Trustwave Vulnerability Scan Scam

This one is potentially a better attempt at a phishing scam than most.

Supposedly from Trustwave, it reports that a vulnerability scan of my network has failed and tells me to view the results online.

Visiting the linked site potentially loads malware, or uses phishing techniques to harvest credentials for your systems.

One interesting aspect is that it lists the IP ranges the scan will supposedly come from, which makes me lean toward a malware attack.

This is an automated email message to prevent you that the scheduled TrustKeeper vulnerability scan of YOUR NETWORK SYSTEMS has completed and is not compliant.

IMPORTANT: During the scan, TrustKeeper Discovered several Unsecure systems. Trustwave strongly recommends you review these findings as your overall PCI DSS compliance status may be affected.

TrustKeeper generated a vulnerability scan report. You may view these results by accessing TrustKeeper at:

https://login.trustwave.com
User Name:webmaster@deepweb.co.nz

You will receive an e-mail confirmation when the scan completes and your results are available. Please note that this can take up to three days.

Note: If you monitor your network for activity, note that the TrustKeeper scan may originate from IP addresses in these ranges:

200.16.208.0/24
61.37.230.0/24

TrustKeeper is a certified remote assessment and compliance solution created by Trustwave and designed to help merchants meet the PCI DSS and achieve compliance with the associated programs of Visa®, MasterCard®, American Express®, Discover®, and other credit card associations. The TrustKeeper solution is an integrated easy-to-use tool that removes the challenge of navigating the complex PCI DSS requirements and provides a “one stop shop” for merchants to certify compliance.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL.

This mail is sent by an automated message system and the reply will not be received. Thank you for using TrustKeeper.
This email was sent to: webmaster@deepweb.co.nz
This email was sent by: Trustwave
80 West Madison Street, Suite 1080, Chicago, IL, 60408, USA

We respect your right to privacy – view our policy

So, another attack that uses fear to make people click the link and open themselves up to the real attack. The address shown in the email is Trustwave's own login page, so the only thing worth checking is where the link actually goes. If you are a TrustKeeper customer, type the portal address into your browser yourself rather than following the email, and do not open firewall rules for the listed IP ranges on the strength of an email.

New Scam – Better Business Bureau

The Better Business Bureau has been targeted as the latest “trusted source” for email phishing attempts. Not that the BBB is doing anything wrong; the spammers have chosen it as the face of their campaign because of its trustworthiness and, in this case, the worry that an email from them saying something is wrong will cause.

With this latest email (I received 2 today, even though I am not in the US) they use the threat of a complaint against your company to get you to click on a link in the email.

Here is a copy of the email:

RE: Case # 18558568
2011/12/20

Hello,

The Better Business Bureau has been filed the above-referenced complaint from one of your clients on the subject of their dealings with you.
The detailed information about the consumer’s concern is presented in enclosed document.
Please give attention to this matter and let us know about your opinion.
We encourage you to open the ATTACHED REPORT to reply this complaint.

We look forward to your prompt response.

Sincerely yours,

Louis Gerald

Dispute Counselor
Better Business Bureau

So again, it is a case of being careful when something like this appears in your mailbox. Don’t panic and click the link (or open the attachment) to see what the issue is; if in doubt, hover over the link and your email program will show the real destination in its status bar.

If it looks in any way suspicious, leave it alone.

ANZ Bank Phishing Target Again

These phishing attempts are usually found by my virus scanner, but this one got through.

ANZ Bank

We’d like to inform you that your Secure Messages Center has 1 new message.

Please login to your Online Banking and visit the Secure Message Center section in order to
read the message.

Log On to Online Banking.

(The Message Center contains only important information about your account and online banking.)

Copyright Australia and New Zealand Banking Group Limited ABN 11 005 357 522, 1996-2011.
ANZ’s colour blue is a trade mark of ANZ.


The log on link goes to http:// nogueirametalurgica . com . br/www . anz . com/index . php

This is a typical ploy: the link points at a hacked website on which they have placed a copy of the target’s login page (ANZ this time). The real host is nogueirametalurgica.com.br; the “www.anz.com” part is just a folder name on that server, and they hope you do not look at the address in the URL bar of your browser.

Whenever you get a dodgy email, hover over the link in the email and the email program will show you where the link will really take you.

If it is anything like this, then stay away.

Chinese Domain Name Scam Update

I have had a number of enquiries from clients, checking to see if these emails are legitimate or not.

However, I have just received one directly and have noticed that although the scam is the same, the wording and formatting are a bit better, more convincing.

Here is the transcript:

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On October 17th 2011, We received Tianhua Ltd’s application that they are registering the name ” yourdomain ” as their Internet Keyword and ” yourdomain .cn ”, ” yourdomain .com.cn ”, ” yourdomain .asia ” domain names etc.., they are China and ASIA domain names. But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so we are sending you this email to check. According to the principle in China, your company is the owner of the trademark, In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!

Best Regards,

John
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 136615 29704
Fax: +86 216191 8697
Web:
www.ygnetworkltd.com

So you can see that the construction of the email is much more professional, but still not quite perfect.

Again, the point of these emails is to scare you into thinking that your domain name is about to be registered by a Chinese company. All they want is for you to register the extra domain names through them, often at an inflated price.

Don’t worry, I have not seen one of these be real yet.

Business Listing Scam – EU Business Register

Beware of a directory listing scam that is being emailed out to people offering a business listing with Free Updates!

What is hidden is that by signing and sending back the form, you lock yourself into a three-year listing at EUR 995 per year.

But they do let you update your details for free.

Transcript is here:

From: contact@business-listing.info
Subject: EU Business Register 2011/2012
Dear Madam/Sir,

In order to have your company inserted in the EU Business Register for 2011/2012, please print, complete and submit the enclosed form to the following address:

EU BUSINESS REGISTER
BOX 252 – 28020 Madrid
SPAIN

Fax: +34 91 791 9167

Updating is free of charge!


These kinds of scams are pretty common; I get ones faxed to me a few times a year. Similar ones for overpriced domain names are common as well.

You know your business and will know the kinds of places that are worthwhile advertising in. If anything comes across your desk or into your inbox that offers advertising, check it thoroughly before committing. This one had the price in the fine print of the attached PDF, not in the email itself, and its terms and conditions were hidden further still, on a website the PDF did not even link to.

Xerox Scan Email Virus

The tricks these guys try…

So I get an email, apparently a scan of an image from a Xerox copier, sent to my inbox.

I am going to open the zip file that is attached? Um No!

This is what I see wrong with this one…

  1. Images don’t need to be zipped; a zip barely compresses them, so the archive is there to get something else past attachment filters.
  2. It was sent from someone I don’t know at admantech@nederland.8bit.be
  3. It’s incredibly vague.

Obviously this targets large organisations whose centralised scanners deliver documents this way; for everyone else it is a scatter-gun approach. The header even contradicts itself: it counts one image but labels the attachment ZIP [DOC], and a real scan-to-email job delivers a PDF or image file, not a document inside an archive.

Here’s the text:

Subject : Scan from a Xerox WorkCentre Pro N 2918425

Please open the attached document. It was scanned and sent to you using a Xerox

WorkCentre Pro.

Sent by: Guest

Number of Images: 1

Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set

Device Name: XRX9679AA7ACDB40111008

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The Phishers / Virus Makers have Hooked Amazon now

Phishing is all about getting people hooked, line and sinker; this time Amazon is the focus of the phishers’ attention.

It seems to be the usual DHL / UPS style scam, where a zip archive attached to the email carries the malicious payload.

It asks you to print the attached postal label to get your package.

As usual, delete these emails as they are nothing but a cover for a dangerous virus or scam.

Here is the transcript of the email

Good afternoon!

Thank you for shopping at Amazon.com
We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered ” Asus Eee PC T91Go ”

You can find your tracking number in attached to the e-mail  document.

Print the postal label to get your package.

We hope you enjoy your order!
Amazon.com
Attachment is called Postal_label_Nr234.zip

It is interesting to see these people targeting suppliers and vendors with wide audiences, and dropping any reference to DHL or UPS, which was starting to get a little old.

I wonder how long it will take the anti-virus brigade to recognise this new variant.

Email Scam targeting mail users at a specific domain

Well they keep rolling off the spam/scam production line.

This one pretends to be an email from the mail support of a specific domain. As with all of these mass email scams, they don’t realise that the person they sent it to manages all of the mail for that domain, including the “support” address the email claims to come from.

This is a phishing scam hoping to harvest logins and passwords, to get into the mailbox or into any other online service where you reuse the same login details.

Here is a transcript

Subject: Your profile will be locked in response to a complaint received by the Administration
from: support-62@deepweb.co.nz

***This message was created automatically by mail-delivery software. Do not reply to this message.*** 

Hello!
Your profile will be locked in response to a complaint received by the Administration 29.01.2010.
According to "paragraph 8 of the user agreement, deepweb.co.nz reserves the right to suspend or terminate the provision of services deepweb.co.nz, promptly notifying the user. 

Refute the statement may be, following this link:
http://schwaber.net/472e3bb6


If the application is not rejected within 7 days, your e-mail an account will be blocked.
It has a number 237242679231777. 

In the near future we will contact you.
It takes up to 3 days to process your request.
Thank you!
--------------------------------
Sincerely,
mail support service
deepweb.co.nz 

As you can see, they use a shortened-style URL to hide the destination, but it is unsophisticated: the link points at a completely unrelated domain rather than the domain the email claims to come from.

Most likely this will be caught by the spam filters, but it shows these scams are still out there and are unlikely to go away.

Other variants of this try to dupe Gmail users into giving their logins to the phishers.

DHL, UPS Virus Email, What Next NZPost?

Many times there are things that show the US Centricness (Is that a word?) of the internet:

  • .com readily taken to mean a US site
  • US date formats in online forms
  • USD as the default currency

Well, another example is the idea that every country must use UPS and DHL for its parcels.

Why else would all of the post / courier virus emails sent around the world offer only these two as options?

The phishers seem to have a better idea: use a local provider for a better chance of success. (Even these guys get it wrong. Note to spammers: I don’t have any Commonwealth Bank of Australia accounts.)

What is wrong with NZ Post? I suspect that an email from a local bank, services company or postal service would cause far more trouble for the local population than one from a company nobody here uses.

So, look out for suspicious emails from local suppliers, and as should be usual practice, here are a few standard tips to protect you from email nasties:

  • Any email asking for any form of login / password should be treated suspiciously
  • Any email warning of a security breach should be treated suspiciously
  • Don’t click on any links in emails that you are unsure of, instead go to the website manually
  • Don’t open any attachment that is unexpected, this especially includes zip files
  • Keep your anti-virus software up to date and make sure email scanning is turned on!
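The tips above, together with the “hover over the link” advice and the ANZ folder-name trick described earlier, can be applied mechanically to a saved message. The script below is an added example, not code from the original post: it parses a raw email, compares the visible text of each link with the host it really points to, flags a brand name used as a folder on some other host, and looks inside any zip attachment for an executable. The sample message it builds (the hosts, addresses and attachment name) is constructed for the demonstration, and the brand list is an assumption chosen from the scams on this page.

```python
# Added example, not from the original post: mechanically apply the tips above
# to a raw message. Hosts, addresses and attachment names below are constructed.
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the scams on this page impersonate (assumed list); a genuine link must
# sit on one of these domains or a subdomain, not merely mention it in the path.
BRAND_DOMAINS = ("anz.com", "trustwave.com", "amazon.com")
# Extensions that run when double-clicked, hidden inside the zips these mails carry.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating link text such as 'www.anz.com' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_links(html):
    """The 'hover over the link' check: compare what is shown with where it goes."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Only compare hosts when the visible text itself looks like a URL.
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text, re.I) else ""
        if shown and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
        # The ANZ trick: the brand's domain used as a folder name on another host.
        path = urlparse(href).path.lower()
        for brand in BRAND_DOMAINS:
            if brand in path and real != brand and not real.endswith("." + brand):
                findings.append(f"{brand} appears in the path of {real}")
    return findings


def check_attachments(msg):
    """An unexpected zip is suspicious; a zip holding an executable is the payload."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in RISKY_EXTENSIONS:
                        findings.append(f"{name} contains executable {member}")
        except zipfile.BadZipFile:
            findings.append(f"{name} is not a valid zip archive")
    return findings


def analyse(raw):
    """Return human-readable findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    findings = check_links(body.get_content()) if body is not None else []
    return findings + check_attachments(msg)


def build_sample(malicious=True):
    """Constructed test message with hypothetical hosts; not a real captured mail."""
    msg = EmailMessage()
    msg["From"] = "support-62@example.co.nz"
    msg["To"] = "webmaster@example.co.nz"
    msg.set_content("Log on to Online Banking to read your message.")
    href = "http://hacked.example.net/www.anz.com/index.php" if malicious else "https://www.anz.com/"
    msg.add_alternative(f'<p><a href="{href}">https://www.anz.com/</a></p>', subtype="html")
    if malicious:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Postal_label.doc.exe", b"MZ constructed stand-in, not a real binary")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Postal_label_Nr234.zip")
    return msg.as_bytes()
```

Running `analyse(build_sample())` on the constructed message produces three findings: the link text shows www.anz.com but goes to hacked.example.net, anz.com appears in the path of that other host, and the zip contains an executable. The same checks on `build_sample(malicious=False)`, where the link really goes to the ANZ domain, produce none. To use it on a real message, save the email as a .eml file and pass its bytes to `analyse`.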

Let me know of any other tips or other virus laden emails you have had to send to your trash bin.

Igrin Email Scam

Local NZ ISP Igrin is the latest to be targeted for a phishing scam.

This one is quite crude, as even the links look nothing like Igrin links.

This message is from the webmail IT service, you are to provide to us the below information to re-validate your account due to spam.

What was the problem?

On November 27th, our servers were subjected to a malicious attack, which affected certain components of the operating system on some of our servers. Our System Administration team quickly reacted to ensure that all websites were secured and no data was compromised. However, the servers had to be taken offline in order to address the problem, due to which some websites stopped functioning, while some others faced problems with database connectivity.

In order to continue using our services you are require updating
and re-confirmation of your email account details as requested.
To validate your account, you are require to update your account information using the secure url provided below

http://www.pacnet-servers.co.cc/igrin/login.php.htm

Failure to do this will immediately render your account deactivated
from our database and service will not be interrupted as important
messages may as well be lost due to your declining to re-confirmed
to us your account details.

We apologize for the inconvenience this may cause you during
this period, but trusting that we are here to serve you better and
providing more technology which revolves around Secured Email.

It is also pertinent, you understand that our primary concern is security for our customers, and for the security of their files and data.
CONFIRMATION CODE: /93-1A388-480

IT Support Team

Don’t fall for this one. Igrin has a generic “We don’t ask for your login and password” message on its home page; I wonder if they have sent anything out? I wonder what their policy on protecting their clients is?

If there is anyone from Igrin out there, can you let us know?