Tuesday, January 4, 2011

Foreign Banker Fraud Phishing example - pggymrk@gmail.com

Have any of you received the following phishing email? If you are reading this post, that is a good sign. See my commentary below.

-----Original Message-----

From: webmaster@redcross.org.rs [mailto:admin@taiyuan-sz.com]

Sent: Tuesday, January 04, 2011 1:26 PM


Dear Friend,

In accordance to my religious persuasion,I felt expedient to write and inform you on the wicked conspiracy hatched by the duo of Mr David the Accounting Audit and Mr. William Anderson. Head of foreign remittances,Nat West Bank London - England BRANCH: Putney, 153 Putney High Street.LONDON SWI5 IRX UNITED KINGDOM to divert your money to their designated account in Europe.

As a junior staff,I discovered that they moved the Funds from our London Branch to a corespondent bank in Asia and from Asia; Today I found out through the Central computer database that they are about to reroute your fund to AIR COURIER SECURITY COMPANY in China. With this,I felt that it is important for me to alert you on this development, i have try calling but your number has not been going through.

They are still using your name and contract/inheritance identification number as the beneficiary but they have changed the account co-ordinate,that is why they are frustrating you by asking for money every time in order for them to go behind and contact you. I have the reference number of the transaction and also I have the number of the official who is directly in charge at the AIR COURIER SECURITY COMPANY.

Your Consignment is supposed to go through the London credit control financial clearinghouse before finally Lodge in AIR COURIER SECURITY COMPANY in London Uk .All the data about your claim profile are within my reach. I do not need gratification from you either in cash or kind; I can never be a part of evil because the bible said YE SHALL KNOW THE TRUTH AND THE TRUTH SHALL SET YOU FREE.

Please respect my discretion in this matter, you can send an email to me so that I can give you the reference number and the name and contact information of the officials of the AIR COURIER SECURITY COMPANY in Asia. I repeat, please do not expose my person, it is not easy to get jobs around here and I cannot contend with these powerful individuals because they can eliminate me just like that all i will do for you is to give a secret guidance on how you would contact the security department of my office and made a report to them concerning your approved fund.

But you must not expose me, all am assuring you was that once this report is made your fund will be recover immediately and release to you and them will be made to face the crime they have committed.

You can reach me through my email. (pggymrk@gmail.com)

Thanks and God bless.

Rev. Mrs.Peggy Mark

The first sign of trouble in paradise is the inconsistent set of email addresses (webmaster@redcross.org.rs, admin@taiyuan-sz.com, pggymrk@gmail.com). The use of the Red Cross in the name part of the From address is no doubt meant to instill a feeling of trust by borrowing a worldwide recognizable brand synonymous with goodwill.

When you read the e-mail, its tone is one of empathy: the author claims to be trying to help the recipient and save them from being defrauded of funds that are rightfully theirs and sit in another country (London in this example, being moved to somewhere in Asia and ultimately China), funds purportedly being mishandled by senior executives at the company the sender claims to work for. Interesting that I did not even know I had this money?!?

The author urges the recipient to take action to protect themselves by responding to the provided gmail account. The author explains that they wish to help because of their religious convictions, and even cites a passage from the Bible to demonstrate those convictions. When an unsuspecting recipient responds, I assume that is when the ruse begins.

This seems like it would never work. Are there really people that gullible? Well, frankly, it's a numbers game. If these criminals send out 10,000 of these e-mails and get a 0.1% response rate (for every 1,000 e-mails sent, one recipient replies to pggymrk@gmail.com), that means 10 people respond, and if the phishing criminals can engage with one or more of those respondents, they get a pretty good return on their investment. This approach prequalifies victims: send mass e-mails and see which recipients can be further engaged to give up their personal information, and eventually their identities.

These numbers are provided for illustrative purposes and are made up. I'm not sure what the real ratios are. This particular e-mail is particularly despicable in using the Red Cross and Bible citations as trust builders.

To protect their pggymrk@gmail.com account before getting a response from an unsuspecting victim, they also appeal to the reader's good nature, asking them not to expose the sender because their job is at risk and, if exposed, it will be difficult for them to find work, etc. Even as I write this blog post, I feel terrible for what's about to happen to the wholesome and honorable Rev. Mrs. Peggy Mark. Can anyone say religious appeal? Pretty slick. Burn in Hell I say, you evil sender of phishing SPAM!

This phishing attempt is typical in that the sender appeals to a recipient's sense of morality, conscience and also greed. Greed is probably the overriding appeal in this phishing scam because the recipient obviously doesn't know about any money they have in Europe, yet they feel compelled to respond to this e-mail. Those who do have money in accounts in Europe know better than to fall victim to Rev. Mrs. Peggy Mark.

It will be interesting to see if there are a lot of searches for Rev. Mrs. Peggy Mark or the email address pggymrk@gmail.com. Hopefully recipients will turn to Google before responding and find this blog post.

Until next time, be safe and read your e-mail carefully!

Thursday, March 18, 2010

Facebook Password Reset Confirmation Email Scam - Part II

After posting yesterday about the Facebook Password Reset Confirmation Email Scam, I received another variant of the same Facebook email scam, again with the virus attached.

The second variant of the email scam had the same harmful virus attached, plus a few new features. The second variant of the Facebook Password Reset Confirmation Email Scam is pasted below:

Subject: Facebook Password Reset Confirmation YYYY

Hey [email-username],

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

The Facebook Team.
What was interesting about this variant is that it had 2 characteristics distinguishing it from the variant in the previous post:

  1. The email was customized and addressed to the username portion of my email address
  2. The email contained an identifier in the subject line, presumably to enable the email scam artist to better track responses and possibly to perform multivariate testing on different variations of the same email scam
Both of these distinguishing elements of the Facebook Password Reset Confirmation Email Scam show some marketing prowess: #1 customizes the message to build trust and increase the response rate, and #2 was presumably done to track responses, another sign of marketing prowess.

Key Takeaways:

Never, and I mean never, open an attachment from an unknown source. Even if you think you know the source (Facebook in this case), unless it comes from a trusted individual, definitely do not open the attachment. Don't be lulled into a false sense of security just because the email is personalized to you.

For More Information:
Facebook does not, based on its own policies, send user passwords in file attachments on a password reset request. Based on a scan of other sites on the topic, it appears that those who are fooled into opening the attachment to "view their new password" will in fact be launching a copy of the Bredolab Trojan, as featured in a recent ABC News article entitled "Facebookers Beware: Fake E-Mail Contains Virus."

Once installed, the trojan can download and install other components, such as key-loggers that capture everything you type on your computer, including usernames and passwords, as well as software designed to identify and capture passwords that are then forwarded to the email scam artist. This lets them monitor and control the compromised computer without the owner's knowledge, while giving them the information they need to commit identity theft and bank fraud.

Wednesday, March 17, 2010

Facebook Password Reset Confirmation! Customer Support Email Scam Virus

Due to the popularity of Facebook, with as many as 400M users by some accounts, email scam artists are targeting Facebook users with email scams.

The following email was received recently:

From: Facebook Messages [mailto:networks@facebook.com]
Sent: Wednesday, March 17, 2010 12:55 AM
To: XXX@YYY.com
Subject: Facebook Password Reset Confirmation! Customer Support.

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Your Facebook.

Email scam analysis:

The first red flag should be that no legitimate social network, including Facebook, will ever reset your password for you without you requesting it. Secondly, they will never send you an attachment to open in order to receive a password that you requested be reset. You can bet that the payload of this email scam is a computer virus, likely a Trojan Horse used to steal the passwords to your online bank accounts for use in bank fraud to steal your money, along with credit card numbers and personally identifiable information that can be used to commit identity theft and steal your identity.

The email is clever in that it appears to be sent from networks@facebook.com, which is not a real email address. This is what is referred to as email spoofing, and it is a commonly used trick by email scam artists to convince the targets of the scam that the email is from a trusted source, thus luring the unsuspecting victim into opening the malicious attachment.

Key Takeaways:

Never, and I mean never, open an attachment from an unknown source. Even if you think you know the source (Facebook in this case), unless it comes from a trusted individual, definitely do not open the attachment.

Another level of scrutiny that can be applied to email attachments is to evaluate the subject line and make sure it is consistent with the sender's style. Some viruses, once they infect a computer, replicate themselves and send copies to any email addresses they can harvest from address books stored on the infected computer, taking advantage of the trust recipients place in email from someone they know.

These email scams can usually be identified by subject lines that are not characteristic of the sender's writing style. For example, I would not expect to see an email attachment with the subject "attached 0 tasty ass video of you" from my mother.

These subject lines and emails are created and sent automatically by the infecting virus once it infects the unsuspecting victim who opens the malicious attachment, all without being noticed by the user of the infected computer. Often they are first alerted to the situation by a friend or colleague who was infected by opening a malicious attachment received from the initial victim.
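As an added example (not code from the original post), here is a small Python triage check that walks a message's MIME parts and flags the things this post warns about: an attachment that is executable or an archive, a double extension hiding the real type, content that starts with a Windows PE header no matter what the file is called, and body text that promises a password inside an attachment. The sample message is constructed here from the scam text above; the attachment name Facebook_password.txt.exe and its bytes are hypothetical stand-ins, since the post does not say what the real attachment was called. Only the standard library is used.

```python
"""Attachment triage for the 'your new password is attached' lure (added example)."""
import email
import re
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
DOCUMENT_EXT = {".txt", ".pdf", ".doc", ".jpg", ".png"}   # harmless-looking first extension
# Body text claiming that a (new) password is waiting in an attached file.
PASSWORD_LURE = re.compile(r"password.{0,40}?attach", re.I | re.S)


def attachment_red_flags(raw):
    """Return (code, detail) pairs for the red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    flags, body = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name is None:                      # not an attachment: keep the text for the lure check
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                body.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
            continue
        exts = ["." + e for e in name.lower().split(".")[1:]]
        last = exts[-1] if exts else ""
        if last in EXECUTABLE_EXT:
            flags.append(("executable-attachment", name))
        elif last in ARCHIVE_EXT:
            flags.append(("archive-attachment", name))
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            flags.append(("double-extension", name))
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"MZ"):            # Windows executable header, whatever the name says
            flags.append(("pe-content", name))
        elif data.startswith(b"PK\x03\x04") and last not in ARCHIVE_EXT | {".docx", ".xlsx", ".pptx"}:
            flags.append(("zip-content-disguised", name))
    match = PASSWORD_LURE.search("\n".join(body))
    if match:
        flags.append(("password-lure", match.group(0).replace("\n", " ")))
    return flags


def build_sample(sender, body, filename, content):
    """Construct a multipart message in the shape of the scam above (sample data, constructed here)."""
    msg = MIMEMultipart()
    msg["From"] = sender
    msg["To"] = "XXX@YYY.com"
    msg["Subject"] = "Facebook Password Reset Confirmation! Customer Support."
    msg.attach(MIMEText(body))
    att = MIMEApplication(content, Name=filename)
    att["Content-Disposition"] = f'attachment; filename="{filename}"'
    msg.attach(att)
    return msg.as_string()


SCAM_BODY = ("Dear user of facebook,\n\nBecause of the measures taken to provide safety to our clients, "
             "your password has been changed.\nYou can find your new password in attached document."
             "\n\nYour Facebook.")
# Hypothetical attachment: a bare PE header stands in for the trojan the post describes.
LURE_MSG = build_sample("Facebook Messages <networks@facebook.com>", SCAM_BODY,
                        "Facebook_password.txt.exe", b"MZ" + b"\x00" * 62)
# Benign control: an ordinary PDF attachment with an ordinary note (constructed).
BENIGN_MSG = build_sample("Carol <carol@example.com>", "Attached is the report we discussed on Tuesday.",
                          "Q1 report.pdf", b"%PDF-1.4\n%constructed sample\n")

if __name__ == "__main__":
    for label, raw in (("facebook lure", LURE_MSG), ("benign", BENIGN_MSG)):
        print(label, attachment_red_flags(raw) or "no attachment red flags")
```

The check is deliberately cheap and runs before anything is opened; it complements, rather than replaces, a virus scanner, and any one of these flags on a message that claims to come from a brand is reason enough to delete it unopened.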

More Information (The Nitty Gritty)

When sending email to that address (networks@facebook.com), the following delivery failure is received:

Note: Forwarded message is attached.

Delivery has failed to these recipients or distribution lists:
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

Sent by Microsoft Exchange Server 2007

A closer inspection of the initial email scam header reveals the following information:

Received: (envelope-from )
Received: from by odb.electricsheepcompany.com; Wed, 17 Mar 2010

Tuesday, March 16, 2010

Email Scam Example | WILLIAM L.W. CHEUNG | williamcheung_jp@yahoo.cn

Email Scam:

Good Day To You My Friend.
It is understandable that you might be a little bit apprehensive because you do not know me but I have a lucrative business proposal of mutual interest to share with you. I got your reference in my search for someone who suits my proposed business relationship.
 I am Mr. William Leung Wing Cheung a South Korean, happily married with children; i work as an Executive Director of Hang Seng Bank Ltd, Head of Personal Banking. I have a confidential business suggestion for you. I will need you to assist me in executing a business project from Hong Kong to your country. It involves the transfer of a large sum of money. Everything concerning this transaction shall be legally done without hitch. Please endeavour to observe utmost discretion in all matters concerning this issue.
Once the funds have been successfully transferred into your account, we shall share in the ratio to be agreed by both of us. I will prefer you reach me on my private email address below (williamcheung_jp@yahoo.cn) and finally after that I shall furnish you with more information's about this operation. Should you be interested, please forward the following to me urgently:
1. Full names  
2. Occupation
3. Private phone number
4. Current contact address
Please if you are not interested delete this email and do not hunt me because I am putting my career and the life of my family at stake with this venture. Although nothing ventured is nothing gained.
Your earliest response to this letter will be appreciated.
Kind Regards,
Mr William Leung Wing Cheung.JP
Hang Seng Bank Limited
Hong Kong. {Asia}
Email: - williamcheung_jp@yahoo.cn

Analysis of email scam:
  1. First red flag - the email was sent to "To: undisclosed-recipients"; this usually indicates that the email was BCC'd (blind carbon copied) to a whole bunch of potential bank fraud and identity theft victims solicited through SPAM email scams. On a BCC email it is not possible to see who else is receiving it; there would be no need to do this if the email were legitimate and not a scam, as it would be addressed to you, the selected one
  2. The email address of the sender, williancheung@fastwebmail.it, is different from the reply-to email address, williamcheung_jp@yahoo.cn
  3. The goal of this email scam, like so many others, is to secure the recipient's trust and basic contact information; the beginning of the email tries to proactively address some common-sense concerns, including "why am I receiving this unsolicited email?"
  4. The email then tries to build trust in the fictitious sender by providing an official title - Executive Director of Hang Seng Bank Ltd, Head of Personal Banking
  5. Like all similar email scams, this instance plays on the recipient's propensity for greed to entice them to provide the sender with their banking details so that the funds can be transferred to your account - more like the funds will be transferred out of your account - can you say Bank Fraud!
  6. Three times the email scam requests that the recipient keep the offer confidential ("confidential business suggestion for you," "Please endeavour to observe utmost discretion in all matters concerning this issue," "Please if you are not interested delete this email and do not hunt me because I am putting my career and the life of my family at stake with this venture"); the last request for confidentiality even plays the guilt card by insinuating that sharing the details of this incredible, legal offer could put the sender's family at risk.
Please, never provide personal information to someone emailing you with a "confidential offer." If you are not expecting an email from somebody, scrutinize it carefully. Always apply a good deal of common sense and remember: if it sounds too good to be true, it is.

Saturday, March 13, 2010

Email scam example | Mr.Kazim Obaid | United Arab Emirates

The following email scam was received this morning at my business address. The email scam is particularly despicable in that it attempts to exploit the victims of the EgyptAir Flight 990 crash, a regularly scheduled flight from Los Angeles to New York and on to Cairo that crashed on October 31, 1999.

The SPAM email scam even provides a real link to a legitimate BBC news report on the tragic crash of Flight 990. This is done to build trust through the appearance of some affiliation with the BBC and to show that the subject of the email scam is tied to a real news story. The email references a deceased individual who is pictured in the BBC news story and claims to have funds from the named deceased that the sender would like to share with you.

The goal of the email scam is to get unsuspecting recipients of the spam email to respond, thus prequalifying them as a potential Internet fraud victim and easy mark. Once the recipient responds to the email, which gets routed to the perpetrator's masked email address (kazimobaid121@gmail.com - see below), the potential Internet fraud victim will be asked for personally identifying information that can then be used by the perpetrator to engage in bank fraud and identity theft, all at the expense of the unsuspecting victim.

From Mr.Kazim Obaid

Reply-To: kazimobaid121@gmail.com (this is different from the From address, which should raise a red flag; the gmail address is where the spam email scam perpetrator will read responses to the email scam. This is visible only by inspecting the email header information, which is hidden by default by the software used to read email)

[spam email scam text inserted below]
From: "Mr.Kazim.Obaid"kazimobaid3@hotmail.com
Subject: From.Mr.Kazim.Obaid.
Date: Sat, 13 Mar 2010 04:09:26 +0400

To: undisclosed-recipients:; (anytime you see this in the To: line of an email message, it means that the sender used BCC (blind carbon copy) to send the same scam solicitation to many different recipients)

Greetings From Dubai, [note that the email scam is not addressed to any particular recipient by name; this email is blasted to many potential Internet fraud victims]
This message might meet you in (utmost surprise),however,it's just my urgent need for foreign partner that made me to contact you for this transaction.I am a banker by profession from United Arab Emirates and currently holding the post of Director Auditing and Accounting unit of the bank.
I have the opportunity of transfering the left over funds($17.5million)our bank deceased customer late Richard Burson, who died on (Egypt Air Flight 990)along with his family on a plane crash below. http://news.bbc.co.uk/1/hi/world/americas/502503.stm. Hence i am inviting you for a business deal where this money can be shared between us in the ratio of 50/50 as a brotherhood.
If you agree to my business proposal.further details of the transfer will be forwarded to you as soon as i receive your return mail.
Mr.Kazim Obaid
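The address inconsistencies called out across these posts (the Red Cross name sitting on top of a taiyuan-sz.com address with a gmail contact in the body, the Facebook mail spoofing networks@facebook.com, the Hang Seng mail whose From, Reply-To and To: undisclosed-recipients:; line all disagree, and this post's Reply-To pointing at kazimobaid121@gmail.com) can be checked mechanically from the raw headers. The following is an added example, not code from the blog; it uses only the Python standard library. The sample messages are constructed here from the headers shown in the posts, on the assumption that Outlook's "webmaster@redcross.org.rs [mailto:admin@taiyuan-sz.com]" rendering corresponds to a From header of the form "webmaster@redcross.org.rs" <admin@taiyuan-sz.com>; the FREE_WEBMAIL list and the benign control message are likewise constructed.

```python
"""Header-level red flags for foreign-banker and spoofed-brand mail (added example)."""
import email
import re
from email.utils import parseaddr

# Webmail providers a bank or charity officer would not use for replies (list constructed here).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "yahoo.cn", "hotmail.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the text/plain parts of a message (single-part messages included)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def header_red_flags(raw):
    """Return (code, detail) pairs for the address inconsistencies the posts describe."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    flags = []

    # Replies are steered to a mailbox other than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(("reply-to-mismatch", f"replies go to {reply_addr}, not {from_addr}"))
    if reply_addr and _domain(reply_addr) in FREE_WEBMAIL:
        flags.append(("free-webmail-reply-to", reply_addr))

    # Envelope sender (Return-Path) disagrees with the header From: a spoofing tell.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    if envelope and _domain(envelope) != from_dom:
        flags.append(("envelope-mismatch", f"envelope {envelope} vs From {from_addr}"))

    # A trusted brand's address shown as the display name, a different address underneath.
    if "@" in from_name and _domain(from_name) != from_dom:
        flags.append(("brand-in-display-name", f"shows {from_name}, really {from_addr}"))

    # BCC blast: no real recipient in the To line.
    to = msg.get("To", "")
    if "undisclosed-recipients" in to.lower() or "@" not in to:
        flags.append(("undisclosed-recipients", to.strip() or "<empty To>"))

    # Body asks to be contacted at an address outside the sender's own domain.
    for addr in sorted(set(ADDR_RE.findall(_body_text(msg)))):
        if _domain(addr) != from_dom:
            flags.append(("body-contact-mismatch", f"contact requested via {addr}"))
    return flags


# Constructed sample 1: headers rebuilt from the "Rev. Mrs. Peggy Mark" mail, charity address in
# the display name only (assumption about how Outlook rendered it); body cut to the contact line.
REDCROSS_MSG = """\
From: "webmaster@redcross.org.rs" <admin@taiyuan-sz.com>
To: victim@example.com
Subject: Dear Friend

Please respect my discretion in this matter.
You can reach me through my email. (pggymrk@gmail.com)
"""

# Constructed sample 2: the Hang Seng mail's From, Reply-To and To lines as given in that post.
CHEUNG_MSG = """\
From: williancheung@fastwebmail.it
Reply-To: williamcheung_jp@yahoo.cn
To: undisclosed-recipients:;
Subject: Good Day To You My Friend

I will prefer you reach me on my private email address below
(williamcheung_jp@yahoo.cn) and finally after that I shall furnish you
with more information's about this operation.
"""

# Constructed benign control: every address agrees with the sender's domain.
BENIGN_MSG = """\
From: Alice <alice@example.com>
Return-Path: <alice@example.com>
To: Bob <bob@example.com>
Subject: Lunch on Thursday?

Still on for noon? Reach me at alice@example.com if plans change.
"""

if __name__ == "__main__":
    for label, raw in (("red cross", REDCROSS_MSG), ("hang seng", CHEUNG_MSG), ("benign", BENIGN_MSG)):
        print(label, header_red_flags(raw) or "no header red flags")
```

Any mail client will show the raw headers on request (the post above notes they are hidden by default), and a single flag from this list on a message offering money or a "confidential" transfer is all the analysis it deserves.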

Email Scam Information Introductory Post

This blog serves as an email scam information resource to educate new Internet users about the common email scams and SPAM (i.e. unsolicited email - not to be confused with the tasty processed ham food in a can) used today to lure unsuspecting Internet victims into providing their personal information to criminals participating in Internet fraud.

The goal of the content posted to the Email Scam Information blog is to expose common email scams used to perpetrate identity theft and bank fraud against the new, unsuspecting potential victims coming online each and every day. Hopefully you find this resource before falling victim to Internet fraud achieved by email scams delivered as spam.

The overarching principle when dealing with spam email is that if you don't know the source and did not request the information, DO NOT PROVIDE PERSONAL INFORMATION OR OPEN/SAVE ANY ATTACHMENTS - UNDER ANY CIRCUMSTANCES.

Posts to this blog will include real example emails sent to a real business email address that was no doubt captured by one of the email-harvesting programs used to aggregate email addresses for the purposes of SPAM (i.e. unsolicited email), which in many cases is sent illegally.

Comments and active participation are both encouraged. This includes sharing example emails and, even more valuable, examples of situations where you were, or know of, a victim of an email scam. We are doomed to suffer repeat failure unless we learn from our [collective] mistakes!