SCAM ALERT: Fedex emails, Best Buy text messages and in the news, new APWG report

Just another quick “Be careful” note….

Today, I get to warn you about scams I am aware of because I’ve personally gotten all of them in the last 24 hours. The first, which I hope and expect NO ONE should fall for, is a flood of “Fedex” notifications that are so badly written they’re actually entertaining.

What’s more interesting to me as a linguist is to see if you can localize the scammer based on HOW it’s badly written. For instance, Russian speakers (and those of other related Slavic languages) will frequently make all kinds of errors with particles. You see, Russian has no “a”, “an” or “the” equivalents, so they often appear (and disappear) sporadically and in the wrong places. See these excerpts from the flood of Fedex notices I’ve gotten over the last few days (malware-laden, by the way; please don’t open those attachments!).

  • “Our courier couldn’t make the delivery of parcel.”
  • “Label is enclosed to the letter.”
  • “…information about the procedure of parcels keeping…”

You can almost hear the voice of The Count from Sesame Street.

Then I got a text message that said:

“Your entry last month has WON! Goto and enter your Winning Code: “6655” to claim your FREE $1,000 Bestbuy Giftcard!”

What’s interesting about this one to me is the link sent via text.  This means essentially it is either:

  1. A phish in the classic sense, meaning it just asks you to divulge information on the destination page; or
  2. The link is malicious, which is kind of neat because, given the delivery via SMS, it would therefore (I assume) engage malware targeting either the iOS or Android operating system.

Given the deplorable, nearly non-existent state of mobile malware protections and smartphone anti-virus defenses, I elected not to click the link from my phone to find out. (Given that the domain was created on Monday of this week via anonymous registration in Panama, this seemed like a good site to avoid.)

Finally, in scam-related news, the Anti-Phishing Working Group published their report on H2 2011.  There’s a nice synopsis here, or you can download the full report from APWG’s Web site.



Columbia Researchers Put Metrics to Phishing Victims’ Gullibility

Researchers at Columbia University have built a small-scale system that synthesizes phishing emails and measures the susceptibility of a targeted population to them. First-round participants who fell for the simulated scams were notified of their mistake, but were NOT notified that they would also be re-targeted for future probing/attack. As the guy who (warning, shameless plug alert) authored my company’s Cyber Safety Awareness Training product, I can’t say I’m surprised by the most depressing tidbit. Even targets who were warned they were being taken online went through as many as four successful scams before learning a bit of caution.

I’m just hitting a few highlights of course, but the full paper is an interesting read, available for download at

SCAM ALERT: Justin Bieber emails part of malware spreading over Facebook

Kaspersky Labs researcher Sergey Golovanov has a detailed post this morning about the LilyJade worm, a technologically fascinating bit of naughtiness that is spreading via messages about teen pop star Justin Bieber (though of course the content of the emails will change constantly). For users, all you need to know is, as always:

1.  Don’t trust messages, click on links or open attachments from anyone you don’t know.

2. Even if it’s from someone you do know, if the message seems generic, is totally off any topic you care about or seems out of character for the sender, same rules apply.  Their account may have been compromised.

3. If the message seems like it actually might be important, reach out to that person via an alternate channel, e.g. a phone call, text or email to another account. You may just make them aware of the fact their account is compromised and they didn’t know it.

4. Hover your mouse over all links in emails and see if the visible link and the underlying actual destination agree.  If they don’t, don’t click the deceptively labeled link.

5.  Never respond to online requests for personal information, passwords, login credentials or financial data except on a reputable web site you trust (e.g. Amazon, Zappos, eBay) where you TYPED IN THE ADDRESS YOURSELF.

For the really nerdy among you, who care about “cross-platform browser vulnerabilities” or like reading code on a command line (dorks), the Kaspersky post is pretty interesting and detailed.

SCAM ALERT: Facebook, Gmail, Hotmail, Yahoo – “Rebates” and “New security measures”

Just a quick heads up to all – this post from security vendor Trusteer details the latest widespread, and technologically pretty smart, phishing / malware campaign against users of the big Web-based email services, as well as Visa and Mastercard.  A few articles out there too, but I like the original Trusteer post because it has pictures of the actual materials.

As always:

1.  Assume any email asking you to do, click or download something is fake

2.  Hover your mouse over the links in the email. The destination of the link should appear.  If it goes to a site you’ve never heard of, or the actual link disagrees with the one shown in the text, don’t click it.

3.  If you need something from any web-based vendor you use and trust, Amazon, Gmail, or whatever, type the name in the address bar yourself.

Surf safely!


