Rick's World

I got this email yesterday:

Return-Path: >gardcm23@mail.buffalostate.edu>
X-Original-To: rick@ekle.us
Received: from smtp.buffalostate.edu (smtp.buffalostate.edu [136.183.139.54])
Received: from mail.buffalostate.edu (unverified [136.183.139.147]) 
	by mail.buffalostate.edu (SurgeMail 3.9e) with ESMTP id 6842901-1888925 
	for multiple; Sat, 13 Dec 2008 16:06:31 -0500
To: (Recipient List Suppressed)
Received: from 115.67.221.114 by HTTP
Sender: gardcm23@mail.buffalostate.edu
From: "Update Your E-mail Account" >edu-accountupdate2008@live.com>
Reply-To: edu-accountupdate2008@live.com
Subject: Dear Email Owner
X-Mailer: 115.67.221.114 - gardcm23
X-Originating-IP: 115.67.221.114
Date: Sat, 13 Dec 2008 16:06:32 -0500
Priority: normal
Message-id: >494423d8.115.6a4b.32340870@mail.buffalostate.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Authenticated-User: gardcm23@mail.buffalostate.edu 

Dear Email Owner,

This message is from messaging center to all Email owners.
We are currently upgrading our data base and e-mail center.
We are deleting all unused email to create more space for
new one.

CONFIRM YOUR EMAIL BELOW:

Email Username: ...............
EMAIL Password: ................

Warning!!! Email owner that refuses to update his or her
Email, within Seven days of receiving this warning will lose
his or her Email permanently. You are to send your email
username and password to the webmaster via this email:
org-accountupdate@live.com

Regards

Mrs. Anderson Mary
Webmaster (ORG)

This one is clearly a scam. There is also some interesting redirection going on here. If you start with the originating IP of 115.67.221.114, we find that this IP is located in Queensland, Australia. However, the sender appears to be 'gardcm23@mail.buffalostate.edu'. This is an email address at New York State University College at Buffalo (and the IP addresses appear to confirm this.) So the email was sent from Australia, through a mail server in New York in the United States. Plus the visible email address in there that you are supposed to return your email login information to is 'org-accountupdate@live.com'. Live.com is a domain named owned by Microsoft. It's one of the domain names you can get from signing up for a free email address with Microsoft's Hotmail service.

So someone in Australia, sends an email through a New York University mail server, and masquerades as someone from Microsoft??? Um no. This is clearly a scam. It's trivial to create an email address called 'org-accountupdate' at Hotmail. This name looks pretty legit, but when you follow the email back through the path it takes through the internet it is clearly a scam. We see several classic signs of spam here. First the English grammar is incorrect in this email. It's better than most, but still wrong. Second, it uses scare tactics to get you to respond to it. If you don't send your email username and password immediately you'll lose your email! Considering how I received this email in an email box that is not run by Microsoft, nor anyplace in Queensland, Australia, or anything related to a university in New York, it is clearly a scam. Third, it is very general. 'org-accountupdate' is just general enough to make it sound official. There is no mention of WHAT organization is sending the email. Also, keep in mind that your email provider would never ask you for your email username and password - they already have it!

The secret to learning if an email is valid is to study the raw email headers. Most email programs hide these from you because they are full of information that's not useful in most cases. The email program should have some way to find this information though. If you find an email like this that you are suspicious of, look through the options of your email program to find out how to view the raw headers. Then start looking at the various servers and IP addresses in the 'Received:" and other headers. These headers give you the full information as to the route this email took to reach you. If it sounds suspicous, then it's very likely that it is.

Time for yet another spam scam email analysis. This time, the scam is an emailed plane ticket. Here's the email I got:

Return-Path: <bykvjypw@brainstem.com>
Received: from 37-8.2-85.cust.bluewin.ch (37-8.2-85.cust.bluewin.ch [85.2.8.37])
	for <rick@ekle.us>; Mon, 13 Oct 2008 23:23:39 -0700 (PDT)
Received: from [85.2.8.37] by brainstem.com.inbound10.mxlogic.net; Tue, 14 Oct 2008 07:23:39 +0100
From: Southwest Airlines <bykvjypw@brainstem.com>
To: <rick@ekle.us>
Subject: Your Online Flight Ticket  N 45109
Date: Tue, 14 Oct 2008 07:23:39 +0100
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
Importance: Normal


Good day,
Thank you for using our new service "Buy flight ticket Online" on our website.
Your account has been created:

Your login: rick@ekle.us
Your password: PASS0PAW

Your credit card has been charged for $986.14.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Southwest Airlines

Attachment: E-ticket.zip

Let's take a look at the mail headers. Here are a few things to notice:

From: Southwest Airlines <bykvjypw@brainstem.com>

Hmm. So apparently I'm getting an email from Southwest Airlines. If that is true, why is someone from brainstem.com sending it to me? Clearly, 'brainstem.com' is not Southwest Airlines. It's some Microsoft certified company in Maryland. Clearly this email address is fake. I would suspect the spammers did a couple of things here.

1. Picked the name of an American airline company, likely at random. This time they choose Southwest Airlines, but I suspect other emails are sent with other airline names (Delta, American Airlines, JetBlue, etc.)
2. Chose a domain name at random... In this case it was brainstem.com
3. Created an email address at random... In this case it was 'bykvjypw'.

From Addresses are easily forged and should never be trusted. I've had spam emails sent with my email address as the From email, and I certainly did not send it, nor did I approve it. Unfortunately, there's nothing you can do to stop this. You just have to accept that people will do this. Of course, if this email was from Southwest Airlines, the email address would have been 'something@southwest.com'. Southwest.com is the domain of Southwest Airlines. This is one sign that it is not valid.

Received: from 37-8.2-85.cust.bluewin.ch (37-8.2-85.cust.bluewin.ch [85.2.8.37])

This header tells us the domain name and IP address of who sent the email. By looking at the name and IP we discover that this was sent by 'bluewin.ch', which appears to be an ISP of some kind in Switzerland! So, I'm getting emails from Southwest Airlines by way of Switzerland? I don't think so. Looks like another zombie computer.

Your credit card has been charged for $986.14.

Scare tactics. They expect you to react to this as "Oh my God, someone charted nine hundred bucks on my credit card! I'd better check this out." You then open that evil file attachment and you are infected. This is a scam. Your credit card was not charged. They don't have your credit card.

print it on a color printed

Um, what the heck is a 'printed'? I assume they meant 'printer' here. This is yet another example of the bad grammar and/or typos that frequently appear in these scam emails.

File Attachment: E-ticket.zip

Look. It's another zip file attachment. This is a huge warning sign. Let's take a (careful) look at the contents of this zip file... Unzipping this zip file, I find a single file 'e-ticket.doc.exe' inside. This is yet another example of the double file extension trick. Due to the way Windows works, it will normally hide that '.exe' part of the filename. This makes the filename look like 'e-ticket.doc'. This makes you think it is that airline ticket they said it was. Of course it's not. It's actually a program that will infect your computer if you run it.

Conclusion

A good attempt. They got the grammar mostly right. I only found one blatant typo. This would likely trick most people. For a brief moment I thought it was real. Of course, once I studied it some more I realized it wasn't. It also helps to use a little common sense here. Did I recently spend $900 on a plane ticket? No. Clearly this is not valid. Could it be identify theft? Yes, but even if it was, you can log onto your credit card company's web site and validate if this $900 charge was made. And even if it WAS made, you just dispute the charges with the credit card company and you are not out a penny. None of your money is at risk.

Always remember that a little common sense and a healthy dose of skepticism will often save you from falling for these scams.

The scare tactics in this email attack your pocketbook. It appears to be an email from my credit card company indicating that someone used my credit card fraudulently. Here's the body of the email:

Received: from [67.158.232.43] (unknown [67.158.232.43])
	for <rick@ekle.us>; Tue,  7 Oct 2008 14:54:16 -0700 (PDT)
Received: from [67.158.232.43] by mxmta.bellnet.ca; Tue, 7 Oct 2008 13:54:16 -0800
From: "Kelsey Fuller" <telesonicstetherese@qc.aira.com>
To: <rick@ekle.us>
Subject: Fraud Transactions
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869

Greating
Dear Valued Customer,

We have reasons to believe that your credit card 
has been involved in a number of fraudulent transactions 
we have spotted recently. Enclosed is the account 
statement with the list of transactions made with your 
credit card between 01.09.2008 and 03.09.2008. Please look 
carefully through the enclosed document; the last three of 
the listed transactions are the ones that we suspect to be 
fraudulent. 

I would appreciate if you could find time to 
clarify this issue and confirm the transactions that you 
have made personally. This would help us both to have this 
issue resolved as quickly as possible.

Please find the Word-formatted copy of your account statement is 
enclosed in the archive attached to this message.

Best regards
Kelsey Fuller
Manager of Credit Card Fraud Defense

Attachment: Statement.zip

IP Address: 67.158.232.43

If you do a reverse DNS lookup on this IP you get an IP owned by Pocketinet Communications, Inc, out of Walla Walla, Washington. This company appears to be yet another DSL provider. This likely means that this email was sent by a home user, or maybe a computer in a business that has been 'owned' by a previous malware and is now, yet another zombie computer. This email is supposed to be coming from my credit card company... Um, my credit card company is not a DSL provider in Walla Walla, Washington. If it were from my credit card company, it would be from an IP owned by my credit card company. That fact that it is from a DSL provider means that this is coming from a small company, if not an individual. This is clearly not my credit card company.

'01.09.2008 and 03.09.2008'

This is clearly the dates September 1, 2008 and September 3, 2008. These dates are once again formatted in a non-American style of date. This indicates that it is not coming from someone in the United States.

'Greating '

As is often the case, bad English grammar shows up as another indication of this coming from outside the United States. This should really be 'Greetings' to be correct. The English grammar is actually pretty good on this one, though. It is much better than most.

Binary Attachements

Once again we have a binary attachment - a ZIP file. If you unzip this file, you find something interesting:

Statement_01.doc                             .exe

What we see here is a file with one hundred spaces between the '.doc' and the '.exe' extension. (I shortened the number of spaces above for formatting purposes.) This is really another one of those double file extension binary attachments. This email is again taking advantage of the Windows setting to hide the '.exe' file extension. If you have this extension hidden, as Windows normally does, it looks like 'Statement_01.doc'. This makes it look like it is the Word document it claims to be. But this email goes one step farther and adds those 100 spaces between the '.doc' and the '.exe' extensions. Why do they do this? It is done so that if you are not hiding the file extensions, then the spaces cause the real '.exe' file extension to be moved so far to the right, that you likely won't even see it, if you viewed this file in Windows Explorer. Very clever. So once again we have an EXE that likely contains the program that installs the malware on your computer.

No credit card company name mentioned

The final red flag in this email is the fact that it says it's from your credit card company, but it never says which one! If this email were real it would say something more specific like 'Chase Financial Fraud Services' or something like that. The fact that it is an 'anonymous' email, means it's not from your credit card company. The email is intentionally made to be more generic so that it will be noticed and read by many people, no matter who their credit card company is.

Another day, another scam.

Time for some more malware that uses scare tactics. Here's something I got in my email recently...

 

Return-Path: yjm@bossa-hashi.com
X-Original-To: rick@ekle.us
Received: from 209-16-113-5.net.bhntampa.com (209-16-113-5.net.bhntampa.com [209.16.113.5])
for rick@ekle.us; Fri, 3 Oct 2008 14:33:31 -0700 (PDT)
From: "Jeffrey Mclean" yjm@bossa-hashi.com
To: rick@ekle.us
Subject: New Law

I haven't seen you for weeks

New clauses have been added to the legislation regulating your online activities; some of the
operations are now considered illegal. The new law has come into force as of 25.09.2008; the
penalties have been toughened.

Please read the new document and be more accurate further on.

Remember me to your wife

Attachment: Legislation.zip

Let's look at why this is a scam.

25.09.2008

This is clearly supposed to be the date of September (9) 25, 2008. However, this date lists the day of the month before the month. This is not the traditional American style of writing dates. In America this date would likely be written as 9/25/2008. Note how the month is listed first. This implies that this was written by someone who is used to a non-American date style. Since I live in America, that makes this email suspect.

From IP Address: 209.16.113.5

If you do a reverse DNS lookup on this IP address, it returns '09-16-113-5.net.bhntampa.com'. This name appears to be Bright House Networks out of Tampa Florida. This does not appear to be anyone who has any reason to be emailing about my 'illegal online activities'. This makes me suspicious. I looked at what services Bright House Networks provides and these include 'Digital Cable' and 'Digital Phone'. This leads me to believe that this is a cable modem provider in Tampa, Florida. It looks like we have another zombie computer running in some cable modem customer's home.

Note that I got a second one of these emails from IP address 208.119.131.129. This IP address resolves to an IP owned by the Indiana State Library. This appears to be another zombie computer running in a public library in Indiana. Anyone else noticing a pattern here? These malware emails are sent by zombie computers that have already been taken over by other malware programs. These programs are designed to spread themselves in ways that are difficult to stop.

Binary Attachments

Once again, we have a binary attachment. If you extact the contents of that 'Legislation.zip' file, you find the file 'Legislation-25.doc.exe'. An EXE is an executable. It's a program that runs on your computer and does something. This is clearly not some legislation. If it was, it would be a text file (TXT, DOC, RTF, PDF, etc). And what does this EXE program do? It installs the malware on your computer! This is the 'payload' of the attack. Also, notice how the attached file has two extensions: '.doc.exe'. This is another big red flag. Windows is normally set to hide the file extension of any file displayed in Windows Explorer. This means that it would hide the '.exe' part of the filename, giving you 'Legislation-25.doc'. This makes it look like it IS a text file. This double filename extension trick is very common among spam and malware. I haven't scanned this file, but I suspect it's some form of virus/malware.

Strange statements

'Remember me to your wife'. Um, what? This doesn't mean anything. it's not even proper English. This is another red flag that this is coming from someone who doesn't have a good grasp of the English language. Note that I've gotten several of these emails from different people and this line line is different on them. The other email I got like this had the final line of 'See you around', which is a bit more believable.

So there you have it. Another malware disassembled. Always be suspicious of emails like this.

Ok, time to discuss another malware email that I received today. I wanted to describe this so that I can help others learn to identify scam/malware emails. The body of the email is as follows:

 

Return-Path: <monitoring@isp.com>
X-Original-TO: rick@ekle.us
Received: from isp.com (unknown [192.206.246.200])
for <rick@ekle.us>; Tue, 23 Sep 2008 05:12:49 -0700 (PDT)
From: monitoring@isp.com
To: rick@ekle.us
Subject: Your internet access is going to get suspended
Date: Tue, 23 Sep 2008 07:12:49 -0500

Dear Sir!

The Internet Service Provider Sonsorcium was made to protect the rights of software
authors, artists.  We conduct regular wiretapping on our networks, to monitor
criminal acts.

We are aware of your illegal activities on the internet which were originating from

You can check the report of your activities in the last 6 months that we have
attached.  We strongly advise you to stop your activities regarding the illegal
downloading of copyrighted material or your internet access will be suspended.
Sincerely
ISC monitoring team

Attachment: user-EA3911X-activities.zip

Ok, so how do I know this is a scam? Let's describe each in detail.

From Email Address: monitoring@isp.com

First of all, this email address is very generic. 'isp.com' is not the domain name of my ISP. Had this been the domain name of my ISP, I might be inclined to believe it is real. Because this is a very generic name it is clearly fake. However, to the uneducated, they may think that it is their ISP sending this instead of a generic 'ISP'. Plus, the from email address of an email is easily faked. These should never be trusted.

From IP Address: 192.206.246.200

The IP address that sent an email cannot be faked. Had this email truly been from my IP address, it would have been within an IP range owned by my ISP. I just looked up the geographic location of this IP and it returned that it is from the 'CARROLLTON-FARMERS BRANCH INDEPENDENT SCHOOL DIST'. In other words, it's a school in Texas somewhere. I live in Florida. My ISP is not a school in Texas! This email likely came from a 'zombie' computer in a gradeschool district in Texas somewhere.

'Consorcium'

Misspellings are often a sign of scam emails. The misspelled word 'Consorcium' in the email is a blatant sign that this email is fake. The correct spelling is 'consortium', by the way, as any spell-checker will tell you.

Scare Tactics

This message is clearly meant to try to scare you. It accuses you of engaging in illegal activity on the Internet. It basically threatens you to open the attached file or you will lose your Internet access. Suddenly you are afraid of not only losing your Internet access but of going to jail! A true email on this subject would likely be much more polite.

Zip file attachments

Any time I see an attachment that is a ZIP or an EXE I instantly get very suspicious. This attachment is usually the malware program. You unzip the attachment, run the EXE inside and your computer is infected. I downloaded this attachment (very carefully) and viewed the contents. It contains a file named 'user-EA3911X-activities.exe'. Clearly this is not a record of your 'violations'. If it were it would likely be in a text file or a Word document or something similar. An EXE means this is a program. Were you to run this program it would likely infect your computer. However, when I attempted to extract this program so i can scan it with my virus checker to see what kind of virus/malware it is, my unzip program reported that the zip file was corrupt! These stupid malware people can't even send a valid zip file!

So there you have it. My quick and dirty analysis of this scam email. I hope this saves you from having to fall victim to this