Like I said, I'm not a security specialist, but I have the questionable good fortune to be the recipient of a lot of this stuff myself.

On Fri, 2012-06-29 at 22:12 -0400, Chad Bailey wrote:
> Working in tech support for internet services, I can say first hand
> the phishing emails these days seem to be getting weirder and weirder.
> I don't even understand what they are trying to accomplish anymore.
> Some just have gibberish in them and don't even ask you to do anything
> that would be dangerous to you. Maybe this is an attempt to gain your
> trust before scamming you? \o_O/
>

I suspect that you can make a whopping 50 cents for every thousand "live" email addresses you can collect in places like Pakistan. Since you can generally tell when you receive a "recipient does not exist" message from the destination mail system who is potentially live and who isn't, sending empty messages isn't such a bad idea in such a case. The messages that consist solely of gibberish might be an attempt to up the odds on detecting a live destination by raising the odds a spam filter won't intercept it.

Then again, some of that stuff is probably simply broken. After all, every month I get a totally unreadable email from the Jacksonville Public Library System. They apparently outsourced their newsletter mailing to an outfit in Belgium, of all places, and the results are some of the most horrendously malformed HTML I've ever seen. I'd make my usual nasty crack about Low Price Everyday computing, but in their case, there's little choice, since they're taxpayer-funded and we all want Lower Taxes Everyday, too.

>
> My suspicion is along the lines of what Tim was thinking. It's either
> an infected server, a legit email (someone could have typed their own
> email wrong), or they are just baiting you before the true scam -- in
> other words just trying to see if you're a legit email and will
> respond. I have seen some with 1-800 numbers lately, and have even had
> customers say they were contacted by "someone from microsoft" who
> "determined they had a serious virus" and needed to "perform repair
> work immediately".
> Of course, the person in question (this was a real
> customer of mine...) promptly paid the guy on the phone to remote
> control into her PC and infect it beyond belief.
>

Wasn't it Kevin Mitnick who said that a lot of his most successful hacking was actually social engineering? And to think that the biggest complaint about us software geeks is that we're not social enough! :) Well, second-biggest, anyway.

Expect "support" people to be totally ignorant. After all, they're only there because customers will stand for a lot of being ignored and abused, but total automation just doesn't work with some people. Still, those support people so grudgingly supplied are paid primarily to make you shut up and go away, not to understand things and fix them, regardless of whether their accent is Mumbai Welsh or Alabama Twang. You might get lucky and get someone who knows something and actually cares, but Management tries hard to ensure you don't.

If George Orwell were writing today, "1984" would be about a guy whose identity was stolen online and Big Brother would be a bank based in North Carolina. And thus even more depressing than the original. Proceed with extreme caution.

> My route of action would be completely reverse. This is how I would
> handle:
> * If she has a credit monitoring service, check it to verify
>   there have been no changes
> * Verify if the bank is a legitimate establishment
> * If it is, do your own research to find the customer support
>   number and contact them
> * Do not assume the customer support rep will be
>   completely knowledgeable about phishing emails (silly, I know)
>   and approach it from a perspective of has she opened an
>   account or not
>
> This is how I would handle any phishing attempt that seemed so real I
> didn't feel comfortable ignoring it. Unfortunately, these days that
> also includes phone calls (hang up, call the number of the place
> directly and verify it's really them).
>
>
> Just so you know, it is AT&T company policy not to send anything
> "official" except through standard snail mail. So if you ever get an
> email or phone call claiming they need something from you in reference
> to AT&T you can safely ignore it. Of course, AT&T does send
> generalized emails regarding privacy updates or things like that; this
> is only in reference to things that could affect your bill or
> sensitive personal information.
>
>
> On Wed, Jun 27, 2012 at 9:20 PM, Dean, Mike <[email protected]> wrote:
> Tim,
>
> Great point, I had forgotten that some of these phishing expeditions
> are really fishing expeditions -- and they are looking for live emails
> and people who will respond to them.
>
> Along those lines though, since there wasn't any JavaScript in the
> source of the emails, or any images or URLs that loaded automatically
> (the one image was attached to the email, not remotely loaded), thus
> letting the senders know they caught one, how would they know they
> caught one?
>
> The one phone number appears to be valid. For those that want to look
> into the phone number, it is 888.588.2623.
>
> Thanks for all the responses and ideas!
>
> Mike
>
>
> On Wed, Jun 27, 2012 at 8:49 PM, Tim Holloway <[email protected]> wrote:
> > Well, I don't claim to be an expert on all things hacking, but
> > sometimes just getting a mail delivered is information enough - it
> > means that there's a live recipient that can then be targeted.
> >
> > A popular approach that I have seen lately is to include an HTML page
> > that has obscured JavaScript in it, although I think you would have
> > seen that.
> >
> > I would be concerned about identity theft, though, proper email
> > address or no. It's possible that the bank cross-checks and that was
> > an attempt to fool the bank.
> >
> > It's also, alas, very, VERY possible that the bank itself is infected
> > and that visiting its webserver would then infect YOU.
> > But hey, they got the Low Price on security, didn't they? Doesn't
> > everybody?
> >
> > Speaking of infected servers, I got another LinkedIn malware "care
> > package" yesterday. It was one of the bogus UPS notification types.
> > Who on Earth would believe that LinkedIn is sending UPS packages to
> > them? Never mind. People respond to Nigerian princes.
> >
> > The server that's sending this garbage from LinkedIn is NOT their
> > normal news mailserver, incidentally. However, it definitely did come
> > up as a LinkedIn IP address.
> >
> > Tim
> >
> > On Wed, 2012-06-27 at 18:07 -0400, Dean, Mike wrote:
> > > Who feels like finding some phish?
> > >
> > > My step-daughter received three emails supposedly from a bank, that
> > > she doesn't do business with, stating that an online account had
> > > been set up and that the password had been changed.
> > >
> > > At first, one would think that obviously these are phishing emails
> > > or perhaps, an outside possibility, that someone had opened an
> > > account in her name. With regard to the latter thought, if so, why
> > > put down her email address unless they also hacked her email account
> > > and forwarded copies of her emails (or changed her password). Neither
> > > of those things has happened.
> > >
> > > One of the emails states that a copy was sent to her "secure email
> > > address" as verification, but again, why have a copy of the emails
> > > go to her actual email?
> > >
> > > So, back to the phishing thought. One of the emails had a Customer
> > > Service number (I know, Aha, that's it!). But, that phone number
> > > appears legit. I did, however, find a reference to Harshad numbers
> > > and spammers, but haven't been able to get any concrete information
> > > on that line.
> > >
> > > The 2nd email had an image attached to it with the bank's logo. My
> > > thought here was that something was embedded in the image.
> > > But, I have no way to really determine that.
> > >
> > > Finally, in none of the emails were there any links that pointed
> > > anywhere strange or any JavaScript (I have the original emails in
> > > the Gmail "Show Original" format, which includes the raw message
> > > along with the Base64 encoded image file).
> > >
> > > I didn't want to send an email with attachments to the list, so if
> > > anyone wants to see if they can find the phish (or purpose of the
> > > emails), reply back and I'll forward you a copy of the "Show
> > > Original" emails.
> > >
> > > Mike
> > >
> > >
> > ---------------------------------------------------------------------
> > Archive http://marc.info/?l=jaxlug-list&r=1&w=2
> > RSS Feed http://www.mail-archive.com/[email protected]/maillist.xml
> > Unsubscribe [email protected]
> >
> >
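As an added example, not code from the thread or from any of its participants, here is a Python triage script for a raw "Show Original" message that addresses Mike's question of how a sender would learn the mail was read: it separates an image carried inside the message (like the attached bank logo) from images fetched from a remote server, and flags scripts and links. The bank domain, tracker URL, Content-ID and PNG bytes in the constructed sample are hypothetical placeholders.

```python
# Added example (not from the thread): triage a raw "Show Original" message for
# what Mike and Tim discuss, i.e. anything that would phone home when the mail
# is read (remote <img src>, <script>) versus a logo carried as an attached part.
import re
import email
from email import policy
from email.message import EmailMessage

REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
LINK = re.compile(r'\bhref\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
SCRIPT = re.compile(r'<script\b', re.I)

def triage(raw: bytes) -> dict:
    """Walk every MIME part and collect what could reveal a live reader."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    f = {"remote_images": [], "links": [], "script": False, "attached_images": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            f["remote_images"] += REMOTE_IMG.findall(html)
            f["links"] += LINK.findall(html)
            f["script"] = f["script"] or bool(SCRIPT.search(html))
        elif part.get_content_maintype() == "image":
            # Embedded image: decoded from the message itself, no server contact.
            f["attached_images"].append((part.get_filename(),
                                         str(part.get("Content-ID", "")),
                                         len(part.get_payload(decode=True))))
    # Only remote resources or script can signal that the message was opened.
    f["beacons"] = bool(f["remote_images"] or f["script"])
    return f

def build_sample(remote_logo: bool) -> bytes:
    """Constructed message shaped like the thread's (all names are hypothetical)."""
    m = EmailMessage()
    m["From"], m["To"] = "alerts@bank.example", "recipient@example.org"
    m["Subject"] = "Your online account password was changed"
    src = ("http://tracker.example/logo.png?id=42" if remote_logo
           else "cid:logo@bank.example")
    m.set_content("Your password has been changed.")
    m.add_alternative(f'<html><body><img src="{src}"><p>Your password has been '
                      'changed.</p><a href="http://bank.example/login">Log in</a>'
                      '</body></html>', subtype="html")
    if not remote_logo:  # attach the logo as a related part, as Mike's sample had
        m.get_payload()[1].add_related(b"\x89PNG\r\n\x1a\n" + bytes(64),
                                       maintype="image", subtype="png",
                                       cid="<logo@bank.example>", filename="logo.png")
    return m.as_bytes()

if __name__ == "__main__":
    for remote in (False, True):
        print("remote" if remote else "attached", triage(build_sample(remote)))
```

A message whose only image is an attached part and whose HTML contains no remote resources reports no beacons, which is exactly why delivery itself (Tim's point) is the only signal such a mail gives its sender.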

