SCAMALOT! Part II

Posted January 18th, 2013 at 11:07 am.

Welcome to SCAMALOT!  In Part I, our heroes explored the anatomy of a scamtastic message claiming to be from Facebook.  In our continuing adventures, we will take a closer look at two messages which claim to be from popular shipping companies.

Example 1

Let’s start with an easy one.  In our first example, we will look at this somewhat weak attempt to impersonate a FedEx message:

What’s wrong with that, you ask? Let’s take a closer look…

  1. It has an attachment which is a .doc file (not a .pdf).  The file name does not reference a tracking number or other specific information.  Some file types, including .doc, .zip, and .exe files, can contain viruses.
  2. It’s from a Mr. Ashley Sherlock, not from a FedEx alert address.  If I hold my mouse over Mr. Sherlock’s name, I see the address is “Mr Ashley Sherlock” <weboffinvsxxx@btinternet.com>.  Oooh! By the way…there is no To: line, meaning it was not sent directly to me.  Suspicious!
  3. The reply-to address is different and does not appear to be official either.  Holding my mouse over this address, I see it is “fast deliveryservice002” <fast_deliveryservice002@yahoo.com.hk>.
  4. The body of the email is odd — it has little information, no logo, is in all caps, and doesn’t look very professional.  It does not reference anything on FedEx’s Web site, and has no specific link for package tracking information.  It also has no specific information about the contents of the attached file.

Ok, so that one was pretty easy.  However, these scams are so common that FedEx has set up a whole fraud prevention site containing examples of the most common scams. They would like to remind their customers that “FedEx does not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information” and offer this advice:

Common Warning Signs of Online Scams

  • Unexpected requests for money in return for delivery of a package, often with a sense of urgency.
  • Requests for personal and/or financial information.
  • Links to misspelled or slightly altered Web-site addresses (fedx.com, fed-ex.com, etc.)
  • Spelling and grammatical errors or excessive use of capitalization and exclamation points.
  • Claims that you have won a large sum of money in a lottery or settlement.
  • Certificate errors or lack of SSL for sensitive activities.

Example 2

Now let’s try something challenging!

Well, that looks pretty good.  What’s wrong?

Let’s start at the top.

Whoa!  This message is titled as if from UPS, but the address claims to be from USPS.com.  The letters might be close, but those are *not* the same. That’s one sign. Let’s see what else we can find.

That’s an awful lot of addressees, and they seem to be a random, alphabetically ordered list of Bryn Mawr addresses.  This is not directed to me, or even to me and several colleagues with similar roles.

In fact, this message is about UPS invoices for “my” account.  Wait!  Do I even have a UPS account that should be invoicing me?

Ok, let’s look at one more thing.  The text at the bottom seems pretty legit, but let’s take a look at some of the links.  I’ll hover my mouse over the link and…hey!

That’s not a UPS site.  In fact, all of the links in this email go to the same site, which is not UPS.

I guess it really is a fake.  Time to hit that spam button in the toolbar.
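The checks from both examples can also be run automatically against a saved message. The sketch below is an added example, not part of the original post: the brand-to-domain map, the sign names, the recipient threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

BRANDS = {"fedex": {"fedex.com"}, "ups": {"ups.com"}}  # assumption: brand -> domains it really uses
RISKY_EXT = (".doc", ".zip", ".exe")                   # attachment types the post warns about

def _in(host, domains):
    return any(host == d or (host or "").endswith("." + d) for d in domains)

def warning_signs(raw, max_rcpts=10):
    msg, signs = message_from_bytes(raw), []
    name, sender = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    s_dom, r_dom = (a.rpartition("@")[2].lower() for a in (sender, reply_to))
    claimed = f"{name} {msg.get('Subject', '')}".lower()
    ok = set().union(*(d for b, d in BRANDS.items() if re.search(rf"\b{b}\b", claimed)))
    if ok and not _in(s_dom, ok):
        signs.append("brand-mismatch")        # e.g. "UPS" mail sent from usps.com
    if reply_to and r_dom != s_dom:
        signs.append("reply-to-differs")
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not rcpts or len(rcpts) > max_rcpts:
        signs.append("mass-recipients" if rcpts else "no-to-line")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            signs.append("risky-attachment")
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}
            if ok and not all(_in(h, ok) for h in hosts):
                signs.append("off-brand-links")   # a link leaves the claimed brand's site
    return signs

def constructed(body, attach=None, **headers):    # builds a constructed sample, no real mail
    m = EmailMessage()
    for k, v in headers.items():
        m[k.replace("_", "-")] = v
    m.set_content(body)
    if attach:
        m.add_attachment(b"x", maintype="application", subtype="msword", filename=attach)
    return m.as_bytes()

EX1 = constructed("SEE ATTACHED FILE", "notice.doc", From="Mr Sender <sender@mail.example>",
                  Reply_To="delivery@other.example", Subject="FEDEX DELIVERY")
EX2 = constructed("Invoice: http://billing.example/inv", From="UPS Billing <invoice@usps.com>",
                  Subject="Your UPS invoice", To=", ".join(f"u{i}@college.example" for i in range(12)))
```

An empty list only means none of these particular signs fired, so a message that passes still deserves a second look if it is unexpected.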

Well, that’s all the time we have today, kids.  Tune in next time to see more scams uncovered in….SCAMALOT!

Filed under: Email, Information Security | by Amy Pearlman
