The anatomy of a scam email message

Scamming people has never been easier. Currently, one of the more successful methods used by cybercriminals is fraudulent email messages. Let's see if we can change that.

---------------------------------------------------------------------------------------

Lately, my spam filter has been bombarded with different scam and phishing email. Seeing that some were pretty sophisticated, I thought it best to share my research. That way if one slips by your spam filter, you will still recognize the signs of a con in the making.

Scam 1: You have won

In a recent article, I interviewed security consultant Shellee Hale. She mentioned that one successful social-engineering technique is to offer prizes or a reward. I have to agree, being told you are a winner is enticing. That 600,000 pounds would have been nice:

This particular approach may seem fairly common. What makes it unique is that you do not have to enter. That has always been a problem for scammers: how can you win if you did not enter? Either way, be suspicious. Also, notice the email was sent from the att.net domain, which is typically reserved for customers of AT&T, the ISP. That's another hint that something is wrong.

The next part of the email shows what the cybercriminals are really after: personal information that can be sold on the Internet black market:

After reading that part of the email, all sorts of alarms should be going off. No honest business or financial institution will ask you to send personal information via email.

Scam 2: I didn't send that

Security pundits warn that social-networking sites like Facebook and Twitter are ripe for exploiting. Why? Their popularity and members' willingness to share personal information. Just today, an investor who's also on Facebook's board of directors had his account compromised -- ouch.

Another example is the following email supposedly from Twitter:

On the surface, the email looks real enough. Even the Twitter Support link near the bottom is legitimate. So more than likely, users will not be on the defensive; they will just want to fix the problem.

The full URL is the nasty bit. Clicking on it sends you to a website whose sole purpose is to download malware onto your computer: possibly scareware that completely hijacks the computer, or maybe a key logger that sits quietly in the background stealing all your personal information.

Sadly, this type of scam email has a high success rate. Fortunately for me, Red Condor, my spam filter service, checks email addresses and found that "engineer at twitter.com" is not legitimate:

The email actually came from "j??????n@icd.????????.com", which you can see is a valid address, but definitely not one associated with Twitter:

Something else I wanted to mention: I have received the same email from many different senders. That usually means compromised computers belonging to a botnet are being used to propagate this particular malicious email.

Cybercriminals do this for two reasons. They can send an inordinate amount of email without the owner of any one compromised computer becoming suspicious, and it also prevents security analysts from backtracking to the attackers.

Scam 3: Your mailbox is full

The following scam email uses a different twist. It's quite effective, since nobody wants to lose email:

From: System Administrator <removed>

Reply-to: System Administrator <removed>

To:

Date: Sat, May 1, 2010 at 6:20 AM

Subject: Final Warning!

Your mailbox has exceeded the storage limit which is 20GB as set by your Administrator. You are currently running on 20.9GB, you may not be able to send or receive new mail until you re-validate your mailbox. To re-validate your mailbox please click the link below:

http://(removed)

If the link above don't work please copy and paste the link to your browser window.

Thanks

System Administrator

There are several clues that should raise alarms:

  • One or two prior warnings are normal procedure; they give the user a chance to clean out the mailbox.
  • The storage limit mentioned in the email was not the same as the size provided by the email account.
  • This is supposed to be an automated message. The bad grammar ("the link above don't work") should make anyone suspicious.

If users happen to click on the link advertised in this email, they are sent to a compromised website, where once again any number of malicious applications could be downloaded and installed.
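The tells described for scams 2 and 3 (a display name claiming a domain the real address does not live at, a Reply-To that differs from the apparent sender, and link text naming a host other than the one the link actually visits) can be checked mechanically before anyone clicks. The following triage script is an added example, not the article's or Red Condor's code; the message it inspects is constructed for the example, and all of its addresses and hosts are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

DOMAIN_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)   # something that looks like a domain
HOST_RE = re.compile(r"^https?://([^/:\s]+)", re.I)                     # host part of an http(s) URL
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr):
    """Domain part of an email address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def host_of(url):
    """Host part of an http(s) URL, lower-cased; empty for anything else."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""

def phishing_signals(raw):
    """Return the warnings found in one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    # Scam 2 pattern: the display name names a domain the address is not at
    for claimed in DOMAIN_RE.findall(name):
        if claimed.lower() != from_dom and not from_dom.endswith("." + claimed.lower()):
            warnings.append(f"display name claims {claimed} but sender is at {from_dom}")
    # Scam 3 pattern: replies are steered somewhere other than the apparent sender
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # The hover-the-link check: visible text names one host, href goes to another
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, text in ANCHOR_RE.findall(html_part.get_content()):
            m = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
            shown, target = (m.group(0).lower() if m else ""), host_of(href)
            if shown and target and shown != target:
                warnings.append(f"link text shows {shown} but points to {target}")
    return warnings

# Constructed sample combining the scam 2 and scam 3 tells; every name is a placeholder
SAMPLE = """From: engineer at twitter.com <jsomeone@icd.example.com>
Reply-To: System Administrator <validate@mail-revalidate.example.net>
To: you@example.org
Subject: Final Warning!
Content-Type: text/html

<p>To re-validate your mailbox click <a href="http://login.example.net/x">twitter.com/support</a></p>
"""
```

Calling `phishing_signals(SAMPLE)` returns three warnings, one per tell; a plain message from a consistent sender with no Reply-To and no links returns an empty list.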

There is help

If you ask the experts, skepticism is still the best way to combat email scams. If that's less than comforting, you will be glad to know there are organizations out there that offer help. The Anti-Phishing Working Group (APWG) is one example:

APWG is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.

One page on their website is especially useful. It explains, in understandable terms, what people should be watching out for. I make sure to send that link to anyone concerned about phishing scams.

Another useful website is millersmiles.co.uk. The people at MillerSmiles share APWG's enthusiasm about wanting to eliminate phishing and email scams:

"MillerSmiles stands out as the prime international source of information about spoof emails and phishing scams, with a vast library of real examples including details and images of the emails themselves and related bogus web content."

It is MillerSmiles' searchable database of existing phishing schemes that's unique. Users can check questionable email messages by entering any of the following: subject, content, apparent sender, or Web URL:

Final thoughts

Until taking advantage of people stops being a problem, we need to be aware of the latest scam techniques. I offered a few examples that I recently encountered. I would appreciate learning about your encounters with scam and phishing email messages.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

62 comments
tom_housden2k8

Now I know about apelord, I'm very grateful! Apelord is a header analysis tool. I use Thunderbird as my email program, but you'll be able to view the source from any. While the message is selected, click on View Source, go to http://headertool.apelord.com/ copy and paste the source into the box, and it will tell you the ip addresses used, and the country the email originated from.

bboyd

Give us 4 minutes, we'll give you a 4GB USB. Wanted to check it out further, but don't care enough to make my computer a honeypot.

XnavyDK

I get emails that appear to be from our email provider saying that their email settings have changed and that I have to click a link that leads to a web site that sells viagra...

Tommy S.

Seriously, who really falls for that crap? They have been around since the late 90s and they are as laughable as they were back then. Let's take the whole loveletter debacle; I'd say it's analogous to natural selection. If you fell for a loveletter.zip.exe, you deserved it.

webhostingruchi

Yes, it is right. I also receive that kind of mail so many times. Thanks.

jkameleon

If your company email address is hey.you@your.employer.com, the sender address is spoofed to admin@your.employer.com.

From: admin@your.employer.com
Subject: Your new security settings
Body: Please double-click the attached file to update your security settings. Regards, your friendly sysadmin.
Attachment: settings.exe

Michael Jay

And just got a TR peer mail from Michael Kassner, since I am in the bunker thought I would just respond, then something did not look quite right, perhaps wrong, so I did not respond to the message rather peer mailed you Michael. Let me know if it is really you as I don't have access to all my contacts from the bunker. Perhaps just being overcautious, but better to make sure.

AnsuGisalas

That one takes advantage of the fear of stuff being lost. Of course it's still dependent on an attachment or link, but I'm glad I haven't been getting these while waiting for overdue parcels, it wouldn't be a nice situation.

d.w.w.

I've been seeing more and more of scam 3. My other job is help desk/night time support at a community college, and we get calls regarding issues like this. We also had a bad outbreak due to a bogus link(s) on Facebook. I've always told people not to open links like that. Due to that outbreak, the college was blacklisted, but luckily we aren't any more.

mcbinder

Funniest one I ever saw was: "My guys have been watching you for a week now and we have your routine. There is a contract out for a hit on you and since it's just money I want, I figured if you gave me more than the contract, I'll tell my guys to leave." Then how to pay, etc. Like this: http://urbanlegends.about.com/library/bl_hit_man_scam.htm mcb

wizard57m-cnet

I've been seeing a variant of Number 3, in the subject line it reads something like "New settings file for someuser@somehost.net". The recipient is not the same as "someuser@somehost.net", and there is an attached executable. The body of the message urges the recipient to "double click" the EXE to install the new settings, along with dire warnings of loss of the email services if they fail to "update" their settings. The tip-off is of course the recipient is not the same as the email address in the subject line, and the email has usually been sent to a long string of similar email addresses at that domain. "Do not double click on files without scanning for infections!" If there are still questions about your email, I urge people to contact their provider's help desk directly rather than via email, if possible.

Michael Kassner

Glad that you liked it. I hope it will be of some help.

Michael Kassner

I would not trust it either. Removing malware would probably cost more in time and money than a 4 GB flash drive.

JCitizen

for some time. The heck of it is, I can't even trust what is in the header of an Office Outlook email. The whole damn thing is bogus!! It is no wonder so much gets through! I only use one server based email account, and Avast has been the best parser of junk, I have even found! It makes reading that email, SO MUCH EASIER!! I only look through the junk to find mistakes, and that is all! Most of my email is double filtered before then, by Postini and My.Mail. I still get a lot through, even then!

Michael Kassner

That users have varying experience levels. The less-experienced need our help.

AnsuGisalas

One more zombie for the botnets every minute is everybody's problem.

Michael Kassner

Are you referring to? Just curious to see the ones that are active right now.

Michael Kassner

Do .exe files get through? My provider drops those immediately.

jkameleon

From: mycompany.com.support[myemail@mycompany.com]
To: Yours Truly
Subject: Setting for your mailbox myemail@mycompany.com are changed
Message: SMTP and POP3 servers for myemail@mycompany.com mailbox are changed. Please carefully read the attached instructions before updating settings. http://felixss.googlegroups.com/web/setup.zip

Don't worry about the link, Google already took it down.

Michael Kassner

Michael, yet I would not know how it would be spoofed. I had better change my password. Thanks for the information.

Michael Kassner

I was fortunate enough to have the tracking number, and I called UPS.

Michael Kassner

It seems that the third scam is more popular than I thought.

bboyd

Don't use attached files unless you're expecting the file from that source, and even then scan it. And god forbid a zero day or unique exploit. Compromised systems can be used to tailor attacks on friends by using sent info and file names to craft an email to get them to spread the intrusion. I try to get all my friends and family to not use HTML mail and shortened links. Like pulling teeth.

Datacommguy

Some (probably most) of my users don't have - or even know about - some of the tools you mentioned. They usually do have an anti-virus program. And they can usually see the poor language skills in so many of the bogus offers. But one trick I've tried hard to teach them all is to roll the cursor over the link that's supposed to be used to claim your 'reward' or respond to the request from what sometimes looks like a legit logo and company. Likely as not, what you see will not be what is displayed for you to click on. And of course, if it seems too good to be true.....

vtassone

Have you won the Micro$oft lottery? Great !! Respond back to them from a throw away mail box. I've kept some of these @holes going for up to a year. I waste their time and internet cafe money so they don't have the time to rip off little old ladies. Go to forum.419eater.com for more info and some really funny stories ;-)

spawnywhippet

I think there is a point at which a user's action crosses the border from 'inexperienced' to 'plain stupidity'. Filling out and sending off your personal details in a reply to an overseas, badly-worded, grammatically incorrect 'lottery win notice' is just dumb and has nothing to do with lack of computer experience. People need to re-learn how to think for themselves and take responsibility for their own actions - the compensation culture is making everyone a victim

JCitizen

and legitimate pictures/video through web based email. I can certainly see why it would be weird for anything to survive from attackers. It seems there is always a well meaning server from AT&T, or Yahoo!, or some such provider who strips legitimate email of all characteristics, even when it is a legit forward, or originating email. But then I insist on using HTML email, because my clients do; so it is food for the honeypot lab.

jkameleon

Emails with .exe attachments are quarantined, and the recipient is notified by email. That's how I've learned about that trick in the first place. Normally, I don't delve into my Spam folder. There are two reasons for this:

  • Sometimes we receive executable files from legitimate sources, for example our software vendors, or hotfixes from Microsoft.
  • Had emails with .exe attachments been sent to the Spam folder unaltered, somebody could still run that .exe.

JCitizen

but I'd call my ISP anyway. I can see how a lot of people would fall for that one!! Even smart people.

JCitizen

from the past to believe that one. But I would still contact the FBI, and local law enforcement anyway. For one thing no one would pay money to kill me anyway, but they would have to put two and two together that I am who I say I am online. Even for someone trying to pick up my trail from yesteryear, they couldn't find me with my present online persona. They would have to know more about me than my blood brother to figure that out.

Michael Kassner

That a .exe file got through. Most email apps drop them right away.

JCitizen

Sounds like some of the stuff I used to do to snail mail junk senders! HA!

JCitizen

on that thread. I thought you and two others had the right ideas. One poster actually had a link to the solution! It seems it used the very ideas you all alluded to! I really think the problem can be solved to everyone's satisfaction. I just don't know if they want to pay the costs. However - in the very expensive area of prison funding, this one may have a very good ROI, if you catch my drift.

AnsuGisalas

I guess my phased array idea is too costly... would probably rock though.

JCitizen

environment as I've done for personal use, is Comodo firewall with sandboxing, and Avast's virtualization for untrusted apps/exe files. I've never really ventured into the virtualization field. I will probably start with a Linux distro and use virtual Windows and/or apps from there. That is, providing Linux doesn't have something better to use for totally replacing the same capability.

AnsuGisalas

In that, in the end, the amount of hardware/software is not as relevant as the defendability of the position. So, "terrain" security provided by the CPU or PortAuthority or OS trumps "indoors/gadget" security like apps. Virtualization has a huge advantage there, if it's done right.

JCitizen

I do have occasional access to FLIR technology, but I let my brother do the improvements, I just supply the weapons! ]:) An M63 mount does wonders for the low flying variety of target: http://www.tnwfirearms.com/guns_m2hb.shtml That is just one of my old suppliers. Infra-red rockets are a lot of fun to play with, when I can get the chance. :)

AnsuGisalas

You got thermal imaging too? If you add an Armbrust you should be pretty much covered. Starstreak for aerial targets. These days you have to look out for aerial drones too... badly. I think a laser detection device could be handy, then if they use a laser ranging device, it gives them away.

AnsuGisalas

I guess one of these is just a ringer then... er... look, elephant!

JCitizen

And I only have old photos that are barely identifiable of me online. And then, only wearing sunglasses. And there are only two of them. And besides, anyone surveilling me would be taking his/her life down a risky path. I have camera surveillance in my haunts, and I'm pretty good with an M40 7.62mm sniper rifle. Woe be to him that makes me crank up my .50 cal HBMG!!

AnsuGisalas

...if it contains clandestine photos of the recipient taken recently.

AnsuGisalas

I didn't ask, but I informed them why I was anxious to open it, and asked for confirmation from them that it was legit. If it turns out to be a repeating mistake I'll make sure they understand.

Michael Kassner

The sender what happened? Was it a rename/save and they forgot that Word automatically attaches the .doc?

AnsuGisalas

I went straight to the spam folder of course. I was worried for a while about that one, but since it was potentially work-related I eventually scanned and opened it. It was ok, but the project was cancelled because nobody else apparently dared check it before acceptance deadline, so some other house got it.