GI Benefits Fraud

This is another form of email fraud that really burns us.

We don’t really mind the fraud campaigns that seek to ensnare the greedy. If you’re dumb/greedy enough to believe that you won the lottery because of your email address, amoral enough to want to help smuggle someone else’s ill-gotten gains for them, or have done something that makes you believe someone would want to assassinate you, then maybe you deserve to be fleeced.

Fraud that targets people who are looking for help is another matter, and pretending to offer GI Benefits is particularly scummy.

For example:

Subject:   GI benefits update
From:      “M i l i t a r y B e n e f i t s” <> Click Here

You may have unclaimed G.I. Bill Benefits!

Find Military friendly schools and see if you’re eligible for up to $1,321 per month for school.
Eligibility: US residents who have served or are serving in the military: visit here if it applies to you

Visit here and learn more on the GI Bill Benefits Guide:

* Up to $1,321 per month for school

* Find Schools with Campus Life or Online Schooling

* Get Information on High Paying Careers like Criminal Justice, IT and Legal studies

This message claims to be a “GI benefits update” but we find it very doubtful that any legitimate government organization would leave the subject of the message half un-capitalized. If the government did email you about GI benefits, which is pretty unlikely in the first place (they’d use the USPS), we’d expect better grammar.

The “From:” address is also extremely shaky:

“M i l i t a r y B e n e f i t s” <>

What’s with the spaces between every character in the human readable part of the name? This kind of thing generally occurs in one of two places:

  1. Graphic designers use wide spaced type to make the text stand out.
  2. Spammers use spaces between characters to avoid word filters.

Let’s see . . . should we believe that the government cared about graphic design on a benefits notification? Probably not.  This is especially obvious when you look at the address the message appears to be from: They didn’t even bother to spoof a .gov address.

The rest of the message is all about getting you to click on this link:

This particular domain has now been removed.  However, because the email campaign uses many similar variations, there are still a few things worth noting about the structure of the link:

  1. A sub-domain like “mx4” generally indicates the presence of a mail server. This was probably a hacked domain that was temporarily running a hijacked web server.
  2. The link contains a long random string of characters. This is probably unique to each instance of the message and allows the spammer to track any clicks back to the address that received the message.
  3. Given the emphasis on the link, this was probably not a financial fraud and was far more likely to be an attempt to add computers to a spammer’s botnet. (This is impossible to tell for sure since the domain is gone; there may have been a page at the link that was used to collect info for fraud, or it could have been both.)
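The header and link observations above can be written as filter heuristics. The following is an added example, not code from this post or from any OnlyMyEmail product; the keyword list, thresholds, function names, and the sample address and link (on the placeholder domain example.com) are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

KEYWORDS = ("military", "benefits")              # assumed word-filter terms
MAIL_LABEL = re.compile(r"^(mx|mail|smtp)\d*$")  # host labels that usually name mail servers
TOKEN = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9_-]{24,}$")  # long opaque ID

# Constructed samples: the page's real address and link are not shown.
SAMPLE_FROM = '"M i l i t a r y B e n e f i t s" <sender@mx4.example.com>'
SAMPLE_LINK = "http://mx4.example.com/c/Zx9Qk2LmP0aRt7Vw3Yb8Nc5Hd1Je6Gf4"


def collapse_spacing(name):
    """Join runs of 3+ single characters so 'B e n e f i t s' becomes 'Benefits'."""
    out, run = [], []
    for tok in name.split() + [""]:  # empty sentinel flushes the final run
        if len(tok) == 1 and tok.isalnum():
            run.append(tok)
            continue
        if run:
            out.append("".join(run) if len(run) >= 3 else " ".join(run))
            run = []
        if tok:
            out.append(tok)
    return " ".join(out)


def score_from(header):
    """Return reasons the From: header looks like the one in the post."""
    name, addr = parseaddr(header)
    collapsed = collapse_spacing(name)
    hit = any(k in collapsed.lower() for k in KEYWORDS)
    reasons = []
    if hit and collapsed != " ".join(name.split()):
        reasons.append("letter-spaced keyword in display name")
    if hit and not addr.rpartition("@")[2].lower().endswith(".gov"):
        reasons.append("benefits sender outside .gov")
    return reasons


def score_link(url):
    """Return reasons the link matches the structure described in the post."""
    parts = urlsplit(url)
    reasons = []
    if MAIL_LABEL.match((parts.hostname or "").split(".")[0]):
        reasons.append("web link on mail-server hostname")
    values = [s for s in parts.path.split("/") if s] + parts.query.split("&")
    if any(TOKEN.match(v.split("=")[-1]) for v in values):
        reasons.append("long opaque tracking token")
    return reasons
```

Each function returns a list of reasons rather than a verdict, so a filter can weigh them alongside its other signals.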

Whether this was financial fraud or botnet bait, we still consider it extremely bad form to take advantage of active and former military personnel. There are plenty of other ways to abuse email.

- -

OnlyMyEmail is an award-winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record-setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
