MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 21 October 2008

Financial In-Fidelity, Yours For 72.5 Million US Dollars!

Here's an offer I received via e-mail that seems to be the answer to most people's prayers: a large pile of money just for helping someone move some money. Of course in reality it isn't as simple as that, but I'm getting ahead of myself.

Here's a screenshot of the e-mail in full:



It says it was sent by Tim McCarron of Fidelity Investments here in the UK. He is a fund manager for them. It seems that Tim, allegedly, has acquired over 145 Million US Dollars from his employers without their knowledge. Moreover he wants my help to move the funds, and for my trouble he will give me 50 percent; very generous. That is over 72.5 Million US Dollars.....tempting, isn't it? ;-)

All he wants from me are some personal details, some proof of identity, such as a copy of my driver's licence or passport, and a bank account number to use for the transaction.

To prove that he really exists, Tim has even included a link to some details about himself and his performance which is available on the Fidelity Investments website. How thoughtful!

Here's a screenshot of the webpage in the first link:



See, there's Tim's name and various other details about him and the funds he manages. Yes, this is the real Fidelity Investments website.

Let's look into this in more detail.

OK, the email reply address seems odd, it is timmacarron@superposta.com (seems Tim can't even spell his surname correctly) but the From: address header in the email tells me his email address is tmcarron@ymail.com......hmmm, I'm confused. I know he is trying to cover his tracks, but why use two free webmail addresses?

So, what does this tell me?

Well for one this email is not from the real Tim McCarron, or from anyone at Fidelity Investments. Furthermore, there is NO MONEY; sorry to disappoint you.
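The sender-header check described above can be automated. The following is an added example, not part of the original post: it flags a Reply-To that differs from From, free-webmail senders, and senders outside the organisation the message claims to come from. The webmail list is illustrative, and `employer.example` is a placeholder for the claimed organisation's real domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Illustrative list; ymail.com and superposta.com are the two domains in the post.
FREE_WEBMAIL = {"ymail.com", "superposta.com", "gmail.com", "hotmail.com"}

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def in_org(domain, expected_domains):
    """True if domain equals, or is a subdomain of, an expected domain."""
    return any(domain == d or domain.endswith("." + d) for d in expected_domains)

def header_findings(raw_message, expected_domains):
    """Return a list of reasons the sender headers look inconsistent."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    # Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs-from-from")
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if not dom:
            continue
        if dom in FREE_WEBMAIL:
            findings.append(label + "-is-free-webmail")
        if not in_org(dom, expected_domains):
            findings.append(label + "-outside-claimed-organisation")
    return findings

# Constructed sample: only the two addresses are taken from the post.
SAMPLE = (
    "From: Tim McCarron <tmcarron@ymail.com>\n"
    "Reply-To: timmacarron@superposta.com\n"
    "Subject: constructed sample\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    # "employer.example" is a placeholder for the claimed organisation's domain.
    for finding in header_findings(SAMPLE, {"employer.example"}):
        print(finding)
```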

If it was real, then the person responsible would have committed fraud; as they have stolen money from their employers and potentially customers too. Furthermore, if you took part in this, if it was real, you would also be committing fraud as well as money laundering....lucky there is no money then, eh? ;-)

Yes, this is yet another 419 scam [aka the Nigerian scam, also known as Advance-Fee-Fraud]. If you were foolish enough to reply to the email you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called "suckers list" and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such a tempting offer, remember the old adage "if something seems too good to be true, it probably is....too good to be true". Also, think very carefully before you click on any links or contact anyone mentioned in these emails. At the very least you could end up on a phishing site, you could lose some of your money, or worse, as there have been cases of beatings and even murders linked to these scams.

Oh, and just in case you were wondering, the links in the email were included by the scammer to try and give extra credence to their outlandish financial proposal.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine; reprints of these can be found here [http://momusings.com/papers], along with all my other published articles and papers.

Oh yes, and the personal details you supply them will almost certainly be used for identity theft and/or in another 419 scam, using your personal details and proofs to attempt to make it more believable.


Amazon Marketplace Listing Canceled...

How many of you out there use Amazon's Marketplace to sell items?

Well, if you do then this posting should be of some interest and I'd also be interested in how many of you have received similar emails to the one shown in the screenshot below:



Looks like a typical notification from Amazon that your item listed on Amazon Marketplace has been canceled; for those that use this Amazon service this usually happens when your item listing has expired, and is quite normal.

So, let me see where I end up when I click on the link contained in the e-mail; screenshot below:

 

Is this Amazon.co.uk? Looks genuine, doesn't it? Would you sign in via this page, or not?

For the moment, let us assume [quite rightly] that I'm suspicious of this page, let me have a look at the source HTML for the page above; I'm especially interested in the FORM section (the bit that deals with the login credentials; your e-mail address and Amazon.co.uk password). Here's a screenshot of the related part of the HTML source for that function:




Hmmm.....notice anything odd?

Surely the real Amazon.co.uk doesn't use a generic mailto CGI script [in this case a Perl script] to handle login routines, does it?

No, of course it doesn't. The code in the screenshot above sends your now stolen Amazon.co.uk login details to the bad guys and girls via e-mail using the mailto.pl script hosted on http://www-cgi.paonline. It then goes on to send you to the real Amazon.co.uk page, sneaky huh?

So, this is another phishing scam. In this case they want to steal your Amazon login credentials, so that they can steal any personal details, including any stored credit-card data, or maybe they just want to buy things using your account and have them sent to a drop-box to then be turned into cash, such as ordering themselves a new MP3 player, phone, some CDs or DVDs or whatever, leaving you to pick up the bill and deal with the resulting mess.

Of course this type of attack is not just limited to Amazon; it would in theory work with any e-commerce site, so be careful out there, especially where you have sites that store your credit-card details, as in most cases this is what the bad guys and girls are after. If they can't get that then they will just buy things from the site using your stored card data instead.

Yet again, as with other recent examples I've blogged about, it shows that phishers are not just interested in getting your bank details; they are just as happy to get e-commerce site credentials, game login credentials (such as WoW) or webmail account details (how many of you store e-mails which contain personal or financial details?), amongst many others. Furthermore, do you use the same password for more than a single site? If you do then you are making it easier for the bad guys and girls to compromise your other accounts wherever they may be.


Monday, 20 October 2008

Walmart Survey Worth $150 US Dollars...

I received an e-mail yesterday asking me to take part in a survey that Walmart were apparently carrying out to gauge customer satisfaction. A screenshot of the e-mail I received appears below:



So, even though I am not and never have been a Walmart customer, let me see where we go if I click on the link provided, as if I were a Walmart customer. This is where I ended up:



Looks like a very typical web based survey, so what happens when I fill in the details and then click on the proceed button at the foot of the survey page? This is where I ended up next:



OK, so they want some more personal details now, they already have my phone number and e-mail address. Now they want my credit card number, expiry date for it and.......my CVV and ATM pin.....hmmmmm; can anyone smell something 'phishy' yet? ;-)

Yes, this is a phishing scam, squarely targeted at Walmart customers that will be fooled into believing that they will receive 150 US Dollars for filling out the survey and supplying their credit card details. In a few days they will get a surprise, but not the pleasant one they were expecting. Instead of having money credited to their account, they will have lost money through bogus purchases. It may even be worse: their account could be cleared out via ATM withdrawals, or even overdrawn, leaving them with a large bill to pay [unless their bank covers phishing scams and related things]. In the worst case scenario the personal details they gave could be used for identity theft so that loans or mortgages could be set up using the stolen details, leaving the victim with the bills and the resulting damage to their credit rating.
