Jim Plumb

wot i been readin   

6 January 2009

An Email from the Federal Reserve Bank (not)

Filed under: Books — admin @ 11:30 am

Received an obviously bogus email purporting to be from the Federal Reserve Bank with the subject line “Attention - Read Carefully!” If you receive this email, DO NOT CLICK on any of the links in this email unless you know what you’re doing! If you click and don’t have scripting turned off in your browser you will be subject to a drive-by install of the Hijack.Tray trojan and things could get messy.

Subject: Attention - Read Carefully!

MIME-Version: 1.0
Content-Type: text/plain;
charset=windows-1250
Content-Transfer-Encoding: 7bit

FEDERAL RESERVE BANK

Important:
You’re getting this letter in connection with new directives issued by U.S. Treasury Department. The directives concern U.S. Federal Wire online payments.

On On January 1, 2009 a large-scaled phishing attack started and has been still lasting. A great number of banks and credit unions is affected by this attack and quantity of illegal wire transfers has reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC) in common worked out a complex of immediate actions for the highest possible reduction of fraudulent operations. We regret to inform you that definite restrictions will be applied to all Federal Wire transfers from January 6 till January 16.

Here you can get more detailed information regarding the affected banks and U.S. Treasury Department restrictions:

http://fedwire.usafedsecurities.net/issue_256486/
http://e-securenetworks.com/banking/391175845/

Federal Reserve Bank System Administration

29 October 2008

Another Fake Email that is NOT from eNom.com

Filed under: Computer security — admin @ 6:55 am

 Although I’m not an eNom.com customer I assume that this email and a couple others that I’ve received look like emails that eNom might send out to its customers. Below is another fake email that is designed to have people divulge their account information at a fake website with the purpose of stealing domain names. This is another in a series of phishing emails like those fake ones from eBay, Paypal, Amazon, UPS, Google, CitiBank, Wachovia, etc.

One way to tell if it’s real or not is to hover your mouse over the link in the email. The link in the email, such as the one below, looks real but hover the mouse over it and you get a different story. Here’s where the deception takes place. If you look at the status bar, you’ll see by looking at the complete URL it goes somewhere else. You need to look at all the words in the link. In this instance the real link is http://www.enom.com.com62.biz/. You can see it does have the enom.com in it, but it really goes to someplace called com62.biz. If you use the Firefox browser, you get a warning that the website is fake; using Internet Explorer there’s no such warning. The page is the spitting image of the real enom.com. All the links point to enom.com, but I’m sure the login portion of the page is where they perform their evil, trying to capture your login information. Once they have that, they’ll go to the real enom.com, log in with your ID and password, and make off with your domain names.

++++++++

Subject:  Attention: Inaccurate whois information

Dear user,

On Wed, 29 Oct 2008 13:00:10 +0200 we received a third party complaint of invalid domain contact information in the Whois database for this domain Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

The contact information for the domain which displayed in the Whois database was indeed invalid. On Wed, 29 Oct 2008 13:00:10 +0200 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.

PLEASE VERIFY YOUR CONTACT INFORMATION - http://www.enom.com

If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:

Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260

LINK TO CHANGE INFORMATION - http://www.enom.com

Thank you,
Domain Services

[IncidentID:28820]

27 October 2008

Phishing for Domain Names

Filed under: Computer security — admin @ 2:42 pm

eNom is like GoDaddy, a place you can buy domain names. It appears, though, that somebody is phishing for domain names, because I received this very polite bogus email today with information about an upcoming “Maintenance” warning and a link to access my account. Only, I don’t have an account there and furthermore the link resolves to, guess where? Not to enom.com but to a fake enom.com where, if you log in, they’ll capture your login details and then I assume they’ll go to the real enom and transfer your domains to their account.

A little further research into this, the links where the email redirected are not even real web sites, so don’t know what the purpose of these emails is. One I received came via Peru and another from Italy, probably part of a bot network.

++++++++

Subject: Maintenance at eNom - warning

Dear eNom Customer,

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable:

* Main site
* All web hosting services
* Email services
* Communication with the registry affecting new registrations, renewals, and transfers

For access your account follow this link - http://www.enom.com (real URL removed)

The following services will not be affected and will continue to be fully operational:

* DNS will resolve normally - although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period
* Email forwarding and site redirection will operate normally

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience.

Sincerely,
eNom Tech Support

25 October 2008

Stupid Marketing Email of the Day

Filed under: Computer — admin @ 9:53 am

Amazon sent me this ridiculous email asking me to “accessorize” the inkjet cartridge I bought from them recently. Obviously sent out by a mail merge program of some sort with no logic to it. This is why you’ll never see so-called “artificial intelligence” on a computer ever approach human intelligence: computers cannot spot logical outpoints such as accessorizing an inkjet cartridge. See below. I’ve removed most of the links.

Subject: Accessorize Your Amazon.com HP No. 78 XL Tri-Color Inkjet Print Cartridge (C6578AN) Purchase


Amazon.com Gift Cards
Your Amazon.com Today’s Deals Shop All Departments
We hope you’ve been enjoying your recent purchase, and thought you might like to see a few accessories that will help you make the most of it.
Recommended add-ons for your HP No. 78 XL Tri-Color Inkjet Print Cartridge (C6578AN)

* HP No. 78 Tri-Color Inkjet Print Cartridge (C6578DN) - Availability: In Stock. $29.23
* Canon Glossy 4 x 6 Inch Photo Paper Plus 50 Sheets (7980A012) - Availability: In Stock. $7.44
* Cables To Go - 13400 - 3M (9.8ft) USB 2.0 A/B Cable (White) - Availability: In Stock. $5.77
See all accessories
We hope you found this message to be useful. However, if you’d rather not receive future e-mails of this sort from Amazon.com, please opt-out here. Please note that product prices and availability are limited time offers and are subject to change. Prices and availability were accurate at the time this newsletter was sent; however, they may differ from those you see when you visit Amazon.com. (c) 2008 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com and the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 1200 12th Ave. S., Suite 1200, Seattle, WA 98144-2734.

Reference 10624260

21 October 2008

Bogus Job Offer of the Day

Filed under: Computer security — admin @ 6:46 am

My good friend Alison Wood sent me this very enticing job offer today. I’ve received plenty of others like it as well, all with Russian email addresses to reply to. I can’t imagine there’s anything to be gained and much to lose by replying. Don’t reply to these emails! It’s more than likely part of some criminal enterprise and you’ll just end up as one of their tools.

Subject: New Vacancy Proposal!

The  expanding commercial company  looks for new  members

If you  possess 5 free hours  each week, a  small experience in  PC and free phone to which we can  contact you, you have chance to  start cooperation with us and  get more than 2000 US dollars

If you are interested in our  vacancy, contact us by e-mail: lovesunfk@list.ru and we will send you  further information.

Best regards

IDC Business Group

18 October 2008

Bogus Email Pretending to be from Fidelity Investments

Filed under: Computer security — admin @ 8:38 am

Here’s a nasty email, pretending to be from Fidelity Investments. This came to me via some computer in Turkey. The link below almost looked like a real link but it’s really a phishing email with a link to somewhere in China where they’re looking to steal your Fidelity account login and password. The way to tell if it’s fake is to hover your mouse over the link and see the real link in the status window. There are other REAL links in this email which might fool someone into clicking the fake link.

Subject:  Important- Fidelity

Dear Fidelity valued member,

In our terms and condition you have agreed to state that your account must always be under your control or those you designate at all times. We had noticed some activity related to your account.

It has come to our attention that your Fidelity account information needs to be updated.
If you could please take 5-10 minutes out of your online experience and update your
records you will not run into any future problems with the online service.
However, failure to update your records will result in account suspension.

Once you have updated your account records your Fidelity will not be
interrupted and will continue as normal.
Please follow the link below and update your account information.

http://login.fidelity.com.xxxxxxxxxx.cn/real-link-deleted-for safety

 

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your Fidelity account and choose the Help link located in the top right corner of any Fidelity page.
If you have any questions, dont hesitate to contact us at 1-800-FIDELITY.

Sincerely,

Steven P. Akin
President
Fidelity Personal Investments
This e-mail may be considered advertising under federal law. If you do not want to receive similar commercial electronic mail messages in the future from Fidelity Personal Investments, you may change your e-mail preferences at any time.
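
The hover check described in the eNom and Fidelity posts, automated as an added example (not code from this blog): it compares each link's visible text with its real target and reports which domain actually owns the hostname. The sample HTML is constructed from the hostnames quoted in the posts, the function names are hypothetical, and the "last two labels" rule is a simplifying assumption where a production tool would consult the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: anchors modelled on the lures quoted in the posts.
SAMPLE_HTML = """
<p>PLEASE VERIFY YOUR CONTACT INFORMATION -
<a href="http://www.enom.com.com62.biz/">http://www.enom.com</a></p>
<p><a href="http://login.fidelity.com.xxxxxxxxxx.cn/">Update your account</a></p>
<p><a href="http://www.enom.com/help">http://www.enom.com/help</a></p>
"""

def site(host):
    """Naive registrable domain: the last two labels (assumption, no PSL)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(text):
    """Hostname if the visible link text itself looks like a URL, else None."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "http://" + text).hostname

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def audit(html, brands=("enom.com", "fidelity.com")):
    """Return (real host, registrable domain, reasons) for each link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        shown, reasons = host_of(text), []
        if shown and site(shown) != site(real):
            reasons.append(f"text shows {site(shown)}, link goes to {site(real)}")
        for brand in brands:
            if f".{brand}." in f".{real}" and site(real) != brand:
                reasons.append(f"{brand} is only a subdomain label of {site(real)}")
        findings.append((real, site(real), reasons))
    return findings
```

Calling `audit(SAMPLE_HTML)` flags the first two links and leaves the genuine enom.com link with an empty reasons list.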

11 October 2008

Bogus Email of the Month

Filed under: Computer security — admin @ 9:05 am

Allegedly from Microsoft, this email purports to be a “private” update to protect against security threats. The attached file KB089510.exe is made to look like a real Microsoft Knowledge Base file, but is really the trojan Backdoor.Haxdoor.

From Symantec: Backdoor.Haxdoor is a Trojan horse that opens a back door on the compromised computer and allows a remote attacker to have unauthorized access. It also logs keystrokes, steals passwords, and drops a rootkit that also runs in Safe mode, making this threat difficult to remove.

What’s more, this bozo even included a PGP signature to try and raise the authenticity level.  And guess what, googling KB089510.exe finds absolutely nothing. And surprise, surprise, the sending IP of 91.195.136.11 is in Russia!

Subject: Security Update for OS Microsoft Windows

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

10 October 2008

Trojan of the Day

Filed under: Computer security — admin @ 12:36 pm

Today’s bogus email brought to you by Kendall Hankins. His attached “document” was processed by my anti-virus software:


******************   McAfee VirusScan************************
******* Alert generated at: Friday, October 10, 2008 1:17:18 PM *********
*********************************************************************

McAfee VirusScan has detected a potential threat in this e-mail
sent by “Kendall Hankins” <bkjvy@bodard.com>.

The following actions were attempted on each suspect part:

The attachment “Document.zip” is infected with one or more Trojans: Generic Malware.a!zip.
This attachment has been deleted.

We strongly recommend that you report this suspect activity.
to “Kendall Hankins” <bkjvy@bodard.com>.

Subject: High Quality Translation

Hello there

I need this document translated, and the translation is to be of high quality.
The attorney asked me to be especially careful with page 2. As I need to
submit the document tomorrow, please have it checked and translated for me today.

I have deposited $150 to your credit card account that you gave me the last time.
Let me know if any questions occur.

P.S. The document is in the ZIP-compressed MS Word file attached to this message.
I look forward to getting the result ASAP.

Take care of yourself
Kendall Hankins

9 October 2008

Today’s Bogus Email

Filed under: Computer security — admin @ 10:23 am

This is another trojan. Ho-hum. What gets me is the sign off “Give my regards to your sister”.  Darwin, have you been fooling around with my seester?

Subject: Security Department

Good morning
Dear Valued Customer,

We have reasons to believe that your credit card
has been involved in a number of fraudulent transactions
we have spotted recently. Enclosed is the account
statement with the list of transactions made with your
credit card between 01.09.2008 and 03.09.2008. Please look
carefully through the enclosed document; the last three of
the listed transactions are the ones that we suspect to be
fraudulent.

I would appreciate if you could find time to
clarify this issue and confirm the transactions that you
have made personally. This would help us both to have this
issue resolved as quickly as possible.

Please find the Word-formatted copy of your account statement is
enclosed in the archive attached to this message.

Give my regards to your sister
Darwin Enriquez
Manager of Credit Card Fraud Defense

7 October 2008

Bogus Email of the Day

Filed under: Computer security — admin @ 10:17 am

Here is today’s bogus email with an “account statement” attached (really a trojan). Here’s what my antivirus program says about it:

******************   McAfee VirusScan************************
******* Alert generated at: Tuesday, October 07, 2008 10:46:25 AM *********
*********************************************************************

McAfee VirusScan has detected a potential threat in this e-mail
sent by “Kathryn Sandoval” <agy@brapp.com>.
The following actions were attempted on each suspect part:
The attachment “Statement.zip” is infected with one or more Trojans: Generic Malware.a!zip.
This attachment has been quarantined.
We strongly recommend that you report this suspect activity
to “Kathryn Sandoval” <agy@brapp.com>.

Subject: Security Department

I haven’t seen you for weeks
Dear Credit Card Holder:

Please be aware that a credit card fraud involving your credit card
has been registered by our security department. For your information,
we are sending you the account statement that includes all transactions
made with your credit card from 01.09.2008 through 03.09.2008.
Please take a note of the last three transactions on the list,
which have been recognized as fraudulent.

We highly recommend you to inform us of the transactions you have
made personally. Thus, you will help us and yourself to resolve this issue
as soon as possible.

An MS Word document containing your account statement in is enclosed
in the archive attached to this message.

See you around
Kathryn Sandoval
Manager of Credit Card Fraud Defense
