The tricks these guys try…

So I get an email, apparently a scan of an image from a Xerox copier sent to my inbox.

I am going to open the zip file that is attached? Um No!

This is what I see wrong with this one…

1. Images don’t need to be zipped, it doesn’t compress them enough
2. It was sent from someone I don’t know at admantech@nederland.8bit.be
3. It’s incredibly vague.

Obviously targeting large organisations that have these centralised scanning machines that deliver documents in this way, but for the other masses, a real scatter gun approach.

Heres the text:

Subject : Scan from a Xerox WorkCentre Pro N 2918425

Please open the attached document. It was scanned and sent to you using a Xerox

WorkCentre Pro.

Sent by: Guest

Number of Images: 1

Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set

Device Name: XRX9679AA7ACDB40111008

For more information on Xerox products and solutions, please visit

http://www.xerox.com

Phishing is all about getting people hooked, line a sinker, this time Amazon is the recipient of the Phishers focus.

It seems to be the usual DHL / UPS style scam, where a zip archive is attached to an email that carries the nasty payload.

Asking you to print the attached postal label to get your package.

As usual, delete these emails as they are nothing but a cover for a dangerous virus or scam.

Here is the transcript of the email

Goodafternoon!

Thank you for shopping at Amazon.com
We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered ” Asus Eee PC T91Go ”

You can find your tracking number in attached to the e-mail  document.

Print the postal label to get your package.

We hope you enjoy your order!
Amazon.com
Attachment is called Postal_label_Nr234.zip

It is interesting to see these people targeting suppliers / vendors that have wide audiences. Removing any refernce to DHL or UPS as this is starting to get a little old.

I wonder how long it will take for the Anti virus brigade to recognise this new variant.

Well they keep rolling off the spam/scam production line.

This one pretends to be an email from mail support of a specific domain. As with all of these mass email scams, they don’t realise that the person they sent the email to manages all of the mail for that domain (Including the “support” that is mentioned in the email)

This is a phishing scam hoping to gain logins and passwords to try to gain access to mail (or if you are sharing login details) or other online services.

Here is a transcript

Subject: Your profile will be locked in response to a complaint received by the Administration
from: support-62@deepweb.co.nz

***This message was created automatically by mail-delivery software. Do not reply to this message.*** 

Hello!
Your profile will be locked in response to a complaint received by the Administration 29.01.2010 ?.
According to "paragraph 8 of the user agreement, deepweb.co.nz reserves the right to suspend or terminate the provision of services deepweb.co.nz, promptly notifying the user. 

Refute the statement may be, following this link:
<a class="moz-txt-link-freetext" href="http://schwaber.net/472e3bb6">http://schwaber.net/472e3bb6</a>

If the application is not rejected within 7 days, your e-mail an account will be blocked.
It has a number 237242679231777. 

In the near future we will contact you.
It takes up to 3 days to process your request.
Thank you!
--------------------------------
Sincerely,
mail support service
deepweb.co.nz 

As you can see they are using shortened style urls to hide things, but it is unsophisticated as they use a completely unrelated domain as the link.

Most likely this will be handled by the antispam handlers, but shows these scams are still out there and are unlikely to go away.

Other variants of this try to dupe gmail users into giving their logins to the phishers

Many times there are things that show the US Centricness (Is that a word?) of the internet:

• .com readily meaning US site
• US date formats in online forms
• USD as the default currency

Well another example is the idea that every country must use UPS and DHL for their parcels.

Why else would all of the post / courier etc virus emails sent all around the world have these two as the only options to use.

The phishers seem to have a better idea…use a local provider to have a better chance of success. (Even these guys get it wrong: Note to Spammers – I dont have any Commonwealth Bank of Australia accounts)

What is wrong with NZPost? I suspect that in any case like this, an email from a local bank / services company / postal service etc would be more troublesome to the local population.

So, look out for suspicious emails from local suppliers, and as should be usual practice, here are a few standard tips to protect you from email nasties:

• Any email asking for any form of login / password should be treated suspiciously
• Any email warning of a security breach should be treated suspiciously
• Don’t click on any links in emails that you are unsure of, instead go to the website manually
• Don’t open any attachment that is unexpected, this especially includes zip files
• Keep your virus software up to date and make sure email scanning is turned on!

Let me know of any other tips or other virus laden emails you have had to send to your trash bin.

I have received a Twitter email saying that:

Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset. Please create a new password by opening this link in your browser:

Now, funnily enough, I don’t remember any phishing attempts coming my way, and by the number of similar issues that others are having, who also don’t remember any phishing attempts, it seems more likely a glitch at Twitter.

Phishing attacks are usually to capture logins and passwords so the attacker can gain access for some illicit purpose, but there were no bad tweets, no changing of settings, no damage I could see at all.

Again, none of the others I have read about have found any damage either.

I use some third party software and plugins to manage my Twitter account, so it could be one of those, but that isn’t phishing, that is a security breach.

No one seems to have any ideas, the closest I found was a reference to software such as Seesmic or Tweetdeck users having problems.

Some people were getting these emails ten times or more.

Here is a blog post about someone else’s experience (worse than mine, so far

Have you received one of these, have you had any issues resetting your Twitter password?

Let us know in the comments…

Some of the more common recent spam comments posted on this blog and others are obvious spam, but have the added benefit of including jokes.

Some are actually ok. Here are a few recent ones…

• Why did the dinosaur cross the road? Because there were no chickens in those times.
• What do you get when you play a country music song backward? You get your wife back, you get your job back, you stop drinking …
• Why do hurricanes travel so fast? If they traveled slowly, we would have to call them slow-i-canes

So OK, they are not great, but make spam less annoying

Local NZ ISP Igrin is the latest to be targetted for a phishing scam.

This one is quite crude as even the links look nothing like Igrin links

This message is from the webmail IT service, you are to provide to us the below information to re-validate your account due to spam.

What was the problem?

On November 27th, our servers were subjected to a malicious attack, which affected certain components of the operating system on some of our servers. Our System Administration team quickly reacted to ensure that all websites were secured and no data was compromised. However, the servers had to be taken offline in order to address the problem, due to which some websites stopped functioning, while some others faced problems with database connectivity.

…

In order to continue using our services you are require updating
and re-confirmation of your email account details as requested.
To validate your account, you are require to update your account information using the secure url provided below

http://www.pacnet-servers.co.cc/igrin/login.php.htm

Failure to do this will immediately render your account deactivated
from our database and service will not be interrupted as important
messages may as well be lost due to your declining to re-confirmed
to us your account details.

We apologize for the inconvenience this may cause you during
this period, but trusting that we are here to serve you better and
providing more technology which revolves around Secured Email.

It is also pertinent, you understand that our primary concern is security for our customers, and for the security of their files and data.
CONFIRMATION COaDE: /93-1A388-480

IT Support Team

Don’t fall for this one. Igrin has a generic “We don’t ask for your login and password” message on it’s home page, I wonder if they have sent anythign out? I wonder what their policy on protecting their clients is?

If there is anyone from Igrin out there, can you let us know?

There are plenty of domain name scams out there, I have spoken about SEDO branded ones, Chinese domain name scams and there are plenty of others.

They are all generally trying to trick you into either registering a name similar to the one you own or trying to encourage you to renew with them as opposed to your current provider.

What is common among most is that the prices they charge a far higher that they should be.

One that did the was the Domain Registry of America (wiki entry), they would send out renewal notices in the mail, hoping for someone to fill it out and send it back hoping they didnt realise that it was not from their provider or that the charges were much higher than normal.

Anyway, I got a similar email, today. The key things here is that it is for a legitimate domain, but the registration is for USD79.95 per year, far more than you can register or renew a domain.

With most scams, they use language to lure people into thinking they are legitimate, in this case talking about ISP (Internet Service Provider)

Now this service is not necessarily illegal, because anyone can renew any domain name, however, the issue here is the price.

Here is the transcript of the email.

These virus guys are busy, so soon after the DHL and Mail Server viruses, we now have a Facebook one. It will be interesting to see if people are getting wise to these forms of delivery, or whether the threat of losing access to Facebook will panic people into opening the attachment.

Again it looks like they are in the wild for a day or so before the virus software gets updated.

As usual here is the transcript

From: “The Facebook Team”
To: validemail@yoursite.co.nz
Subject: Facebook Password Reset Confirmation.

Hey validemail ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

Attachment called Facebook_Password_420ca.zip at the bottom

As always if you get anything suspicious, look at the Email Scams and Viruses category to see if it is there.

If not, let me know

Let the fun begin!

Wow, the virus / malware people are working overtime, my last post was about the Mail Server Upgrade scam / virus, now interestingly, a DHL email has slipped past my virus scanner.

In the past these have been picked up and have never been a threat, but this one got through, the email reads

Subject: DHL delivery service. Get your parcel NR.26252

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Delivery Services.

As usual, there is a zip file attached. This normally trips the virus scanner,b ut not this time.

Hopefully the next virus updates will catch up with this new variant.