their accounts will be suspended.

As Mr. Jackson explains, victims receive an e-mail with instructions to dial *72 and then a “secure” number they state is the victim’s bank telephone number. After completing these tasks, the victim will supposedly receive a confirmation call within an hour and then the victim will be able to complete the process, which involves updating their personal information using an online form. Once the victim has completed the steps, the scammers are then able to use their personal information fraudulently, knowing that if the victim’s bank calls the victim’s telephone number on file to verify charges on their account(s), the calls will be forwarded to the scammer’s telephone number…who will in turn tell the bank the charges are authorized. This is a clever tactic and you need to be aware of it to avoid a nightmare of consequences.

As always, computer users should never fall for any scheme, intimidation attempt, or any form of solicitation in the form of an e-mail. You can read about this new scam at:

http://www.secureworks.com/research/threats/callforward/?threat=callforward

Social Networks are an Effective Tool for Scammers

Lenny Zeltser wrote an eye-opening article for the SANS Internet Storm Center Wednesday, May 16, explaining why scammers are attracted to Social Networks and how such networks can result in huge returns for them.

If you or anyone you know uses MySpace, Facebook, or similar social networks, this is an article worth reading.  A phisher was interviewed for the article and explains how [they] use social networks for [their] malicious deeds and why social networks yield such high returns compared to other sources.

The article ends with suggestions to limit your risk of exposing sensitive information to phishers and their scams.

You can read the article at: http://isc.sans.org/diary.html?storyid=2808

419 Death Threat Scam

On Tuesday, May 8, 2007, the SANS Internet Storm Center reported on a new e-mail scam with a new twist…a death threat against your life!

In looking at the example of such e-mails, the grammar is consistent with e-mails originating from overseas addresses, or the spammers are just plain illiterate. At any rate, this is a story worth reading and offers suggestions if you receive this type of e-mail, including where to report the threat(s).

You will find the story at:

http://isc.incidents.org/diary.html?storyid=2771

Virginia Tech Phishing Scams

The SANS Internet Storm Center reported that there are a large number of new domains being registered today in connection with the Virginia Tech massacre yesterday.  If you think back to Hurricane Catrina, there were numerous scams that came out of the wood work hoping to take advantage of caring and giving individuals who donated money with the intent of providing assistance to the unfortunate victims.

If you are looking to donate to the victims of the Virginia Tech tragedy, do some research before freely giving out your personal information and donations over the Internet.  You can read the story at:

http://isc.sans.org/diary.html

Beware of IRS Tax Phishing Scams

Warnings have been issued over the past couple of months regarding IRS Tax Phishing Scams and now that the tax deadline is almost here, there may be one last wave of attacks.

There are reports of Web sites claiming to be legitimate places where tax payers can file their returns electronically for free…but for the informed and Internet savvy, we all know that this is simply not true.

Do not become another victim and if you wish to file for free, the IRS does have a “Free File Program” located on the IRS.gov site.  You would be well-advised to type the address IRS.gov in to your browser, rather than trusting a link.  You can read more on this story at:

http://www.pcworld.com/printable/article/id,130789/printable.html

Beware of US Bank Phishing e-mail(s)

Today, I received an e-mail with the subject of “U.S. Bancorp Commercial and Business : Important Security Mail For All Customerss”.  There are a number of things wrong here…

- I am not a US Bank customer;

- “Customers” is spelled with an extra “s” (misspellings are common in fraudulent emails);

- The US Bank website specifically states, “U.S. Bank Security Commitment
At U.S. Bank, we’re committed to protecting your privacy and security. We will never initiate a request for sensitive information from you via email (ie., Social Security Number, Personal ID, Password, PIN or account number). We strongly suggest that you do not share your Personal ID, Password, PIN or account number with anyone, ever.”

- The originating IP address of this email was a “Comcast.net” address; which obviously is not “USBank.com”

The body of this particular email reads:

Dear U.S. Bank Connections Web and bus.E Ebanking Services client!

By following the link below please start the procedure of the client details update:

Link removed for your protection

These directives are to be sent and followed by all Connections Web and bus.E Internet Banking members of the U.S. Bancorp.

Copyright © 2007 US Bank Commercial and Business Internet Banking All Rights Reserved.

Your best decision would be to NOT OPEN the email and quickly delete the message.  This e-mail contains an image file, which could have harmful code hidden within it.  You would be particularly vulnerable to harmful code if you read your e-mail in HTML instead of text.

As always, legitimate businesses will usually never initiate a request for sensitive information; therefore, you would be advised to delete any e-mail requesting any type of information.

Phishing scam targets Dell customers

There are reports of new spoofed e-mails being distributed to Dell customers with the intent of obtaining financial gain at the expense of the victim(s).

At least one such e-mail appears as an order confirmation from Dell, complete with an order number, Dell customer number, and an order amount.

The e-mail(s) may contain a virus or have a virus attached to the links contained within the e-mail; therefore, you are advised to delete the e-mail. You should not open, forward, or respond to the e-mail; nor should you click any of the links within the e-mail.

According to the Direct2Dell Blog, it looks similar to Dell order confirmation e-mails; however, the fake e-mail does not contain “Bill to” or “Ship To” information. Legitimate order confirmation e-mails from Dell contain this information. You can read more about this new phishing scam at:

http://direct2dell.com/one2one/archive/2007/03/23/9351.aspx

Unsure about clicking on that link?

I received another e-mail with the following subject and body today:

Subject: Confirmation link

Thank you for your loan request, which we received yesterday, your refinance application has been accepted.  Good Credit or Not, We are ready to give you a $315,000 loan, after further review, our lenders have established the lowest monthly payments.

Approval process will take only 1 minute.  Please visit the confirmation link below and fill-out our short 30 second Secure Web-Form.

Obviously this is another scam, but to reinforce my suspicions, I searched for the location of the originating IP address, which came from Skopje, Macedonia.  Next, I searched for information on the domain the link was pointing to (if I would have been foolish enough to click it), and it just happens the domain was created yesterday, on 03-19-2007. 

First off, I never applied for any loans over the Internet.  But more importantly, when a domain is registered 1 day before the spam made it into my Inbox, odds are quite high it is a phishing scam!

If you have doubts about the validity of any link, you can research them at http://www.dnsstuff.com/.  You will be able to find out to whom the domain is registered, when it was created, when it expires, the country or origin, and other important information.

Be smart and do your homework BEFORE you make a big mistake!