It’s not the Russians, six out of ten top email spammers come from USA


Recent research shows that six out of ten top spammers are located in USA, two in Ukraine, one in India and another in Canada.

Whenever ESET Ireland warns the public of some new spam or scam that’s hitting Irish mailboxes, we inevitably get asked where it is all coming from and who is behind it. We now have the latest statistics from Spamhaus, a Swiss-based organization whose mission is to track the Internet’s spam operations, and they shed some light on the spamming sources. Up to 80% of spam targeted at Internet users in North America and Europe is generated by a hard-core group of around 100 known professional spam gangs whose names, aliases and operations are documented in the Spamhaus database. The TOP 10 chart of listed spammers is based on those viewed as the highest threat: the worst of the career spammers, currently causing the most damage on the Internet. Spamhaus flags these gangs and individuals as a priority for law enforcement agencies.

The top ten spam gangs are:

  1. Mamba Hosting / Rob McGee / Craig Ames – United States
  2. Daniel Alvarez / Convex Marketing – United States
  3. Canadian Pharmacy – Ukraine
  4. Yair Shalev / Kobeni Solutions – United States
  5. Dante Jimenez / Aiming Invest – United States
  6. Jagger Babuin / BHSI – Canada
  7. Michael Lindsay / iMedia Networks – United States
  8. Century Infotech – India
  9. Yambo Financials – Ukraine
  10. Quick Cart Pro – United States

Their activities include using many falsified domains to send tens of millions of spams per day using botnet techniques, renting an endless number of servers to host their own spam webpages and the webpages of their spam-clients, billing for child, animal, and incest-porn, pirated software, and fake pharmaceuticals.

At ESET Ireland we often write about various spams and scams targeting Irish computer users, such as the recent fraudulent “Notice of Tax Return” purporting to come from Irish Tax and Customs and many others. Most of the time it is difficult to define where the spam is coming from, as the cybercriminals behind it use various techniques to hide their origin behind faked domain names.

All the spam the cybercriminals send is in various ways designed to make money for them and never for the benefit of the receiver, no matter what wonderful things it may promise. ESET Ireland therefore recommends computer users use spam filters and flag and delete any spam they may encounter, to help prevent its spreading.

by Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

Irish businesses targeted by an infected fake complaint email

ESET Ireland has detected another threat targeting Irish businesses. Emails are being received by .ie email addresses, with an infected attachment and an official looking complaint notification:

Subject:     FW : Complaint – 5458414
Date:     Mon, 17 Jun 2013 11:52:35 -0600
From:     Dun & BradStreet <alert@dnb.com>
New Complaint : 5458414

Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 28, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us. We look forward to your prompt attention to this matter.

To ensure delivery of Dun & Bradstreet Credibility Corp. emails to your inbox and to enable images to load in future mailings, please add alerts@dandb.com to your email address book or safe senders list.

© 2012 Dun & Bradstreet Credibility Corp.

Dun & Bradstreet Credibility Corp. 103 JFK Parkway, Short Hills, NJ 07078

The fake notice asks the receiver to open an attachment (Case_06172016DNB.zip), print the complaint and respond before June 28th, but the attachment contains an .exe file that is actually malware, detected by ESET as Win32/PSW.Fareit.a, a trojan that steals passwords and other sensitive information. The trojan attempts to send the gathered information to a remote machine.

Receivers of this and similar emails are advised to mark them as spam and not open any attachments in emails from unverified sources, no matter how official they look.
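A mail filter can apply the same reasoning automatically. The sketch below is an added example, not ESET's detection logic: it opens each zip attachment of a message and reports members whose final extension is executable. The extension list, the function names and the sample message (built inline with an inert text payload and `.example` addresses) are all assumptions made for the illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, deliberately short list of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def final_ext(name):
    """Last extension only, so 'Complaint.pdf.exe' is judged as '.exe'."""
    return os.path.splitext(name)[1].lower()


def risky_members(zip_bytes):
    """Names of archive members that would execute if the user opened them."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if final_ext(i.filename) in EXECUTABLE_EXTS]


def scan_message(raw):
    """Map each suspicious attachment name to the executable names found in it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if final_ext(name) in EXECUTABLE_EXTS:
            findings[name] = [name]          # executable attached directly
        elif zipfile.is_zipfile(io.BytesIO(data)):
            hits = risky_members(data)       # executable hidden inside an archive
            if hits:
                findings[name] = hits
    return findings


def make_zip(members):
    """Build a zip in memory from {filename: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()


def build_sample():
    """Constructed message shaped like the fake complaint; the payload is plain text."""
    msg = EmailMessage()
    msg["From"] = "Example Sender <alert@sender.example>"
    msg["To"] = "accounts@business.example"
    msg["Subject"] = "FW : Complaint - 0000000"
    msg.set_content("Please print the attached complaint and respond.")
    msg.add_attachment(
        make_zip({"Complaint_sample.pdf.exe": b"not a real program"}),
        maintype="application", subtype="zip", filename="Case_sample.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, members in scan_message(build_sample()).items():
        print(f"{attachment}: executable content {members}")
```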


Scam conference invites: a tale of several cities

It’s not been a good week for spam, in my mailbox at any rate. Mostly, just half-hearted lottery scams like this:

Congratulations! Your Email was confirmed as winner of the 
Raffle draw Held in February, 2013 in Europe.
FOR CLAIMS
Send Name....
Phone..
( euroraffle1@bresnan.net )
Await response for claims.
Regards

Does anyone ever fall for scams this feeble? Well, just in case, I’ve warned all my email accounts that while I’m not an expert on legal matters, I’m pretty sure that email can’t win lotteries and they certainly shouldn’t be sending my money to pay registration fees, taxes, bribes, or whatever other excuse the scammer makes for taking money in advance. (It’s not called Advance Fee Fraud for nothing.)

I’m far more impressed by the little beauty below. Who wouldn’t be impressed by a conference that managed to get the famous Angelina Ballerina to organize it? Fortunately, Wikipedia told me that Angelina is a fictional dancing mouse, so I escaped being scammed by a whisker. But I avoided making a faux pas in the pas seul, so to squeak. Okay, I’ll stop now and let you read this gem:

Dear Sir/Madam,
It is a great privilege for us to invite you for the upcoming 
International combined conference meeting on Human Right and 
Global Financial Crisis, taking place from May 6th to 
10th May 2013, here in United States of America, California.
The aims of the conference is to bring together researchers and
practitioners in an effort to lay a ground work for future 
collaborative research, advocacy, and program development as well 
as to educate social service, health care and global financial sectors.
An expert faculty of speaker from Australia, Europe, Asia, Africa
and USA will present a comprehensive review of leaders to discuss 
relevant, timely topics related to Global Financial Crisis with 
dynamic educational sessions, invaluable networking functions, 
career advancement opportunities and cutting-edge resources. 
The 3rd Annual ECD Conference & Exhibition offers the most 
comprehensive learning experience in the field.
Registration is freely open to all interested participants; 
interested participants should contact the conference 
secretariat via Email below for more information for 
registration and accommodation.
Secretariat Email: wfpbca@aim.com
If you are a holder of passport that may require visa to enter 
the United States, you are to inform the conference secretariat 
at the time of sending your detail for registration, as the organizers
of the event is responsible for all visa arrangements 
and travel assistance.
Once again we thank you for taking out your time in your busy 
scheduled to attend this conference meeting and we hope 
to see you at the event venue.
Yours Sincerely,
Ms. Angelina Ballerina
Program Coordinator

There were one or two other scam indicators of course:

  • The fact that a little googling found a very similar spam claiming that the very same conference was taking place in New York in March. (Don’t be too upset if it turns out that you live in one of the few American cities where it isn’t taking place. Though in this instance, it appears they forgot to mention which city in California was the chosen site.)
  • Then there’s the fact that Angelina also goes by the name Osmar Buzinhani, the proud (apparent) possessor of a gov.br email address. Is there no end to this mouse’s versatility?
  • No web site, no contact details apart from a free AIM address.
  • And the suggestion that the conference is responsible for organizing visa and travel assistance: this is a standard ploy for fake conferences, as a precursor to demands for an application processing fee (or something similar)

If you get something like this, don’t let your natural concerns over human rights issues and the fragile economy cloud your judgment. Not that these are the only topics used as a hook to draw you into the scam: variations on the conference theme include human trafficking, child abuse, racism, war-affected children and so on. They also misuse the names of entirely legitimate organizations such as the International Economic Development Council, UNESCO, and the UN, in order to target other NGOs and ‘people of conscience’.

Still, I must admit, Ms Ballerina’s English isn’t bad at all, for a Brazilian mouse.  I bet she leads the authorities a merry dance. (Sorry, couldn’t resist.)

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Irish unemployed baited by online scammers

Apart from an overwhelming quantity of online banking scams hitting Irish mailboxes, ESET Ireland has in recent months observed that cybercriminals are also exploiting the misfortune of those worst hit by the economic situation, with the same immoral cynicism they apply when promoting fake charities or fraudulent donations during natural disasters.

Official-looking emails, equipped with company logotypes and addresses, are circulating, offering everything from easy and affordable loans and work-from-home positions with an online enterprise to completing financial transactions and taking a cut for yourself. All of these topics are specifically aimed at those who have found themselves out of work and without regular income.

Sample fake application.


Needless to say, the golden rule “If it sounds too good to be true, it probably is” should be applied rather vigorously to most, if not all, such emails. The only goal of the cybercriminals is to make money. Any offers they make, any promises or good deals they offer, all serve their main purpose, to get to some of your money and make it theirs.

Even if they sound promising enough and claim to provide the receiver with something, whether a loan, a job or a transaction fee, most of these offers will sooner or later require the victim to pay some advance fee or provide some delicate personal data, such as bank account or credit card numbers, or they will go straight for the main prize. One of these scams, for instance, reads:

I would like to know if you are interested to work from home for us

WHAT YOU NEED TO DO FOR US?
My Company needs a financial representative who will serve as our Agent 
in processing any of our funds made out to us by our CANADA, EUROPE & 
AMERICAN customers, Why we need you to represent us there is because 
the payments Takes a long period of time to clear in our banks in UK, 
and due to Frequent Request and supplies of product we do not meet 
our demand due to this Failure So that why we seek your time and 
assistance.

JOB DESCRIPTION
1. Receive payment (America Cheques/EUROPE DRAFT) from Clients which will
get to you through a courier service
2. Cash Payments at your Bank
3. Deduct 10% which will be your percentage/pay on Payment processed.
4. Forward balance after deduction of percentage/pay to any of the Offices
you will be contacted to send payment to (Payment is to Forwarded By
Western Union Money Transfer).

This second example is probably something a little different: it looks like a money mule solicitation. ESET’s expert David Harley comments: “It’s still bad news for someone who takes up the offer, who is likely to find that sooner or later he’ll attract the attention of the police and be left holding the bag, with his bank account closed and his assets frozen, at least until it can be sorted out what proportion of those assets have been acquired through involvement in money laundering. The sad thing is that the victim may honestly believe he has a legitimate job for a legitimate company, hard though that is to understand for anyone with a modicum of healthy scepticism. Of course that doesn’t mean the scammer won’t demand some sort of advance fee in order to get a little extra profit, as in fact I’ve seen 419 versions that are probably more interested in scamming the recipient than in real money laundering.”

How does the scam part usually work then? The victim receives an uncovered cheque or other counterfeit proof of payment to themselves, while they are expected to forward on their actual funds immediately. By the time they get confirmation that they didn’t actually receive anything from the scammers and that the cheque or other proof of payment is worthless, they have already parted with their own money via the untraceable Western Union and the scammers walk away with a hefty profit.

ESET’s spam filter should limit the amount of such scams you receive, but some may also arrive through Facebook messages, chat or phone texts. In either case, use common sense if you receive them, do not reply to any of them and warn your friends to be careful too.

It’s a Wonderful Hoax

In a world where nothing seems to be constant but change, it’s good to know that there are, in fact, some things that change fairly slowly. Unfortunately,  readiness to believe and spread hoaxes is one of them. Even worse, they’re often the same hoaxes that were being spread years and even decades ago.  Here’s a hoax message – actually two hoaxes shoehorned into the same message – that was passed on to me last month. (Apologies if you’ve already seen a shorter version of this article in the January ThreatSense Report, but I thought it was about time we had another hoax article on the ThreatBlog.)

It goes back well over a decade: my wife (who received it from a well-meaning friend) and I are both pretty sure we saw hoaxes very much like this in the 1990s.

(If you’re wondering how my wife suddenly turns out to be a hoax expert, it’s because she and I actually worked together on security-related incidents for the UK’s National Health Service even before we met. If you want the story of how I embarrassed her by sending a red rose to her office one Valentine’s Day, you’ll have to wait for my memoirs.)

While this version was received by email, the same or similar hoaxes are also spread via social media, especially Facebook. By the way, I’ve cleaned up the hoax text just a little, mostly to remove a plethora of redundant space characters and the occasional typo. Once an editor, always an editor.

URGENT – PLEASE READ – NOT A JOKE

Well, it’s certainly not funny.  (Especially if your name happens to be Simon Ashton.) Perhaps the number of hoaxes passed on with assurances that “this is not a joke” or “this is real”, do at least indicate that people are a little more sceptical than they used to be, though. Ever the optimist…

IF A PERSON CALLED SIMON ASHTON (SIMON25@HOTMAIL.CO.UK) CONTACTS YOU THROUGH EMAIL DON’T OPEN THE MESSAGE. DELETE IT  BECAUSE HE IS A HACKER!!

[In fact, this message has been spread using a variety of names for the 'hacker' over the years: recent versions name, for example, Christopher Butterfield, Tanner Dwyer, Stefania Colac or Alejando Spiljner. (Apologies to anyone who really does have one of those names: I’m sure you’re a warm and wonderful person who wouldn’t dream of hacking.) Often, it’s claimed that the alleged hacker will contact you with a friend request, which gives it an extra air of authority when spread by Facebook. In those instances, however, you’re less likely to encounter the next paragraph, which is email-specific, in a muddled and seriously unconvincing sort of way.]

TELL EVERYONE ON YOUR  LIST   BECAUSE IF SOMEBODY ON YOUR LIST ADDS  HIM  THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE  OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE  TO EVERYONE EVEN IF YOU DON’T CARE FOR THEM AND FAST BECAUSE  IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!……

Unfortunately, what looks like fantasy to a messaging or security guru may be all too convincing to someone without a tech background. And just to be on the (un)safe side, the hoaxer, like so many hoaxers, scammers, and other undesirables, introduces an element of urgency so that you don’t have too much time to think about it: the threat that if you don’t act quickly, Something Awful will happen.

And at this point we get an abrupt change of focus, though it isn’t flagged as such. Still, the fact that the message suddenly stops being all capitals is a bit of a giveaway. Excessive capitalization, by the way, is often a feature of hoax messages, no doubt in order to impress upon us how SERIOUS AND TRUE the message is.

Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on..   This information arrived this morning, Direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled  ‘Mail Server Report’

Where to start on debunking this? Well, the fact that this targets everyone who uses Internet email and everyone who has Internet access should tell you something about the sender’s motivation, and I don’t mean sheer altruism.

Hoaxes are the last refuge of the old-school hobbyist virus writer: unlike today’s criminal gangs, the first generations of malware authors rarely had any idea of making a profit out of viruses. They were more concerned with trying to demonstrate to their peers and the AV industry what great programmers they were. (Actually, you’d be amazed at how many badly written viruses have passed through our labs, not a few of which had their moment in the sun nevertheless.) While some malware was deliberately damaging (and quite a lot was damaging because it was poorly coded), virus writers were often content to see their creations spread far and wide. Hoaxers have somewhat similar motivation: they prove to themselves how clever they are by making other people look (and feel) stupid, and they don’t even have to do any programming. And the measure of their success is the volume of people they manage to convince. It’s scamming, but the motive is bolstering their self-image, not profit.

But back to this particular hoax. (Or meanwhile, back at the plot, as Kenneth Horne used to say.)

Back when I first saw this message (or something very close), the idea that a message from Microsoft was likely to be an authoritative indicator of importance in terms of security was less convincing, but since then Microsoft has been born again as both more security-conscious and a security vendor in its own right, so I guess that bit has actually gained (spurious) authority. Microsoft may have credibility as a source of security information, but as Lincoln said, “The thing about quotes on the internet is that you cannot confirm their validity.”

The assertion that ‘This information arrived this morning’ is something of a giveaway in itself. Hoaxes are notoriously vague about exact dates and, in fact, any information that might help you locate authentic information (corroborative or otherwise). The weakness of this approach is that if the recipient actually notices that the message has been forwarded many times to many people,  he might actually start thinking about which morning that might have been, and look for more information. However, the impressive list of previous recipients on this particular email strongly suggests that plenty of people don’t take that extra conceptual step.

This hoax is a variation on the ‘Life is beautiful’ hoax, which claimed that the message would include a malicious file masquerading as a Powerpoint presentation called Life is beautiful.pps. (In itself just one of a long line of hoaxes that tell you not to open a file with a specific name, or an email with a specific subject line.)

As it happens, there was a possibility long ago that a malicious file would arrive with a specific and identifiable filename. Well, I suppose it’s still possible, but the authors of real malware learned long ago that there are all too many ways to vary the name of a malicious file spammed out with email, so it’s not very likely. In this case, though, the hoax somehow got tangled up with real (but long gone) variants of the Win32/Warezov mass-mailer that arrived in an email claiming to be a ‘Mail Server Report’.  Sometimes, though not in this case, the hoax picks up an additional ‘verified by Snopes’ message, based on the fact that Snopes – a well-known reference source for information on hoaxes, urban legends and such – listed the real Warezov malware as true.

If you open either file, a message will appear on your screen saying:  ‘It is too late now, your life is no  longer  beautiful.’

As you might guess, that’s a hangover from the Life is Beautiful version.

Subsequently you will LOSE EVERYTHING IN YOUR PC,
And the person who sent it to you will gain access to your  name, e-mail and  password.

The usual drivel. (Though not as alarming as those viruses that are supposed to eat the magnetic coating of your hard drive, blow up your PC or set fire to your mouse mat. OK, I made that last one up.) Well, trashing of your PC or theft of your credentials certainly might happen to you as a result of malware, but not the fictitious malware described in the message.

This is a new virus which started to circulate on Saturday afternoon.. AOL has already confirmed the severity, and the anti virus software’s are not capable of destroying it ..

Gosh. This must be some serious virus. Not only has it turned Saturday into the day before Friday (or perhaps it was circulating for a week before anyone noticed their system had been trashed) , but AV is incapable of defeating it. I know that the likes of Imperva are still constantly claiming we can’t detect malware we haven’t seen, but even they don’t usually go so far as to claim that we can’t remove malware we know about. And I’m not sure how anyone can know so much about the timeline of a virus that destroys every system it touches.

AOL? Well, I guess that’s an indication of how old the hoax is, going back to the days when the newsagents were perpetually tripping over AOL diskettes and CDs that had fallen off computer magazines, and hoaxes were constantly citing AOL and Microsoft in order to make themselves seem more ‘authentic’ and scary.

The virus has been created by a hacker who calls himself  ‘life  owner’.. 

Complete with extra period character to give it more weight. Or at any rate, so as to make the line a little longer. This line is another hangover from ‘Life is beautiful’.

Hark! There’s the tinkling sound of another angel getting his wings! Oh, sorry: I’m just getting confused between fact, fiction and Frank Capra movies.

(I don’t think that Goldelse, who resides on top of the Victory Column in Berlin, is really an angel, but according to Wings of Desire, the 1987 film by Wim Wenders – and a personal favourite – she is a gathering point for angels.)


David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Permanent TSB’s good name under attack by scammers

In recent weeks IT security experts at ESET Ireland have seen a massive run of targeted scam emails spamming Irish mailboxes, all with various attempts to scam Permanent TSB customers.

The emails come with subject lines like “Your access to Open24 online banking has been locked”, “Your account has been temporarily suspended”, “We found suspicious activities on your account – Please read details!”, “Permanent TSB – Customer Notice”, “Open24 Internet Banking Account Notification” and they arrive from spoofed email addresses like info@permanenttsb.ie, security@permanenttsb.ie, customersecurity@permanenttsb.ie, all engineered to reassure customers that it’s the real thing.

The emails contain attachments or links where the potential victims are asked to enter their logins and other confidential banking info, in order to “unlock” their accounts.

Here are a couple of examples:

TSB1

Notice the particular cynicism of the second example, where fraudsters actually even left the security advice to people they’re about to scam and rob:

TSB2

The Permanent TSB official website warns against this: Warning: Customers should note that we will never ask you for this information either by email or telephone and you should never disclose this information to anyone.

Permanent TSB’s official website also offers the following advice:

How you know if you’ve been the victim of a fraud or scam:

  • If it sounds too good to be true, it is
  • If you have won a prize, but haven’t entered that competition, it’s not a prize
  • If you are asked for money up front to release your win, you may not get your win
  • If you are asked for your bank account, credit card details, or other confidential information, the call is not from your bank or financial institution
  • If a caller is more excited than you are or wants to be your best friend, they could be a fraudster
  • If you are told that you must reply to something straight away or the money will be given to someone else, there may be no money

If you’ve also received emails like these and thought “so what? It’s the same old rubbish anyway!” think again. ESET’s expert David Harley says: “Right now malware and phishing forms apparently from reputable companies seem to be particularly successful at getting through mail services with exceptionally good filtering. Now, as ever, you need to be aware that you can’t rely on mail provider filtering and security software to protect you from all attacks. But scepticism and common sense will go a long way towards plugging the gaps in your defences.”

Fake loan offers out to scam the desperate

Cybercriminals are cashing in on the financial crisis, spamming Irish mailboxes with fake offers of affordable loans.

In difficult times people resort to desperate measures to try to keep their finances afloat. When it becomes impossible to get a regular loan, some people turn to loan sharks and their extortionist interest rates, while others look for other means. And cybercriminals are quick to seize the opportunity to make a quick profit on those desperate enough. Recently we came across this spam:

Fake loan spam email.

Like most “too good to be true” offers that randomly find their way to your mailboxes, this one is also a scam. A common “advance fee fraud”, tailored to the current economic climate. Anyone that replies to the scammers is asked for a lot of personal info, and later contacted with a detailed “offer” for which they’re asked to pay some sort of an advance fee, supposedly for solicitors’ expenses, bank transaction costs, etc. If the victim pays, the scammers try to keep inventing other fees to be paid, and some people have been tricked out of thousands of Euro, before they realised they were being scammed.

As always, Irish email users are advised to ignore and delete such messages and warn their friends about them. Legitimate banks and financial organisations do not usually send spam email asking people for personal info. It is best not to reply to the scammers at all, as any sort of reply they receive confirms to them that the person replying is real and a potential victim for a custom-tailored scam.

We wish we could also offer some good advice on how to get that loan, but our expertise is cybercrime…

Warnings against “disaster scammers” in the wake of hurricane Sandy

Every major disaster in recent years, like the Indian Ocean tsunamis, hurricane Katrina, the Haiti earthquake and the Japanese earthquake and nuclear disaster, has attracted the attention of the lowest form of cybercriminals, the so-called “disaster scammers” – people who try to make a profit on either those already victims of the disaster or those trying to help them out. Several US officials and even the FBI have already issued warnings to people about various forms of scams they could become victims of. Among the more common loansharks, fake builders or water-damaged car salesmen, a special mention also went to online scams.

Online, people are mainly targeted through

  1. “Shocking disaster news” or photos, messages or emails with links supposedly leading to yet unseen disaster footage, which usually direct to survey scams or infected drive-by malware download sites
  2. Search engine optimisation, since cybercriminals know people will use search engines to look for news on the topic, they will fill their malicious sites with buzzwords such as “Sandy”, “hurricane”, etc, to lure visitors to their sites, where they can get infected with drive-by malware.
  3. Through fake charities, donation sites, letters from disaster-stricken people, etc.

As an English speaking country, Ireland has been on the receiving end of these scammers in the past, so we expect it to receive its share of related spam this time around as well. Here’s some advice to prevent getting scammed (mostly courtesy of FBI):

  • Do not click on social media and email “shocking news” or “shocking video” links.
  • Do not go to untrusted websites for news.
  • Do not respond to any unsolicited (spam) e-mails, including clicking links contained within those messages because they may contain viruses.
  • Be sceptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
  • Beware of organisations with names similar to but not exactly the same as those of reputable charities.
  • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files, because the files may contain viruses. Only open attachments from known senders.
  • To ensure contributions are received and used for intended purposes, make contributions directly to known organisations rather than relying on others to make the donation on your behalf.
  • Do not be pressured into making contributions, as reputable charities do not use such tactics.
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.
  • Legitimate charities do not normally solicit donations via money transfer services.

Stay safe and think before you click!

More Irish banks’ names abused in email scams

After the recent spams that were using AIB’s name to scam victims into disclosing their login information and security codes, we’re now receiving similar scams, abusing the names of Permanent TSB and Ulster bank.

Even though one could think Ireland would not be a prime target on the global cybercrime map, the many scams targeting our small island are convincing us of the opposite. We recently wrote about the AIB name abuse in scams, scammers lurking on DoneDeal for lucrative deals, Irish ransomware, etc.

The bank scam emails or websites they redirect to usually carry the official logotypes of the respective banks, to appear legitimate to the potential victims. The first example we have received has the following content:

Fake Permanent TSB email

While the second says:

Fake Ulster Bank email

The fake Permanent TSB’s link leads to a phishing website which tries to extract log-in information from the victim, while the fake Ulster Bank email has an .html attached, which looks like an Ulster Bank page, but requires many fields to be filled in with private information. A smart email user should know not to open unknown attachments in mails anyway, but some still do. Once a victim fills in their details and clicks “submit”, their sensitive info is sent to the scammers, while the victim is redirected to the real Ulster Bank website.

Fake Ulster Bank website
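The attachment trick described above can be checked mechanically. The following is an added example, not ESET's code: it lists the forms in an HTML attachment that ask for sensitive fields but post to a host outside the bank's own domain. The field-name keywords, the `bank.example` domain and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: substrings of field names that suggest credentials or personal data.
SENSITIVE = ("pass", "pin", "card", "cvv", "security", "dob")

class FormCollector(HTMLParser):
    """Record each <form>'s action URL and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "select", "textarea") and self.current is not None:
            self.current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def host_matches(host, trusted):
    """True only for a trusted domain itself or one of its subdomains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def audit_attachment(html, trusted):
    """Return forms that ask for sensitive fields but post outside `trusted`."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        asked = sorted({f for f in form["fields"] if any(k in f for k in SENSITIVE)})
        host = urlparse(form["action"]).hostname
        if asked and not host_matches(host, trusted):
            findings.append({"host": host, "fields": asked})
    return findings

# Constructed sample: bank.example stands in for the real bank's domain.
SAMPLE = """
<form action="https://www.bank.example/search"><input name="q"></form>
<form method="post" action="https://collector.example.net/save.php">
  <input name="customer_number"><input type="password" name="password">
  <input name="pin"><input name="card_number"/><input type="submit">
</form>
"""
```

A form with a relative or missing action is also reported (with host `None`), since a genuine bank login form would not arrive as a local file.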

These scams are very dangerous, because many online banking users trust the official-looking emails and forms and will fill them out without suspecting it is a scam. Only after their bank accounts have been breached will they realise they have fallen into the cybercriminals’ trap. Ulster Bank’s official website has a warning about this sort of scam:

Beware of email scams

Never go to a website from a link in an e-mail purporting to be from Ulster Bank and then enter personal details.

Never respond to an e-mail that asks for confidential or personal security information. Ulster Bank will never send you such an e-mail.

Never respond to any unexpected or suspicious emails – and don’t click on any attachments within such emails.

While Permanent TSB warns of the following:

Warning: Customers should note that we will never ask you for this information either by email or telephone and you should never disclose this information to anyone.

Irish computer and online banking users should know how to recognise these scams. Banks will generally never ask customers to send any sort of log-in information via email or through unverified online forms. If any such mail is received, it should be ignored and deleted. If the user is still in doubt about what to do, it is always better to ring their bank first or contact An Garda Síochána, before taking any action!

Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

Bizarre sex-related assassination threat is hitting Irish mailboxes

Spam, trolling or horsing around? An email from a supposed hitman threatening to arrange a strange sex-related death unless he is contacted is a bizarrely trolling twist on usual spam mail.

Spammers are always on the lookout for new ways to get victims to respond to them and be lured into various more or less elaborate scams, most ultimately aimed at extracting money from them. But while we have by now grown accustomed to being notified we won the lottery, or an African dictator’s assistant wanting to transfer millions to us, or even that a “friend” got mugged abroad and needs our help, we have not yet come across a death threat involving a horse, lard and a dildo.

Here’s the full text of the spam we have received, titled YOUR LIFE IS IN DANGER:

As I sit here sipping a martini it is my regretful duty to inform you that you have been selected for assassination.

I am a professional assassin (I enclose my certificate of assassination as proof) and SMERSH have contracted me to assassinate you and have specifically paid extra for a particularly nasty death which makes it look like you died in a particularly bizarre sex game gone wrong; I had already bought the shire horse stallion (he’s called Henry – picture attached), the lard and the dragon dildo (from Bad Dragon of course, I only use the very best tools) when I found out that you are innocent of the accuse, so I make out this time to contact you. Unfortunately international crime syndicates won’t admit to mistakes and cancel the hit so I will be forced to carry out the assassination on you. Sorry about that old chap but rules are rules.

There is an option for me to help you in other for you to know who had paid SMERSH for your DEATH and don’t forget my men had been monitoring you for the past few days and daily record of your activities is been sent to me but I have refuse to order your DEATH.

Get back to me if you value your LIFE with all due speed or else I regret I will have to carry out my original contract to assassinate you and although he is quite charming for a horse I don’t think Henry is the most sensitive of lovers.

Toodle Pip!

Dai Teatime
International Assassin

While it got a good laugh out of us here at ESET Ireland for its hilarious style and imagination, and kept us guessing whether his martini was shaken or stirred, a spam is still a spam and the resulting scams can still cause much frustration for the unfortunate victims.

It is worth remembering, whenever encountering such spams, that they are sent out at random, so the spammers don’t know who will get them. But if they get a response from anyone, then they do know this person exists, offers feedback and is a potential victim of a targeted attack they can prepare just for them. Best thing to do in such cases is just to delete all such emails and not reply to them at all. And if you ever feel genuinely threatened by an email you receive, report it to the Gardaí.

Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland
