Rick's World

The scare tactics in this email attack your pocketbook. It appears to be an email from my credit card company indicating that someone used my credit card fraudulently. Here's the body of the email:

Received: from [67.158.232.43] (unknown [67.158.232.43])
	for <rick@ekle.us>; Tue,  7 Oct 2008 14:54:16 -0700 (PDT)
Received: from [67.158.232.43] by mxmta.bellnet.ca; Tue, 7 Oct 2008 13:54:16 -0800
From: "Kelsey Fuller" <telesonicstetherese@qc.aira.com>
To: <rick@ekle.us>
Subject: Fraud Transactions
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869

Greating
Dear Valued Customer,

We have reasons to believe that your credit card 
has been involved in a number of fraudulent transactions 
we have spotted recently. Enclosed is the account 
statement with the list of transactions made with your 
credit card between 01.09.2008 and 03.09.2008. Please look 
carefully through the enclosed document; the last three of 
the listed transactions are the ones that we suspect to be 
fraudulent. 

I would appreciate if you could find time to 
clarify this issue and confirm the transactions that you 
have made personally. This would help us both to have this 
issue resolved as quickly as possible.

Please find the Word-formatted copy of your account statement is 
enclosed in the archive attached to this message.

Best regards
Kelsey Fuller
Manager of Credit Card Fraud Defense

Attachment: Statement.zip

IP Address: 67.158.232.43

If you do a reverse DNS lookup on this IP you get an IP owned by Pocketinet Communications, Inc, out of Walla Walla, Washington. This company appears to be yet another DSL provider. This likely means that this email was sent by a home user, or maybe a computer in a business that has been 'owned' by a previous malware and is now, yet another zombie computer. This email is supposed to be coming from my credit card company... Um, my credit card company is not a DSL provider in Walla Walla, Washington. If it were from my credit card company, it would be from an IP owned by my credit card company. That fact that it is from a DSL provider means that this is coming from a small company, if not an individual. This is clearly not my credit card company.

'01.09.2008 and 03.09.2008'

This is clearly the dates September 1, 2008 and September 3, 2008. These dates are once again formatted in a non-American style of date. This indicates that it is not coming from someone in the United States.

'Greating '

As is often the case, bad English grammar shows up as another indication of this coming from outside the United States. This should really be 'Greetings' to be correct. The English grammar is actually pretty good on this one, though. It is much better than most.

Binary Attachements

Once again we have a binary attachment - a ZIP file. If you unzip this file, you find something interesting:

Statement_01.doc                             .exe

What we see here is a file with one hundred spaces between the '.doc' and the '.exe' extension. (I shortened the number of spaces above for formatting purposes.) This is really another one of those double file extension binary attachments. This email is again taking advantage of the Windows setting to hide the '.exe' file extension. If you have this extension hidden, as Windows normally does, it looks like 'Statement_01.doc'. This makes it look like it is the Word document it claims to be. But this email goes one step farther and adds those 100 spaces between the '.doc' and the '.exe' extensions. Why do they do this? It is done so that if you are not hiding the file extensions, then the spaces cause the real '.exe' file extension to be moved so far to the right, that you likely won't even see it, if you viewed this file in Windows Explorer. Very clever. So once again we have an EXE that likely contains the program that installs the malware on your computer.

No credit card company name mentioned

The final red flag in this email is the fact that it says it's from your credit card company, but it never says which one! If this email were real it would say something more specific like 'Chase Financial Fraud Services' or something like that. The fact that it is an 'anonymous' email, means it's not from your credit card company. The email is intentionally made to be more generic so that it will be noticed and read by many people, no matter who their credit card company is.

Another day, another scam.