Thursday, March 15, 2007

Recognizing E-Mail Scams


Every now and then I come across an interesting email scam. You have to admire these guys for their creativity and understanding of human nature. This one looked almost good enough to fool me, but there were a couple of tell-tale signs that gave it away.

First and most importantly - Thunderbird flagged this as a Scam and when I clicked on the link it popped up a message that said "Thunderbird thinks this site is supicious! It may be trying to impersonate the web page you want to visit. Are you sure you want to visit bluemountain.kokocards.com?"

A little information here - domains work from right to left. bluemountain.kokocards.com is controlled by kokocards.com - not bluemountain.com! If it had been kokocards.bluemountain.com, then I would have felt a better about the information presented.

Second, there was no indication who this card was from. I've received enough cards from Blue Mountain to know that they indicate who is the sender. Normally, I don't like receiving these type greetings - and often don't even open them. If you aren't my wife or kids or someone very special, chances are I'm not going to bother opening the card unless I think there is something special you want to say to ME. To me, the ability to automatically have cards sent to a list of people is too impersonal. If you want to wish me a happy birthday, send me an email message, IM or phone call - or facebook, or any other number of ways. I like knowing that you are thinking of me on my birthday - not some day two years ago when you added my information to the BlueMountain Calendar. But, I digressed...

After having my suspicions raised, I looked at the status bar when I positioned my pointer over the link and noticed that it pointed to a site different than that shown in the message. This ALWAYS throws up big red flags for me.

When I clicked on the link I got a window indicating that I have chosen to open "postcard.jpg.exe" from http://210.192.102.115. If I wasn't sceptical yet, now the warning alarms, bells and whistles are screaming "CANCEL NOW! GET OUT OF HERE!"

There are several red flags in this window.

The filename - postcard.jpg.exe - is an old way of fooling people to open an executable file because some applciations don't show the file name extension - they would just show "postcard.jpg" which many users would assume the extension is JPG and it is a photograph. Big red flag!

Next, the "from: http://201.192.102.115" tells me that this is not a registered server. HUGE red flag!

Finally, even if I knew who this was from - and wanted to get it, chances are very good that I'm not going to install any application in order to get it - even if I thought that Blue Mountain had started doing business this way - which they haven't.

Just stay alert because these scammers are getting smarter and smarter about how to trick you into installing programs like key loggers or worse or getting you to give them information they can use to take your money and identity.

3 comments:

Allison said...

Hi, I came across your blog about email scams and recognized that I have just fallen for the scam you were talking about...where it asks to download an exe. file. I did it several times but when I would click on the file, it would just open up a bunch of scrambled text.

Any chance you have any advice on what I should do now? Could this mean my computer now has a virus? You sounded knowledgeable about this scam, so I thought you might have some suggestions...thanks!

John Dorner said...

Allison,

I'm not a security expert, but I would bet that you are now infected.

My best recommendation would be to run a full system virus scan with your antivirus software. If you don't have an up-to-date antivirus program, GET ONE NOW!

Good luck!

John Dorner said...

Here's some more info about this spam message.

http://isc.sans.org/diary.html?storyid=3063&rss

Thanks to Deb Coates

Still don't have a definitive answer for what to do if you opened the executable file.