Old school email frauds that still work
by Rich Sutton, February 27th, 2008
As the average Internet user wises up to the classic fraudster angles, criminals have to move to new targets. People are getting better at recognizing emails phishing for their Bank of America online banking credentials. We’ve all seen 419 scams in our inboxes, which ask you to front money for a bigger payout down the line (aka “advance fee fraud”).
As a result, the bad guys have had to turn their attention to new targets. In 2007, we saw attacks looking to get at employers’ Monster.com accounts, individuals’ MySpace and Facebook contacts as well as Salesforce credentials. There has also been a rise in classic phishing emails targeting smaller banks or banks in emerging economies, where the average end user isn’t as experienced at dealing with phish.
But in our hurry to stay on top of the latest trends, we can sometimes lose sight of the tried-and-true fraud techniques that still work.
And sometimes it’s easier to be fooled when the threat is directed at our employers.
I recently had the following two emails forwarded to me. Folks were asking: are these for real?
Cyber-squatting fraud
Cyber-squatting fraud has been around for a long time, but isn’t as widely known outside of the webmaster world. It preys on the fear of domain squatting on a company’s brand.
Here’s an email that demonstrates this type of scam:
—–Original Message—–
To: support
Subject: Company X for domain name

Dear Company X:
We are Shanghai Huibai Internet Service Co., Ltd, which is the domain name register center in China.I have something need to confirm with you.
We have received an application formally,one company named “Wansheng (China) Venture Capital Co.,Ltd” applies for the domain names(www.companyx.hk www.companyx.tw etc.) ,and the Internet keyword(companyx) on the internet Februrary 22, 2008. We need to know the opinion of your company because the domain names and keyword may relate to the copyright of brand name on internet.
we would like to get the affirmation of your company,please contact us by telephone or email as soon as possible.
So this guy is saying that some company in China is trying to register “www.companyx.hk” and “www.companyx.tw”, presumably for the sole purpose of domain squatting, and he’s generously giving the mark the chance to head it off at the pass (for a fee, of course).
A little research sheds light on this scam:
The IANA, the Internet Assigned Numbers Authority, maintains a list of the organizations to which management of country-code top-level domains (like .tw and .hk) has been delegated. The organization in charge of Taiwan (.tw) is the Taiwan Network Information Center (TWNIC), which publishes an English version of its site.
TWNIC in turn maintains a list of authorized registrars for the .tw top-level domain. “Shanghai Huibai Internet Service Co” is not on the list.
So this is clearly not an individual who is affiliated in any way with the domain registration process in Taiwan. I’m going to go out on a limb and guess that he’s unaffiliated with Hong Kong domain registration as well.
“Consumer Complaint” spear phish
A “spear phish” is a phish targeted at a specific user. It includes personal info (here, the recipient’s name and employer) designed to pass through an end user’s mental phishing filter.
Snopes.com (one of my favorite sites) has a write-up on previous emails like this one. This particular version claims to come from the DOJ — in the past other versions have purported to be from the Better Business Bureau (BBB) and the IRS.
Update: from Satnam Narang, a security researcher here at 8e6 — This email included an attachment named “complaint.zip”. When opened, the attachment drops malware on the system, then opens a PDF pulled from the DOJ site in order to fool the user into thinking nothing happened. McAfee has a write-up on it. As always, don’t open untrusted attachments.
From: US Department of Justice [mailto:complaintscenter1@usdoj.gov]
Sent: Tuesday, February 26, 2008 3:25 PM
Subject: Complaint Update for Jane Doe, Company X (Case id: #CE7203)
Dear Mr. Jane Doe ,
A complaint has been filled against the company you are affiliated to ( Company X ) in regards to the domain of business activity.
The complaint was filled by Mr. James Palmer on 25/02/2008 and has been forwarded to us and the IRS. Complaint Case Number: #CE7203 Date: 25/02/2008
A copy of the original complaint and the contact information of Mr. James Palmer has been attached to this e-mail.Please print and keep this copy for your personal records.
Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
Claims based on product liability;
Claims for personal injuries;
Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.
The decision as to whether your dispute or any part of it can be arbitrated rests solely with the US Department of Justice.
The Department of Justice offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
I love the official looking banner! That’s a link to an image straight off the DOJ site, which proves nothing about who sent the mail: anyone can embed a remote image, and the From: line claiming usdoj.gov is just as easy to forge.
The red flags here are obvious. There’s no method for contacting the DOJ. The email doesn’t even mention an individual DOJ employee. The only possible next step on this email is to open the attachment or contact the individual filing the complaint, undoubtedly to begin the arbitration (er, extortion) process that is described at the end of the email.
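The red flags above can be turned into mechanical checks. The script below is an added example written for this article, not code from the original post or from 8e6: it parses a constructed raw message modelled on the DOJ lure (the Return-Path, Received line, relay hostname, banner image path and the zip contents are all assumptions, and the zip holds inert bytes, not malware) and reports the claimed-sender/envelope mismatch, the authority-site image in a mail that did not come from that site, the absence of any way to contact the claimed sender, and an executable hiding behind a document-looking name inside the archive. A benign contrast message shows the same checks staying quiet.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions Windows runs directly; "complaint.pdf.exe" inside a zip is the classic
# dropper disguise. Assumed list for the example, extend as needed.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse", ".hta")
ARCHIVE_EXTS = (".zip",)


def build_sample_zip():
    """Constructed stand-in for the 'complaint.zip' lure: one file named like a PDF
    but carrying an executable extension. Payload is placeholder bytes, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("complaint.pdf.exe", b"MZ placeholder, not a real program")
    return buf.getvalue()


def build_sample_message():
    """Constructed raw message modelled on the DOJ lure quoted above. The envelope
    sender, Received line, relay host and image path are assumptions for the example."""
    msg = EmailMessage()
    msg["From"] = "US Department of Justice <complaintscenter1@usdoj.gov>"
    msg["To"] = "jane.doe@companyx.example"
    msg["Return-Path"] = "<bounce@mail-relay.example.net>"
    msg["Received"] = "from mail-relay.example.net by mx.companyx.example; Tue, 26 Feb 2008 15:25:00 -0500"
    msg["Subject"] = "Complaint Update for Jane Doe, Company X (Case id: #CE7203)"
    msg.set_content("Dear Mr. Jane Doe,\nA complaint has been filled against the company you are "
                    "affiliated to (Company X). A copy of the original complaint has been attached.\n")
    msg.add_alternative('<html><body><img src="http://www.usdoj.gov/example-banner.gif">'
                        "<p>Dear Mr. Jane Doe, A complaint has been filled against the company "
                        "you are affiliated to (Company X).</p></body></html>", subtype="html")
    msg.add_attachment(build_sample_zip(), maintype="application", subtype="zip",
                       filename="complaint.zip")
    return msg.as_bytes()


def build_benign_message():
    """Constructed contrast case: consistent sender and envelope, a contact URL on the
    sender's own domain, no attachment. Addresses are assumptions for the example."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@companyx.example>"
    msg["To"] = "jane.doe@companyx.example"
    msg["Return-Path"] = "<helpdesk@companyx.example>"
    msg["Subject"] = "Ticket 1234 closed"
    msg.set_content("Your ticket is closed. Questions: https://helpdesk.companyx.example/tickets\n")
    return msg.as_bytes()


def domain_of(header_value):
    """Bare domain of the first address in a From:/Return-Path: style header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def archive_hides_executable(data):
    """Names inside a zip ending in an executable extension, double extensions included."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    claimed = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    # The From: header is free text; the envelope sender is what the relay actually used.
    if envelope and envelope != claimed and not envelope.endswith("." + claimed):
        findings.append(f"from-domain {claimed} does not match envelope sender domain {envelope}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Images pulled from the claimed authority's own site lend polish but prove nothing.
    for src in re.findall(r'<img[^>]+src="([^"]+)"', text, flags=re.I):
        host = (urlparse(src).hostname or "").lower()
        if host == claimed or host.endswith("." + claimed):
            findings.append(f"banner image loaded from {host} but mail did not originate there")

    # A genuine notice gives you a way back to the sender on its own domain.
    text_no_img = re.sub(r"<img[^>]*>", "", text, flags=re.I)
    reachable = re.findall(r"[\w.+-]+@[\w.-]+|https?://[\w.-]+(?:/\S*)?", text_no_img)
    if not any(claimed in r.lower() for r in reachable):
        findings.append(f"no contact address or link on {claimed} in the message body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                hidden = archive_hides_executable(part.get_payload(decode=True))
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} is not a valid zip")
                continue
            for inner in hidden:
                findings.append(f"attachment {name} contains executable {inner}")
        elif name.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"attachment {name} is directly executable")
    return findings


if __name__ == "__main__":
    for line in analyze(build_sample_message()):
        print("FLAG:", line)
    print("benign message findings:", analyze(build_benign_message()))
```

These are heuristics, not proof: a From/Return-Path mismatch is normal for mailing lists and bulk senders, so treat a single finding as a prompt to verify out of band, and several together as the signal to stop and not open anything.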
The lesson here is simple but surprisingly difficult to internalize, even for the most experienced, Internet-savvy technology veteran. Approach every single unsolicited email, instant message or text message with deep, deep skepticism and always seek trusted third-party confirmation of every assertion in that message.
Tags: cybersquatting, fraud, Phishing