Tax Scams, Malware, Phishing and a 419

A roundup of scam information, including a tax scams article, email with a link to malware, a phish, and the worlds laziest 419.

A roundup of scam information, including a tax scams article, email with a link to malware, a phish, and the worlds laziest 419.

It wasn’t until Stephen Cobb described me in a tweet as “My esteemed scam-fighter colleague…” that I really began to appreciate how many of my own recent blogs have been about scams rather than malware or other aspects of security/insecurity. Scams aren’t necessarily my only priority, but an awful lot of them have crossed my radar recently. So here’s a roundup of some recent stuff I haven’t really mentioned on this blog, but I can’t promise it’ll be my last word on the topic.

These are items that were originally intended to be part of another article that focuses mostly on tech support, accident insurance scams and PPI insurance, but that one will now come out a little later. It was getting so long it seemed sensible to give it some room to itself. Watch this space…

Death and Tax Scams

Sadly, it’s the time of year for tax scams, and there’s an article (by me) devoted entirely to tax scams in ESET’s January Threat Radar report. Unfortunately, I expect there’ll be another one along in a minute. A tax scam, that is, not another article on tax scams. Not by me, at any rate.

The monthly Threat Radar report is an online resource to be found on ESET’s Virus Radar site, along with lots of other resources like the Threat Encyclopaedia, a Glossary, threat prevalence statistics, and various tools and utilities.

Part and Parcel

And on a slightly different note, as Benjamin Franklin might have said, here’s a neat example of a common means of directing a victim to a booby-trapped webpage.

Dear Customer

We have received your order and it’ll be processed for 2 business days. The order reference is 333067.

Your credit card will be charged for 672 pounds.

Information about the order and delivery located at: [link redacted for obvious reasons. (In this case, the link appears to have gone to a ZIP file: by the time I got to the message, though, the link had disappeared.)]

Best regards

Balvac Whitley Moran Company

Wilhelm Clapton

You’re charging me £672 and you don’t even know my name or any details of my credit card account? I don’t think so. As I often point out, the weak point for phishers and malware distributors is usually that they can’t personalize the message because they’re just sending out the same message to a whole load of email addresses in the hope that a few people will respond and click on a fake site or a malicious object. As a general rule, if there’s no personalization, the sender doesn’t know anything about you, he’s just hoping you won’t notice you’re falling into a trap.

I love the name Wilhelm Clapton, though. It suggests a cross between the Kaiser Chiefs and one of the great English rock guitarists. Perhaps I’ve bought a new Strat? Unfortunately not…

Of course, there are instances where the malefactor does know enough about you to send you what appears to be a personal message (spearfishing, APTs, Londoning and so on), so don’t assume that if the sender appears to know something about you, it must be OK.

In the case of the email from Eric – sorry, Wilhelm – the ‘To’ field simply said ‘customer’, and it’s safe to assume that lots of people were receiving the same message. However, the fact that the ‘To’ field shows your correct name (not just your email address) doesn’t prove everything is OK. This week, I received several messages like this ‘correctly’ addressed to ‘David Harley’ at one of my ESET addresses.

Subject: Important Notice (ID:17289273647)

Please click the link below to proceed with verification process: [link redacted]

Fidelity Brokerage Services LLC, Member NYSE,SIPC

Not only am I not a Fidelity customer, I’d never heard of the company until I saw these, so I’m pretty sure this isn’t from the real Fidelity. The real giveaway here, though, is that (as usual) there is no real personalization. (That ‘ID’ number is just a random numeric string, intended to make the message look personalized.)

If you accept the invitation of a mail client like Outlook to tell it ‘the way your name is to be displayed to other people’ then an address like (apologies to its owner if that address actually exists!) will look to the recipient of one of your messages, something like this:

‘John Doe <>

From there, it’s quite easy to generate a list of captured addresses that include the names associated with simple email addresses, and a  mail exploder will channel the bulk mail to individual mailboxes. It’s even possible to automate embedding the name (rather than the email address) into the message so that it does look more personalized. Few scammers do this at the moment, but that could change. So you should always look for personalized data that couldn’t simply be extracted from your email address. Even then, don’t forget that such data are often stolen from legitimate sites: treat embedded links and attachments with suspicion, and verify with the company from which the message appears to come.

Another malware link I found by accident in the ‘infected items’ folder for an email account I hardly ever check had an interesting wrinkle, though the message goes back to August 2013. Nevertheless, I thought the social engineering was of interest. The message claimed to come from UPS Global, advising me of a package that couldn’t be delivered because of a postcode error. The attachment was identified by ESET software as Zbot (Zeus). The interesting wrinkle was that the message claimed that UPS

…will have the right to claim compensation from you for it’s keeping in the amount of $7.77 for each day of keeping of it.

Dreadful English, but I can see that it might panic a potential victim naive enough to think that a parcel carrier could impose such a condition rather than simply returning it to sender after n days. Anyway, I don’t remember seeing that particular bit of social engineering before, and it’s certainly a gambit that could turn up again. Fake parcel deliveries are very commonly real malware deliveries…

Footnote. Or Foot in Mouth Note.

And the award for the laziest 419 of the month goes to roselyngrey2, who sent me a message with the subject “I have a project. If interested. Reply”. Yes, that’s how it was punctuated. And there was no message body. I find it hard to imagine that anyone has ever fallen for that one…

David Harley
ESET Senior Research Fellow

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center