Evil Email Analyzed
Let's start with the sender:
Webmail Helpdesk Support Centre <landerso@kidsroe.org>
In the first place, "Centre" is a British spelling, so why are Brits writing to me about my email?
The sender's domain is kidsroe.org, and Geek Tools tells me it belongs to "Domain Discreet Privacy Service".
But this is not the owner -- it is a company whose business it is to hide the actual ownership
of a domain (this is legal and there may even be good reasons for this, but it does raise
questions.)
While looking at the registration I see
Domain Name:KIDSROE.ORG
Created On:22-Feb-2000 16:31:19 UTC
Last Updated On:04-Nov-2011 22:43:56 UTC
Expiration Date:22-Feb-2019 16:31:19 UTC
Now this is strange for a fraudulent site since it has been around for 13 years while most
frauds come and go in a matter of months. The registration is good for another six years,
and since you pay by the year, whoever registered this expects to use it well into the future.
Given the strangeness of the dates, I Google kidsroe.org and the first hit is:
KIDS | Kishwaukee Intermediate Delivery System | Loves Park, IL
www.kidsroe.org/
Kishwaukee Intermediate Delivery System (KIDS) offers school development and school
improvement services in Boone/Winnebago, McHenry and DeKalb ...
The remaining hits on the Google page are either to or about this same organization so I judge
that it may be safe to visit their website (remember I run various protection software on my
browser.) The site looks completely legitimate -- not at all the origin for a lame email.
At this point I put on my special Geek Tinfoil Hat and look at all of the email headers (way
beyond what I expect of you) and find that the "From" address is spoofed -- the email originated
at the IP address 41.71.189.216. A trip back to GeekTools tells me that the internet service
provider for this address is in Lagos, Nigeria!
Now, back to the email:
The "To" line is
To: Recipients <landerso@kidsroe.org>
This is the "sender's" own email address. This tells me that the mail was probably sent to a number
of addresses as blind carbon copies (BCC). Well, it could be that the same virus hit a lot of users,
but it doesn't seem likely.
Now to the body of the email:
It starts
Strong virus has been detected
Well, this isn't grammatical (it should say "A strong virus"), and the phrase "strong virus" is not
one I have ever seen in the literature.
The email goes on
Use the below web link to Delete…
Again, the grammar is bad and there is no reason to capitalize "Delete." You might also wonder
why they don't just delete the virus themselves.
Finally, why the copyright notice? What about this message could possibly be worth protecting
as a work of authorship?
Now we turn our attention to the link:
The domain name is google.com
So that seems legitimate (you could check it with GeekTools if you have doubts).
In fact, docs.google.com is the site for Google documents which lets people create and share
documents. Our email senders haven't bothered to have their own evil website to send you to
and so they are using a free service. Clearly Google doesn't approve of such things, but right
now it has been 48 hours since I first reported it to Google and the page is still here -- in case
you wondered, this is what it looks like.
Evil from Nevada?
Here is an email which I got from the Bank of Nevada
Here is the plain text behind the email
-------- Original Message --------
Subject: Expand the range of possibilities!!
Date: Wed, 17 Feb 2010 18:17:32 +0100
From: Bank of Nevada <banknews@bankofnv.com>
Reply-To: 4devt@nexstepworld.com
To: drott@drexel.edu

Bank of Nevada
*Expand the range of possibilities for your business
with Bank of Nevada!*
At Bank of Nevada, we believe the best interests for you and your
business come first. We performed a detailed analysis of your banking
needs to ensure we service your relationship to your complete satisfaction. During the past year, Bank
of Nevada has continued to
strengthen its service array with new technological innovations for
treasury management, enhanced merchant services, and new banking
offices. As for this year, we are beginning it with an absolutely *new
offer <http://bank-of-nv.us/Offer2010>*, which includes an
extra-ordinary series of services for all types of businesses. We
welcome you to visit our *Regional Banking Offices
<http://bank-of-nv.us/contactus/locations>* or our *website
<http://bank-of-nv.us/Offer2010>* for additional information.
You can rely on Bank of Nevada, and our banking professionals are
anxious to assist you with all of your financial needs!
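The header and link checks walked through for the "Strong virus" email above (spoofed From, To equal to the sender, link host unrelated to the sender, originating relay IP), plus the Reply-To mismatch visible in the Bank of Nevada message, as an added Python example that is not part of the original article. The raw message is constructed from the headers quoted on this page; the Received line's format and the docs.google.com path are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the headers quoted on the page. The Received
# line is an assumed format carrying the page's IP; the Google Docs path is a placeholder.
SAMPLE = """\
Received: from [41.71.189.216] by mx.example.net
From: Webmail Helpdesk Support Centre <landerso@kidsroe.org>
To: Recipients <landerso@kidsroe.org>
Subject: Strong virus has been detected
Content-Type: text/html

<p>Strong virus has been detected. Use the below web link to Delete:
<a href="https://docs.google.com/CONSTRUCTED-PATH">here</a></p>
"""

def domain_of(addr):
    """Lowercased domain part of an address like 'Name <user@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def link_hosts(body):
    """Hostnames of every http(s) link in the body, in order of appearance."""
    return [h.lower() for h in re.findall(r'https?://([^/\s"\'>]+)', body)]

def originating_ip(msg):
    """IP in the earliest Received header (the last one listed): the first relay hop."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
    return m.group(1) if m else None

def analyze(raw):
    """Return the red flags the page's manual checks would raise for one message."""
    msg = message_from_string(raw)
    flags, sender = [], domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender:          # Bank of Nevada case
        flags.append(f"reply-to domain {domain_of(reply_to)} differs from sender {sender}")
    if domain_of(msg.get("To", "")) == sender:               # To == From: BCC blast
        flags.append("To address is the sender's own address (likely BCC)")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for host in link_hosts(body):                            # links not under sender domain
        if host != sender and not host.endswith("." + sender):
            flags.append(f"link host {host} does not match sender domain {sender}")
    ip = originating_ip(msg)
    if ip:                                                   # look this up before trusting From
        flags.append(f"originating relay {ip}: check its owner against the From domain")
    return flags
```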
Evil Internal Revenue Service?
Here is an email which I received several days ago.