Rick's World

Life, the Universe and Everything

Category: "Malware"

Spam Scam #9: Your Online Flight Ticket N 45109

Posted by on Oct 16, 2008 in Malware

Time for yet another spam scam email analysis. This time, the scam is an emailed plane ticket. Here's the email I got:

Return-Path: <bykvjypw@brainstem.com>
Received: from 37-8.2-85.cust.bluewin.ch (37-8.2-85.cust.bluewin.ch [85.2.8.37])
	for <rick@ekle.us>; Mon, 13 Oct 2008 23:23:39 -0700 (PDT)
Received: from [85.2.8.37] by brainstem.com.inbound10.mxlogic.net; Tue, 14 Oct 2008 07:23:39 +0100
From: Southwest Airlines <bykvjypw@brainstem.com>
To: <rick@ekle.us>
Subject: Your Online Flight Ticket  N 45109
Date: Tue, 14 Oct 2008 07:23:39 +0100
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
Importance: Normal


Good day,
Thank you for using our new service "Buy flight ticket Online" on our website.
Your account has been created:

Your login: rick@ekle.us
Your password: PASS0PAW

Your credit card has been charged for $986.14.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Southwest Airlines

Attachment: E-ticket.zip

Let's take a look at the mail headers. Here are a few things to notice:

From: Southwest Airlines <bykvjypw@brainstem.com>

Hmm. So apparently I'm getting an email from Southwest Airlines. If that is true, why is someone from brainstem.com sending it to me? Clearly, 'brainstem.com' is not Southwest Airlines. It's some Microsoft certified company in Maryland. Clearly this email address is fake. I would suspect the spammers did a couple of things here.

  1. Picked the name of an American airline company, likely at random. This time they choose Southwest Airlines, but I suspect other emails are sent with other airline names (Delta, American Airlines, JetBlue, etc.)
  2. Chose a domain name at random... In this case it was brainstem.com
  3. Created an email address at random... In this case it was 'bykvjypw'.

From Addresses are easily forged and should never be trusted. I've had spam emails sent with my email address as the From email, and I certainly did not send it, nor did I approve it. Unfortunately, there's nothing you can do to stop this. You just have to accept that people will do this. Of course, if this email was from Southwest Airlines, the email address would have been 'something@southwest.com'. Southwest.com is the domain of Southwest Airlines. This is one sign that it is not valid.

Received: from 37-8.2-85.cust.bluewin.ch (37-8.2-85.cust.bluewin.ch [85.2.8.37])

This header tells us the domain name and IP address of who sent the email. By looking at the name and IP we discover that this was sent by 'bluewin.ch', which appears to be an ISP of some kind in Switzerland! So, I'm getting emails from Southwest Airlines by way of Switzerland? I don't think so. Looks like another zombie computer.

Your credit card has been charged for $986.14.

Scare tactics. They expect you to react to this as "Oh my God, someone charted nine hundred bucks on my credit card! I'd better check this out." You then open that evil file attachment and you are infected. This is a scam. Your credit card was not charged. They don't have your credit card.

print it on a color printed

Um, what the heck is a 'printed'? I assume they meant 'printer' here. This is yet another example of the bad grammar and/or typos that frequently appear in these scam emails.

File Attachment: E-ticket.zip

Look. It's another zip file attachment. This is a huge warning sign. Let's take a (careful) look at the contents of this zip file... Unzipping this zip file, I find a single file 'e-ticket.doc.exe' inside. This is yet another example of the double file extension trick. Due to the way Windows works, it will normally hide that '.exe' part of the filename. This makes the filename look like 'e-ticket.doc'. This makes you think it is that airline ticket they said it was. Of course it's not. It's actually a program that will infect your computer if you run it.

Conclusion

A good attempt. They got the grammar mostly right. I only found one blatant typo. This would likely trick most people. For a brief moment I thought it was real. Of course, once I studied it some more I realized it wasn't. It also helps to use a little common sense here. Did I recently spend $900 on a plane ticket? No. Clearly this is not valid. Could it be identify theft? Yes, but even if it was, you can log onto your credit card company's web site and validate if this $900 charge was made. And even if it WAS made, you just dispute the charges with the credit card company and you are not out a penny. None of your money is at risk.

Always remember that a little common sense and a healthy dose of skepticism will often save you from falling for these scams.

Spam Scam #8: Fraud Transactions

Posted by on Oct 08, 2008 in Malware

The scare tactics in this email attack your pocketbook. It appears to be an email from my credit card company indicating that someone used my credit card fraudulently. Here's the body of the email:

Received: from [67.158.232.43] (unknown [67.158.232.43])
	for <rick@ekle.us>; Tue,  7 Oct 2008 14:54:16 -0700 (PDT)
Received: from [67.158.232.43] by mxmta.bellnet.ca; Tue, 7 Oct 2008 13:54:16 -0800
From: "Kelsey Fuller" <telesonicstetherese@qc.aira.com>
To: <rick@ekle.us>
Subject: Fraud Transactions
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869

Greating
Dear Valued Customer,

We have reasons to believe that your credit card 
has been involved in a number of fraudulent transactions 
we have spotted recently. Enclosed is the account 
statement with the list of transactions made with your 
credit card between 01.09.2008 and 03.09.2008. Please look 
carefully through the enclosed document; the last three of 
the listed transactions are the ones that we suspect to be 
fraudulent. 

I would appreciate if you could find time to 
clarify this issue and confirm the transactions that you 
have made personally. This would help us both to have this 
issue resolved as quickly as possible.

Please find the Word-formatted copy of your account statement is 
enclosed in the archive attached to this message.

Best regards
Kelsey Fuller
Manager of Credit Card Fraud Defense

Attachment: Statement.zip

IP Address: 67.158.232.43

If you do a reverse DNS lookup on this IP you get an IP owned by Pocketinet Communications, Inc, out of Walla Walla, Washington. This company appears to be yet another DSL provider. This likely means that this email was sent by a home user, or maybe a computer in a business that has been 'owned' by a previous malware and is now, yet another zombie computer. This email is supposed to be coming from my credit card company... Um, my credit card company is not a DSL provider in Walla Walla, Washington. If it were from my credit card company, it would be from an IP owned by my credit card company. That fact that it is from a DSL provider means that this is coming from a small company, if not an individual. This is clearly not my credit card company.

'01.09.2008 and 03.09.2008'

This is clearly the dates September 1, 2008 and September 3, 2008. These dates are once again formatted in a non-American style of date. This indicates that it is not coming from someone in the United States.

'Greating '

As is often the case, bad English grammar shows up as another indication of this coming from outside the United States. This should really be 'Greetings' to be correct. The English grammar is actually pretty good on this one, though. It is much better than most.

Binary Attachements

Once again we have a binary attachment - a ZIP file. If you unzip this file, you find something interesting:

Statement_01.doc                             .exe

What we see here is a file with one hundred spaces between the '.doc' and the '.exe' extension. (I shortened the number of spaces above for formatting purposes.) This is really another one of those double file extension binary attachments. This email is again taking advantage of the Windows setting to hide the '.exe' file extension. If you have this extension hidden, as Windows normally does, it looks like 'Statement_01.doc'. This makes it look like it is the Word document it claims to be. But this email goes one step farther and adds those 100 spaces between the '.doc' and the '.exe' extensions. Why do they do this? It is done so that if you are not hiding the file extensions, then the spaces cause the real '.exe' file extension to be moved so far to the right, that you likely won't even see it, if you viewed this file in Windows Explorer. Very clever. So once again we have an EXE that likely contains the program that installs the malware on your computer.

No credit card company name mentioned

The final red flag in this email is the fact that it says it's from your credit card company, but it never says which one! If this email were real it would say something more specific like 'Chase Financial Fraud Services' or something like that. The fact that it is an 'anonymous' email, means it's not from your credit card company. The email is intentionally made to be more generic so that it will be noticed and read by many people, no matter who their credit card company is.

Another day, another scam.

Spam Scam #7: New Law

Posted by on Oct 07, 2008 in Malware

Time for some more malware that uses scare tactics. Here's something I got in my email recently...

 

Return-Path: yjm@bossa-hashi.com
X-Original-To: rick@ekle.us
Received: from 209-16-113-5.net.bhntampa.com (209-16-113-5.net.bhntampa.com [209.16.113.5])
for rick@ekle.us; Fri, 3 Oct 2008 14:33:31 -0700 (PDT)
From: "Jeffrey Mclean" yjm@bossa-hashi.com
To: rick@ekle.us
Subject: New Law

I haven't seen you for weeks

New clauses have been added to the legislation regulating your online activities; some of the
operations are now considered illegal. The new law has come into force as of 25.09.2008; the
penalties have been toughened.

Please read the new document and be more accurate further on.

Remember me to your wife

Attachment: Legislation.zip


Let's look at why this is a scam.

25.09.2008

This is clearly supposed to be the date of September (9) 25, 2008. However, this date lists the day of the month before the month. This is not the traditional American style of writing dates. In America this date would likely be written as 9/25/2008. Note how the month is listed first. This implies that this was written by someone who is used to a non-American date style. Since I live in America, that makes this email suspect.

From IP Address: 209.16.113.5

If you do a reverse DNS lookup on this IP address, it returns '09-16-113-5.net.bhntampa.com'. This name appears to be Bright House Networks out of Tampa Florida. This does not appear to be anyone who has any reason to be emailing about my 'illegal online activities'. This makes me suspicious. I looked at what services Bright House Networks provides and these include 'Digital Cable' and 'Digital Phone'. This leads me to believe that this is a cable modem provider in Tampa, Florida. It looks like we have another zombie computer running in some cable modem customer's home.

Note that I got a second one of these emails from IP address 208.119.131.129. This IP address resolves to an IP owned by the Indiana State Library. This appears to be another zombie computer running in a public library in Indiana. Anyone else noticing a pattern here? These malware emails are sent by zombie computers that have already been taken over by other malware programs. These programs are designed to spread themselves in ways that are difficult to stop.

Binary Attachments

Once again, we have a binary attachment. If you extact the contents of that 'Legislation.zip' file, you find the file 'Legislation-25.doc.exe'. An EXE is an executable. It's a program that runs on your computer and does something. This is clearly not some legislation. If it was, it would be a text file (TXT, DOC, RTF, PDF, etc). And what does this EXE program do? It installs the malware on your computer! This is the 'payload' of the attack. Also, notice how the attached file has two extensions: '.doc.exe'. This is another big red flag. Windows is normally set to hide the file extension of any file displayed in Windows Explorer. This means that it would hide the '.exe' part of the filename, giving you 'Legislation-25.doc'. This makes it look like it IS a text file. This double filename extension trick is very common among spam and malware. I haven't scanned this file, but I suspect it's some form of virus/malware.

Strange statements

'Remember me to your wife'. Um, what? This doesn't mean anything. it's not even proper English. This is another red flag that this is coming from someone who doesn't have a good grasp of the English language. Note that I've gotten several of these emails from different people and this line line is different on them. The other email I got like this had the final line of 'See you around', which is a bit more believable.

So there you have it. Another malware disassembled. Always be suspicious of emails like this.

This collection ©2023 by Richard Ekle • ContactHelp

Build your own site!