APCUG Reports
July-September 2011

We all get hundreds of spam messages seeking to sell us all sort of things we have absolutely no interest in, but we can just delete them. And if we are stupid enough to buy them, not only will we likely get trash, but we will get many hundred more spam messages. But buried in the hundreds of spam messages are some that are even worse, including scam messages and pfishing attempts seeking access to our financial records. Let us look at some of them to make sure we know how to detect them.

I got an email recently, supposedly from Western Union, which I have used in the past to send money to a friend.

But before I could read the email I had to click on one of these:

I know most of the stuff we buy is made in China, but I doubt Western Union has moved there, and if they have, I suspect they would be bright enough to send me an email from a computer installed with a Chineese character set. I am also bright enough not to click on a link in an email from a financial institution (if I plan on actually connecting), but for the purposes of this article I went ahead and clicked on the link, which supposedly was going to take me to www.westernunion.com, and instead briedly went to:

which immediatly redirected me to:

and showed me this

We can tell from the first of those that it actually came from a student at Lulin Observatory in Taiwan (lulin.ncu.edu.tw) who must have decided to try his hand at pfishing to try to get into my banking account. He was bright enough to redirect the browser to an IP address 211.75.112.26 which http://www.iplocation.net/index.php confirms is also in China, but he was not bright enough to do it in English. Sorry I don’t read Chinese so I can’t tell you much more about this pfishing attempt.

Everyone on the APCUG Board of Directors received:

I quickly warned everyone not to click on it. Notice the “708628777483.pdf.exe”. It is not a PDF as some might think. The last part of the address is what counts, and “EXE” means it is executable. It is probably a virus, although it could be a worm or a trojan horse. The distinction between them is not germain to this article; none of them are anything I want infecting my computer.

Well this one certainly looks suspicious. Either they did not put good graphics on their email, or the site they were pulling them from has been taken down, but if I clicked on “here” it would take me to http://87.56.58.182/card.exe. Remember an “exe” is an executable file, probably a virus, worm or trojan horse. http://www.ip2location.com/free.asp says 87.56.58.182 is in Denmark. Sorry I don’t want any Danish Malware.

d.konne@hotmail.fr wrote me:

DEAREST RESPECTFUL ONE,

I know my message will come to you as a surprise. Don’t worry I was totally convinced to right you in reference of 600 kilos of GOLD, i want you to help me receive this 600 kilos of GOLD and also help me investment in your country for the best of my future. I promise you that your % is sure for your assistance, I will wait to hear from you so that i will give you more details on how we can get this done successfully, Have a nice day.

yours sincerely,

David Konne.

Maybe it is just my suspicious nature, but I bet David really does not have that much gold, and is going to want me to put up some money to show I am sincere before I get anything (which I never will, except for the feeling I’ve been ripped off). Thanks but no thanks.

Twitter does not send an email to indicate that you have not read a message (thankfully), but it is good that I have Trend Micro installed on my computer, because http://abandon.go.ro/backplate.html does not appear to be a place I would want to go (darn those sneaky Romanians).

I did not remember ever getting a Master Card from the Bank of Montreal, but it looks like I must have lost it because the bank’s account has been suspended (not mine, BMO’s).

Interesting, they tell me “RBC NEVER asks customers to enter their Activation Code numbers via email or through a link in an email” and then they ask me to “Sign in” to resolve the problem with a link to webmail.lancaster.com.br. BR is the country code for Brazil. Do you think I am just being suspicious to wonder why the Royal Bank of Canada (where I do NOT have an account) has their website in Brazil?

I received the following

It certainly is possible I am waiting on a package to come via UPS, but this is not the way UPS sends tracking info. Notice the UPS_Document.zip. It looks innocent doesn’t it, after all it is not an exe file. But let us see what is inside it:

Oh no, it contains an exe file, which is probably a virus, although it could be a worm or a trojan horse.

And the above is not what a UPS tracking email looks like. Rather it looks like:

Which has a link where I can get full tracking info, but which tells me exactly when and where the package was deliverd (they left it at the front door of the people I shipped it to; fortunally they found it). Here is one that I received:

Since I am disabled, I have a note on my door asking FedEx and UPS to bring packages inside, and they honor that. Notice they said “MET CUSTOMER MAN”. They physically saw me, and knew I was a man.

I seldom get boxes from DSL, but I seriously suspect this is from the same virus people that sent the first one.