Never “Verify Your Email.”

No email service will send you a message asking you to provide your address and password, or other financial data. They just won’t.

yahoo

This email is bogus. Note the red circle next to the “click to validate” link – that’s a warning from WOT (Web of Trust) that indicates the website is not to be trusted.

If you’re foolish enough to click the link, which goes to http://bookinghh.myfreesitehost.com/smluptt/wadohjom.htm (NOT a Yahoo website), you’ll get this:

Yahoo2

If you fill out this information, scammers now have access to your email account, and they will use it to steal information or send out criminal spam.

Never do this. Be careful out there.

The Old Wolf has spoken.

PayPal Scam: Your account has been limited.

I’ve mentioned phishing scams before, in a number of places. This email arrived yesterday:

phishing

Note the red flags on this one:

  1. A sender’s address that is not “Paypal.com”
  2. Poor formatting
  3. Incomplete text

The attachment they mention gives you this:

Phishing2

If you are foolish enough to provide this information, it will be sent not to PayPal but to http://162.213.154.42/~oilreol/service.php:

NetRange 162.213.152.0 – 162.213.155.255
CIDR 162.213.152.0/22
NetName FUC-US-2001
NetHandle NET-162-213-152-0-1
Parent NET162 (NET-162-0-0-0-0)
NetType Direct Allocation
OriginAS AS26272
Organization FortaTrust USA Corporation (FUC-9)
RegDate 2013-06-10
Updated 2013-12-17
Ref http://whois.arin.net/rest/net/NET-162-213-152-0-1
OrgName FortaTrust USA Corporation
OrgId FUC-9
Address 3701 NW 82 Ave.
City Doral
StateProv FL
PostalCode 33166
Country US
RegDate 2012-03-08
Updated 2014-07-02
Ref http://whois.arin.net/rest/org/FUC-9
OrgAbuseHandle IPADM602-ARIN
OrgAbuseName IP Admin
OrgAbusePhone +1-305-898-0033
OrgAbuseEmail ipadmin@fortatrust.com
OrgAbuseRef http://whois.arin.net/rest/poc/IPADM602-ARIN
OrgNOCHandle IPADM602-ARIN
OrgNOCName IP Admin
OrgNOCPhone +1-305-898-0033
OrgNOCEmail ipadmin@fortatrust.com
OrgNOCRef http://whois.arin.net/rest/poc/IPADM602-ARIN
OrgTechHandle IPADM602-ARIN
OrgTechName IP Admin
OrgTechPhone +1-305-898-0033
OrgTechEmail ipadmin@fortatrust.com
OrgTechRef http://whois.arin.net/rest/poc/IPADM602-ARIN

This information does not mean that FortaTrust itself is necessarily behind the phishing attempt, but someone could be using their servers in spurious ways.

Whatever the case, be careful out there. PayPal and other legitimate financial institutions will never ask you for sensitive financial data by email.

The Old Wolf has spoken.

Phishing: Watch those URLs

Today in my Yahoo! mail account:

Yahoo

If you click that “Sign In” link, you get taken to

http://www.oficinadentalpr.com/includes/drpbx/db/obfuscated.php

which is apparently a dental office in Brazil. (I tried contacting them to let them know that their website had been compromised, but their contact page seems to be malfunctioning.)

Edit: As of today, the entire “Oficina Dental” account has been suspended. Either they got infected and their ISP suspended them on general principles, or the whole page was a sleazy front for this scam operation. We’ll never know.

At any rate, this is what you get:

Yahoo2

Which leads you to the regular “Enter your critical personal information and credit card and bank data” page.

The ongoing lesson: Don’t click embedded links in emails. Just don’t.

The Old Wolf has spoken.

An especially convincing Phishing scam

Here’s the email that came to me yesterday:

Image1

  1. Notice that it appears to come from “Paypal.com.” However, the original sender was 23.249.163.109 (if even that’s not spoofed), which is in Buffalo, NY, rather than PayPal’s headquarters, which is in California.
  2. Second, the message is an image rather than text. That’s a red flag right there. The images link back to:

These are definitely nothing linked to PayPal. So we know even without any further examination that we are dealing with a phishing scam.

The image itself, if you click on it, will lead you to a long URL which actually contains the email address that their phishing email was sent to. If you click on these links, they know who you are.

http://redirect.paypal.com.0.session…..=MyEmailAddress@comcast.net

Image2

So notice that when you get to the phishing website, they already have your email address. This is what makes the scam more credible – they’re not asking for your PayPal ID, because they are counting on the fact that you use your same email address as your PayPal address, and they already have that.

If you foolishly enter your password, the first thing you’ll see is this bit of misdirection:

Image3

But that’s just a clever bit of misdirection. So you try again, and this is what you get next:

Image4

Which soon passes to:

Image5

And off to the races we go.

REMEMBER: Banks or PayPal or other financial institutions will NEVER ask you to verify information like this via email. All such requests are SCAMS.

When I check out websites like this (don’t try this at home – you could also be picking up a lot of malware if you’re not properly protected), I usually enter really insulting phrases for names, cities, and so forth. It’s a small thing, but it’s really the only way I can get under the skins of these criminals.

Image6

That billing address is nothing I would ever want to repeat in polite company – but notice that the scammers are trying to make their victim think they already have a credit card on file, and you’re just supposed to verify it.

Image7

So again I give them some bogus information that could never be used as a real card or be used to hurt anyone else.

Image8

The last screen will redirect the victim, once they have handed over their sensitive information to thieves, to the real PayPal website. Notice however – nothing else on the page works. All the other links are non-existent.

This scam is well-contrived enough that I fear any number of people will be taken in.

The most important thing to remember is that, as I said before, PayPal will NEVER ask you to give up sensitive financial information like this through an email message.

Be careful out there, and protect your loved ones.

The Old Wolf has spoken.

Phishing in the Yahoo! Pond

Just received:

Mail Blocked

Email Service

Today at 8:05 PM

To: me

Not from Chase: Watch the URLs

scam-alerts2

It goes without saying that this email is NOT from Chase.


From: chase.online2@verizon.net
Subject: Chase Online Important Alert : Action Required

To: Undisclosed recipients: ;

Chase Online Logo

We’ve Updated Our Online Access Statement

Dear Customer:

Technical se rv ices of the Chase online  are carrying out a planned statement upgrade. We earnestly ask you to visit the following link to start the procedure of confirmation on customers data.

To get started, please click the link below:

please visit our secure server web form by Click here to get started

Sincerely

Customer Service
©2015 JPMorgan Chase & Co.

1) First red flag: To “Undisclosed Recipients.” If you’re getting an email from your bank, it will be addressed to you and not to everyone in the world.

2) Next red flag: Nigerian English:

  • Technical se rv ices of the Chase online
  • “We earnestly ask you to visit”
  • Start the procedure of confirmation on customers data

Nobody at Chase ever wrote such a bad email. If it sounds wrong, it is wrong.

3) Next red flag: Banks will never ask you to divulge confidential information on the internet. They just won’t.

4) Most importantly, look where you go when you click the link:

http://schlatterhof.ch/junk/Capt/index.htm (I broke the link so you can’t accidentally go to the fraudulent website.)

That is a lot different from the real URL you should be seeing when you go to Chase:

https://chaseonline.chase.com/

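A bank should always have an “https” URL, which indicates secure data transmission, though “https” by itself only means the connection is encrypted, not that the site is who it claims to be. These turdcaskets didn’t even try to make the web address look like something from Chase.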

Be aware. Be Careful. Practice safe computing.

The Old Wolf has spoken.

Phishing: My Yahoo Account has “expired.”

Phishing, as I have mentioned numerous times elsewhere, is rampant. In a world with over 7 billion people, it’s hard to say how many electronic bad guys there are out there, but even if it’s a relatively small number, the nature of the web gives the bad actors a lot more access to a global pool of potential victims than your average con-man enjoyed in pre-internet days.

This email arrived this morning:

yahoo1

Two things:

  1. YahooMail is always free. There’s a no-ad service you can pay for, but the drones are counting on the fact that grandma or grandpa (or any other potential sucker) won’t know that.
    A significant portion of internet users are terribly un-technical, and find computers are to be feared; if they use them at all, it’s on a cookbook level. “If you see it on the internet, it has to be true” is sadly a part of far too many people’s psyches, hence many people get taken advantage of in myriad ways.
  2. See that little yellow circle by the link? If you hover over it with your mouse, you’ll get a popup indicating how any particular website has been rated by users for trustworthiness and child safety.
    Yahoo2
    That’s a function of a browser extension called “WOT” (Web of Trust) that I have mentioned elsewhere. It’s invaluable for stopping problems before they start. The circles displayed are green, yellow, or red, and you can follow the “Click to view details” link for more information, user reviews, or to rate a site yourself if you have a (free) account.
    It’s not perfect by any means – WOT can be subject to shill reviews and malicious comments from unethical competitors and the like, but like anything else on the internet, it’s part of a body of evidence and I find it extremely useful as a canary in the mine. In this case, the domain “twomini.com” is rated very poorly on both counts, with the one user-posted review stating “Domainhoster hosting sites used for fraud, scam and Accountphishing.” Which is certainly true in this case.

If you hover over the “go here” link, your browser indicates that you are being directed to “http://bit.ly/10VyM2I” which is most definitely NOT a Yahoo address. It’s a shortened link which expands to:

DrudgeSirenSmall http://infoskale.twomini.com/obyno/Connect%26True%3DUser1%25%3DXclusiv-3D%23Anonymous7Dole%3DReason%26Upgrade1%25continue%25True4.php DrudgeSirenSmall

Web addresses like that are not necessarily bad in and of themselves, but they are not what you would expect to see when you visit a major site like Yahoo, or Comcast, or your financial institution. Those little drudge lights up there point out that this kind of URL is a red flag for suspicious activity, and to proceed with extreme caution.

If the victim unwisely clicks on the link, they get this:

Yahoo3

which quickly redirects to this:

Yahoo4

If you try to “log in” from this screen, your account information is sent to Russia or the Ukraine or Nigeria or somewhere else, and the bad boys now have access to all your email, as well as an account to send out spamvertising or other scams with, and they do so on a regular basis. The victim is then sent back to the regular Yahoo Mail website, and continues on their merry way none the wiser.

indiana_jones_grail_knight-you-have-chosen-poorly

I logged in several times with user names like “ScammersEatCamelDung”, just to make sure they got the message. Of course, it’s possible that responses are simply harvested into a login script that will never be seen, but what the heck; I’ll take any opportunity to insult one of these wastes of human cytoplasm.

Please be careful out there, and for the love of Ella Wheeler Wilcox and the music of the spheres, protect your loved ones. If you have people you care about who use the computer and who are not tech-savvy, educate them on how to protect themselves from scammers.

We demand that people get licenses to drive a car; it’s a shame no basic training is required before venturing into the potentially-scary world of the internet.

The Old Wolf has spoken.

Your Bank of America Account is Under Review. Right.

Well, since I don’t have one, that would be a Neat Trick. But here’s the email:


From: Bank Of America <dugginp@pitt.k12.nc.us>
Date:12/08/2014 1:39 PM (GMT-07:00)
To:
Subject: Your Bank Of America Account is under review

Your Bank Of America Account is under review

Bank Of America is reviewing some costumers account for possible Fraudulent & unpaid bills. The balance for your checking & saving account has reached reviewable level (uncharged & un-deducted billing).This information is accurate as of 5/12//2014 03:44:12 CST. You are required to, sign on and verify  your account informations.If you have questions, Bank Of America Online Customer Service is available 24 hours a day, 7 days a week. Sign on to send a secure email.    bankofamerica.com | Fraud Information Center

Suffice it to say this is a phishing email of the worst kind. The embedded “sign on” links take you to this link (obfuscated):

http://conwaycentralbaptist.org/blah-blah-blah/.safe.ssl-comfirmed-onlinebankingofamerica.com/index.html

In case you needed an additional hint, this is not a Bank of America website.
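The URL checks these posts keep coming back to (an IP address instead of a name, a host that is not the brand's domain, a brand name buried in a foreign hostname or in the path, a shortener, the recipient's address riding along in the link) can be written down as one triage function. This is an added example, not part of the original posts; the flag names and the shortener list are illustrative assumptions, and the last sample URL is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}   # small illustrative set
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
DOMAIN_DIR_RE = re.compile(r"[a-z0-9-]+\.(com|net|org)$", re.I)

def triage_link(href, expected_domain):
    """Red flags for a link in mail that claims to come from expected_domain."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    brand = expected_domain.split(".")[0]           # "chase" from "chase.com"
    flags = set()
    if parts.scheme != "https":
        flags.add("not-https")                      # https alone proves nothing, though
    try:
        ipaddress.ip_address(host)
        flags.add("ip-literal-host")
    except ValueError:
        pass
    if host != expected_domain and not host.endswith("." + expected_domain):
        flags.add("host-not-brand-domain")
        if brand in host.split("."):                # paypal.com.0.session.<other domain>
            flags.add("brand-label-in-foreign-host")
    if host in SHORTENERS:
        flags.add("shortener-hides-destination")
    dirs = parts.path.split("/")[1:-1]              # directories, not the file name
    if any(DOMAIN_DIR_RE.search(d) for d in dirs):
        flags.add("domain-name-in-path")
    if EMAIL_RE.search(unquote(parts.query)):       # link is tagged with the recipient
        flags.add("recipient-email-in-url")
    return sorted(flags)

# URLs quoted in the posts above, except the last, which is constructed
# (example.net / example.org) to mimic the truncated "redirect.paypal.com.0.session" link.
SAMPLES = [
    ("http://162.213.154.42/~oilreol/service.php", "paypal.com"),
    ("http://schlatterhof.ch/junk/Capt/index.htm", "chase.com"),
    ("https://chaseonline.chase.com/", "chase.com"),
    ("http://bit.ly/10VyM2I", "yahoo.com"),
    ("http://conwaycentralbaptist.org/blah-blah-blah/"
     ".safe.ssl-comfirmed-onlinebankingofamerica.com/index.html", "bankofamerica.com"),
    ("http://redirect.paypal.com.0.session.example.net/login?email=user%40example.org",
     "paypal.com"),
]

if __name__ == "__main__":
    for url, domain in SAMPLES:
        print(url, "->", triage_link(url, domain))
```

An empty list only means none of these particular checks fired; it is not a verdict that the link is safe.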

Conway Central Baptist Church will probably not be pleased that someone has infiltrated their servers and is using them to host phishing data; they have been informed.

But the website looks like this:

bank

They want all sorts of information from you, including “Father’s Maiden Name” and “Father’s Middles Name.” If those aren’t screaming red flags, I don’t know what would be.

So many scumbags out there want your identity, your financial information, and your money, and they would sell their own mothers to get it.

Be careful out there.

The Old Wolf has spoken.

Why you *never* click embedded links in your email

Scam

See that link to “Capital One” there in the body of the email? It will actually take you to an entirely different website that just looks like it’s from Capital One.

Scam2

Congratulations, you’ve just handed the key to your bank account and your email account to thieves, probably in Eastern Europe or Africa.

One would think people would understand this by now, but there are a lot of folks who use computers who really don’t get below the level of Lolcats or Pinterest, and they need to be protected. Phishing scams are still rampant because phishing scams are still profitable. Far too many people are duped by websites like the one above, and happily hand over their information to criminals either online or via telephone.

2012-02-24-ScamArtist

If you are just learning about computers, this is Rule Number One about emails:

NEVER CLICK ON EMBEDDED LINKS IN AN EMAIL – ALWAYS TYPE THE WEB ADDRESS DIRECTLY INTO YOUR URL BAR.

I can’t emphasize that enough.

Not only are you at risk of losing your money or your identity, but you could seriously damage your computer files, for example, if you carelessly open an attachment which contains evil software like Cryptolocker.

If you are computer-savvy and have loved ones who are not, or who might be vulnerable to this sort of thing, please educate them and watch over them.

Be careful out there.

The Old Wolf has spoken.

A repetitive Phishing Scam: Apple ID

Your Apple ID was just used to purchase TuneIn Radio Pro $3.99 Your receipt No.226816512

Your Apple ID was just used to purchase TuneIn Radio Pro from the App Store on a computer or device that had not previously been associated with that Apple ID. You may also be receiving this email if you reset your password since your last purchase.

This purchase was initiated from Spain.

If you made this purchase, you can disregard this email. It was only sent to alert you in case you did not make the purchase yourself.

If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

Regards,
Apple

TM and Copyright ı 2013 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014, USA.

All rights reserved | Keep Informed


Naturally, this message is not from Apple. iforgot.apple.com is a valid Apple page, but the link redirected to a bogus site which was almost instantly deleted, and would have gathered your personal and financial data.

I’ve seen this one appear several times in my email box, so it’s an active fraud; please be careful out there.

The Old Wolf has spoken.