Spam Scam #6: The Internet Service Provider Consorcium

Posted by on Sep 23 2008 in Scams

Warning: "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"? in /home/ekleus/ekle.us/inc/plugins/model/_plugins_admin.class.php on line 1455

Ok, time to discuss another malware email that I received today. I wanted to describe this so that I can help others learn to identify scam/malware emails. The body of the email is as follows:

From: monitoring@isp.com
To: rick@ekle.us
Subject: Your internet access is going to get suspended
Date: Tue, 23 Sep 2008 07:12:49 -0500

Dear Sir! 

The Internet Service Provider Consorcium was made to protect the rights of software
authors, artists. We conduct regular wiretapping on our networks, to monitor
criminal acts.

We are aware of your illegal activities on the internet which were originating from 

You can check the report of your activities in the past 6 months that we have
attached. We strongly advise you to stop your activities regarding the illegal
downloading of copyrighted material or your internet access will be suspended.
 Sincerely 
 ISC monitoring team

Attachment: user-EA3911X-activities.zip

Ok, so how do I know this is a scam? Let's describe each in detail.

From Email Address: monitoring@isp.com

First of all, this email address is very generic. 'isp.com' is not the domain name of my ISP. Had this been the domain name of my ISP, I might be inclined to believe it is real. Because this is a very generic name it is clearly fake. However, to the uneducated, they may think that it is their ISP sending this instead of a generic 'ISP'. Plus, the from email address of an email is easily faked. These should never be trusted.

From IP Address: 192.206.246.200

The IP address that sent an email cannot be faked. Had this email truly been from my IP address, it would have been within an IP range owned by my ISP. I just looked up the geographic location of this IP and it returned that it is from the 'CARROLLTON-FARMERS BRANCH INDEPENDENT SCHOOL DIST'. In other words, it's a school in Texas somewhere. I live in Florida. My ISP is not a school in Texas! This email likely came from a 'zombie' computer in a gradeschool district in Texas somewhere.

'Consorcium'

Misspellings are often a sign of scam emails. The misspelled word 'Consorcium' in the email is a blatant sign that this email is fake. The correct spelling is 'consortium', by the way, as any spell-checker will tell you.

Scare Tactics

This message is clearly meant to try to scare you. It accuses you of engaging in illegal activity on the Internet. It basically threatens you to open the attached file or you will lose your Internet access. Suddenly you are afraid of not only losing your Internet access but of going to jail! A true email on this subject would likely be much more polite.

Zip file attachments

Any time I see an attachment that is a ZIP or an EXE I instantly get very suspicious. This attachment is usually the malware program. You unzip the attachment, run the EXE inside and your computer is infected. I downloaded this attachment (very carefully) and viewed the contents. It contains a file named 'user-EA3911X-activities.exe'. Clearly this is not a record of your 'violations'. If it were it would likely be in a text file or a Word document or something similar. An EXE means this is a program. Were you to run this program it would likely infect your computer. However, when I attempted to extract this program so i can scan it with my virus checker to see what kind of virus/malware it is, my unzip program reported that the zip file was corrupt! These stupid malware people can't even send a valid zip file!

So there you have it. My quick and dirty analysis of this scam email. I hope this saves you from having to fall victim to this scam.

This entry was posted by and is filed under Scams.

26 comments

Comment from: Deanne

Got exactly the same mail today in South Africa..... thanks for the advice given above as I instantly became worried that i had inadvertently downloaded something I shouldn't. Then I googled the ISP consorcium..... THANKS

Comment from: Diana

Arrived in my mail in the UK today - as coming from someone in northshoremag.com.

Comment from: graham

i am down under and i received one today as well

Comment from: Sara

I just got one on my student e-mail account today. How do they actually find your e-mail accounts?

Comment from: Rocio

I'm living in India at the moment and I received a similar email, not the same though. And there was no attachment. That strikes me as odd. As a scam that more or less defeats the purpose of the email doesn't it...

Comment from: Kerry

Thanks for this! Got an e-mail today and nearly opened the file but realised it was so generic I would do a search to see what I could find on it. Thanks!

Comment from: John W

Thanks so much------i got one of those this morning---and knowing it was a phishing scam first off i didnt click anything-----but my avast! 4 free home edition antimalware went off anyway-----said id been exposed to a worm -- i nearly hit delete on the file until i googled the email and found your site---and knowing that exe viruses sometimes activate if you try to delete the virus coupled with your information, allowed me to know to quarantine rather than remove the infected file everybody needs to know this---exe attachments found by your antivirus should be quarantined not deleted, until you know if the file will be activated by such actions

Comment from: John W

oh and also, theres a second one going around from a different email addy---this one looks more official because it has "you will face prosecution under " and the US legal code for the laws youve violated

Comment from: Emil Mollberg

Thanks a lot for your accurate information on this one. I maintain several blogs with lots of written and other´s material and always try to keep a straight line about all rights concerned as far as I can. I live in Berlin, so this is going all the world round, then? But so are my blogs on LiveJournal, MySpace and Wordpress; one of which has incidentally been hacked down pretty much simultaneously (wordpress, is placed on our private server, but still suddenly "gone") which may or may not have anything to do with this scam. So "international", the useless schoolkids of today, aren´t they? But unable to spell anything right in their own language.

Comment from: M Cox

Yikes! I opened it! I have a Mac..how will it affect it?

Comment from: rekle

if you opened the virus file on a Mac it won't have any effect. Most if these virii program target Windows. Since you aren't running Windows it won't do anything. If the virus fileh as the extension EXE then it only runs on Windows. That's why I like macs. None of these windows virii can effect macs.

Comment from: Martin

Got the e-mail this morning. Thanks for the advice. I also take precautions when words are mispelled. I'm in Canada. I see that this e-mail is making a world tour. Can't we find those people and put them in jail ?

Comment from: ANNIE

Hi, thanks for the info on these buggers,I got 1 mail yesterday from an "ISC.com" address, and 2 today from "monitoring@isp.com" and the other from "monitoring@mediadefender.com". Reported it to my ISP provider,and they taking it further. Oh, the ones I got today, threatens prosecution. Well I know I did not download anything,much less commited a crime. As someone asked before, where do these morons get the e-mail addresses from? I am in South Africa, so the mind boggles, but luckily, anti virus warned of infected e-mail, and did its job.

Comment from: Shar

WOW...I thought I might be the only one! Got two at my home email address and one at my work email address! Gee wiz! Both from the same email address "monitoring@isp.com"...I was a little alarmed at first...however I don't do anything online that's illegal...so I was pretty sure I was in the clear! I also know how to spell, so that was the first alarm!!! Thanks for this blog! Greatly appreciated!

Comment from: Roselee

Thank you so much for this information. I received the above message today and tried to open the file to see what illegal activities I had done, but it would not open. Why do people waste their time doing this type of thing? Thank you again.

Comment from: Frank

Thanks received exact same message. It is a good thing to know there are places where we can go to look up these things.

Comment from: Ross Dix-Peek

I got this e-mail today, and was also very worried. Thank you for the info...much appreciated!

Comment from: Chris

Same message. Jan 31st. Nice work

Comment from: R.B.

How can I get these people to stop sending this e-mail. They are claiming that I am doing illegal activities on the internet, which originate from 68.111.94.136. I have no idea what this is?

Comment from: BOBZEE

THANKS FOR ALL YOUR ADVICE GUYS. I ALMOST OPENED THE ZIPFILE UNTIL I NOTICED THE SILLY SPELLING ERROR. I JUST WONDER HOW THEY CHOOSE THEIR 'VICTIMS' COZ I DIDN'T THINK MY EMAIL ADDRESS WAS ON SUM DODGY DATABASE THAT COULD ACCESSED BY ANYONE...

Comment from: Lisa

Received today. Exact same email. I am in the U.S., California. I goodled the email address and found your website. Want to say thanks for the info!! I'm glad I did'nt open the zip file but, wondering what I do with the email? Do I just delete it or take other steps to protect my computer? Thank you for your time.....

Comment from: anita

Thanks i live in Australia and have recieved this email several times i am now going to block the sender. Thanks.

Comment from: Hein

I received this email two days ago. Nearly got a heart attack. I did not notice the spelling, i was to shocked. I tried to open the attachment to see what crimes i commited. Lucky my anti virus told me there is a virus in the attachment. Im in South Africa and afrikaans speaking. I dont have my computer very long and still learning. Thank God for U.

Comment from: Teaser

Thanks for revealing that this email is a scam. I first saw it when checking my email on my mobile. So I thought to open it on my pc. Instead I googled and saw your link. Thanks

Comment from: Dawn

Hi, also in SA, JHB. I also received the monitoring@isp. mail. Luckily, I picked it up with the @isp, the spelling, zip and the fact that I'm not a criminal! HERE is another one I received today, which I'm sure is the same type of thing so BEWARE of confirm-r16xa@facebookmail.com. Facebook never sends an email like this to confirm a friend... Facebook notifier (asks for your username & password)! One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook. To see her picture please check your attachment. (picture attachment) Thanks, The Facebook Team Facebook © 2008 Remember to forward warnings on to your contacts about the above. Thanks for letting me share!

Comment from: Eric

This is still doing the rounds almost a year and a half later. I got called to help an elderly lady (who never even surfs the Web, let alone downloads!) who received this mail scam and another, apparently from the mediadefender.com domain, on the same day. Almost made her throw away her computer completely. ;-) Showing her this article (and the comments posted by others) convinced her of the falsity of these mails. Thanks!

Mon	Tue	Wed	Thu	Fri	Sat	Sun
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31
<< <				> >>