Notes on a phishing expedition

I found the following in my gmail spam this morning and it easily lends itself to explaining some of the telltales it is a scam and/or phishing expedition. I’ve put the areas I wish to discuss in boldface for you.

CONTACT HSBC BANK FOR YOUR BANK TRANSFER UPDATE

Mr. Stanley Clarke @gmail.com>

01:48 (9 hours ago)

to

HSBC Regional Bank FL (HSBC Regional Bank)
Avenue Cotonou , BP 988 Cotonou Benin Republic.
Telex :5211 F B COTONOU BENIN REPUBLIC .
Tel::+22968579277
From the desk of, Mr. Stanley Clarke ,
Director Payment Department. Hsbc Bank
of West African(HSBC Regional Bank)
Instant compensation Payment valued at US$7,500.000.00 usd

It is my modest obligation to write you this letter as regards the authorization of your owed payment through our most respected financial institution (HSBC Regional Bank). I am Mr. Stanley Clarke , the chief executive officer, foreign operations department HSBC Regional Bank, the British government in conjunction with U.S government, united nations organization on foreign payment matters has empowered my bank after much consultation and consideration to handle all foreign payments and release them to their appropriate beneficiaries.
Having received these vital payment numbers, you are instantly qualified to receive and confirm your payment with us within the next 48hrs.

Be well informed that we have verified your payment file as directed to us and your name is next on the list of our outstanding fund beneficiaries to receive their payment before the end of this first term of the year 2015. Be advised that because of too many funds beneficiaries due for payment at this first quarter of the year, you are entitled to receive the sum of Seven million Five hundred thousand United State dollars (7,500.000.00 us dollars only) as part payment of your fund.
So you are therefore advise to re-confirm the following Information for immediate payment processing.

1) Your full name:…..
2) Your full address:….
3) Your contact telephone and Fax:…..
4) Your profession:…….
5) Any valid form of your identification/driven license:…

As soon as we receive the above mentioned information, your payment will be processed and released to you without any further delay. Be also informed that You are not allowed to communicate with any other person(s) or office so as to avoid conflict of information, you are required to provide the above information for your transfer to take place through HSBC Regional Bank to your personal bank account.

We look forward to serving you better.

Yours sincerely.

First, I doubt strongly a firm with the global reach of HSBC would be using a gmail address. Email would probably come from their own site. Incidentally, I deleted the sender’s name which was shown as “johnsonmarkso99” because I’ve had a problem with WordPress not liking too many email addresses in blogs – they take it as spam and shut you down.

Next, Benin Republic. Benin seems to have become the new Nigeria for this type of scam. I’ve also received similar messages from Burkina Faso among others.

Another clue this is a shotgun style scam is that it isn’t addressed to anyone in particular.

US$7,500,000 is a nice amount to offer. Not too large as to seem suspicious, yet not small enough to make people ignore it. However, the way they showed the amount “US$7,500,000.00 usd” is not the way a legitimate banking operation would show any dollar figure.

Dummy, you forgot to change the year to 2016. If you did indeed mean “the year 2015”, you’ve been very lax in performing your duties in advising me.

Now that they’ve dangled the bait in the form of seven-and-a-half mill, they set the hook. Notice the information they ask for, especially the inclusion of a copy of some form of identification. If you were foolish enough to actually send them the requested information, you can not only kiss the 7.5 good-bye, but you’ve given them sufficient information to steal your identity. But of course since you’re one of my followers or readers, you have the smarts not to fall for this.

The fact you are advised not to tell anyone about this is to stop you from going to the authorities once they’ve stolen your name. (Damn!! Since I’m telling you, I guess I’m not getting my money. Oh well.)

There is one more thing that is glaring in its absence. They ask for all kinds of information except for the number of the bank account in which you want the money deposited. Were this legitimate, wouldn’t you think they’d need that information?

These are a few of the things to watch for the next time someone tells you they’ve got millions for you and they are all red flags.

Enjoy your weekend (unless you’re in the northeastern US, in which case, stay safe); don’t take any wooden nickels and remember to hug an artist – we need love too.

Cat

Sorry, wrong number

I received the following in my Gmail spam over the weekend:

Your Navy Account Is Under Review
Navy Federal <inft@usamail.org>

26 Jun (1 day ago)

to Recipients

Navy Federal Credit Union

Attention !!!

Our system can not verify your account and this might
leads to account suspension

please click here to resolve the problem.

*Warning*

Do not login elsewhere after you verify the account within 24 hours

There are a couple of things wrong with this message from my perspective and a couple of general red flags. First, I’m Canadian and second, have never served in the U S Navy. I did serve in the Canadian Army however if that makes a difference.

Now, the general warnings. The address “to recipients” is a prime giveaway you are dealing with spam. If it was a message specifically for you, it would bear your name. I am also suspicious of the email address of the sender. “usamail.org” sounds official, but I somehow doubt it really comes from the USPS.

The warning at the end not to log in anywhere else for 24 hours is something I’ve not seen before, but it raises concerns. Why is it necessary that I stay off the computer for 24 hours after I click on their link? Would doing so somehow mess up their trojan or whatever they’ve put on your computer?

If you receive this email, even if you are a Navy veteran, just delete it. Or if you have some concerns, use the telephone and call whoever you need to. Just don’t click on the link.

Cat.

Nice try

My email brought me the following early this afternoon:

iTunes <iTunes@websitewelcome.com>

Identity verification required

Dear Customer ,

You have received this email because our system has noticed some unusual activity under your Apple ID account.

We have taken steps to ensure nothing can be purchased until you have confirmed your identity.

Please take a moment to confirm it using the link below.
Click Here

Thanks,
Apple Customer Support
TM and copyright © 2014 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.

Sounds serious, doesn’t it? I can’t speak for you, but when I see something like this, one of the first things I do is check my credit card statement to see if there has indeed been any unusual activity involving the company telling me I’ve been cut off. Since I haven’t bought anything from iTunes in months, any purchases would show up immediately and I’d be on the phone to the credit card company. Nothing. The only purchase in the last week was the incense I bought yesterday.

This showed as being sent “to me”, which is quite common for gmail I’ve found. But there is a little arrow that allows you to see more information. Clicked on the arrow and found something very interesting. It wasn’t sent from iTunes or Apple. Oh no. Here’s what the detailed information showed me:

from: iTunes <iTunes@websitewelcome

to: gcathoward@
cc: iTunes@websitewelcome.com
date: 2 May 2014 12:05
subject: Your Apple ID Has Been Temporarily Restricted
mailed-by: subaru.websitewelcome

Since WordPress’s robots consider any posting with too many links to be spam and blocks your account (I had it happen last year) I’ve removed the extensions on the addresses, but they were both “.com” and I removed the balance of my address for the same reason.

I’m working on only my second coffee of the day so perhaps my brain isn’t fully functioning yet, but am I the only one who finds it suspicious that a message purportedly sent by iTunes is actually being sent by Subaru? I suspect that had I actually clicked on the link I would have provided Subaru with all kinds of information that would have resulted in all kinds of promotional information being sent to me.

Not that I have anything against Subaru. We had a new sedan back in 1983 and I loved it. And truth be told, I’d love to have a new WRX Sti, but that ain’t gonna happen. Besides, there’s something about a 70 year old woman flying around in Subaru’s nastiest offering that puts people off.

If you receive a similar email apparently from iTunes, before you do anything, check your credit card statement. And when you find there is nothing unusual, delete the email. DO NOT, under any circumstances, click on the link.

Enjoy your day and remember to hug an artist – we need love too.

Cat.

They’re back

On September 9, 2012, I wrote a blog about China Shenhua Energy and their “contest” in which I won a 2012 3-series BMW (value $42,505 – same as this year) and one-and-a-half million US. I keep copies of these emails and the resultant blogs just so I can refer back to them, as in this case.

Today’s spam contained another email from them. This time the extension on the sender’s name showed “ru”, which is Russia. Seems a little odd for a Chinese company wouldn’t you say? There are a few things which stand out in today’s email. They’ve upgraded to a 2013 BMW for one thing.

Amazingly, the number they ask me to quote in my reply is the exact same number they used eighteen months ago. Does that mean I’m going to get a 2012 3-series? Still in the body of the bill, they ask me to contact Doctor Francis Chen. In the previous message, they gave me a London address. This time, while it asks me to contact Dr Chen, the contact information is for Dr Fred Chang, in New Delhi, India. Sloppy editing on their part obviously.

What takes this message from being just plain annoying to hilarious is the note they’ve added to the end of the email. Here it is in its entirety: * NOTE* : If you find this mail in your spam or junk folder, it is due to the service of your internet provider. Wrong. It’s in my spam folder because that is where the gmail filter put it. It has nothing to do with my internet provider.

If you receive this email, don’t give them any information. You aren’t going to get a BMW and 1.5 million. All you’re going to get is a lot of grief because you’ve provided them with enough information for them to set up a phony identity.

The same spam also contained a message from someone purporting to be Fedex telling me they were holding a package containing a bank draft for $750,000 US and if I send them $120 they’ll send it to me. I’ll get right on that.

Not a bad haul for a quiet Wednesday. Both emails, including the value of the car, mean that I’ve picked up about 2.3 million, more if I convert it to Canadian funds, before lunch. Maybe I can conquer the world. But first, I need coffee.

Enjoy your day and remember to hug an artist – we need love too.

Cat.

Truth in scamming

 

Despite the date, no, this is not an April Fools’ joke.

I found the following in my gmail spam today:

Pedro A. Bartzen pedrob@cascavel.pr.gov.br

This is a Scammed Victims Compensation by the UN for the sum of $400,000. If you have received this mail, get back to the Payout Bank representative Mr Mark Shawn for your funds with your personal details , by sending your Names, Telephone No and Address directly with the email below,

Contact Payout Bank Email : hboaf (email address removed by me. C.)
Regards,
Pedro A. Bartzen.
(UN Announcer)

I think the first four words sum up the intent of this message quite well “This is a scam…”. If this is indeed from the UN, why is it coming from a Brazilian email address and not the UN in New York? The return email address was from one of the many you can find without much digging, in this case “qq.com” which could be anywhere in the world, or nowhere.

The message mentions the amount of $400,000 but fails to say if that would all be for me, or if it is to be shared. I’m not greedy, but it would be nice to know. I think it is also very self-effacing of Pedro to simply describe himself as “UN Announcer” rather than some grandiose title as is more common with these scams.

Dear readers, if you receive this, delete it. Do not send your names, telephone number and address to these people. If you do so, the only people getting any money from this are the people involved and the money would be yours.

Enjoy your day and remember to hug an artist – we need love too.

Cat.

The name says it all

I found the following in my spam folder this morning (gmail is doing its job):

Gareth & Catherine Bull <yamaguchi-zb@m5.gyao.ne.jp>
   
22:34 (12 hours ago)
My wife and I won the Euro Millions Lottery of £41 Million British
Pounds and we have decided to donate £1.5 million British Pounds each to
4 individuals worldwide as part of our own charity project.

To verify,please see our interview by visiting the web page below:
http://www.dailymail.co.uk/news/article-2091124/EuroMillions-winners-Gareth-Catherine-Bull-scoop-41MILLION-lotto-jackpot.html

Your email address was among the emails which were submitted to us by
the Google, Inc as a web user; if you have received our email please,
kindly send us the below details so that we can transfer your £1,500,000.00
pounds in your name or direct our bank to effect the transfer of the funds to your operational bank account in your country, congratulations.

Full Name:
Mobile No:
Age:
Country:
Send your response to (garethbul2012@hotmail.co.uk)

Best Regards,
Gareth & Catherine Bull

Notice this one didn’t contain the usual “undisclosed recipients”, just nothing for a recipient. And I didn’t think “the Google Inc” would disclose their customer lists.  Well, “the Google Inc” might, but I doubt Google would.

Also notice that even though you are asked to reply to an email address in the UK the origin was actually Japan.  Another sign it’s a scam.

And since this is a scam and I wouldn’t see a penny anyway, I’m going to bitch a bit.  They won 41 million pounds (somewhere north of $60 million Canadian) and all they’re willing to do is give me a measly 1.5 million, or about $2,250,000 Cdn.  Cheapskates.

Do not – repeat “do not” – give them any information.  Doing so will only allow them enough access they can copy your identity. Just delete the message.

Enjoy your weekend and remember to hug an artist – we need love too.

Cat.

I don’t need it

The following ad popped up on my gmail today:    Free Spell Check Toolbar – http://www.DictionaryBoss.com – Avoid Spelling Mistakes with Free Spell Checker – Download for Free!

Correct me if I’m wrong, but don’t word processing programmes such as Word and WordPerfect come with spell check built in?  I know for a fact WordPerfect does because I sometimes use it, in fact I’ve got it set for Canadian English. I got Microsoft Word Starter as part of Windows when I got this system and yes, it too has a spell check feature (I just checked).  So why would anyone need to download a spell check programme from some outside source?

My concern with this particular programme being advertised is that I probably couldn’t make use of it for I suspect it is an American programme and would constantly correct words like “colour”. As I said, I don’t need it since I don’t use the American lexicon.  Another concern is this: what did they use as a source for their spellings?

Cat.

And who are you when you’re home?

Found the following in my gmail spam this morning:

Enchance Your Regions Online Access
Regions Bank <Aerts_security@regionsbank.com>
    
10/12/2012
        
to undisclosed recipients

Dear Regions Member,

Your Regions Account was recently logged into from a computer, mobile device or other location you’ve never used before.
For your protection, we’ve temporarily locked your account until you can review this activity and make sure no one is using your account without your permission.

Did you log into your Regions Account from a new device or an unusual location?

– If this was not you, there’s no need to worry. Simply Download the attached member profile attacment and complete Regions verification form.Otherwise your account will be suspended soon.

For more information, visit our Help Center:by downloading the attachment form and click Submit .

Thanks,
Regions Security Team
Regions_Bank_Private_Login_Page_Verification_form.html (99K)

First telltale: undisclosed recipients.  This is a sure sign the message is either spam or phishing.  If it was a message intended for you, it would have your name on it, not a generic “hey you”.

“Regions Bank”.  As I said in the title, who are they when they’re at home?  Well, according to Google, Regions Bank is a legitimate enterprise with headquarters in Birmingham Alabama and branches in 16 states.  Well, that answers that.

Even with this information, I have trouble believing this is anything other than an attempt to get me to give up personal information.  For example, notice the date on this message  – 10/12/2012.  So has this been wandering aimlessly through cyberspace?  I ask because I got it on February 7, 2013, which is at least two months after it was sent or longer depending on whether they used mm/dd/yyyy or dd/mm/yyyy as the format.

The main question I have about this is “Can these people honestly expect that we would have forgotten whether or not we have an account with Regions Bank?”  Do they think we will just automatically send them the requested information because the message is from a “bank” and therefore must be legitimate?  Then again, perhaps some people don’t have any idea where they bank, although I find that hard to believe.  But then again, with things such as direct deposit and the fact there seems to be an ATM on every street corner, some people haven’t seen the inside of their bank for years.

If you get this message, just delete it.  If you do in fact deal with Regions Bank, phone your branch to ask about this, don’t just blindly assume it’s a real message and respond.

Enjoy your day and remember to hug an artist – we need love too.

Cat.

They need better writers

I found the following in my gmail spam about fifteen minutes ago:

PAYMENT ACCOUNT ALERT
IRS OFFICE <irsoffice1@globomail.com>
    
20:34 (0 minutes ago)
        
to undisclosed recipients

Internal Revenue and Deputy Commissioner for Services and Enforcement
 
 
Sir/Madam
 
This is an official advice from the Acting Commissioner of Internal Revenue and Deputy Commissioner for Services and Enforcement (Mr. Steven T. Miller). It has come to our notice that the Central Bank of Nigeria (CBN) has approved and released the sum of $1.5, 000,000.00 U.S dollars into a Bank in USA and in your name as the beneficiary by Inheritance means and as reward for default in the release of funds you are expecting from The Nigerian Government ,And the bank of Nigeria knowing full well that they do not have enough facilities to effect this payment from their Bank to your account used what we know as a Secret Diplomatic Transit Payment (S.T.D.P) to pay this fund through wire transfer.
 
But after the investigation on this fund, the attention Reaching Our Department from the Presidential Office in Abuja Nigeria Revealed that Such Transfer was made into The United States Bank as The officials handling this transfer has been Plotting on How to Divert The Funds into a Secret Account . But The UNITED STATES FINANCIAL CRIMES DIVISION (USFD) and THE FEDERAL BUREAU ON INVESTIGATION (F B I) has arrested Most of them and they are under the custody of Nigerian Authorities. The Reports Reaching Our Intelligence Department has declared that you are the original beneficiary to this amount then we have to carry out our investigation to know if they are telling us the fact because we believe that Nigerians are full of scams cheaters.
 
Now your fund is no longer in Nigeria rather its in a Bank accordingly to the Custody of the Internal Revenue and Deputy Commissioner for Services and Enforcement. You have to contact us immediately so that we Can direct you on how to receive your fund from the Bank. Now that you have been in communication with Our Office, you dont have any more problems hence the imposters in Nigeria are behind the bar but You are required to present a classified FUND ONWERSHIP PERMIT to be issued in your favor by The UNITED STATES FINANCIAL CRIMES DIVISION (USFD) so that of the Internal Revenue and Deputy Commissioner for Services and Enforcement can execute the payment order of $1.5, 000,000.00 U.S dollars to your favor.
 
You are also expected to Re-confirm This Office with the below Information Immediately; Your Full name…………..Address……………… Email address…… Country……..Telephone number………………
 
Thank you
 
Mr. Steven T. Miller 59.50.102.171
Acting Commissioner of Internal Revenue and Deputy Commissioner for Services and Enforcement

Where do I begin?  Well, beyond the obvious sign “to undisclosed recipients”, there are many telltales that this is not a legitimate message.  Another good clue is that although this purports to be from the IRS, it wasn’t sent from a US government email.

The English is quite frankly atrocious.  There is no possible way any government agency anywhere in the English speaking world would hire someone with such poor language skills.   The most honest statement, which you wouldn’t find in any legitimate correspondence, is “we believe that Nigerians are full of scams cheaters”.

If you get an email like this, laugh at it, then delete it.  If you do let your greed get the better of you and actually give them the information they seek, you’ve only yourself to blame.

Cat.

Not their jurisdiction

I’m still in the process of proofreading my friend’s manuscript, so haven’t checked my email and spam much the past two days.  Found this from yesterday sometime:

FBI OFFICE <postmaster@deneme.com>
    
10 Dec (6 days ago)
        
to undisclosed recipients

Attn please,

This message is coming to you from FBI office here, We are writing this mail to inform you that your (Inheritance winning awarded funds of $1.5million) has been totally converted into a ATM Master card and it’s to be delivered to your address via courier service, Be inform that the courier delivery company will deliver the card with all the manual and instruction both with PIN code to access the Card upon receipt. It’s the best option to receive this amount since every attempt failed, therefore you will need to contact the Barrister that helped in re-claiming the check back and converted it into an ATM visa card with his address below:

Barrister Necter Polimars
Email: barristernecter-@superposta.com
Phone: +229 98651731

Send him your current address where the check should be delivered to and remember to indicate the Reg:code of ATM-0034 to him when making contact with him. Please also choose the courier service you would like to deliver the Card Post office is also working but could take the card much time to get to you.

Please endeavor to inform us once you have received the ATM Card.

Sincere regards
Robert S. Mueller

FBI Monitoring Team Service

Once again, sign number 1 is “undisclosed recipients”.  If it was intended for me, why not just send it to me?   Where do I go next?

Well, the email address of the sender “deneme” is the same address used in the earlier phishing expedition for gmail information – see my posting “This is a fake”.

The telephone number for the “barrister” has a Benin country code, which also seems a little suspicious.  And (and perhaps one of my English readers could advise me) I thought barristers did courtroom work and this should have been from a solicitor.

Now, I know I wrote about an ATM scam a little while ago, although I’m too lazy to look it up, but that originated from some other African nation.  Since the origin and the “barrister” are located somewhere in Africa, Benin apparently, and I’m in Canada, the FBI wouldn’t have any involvement in this anyway unless they were investigating it.  Also note the message merely states “FBI office here”, without specifying where “here” is.  Hell, we have FBI agents at the US Consulate in Toronto (special assignment dealing with gun smuggling).

If you receive this email just delete it.  If the FBI really wants you, they’ll come and get you – same as the RCMP would in Canada – so don’t worry.  It’s just someone trying to steal your identity.

Cat.
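
Several of the telltales in these posts (a big-name sender using an unrelated mail domain, no named recipient, a reply address somewhere other than the sending address, and a request for personal details) can be checked mechanically. The sketch below is an added example and not part of the original posts; the brand-to-domain table and the flag names are assumptions, and the sample messages are constructed from the emails quoted above.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: illustrative brand -> sending-domain table; maintain your own.
BRAND_DOMAINS = {"hsbc": {"hsbc.com"}, "itunes": {"apple.com"},
                 "irs": {"irs.gov"}, "fbi": {"fbi.gov"}}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
PII_RE = re.compile(r"full name|telephone|mobile no|address|identification", re.I)

def text_body(msg):
    """Join the text/plain parts (assumes they are not base64/QP encoded)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def in_domains(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def telltales(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = text_body(msg)
    flags = []
    # 1. Display name or subject claims a brand, sender domain is not the brand's.
    claimed = f"{name} {msg.get('Subject', '')}"
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", claimed, re.I) and not in_domains(sender_domain, allowed):
            flags.append("brand-domain-mismatch")
            break
    # 2. "undisclosed recipients" or no To: header at all.
    named = [a for _, a in getaddresses(msg.get_all("To", [])) if "@" in a]
    if not named:
        flags.append("no-named-recipient")
    # 3. Body tells you to reply to an address on a different domain.
    if any(d.lower() != sender_domain for d in EMAIL_RE.findall(body)):
        flags.append("reply-address-elsewhere")
    # 4. Body asks for two or more kinds of personal details.
    if len({m.lower() for m in PII_RE.findall(body)}) >= 2:
        flags.append("asks-for-personal-details")
    return flags

# Constructed samples, based on the messages quoted in the posts above.
IRS = """\
From: IRS OFFICE <irsoffice1@globomail.com>
To: undisclosed recipients
Subject: PAYMENT ACCOUNT ALERT

Re-confirm This Office with the below Information Immediately;
Your Full name, Address, Email address, Country, Telephone number
"""
LOTTERY = """\
From: Gareth & Catherine Bull <yamaguchi-zb@m5.gyao.ne.jp>

kindly send us the below details
Full Name: Mobile No: Age: Country:
Send your response to (garethbul2012@hotmail.co.uk)
"""
CONTROL = """\
From: Alice Example <alice@example.org>
To: bob@example.org
Subject: Lunch

Friday at noon? Reply to alice@example.org if that works.
"""

if __name__ == "__main__":
    for label, raw in (("IRS", IRS), ("LOTTERY", LOTTERY), ("CONTROL", CONTROL)):
        print(label, telltales(raw))
```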