Email Fraud

ADP Payroll Invoice Spam/Virus

Monday, January 27th, 2014

There’s a very successful spam campaign out now spoofing legitimate ADP payroll invoice emails. They most commonly arrive as:

Subject:     Payroll Invoice
From:     “payroll@adp.com”

In reality, they come from previously infected personal computers spanning the globe.

An example of the above:

‘from 60-240-131-86.static.tpgi.com.au ([60.240.131.86])

(envelope-from <photojournalistvi@wetleather.com>)

It doesn’t take a trained email professional to realize that’s not ADP emailing.

more »

Google Docs Phishing Frauds

Saturday, March 23rd, 2013

It seems that almost every tool Google provides is readily adopted by spammers and scammers alike.  Not a day goes by that we don’t see spam and Phishing fraud and other identity theft emails from hacked Gmail and Google Groups accounts and often abusing systems such as Google Docs.

The ubiquity of these free services makes for the perfect no-cost social engineering platform for hackers to use for launching their attacks.

A current Phishing campaign uses stolen Gmail accounts to steal the credentials to other email accounts, allowing spammers to increase their spam volume day over day.

The most common email circulating now comes with a subject that references the sharing of a file though “Google Docs” and often has a subject line of simply:

Subject:     Important Document

Since the email comes from a previously hijacked account, the recipients will typically recognize the sender’s address which makes it more likely that they will be taken in by this fraud:

more »

Receipt for your PayPal payment to WHO?

Monday, March 4th, 2013

We fondly remember the days when PayPal Phishing frauds were easily spotted by their subject line alone. The urgent warnings about your compromised account made identity theft emails almost trivial to identify.

But, as with all things technology, the lame Phishing attempts too have evolved, and they’re snaring even users with moderate technology skills. The latest evolution of the PayPal identity theft fraud relies on the user’s reaction to what appears to be a standard account notice. The subject line is a receipt for payment, but to a seller with which you have not conducted a valid transaction, such as:

Subject:     Receipt for your PayPal payment to Soo Duk Lee

The email itself contains standard language like:

You sent a payment of $149.49 USD to Soo Duk Lee (commercializesa8@datkin.net)

Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.

and

It may take a few moments for this transaction to appear in your account.

Here’s a complete copy of such a fraud:

more »

The Better Business Bureau Trojan Horse

Thursday, February 21st, 2013

With the fake Better Business Bureau Trojan Horse campaign, we find yet another infectious email that is socially engineered so well, that users often release such messages from quarantine; even after spam filtering has clearly identified the emails as a Virus carrying Trojan Horse.

The emails typically arrive with spoofed headers such as:

Subject:     FW: Complaint Case 091921
From:     “Better Business Bureau” <Kerri_Rucker@newyork.bbb.org>

In order to appear legitimate and to try and evade simple spam filtering systems, the Complaint Case number will be randomized, and the spoofed sending email address will vary as well.

The content will include vague yet serious sounding allegations, such as:

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

A full copy of such the bogus email:

more »

REMAX “Hot Properties” Email Phishing Fraud

Sunday, November 18th, 2012

One of the most effective tactics in use by spammers today is the hijacking/theft of legitimate user’s email accounts for use in furthering spam campaigns.

There are actually four distinct reasons why it is so powerful for spammers to be able to send spam from a previously legitimate user’s email account:

  1. Once the account is stolen, the spammer’s software can read through the address book, inbox, sent mail and all other folders scraping the email addresses of people the legitimate user has corresponded with  in the past. These emails then make excellent targets for sending spam.
  2. Email from actual AOL, Gmail, Hotmail, Yahoo and other ubiquitous email services are much less likely to be blocked by spam filtering systems.
  3. Even when a spam filter correctly recognizes that an email is spam, end users often have added such senders to their Allow or White lists, thus forcing delivery from the now compromised account.
  4. Further, recipients commonly retrieve spam from their filtering system when they recognize the sending address, but don’t realize the sender’s account has been compromised.

When you add it all up, there really is no better method of getting your spam delivered, and then actually opened by the target recipient.

more »

Mailbox Closure Warning!!! – Google Docs Email Theft

Tuesday, May 29th, 2012

The latest abuse of Google Docs for email theft appears in your inbox as:

Subject:     Mailbox Closure Warning!!!

or

Subject:     WEBMAIL ADMIN.ntc

If that manages to grab your attention, the content of the message goes further:

Helpdesk requires you to upgrade webmail by Clicking

https://docs.google.com/spreadsheet/viewform?formkey=dGkzVVg4WGlMaWFpaGdYcG1wVlV4cVE6MQ

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your webmail account was accessed by a third party. Protecting the security of your webmail account is our primary concern, we have limited access to sensitive webmail account features. Failure to revalidate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.

more »

HSBC ACCOUNT VALIDATION REQUIRED – Fraud Emails

Sunday, May 13th, 2012

The latest bank Phishing Fraud emails to make the rounds via email are targeting HSBC Bank customers and clients.

The emails typically arrive shouting out warnings in all capital letters:

Subject:     ACCOUNT VALIDATION REQUIRED!

And greet you as their “Dear Esteemed HSBC customer,”

Strong wording explains that you need to take immediate action to protect your account. An example of such a message:

Your Account Validation did not work properly. We are experiencing difficulties in updating your account from our maintainance servers as some information are either out of date or missing from our systems.

To this end, we are contacting you to please validate your account information with us.

To begin log on to internet banking on https://www.hsbc.ae/1/2/InternetBanking/?SecureLogin with your internet Banking credentials and validate your account with us as soon as possible.

This Email is subject to mandatory action. Failure to comply will lead to suspension of account activities with HSBC. HSBC will bear no responsibility of any mishaps caused if no action is taken.

more »

Introducing Your US Department of Justice and FBI Victim Notification System

Thursday, January 19th, 2012

Here’s something we really don’t see every day….

We recently received an email claiming to be from the U.S Department of Justice Victim Notification System (VNS)

Subject:     US Department of Justice Victim Notification System
From:     Courtney Walker <fedemail@vns.usdoj.gov>
To:     Business Representative <address>

Our typical “common sense” check for email Phishing Fraud starts with the obvious:

  1. Overly serious/threatening Subject line…. check!
  2. Human sender doesn’t match email address…. check!
  3. Impersonal and generic salutation… check!

The email itself open with:

DO NOT REPLY TO THIS EMAIL.

U.S. Department of Justice
Federal Bureau of Investigation
FBI – New York
26 Federal Plaza, 23rd Floor
New York, NY 10278
Phone:  (212) 384-2564
Fax:  (212) 384-4104

more »

Rejected ACH payment – Virus/Fraud

Monday, August 15th, 2011

Look out for fraudulent emails spoofing “The Electronic Payments Association” that are arriving as:

From:     risk_manager@nacha.org
Subject:     Rejected ACH payment

In reality these messages are from previously infected personal computers from across the globe:

from [122.168.251.32] (helo=ABTS-mp-dynamic-032.251.168.122.airtelbroadband.in)

These messages include a fictional warning that includes content such as:

The ACH transaction (ID: 32604668345041), recently sent from your checking account (by you or any other person), was rejected by the other financial institution.

more »

Please Restore Your Account Access – Chase Fraud

Wednesday, August 10th, 2011

Spammers are nothing if not persistent, and even more so when it comes to the most sinister ones that are trying to steal your identity and your entire bank account.

They’re also smart enough to Phish in the biggest pools of potential victims, so the endless stream of cons targeting JP Morgan Chase customers makes perfect sense.

The latest comes with a subject:

Please Restore Your Account Access

more »