Archive for the 'Cyberfraud' Category

 

eNom email scam

Nov 03, 2008 in Cyberfraud, Email scam, Social engineering

This scam is aimed at someone who has registered a domain name.

It is the third I’ve received in 3 weeks. This one targets eNom clients, but I’m sure GoDaddy, Xin Net, Melbourne IT, and Netfirm might shortly be well represented.

Designed to trick novices, it will also snare those net-savvies who should know better but are asleep at the wheel, err, keyboard.

Image: the scam email. Note the tool-tip at bottom-right that reveals the real web address hidden beneath the stated enom.com.

If you own only one domain name, you are at greater risk of assuming this message refers to it. "They" are threatening to take your domain name away from you due to your oversight with wrong contact details. Allegedly.

Domain name registrars often nag us about such issues ("invalid domain contact information") via email, so it is not suspicious to get an email like this. That is unlike banks, which never communicate by email, especially unsolicited, and never invite you to log in using the convenient link in an email and tell them things about yourself.

Danger

That is the danger of this email: inviting you to visit a website, login, and do something. Urgently!

In our example (linked to at the end of this article) the link in the email looks like a simple helpful path to the eNom website. How can that be dangerous?

Pretending to be a plain text email, the message is really a ‘web page’ using that ole’ monospace font. But unlike a plain text email, it is web code (HTML), so things are easily hidden behind the text you read.

The innocent "http://www.enom.com" hides a completely different web address: "http://www.enom.com.sys43.ru" - and that’s your clue that this message is NOT what it seems.

Our detailed article explains how you can learn to determine for yourself that these never-ending emails are, indeed, fake.

I own more than 100 domains, so this sort of email grabs my attention because I am still updating contact information I know is incorrect. I got a similar scam message recently, purportedly from ICANN, the non-profit that oversees domain names on the Internet, and it made my toes curl. If that email was really from ICANN, I was seriously worried. Never having been reprimanded, I had no idea if this is what to expect when someone complains about false/faulty domain name registration details. But that email, like this eNom scam, did not specify a domain name. Odd, maybe, but entirely possible.

The ICANN email was not, happily, from ICANN. Neither was the coincident scam email from networksolutions.com. Nor is the eNom message.

Which is why you are reading this - to be certain, and learn the skills to sort this muck in the future, again and again.

Are you being scammed?

So, how do you, an Internet novice who just wants to get their work done, easily and quickly prove you are being hoaxed, or worse, scammed?

After all, this is technical stuff, domain names, and you don’t know how to deal with it confidently.

You might reply to the email, but it will never reach your domain name registrar because they didn’t send it. You can go directly to their website and generate a support ticket. They will then likely ask what domain name you are talking about. Unless the helpdesk person realises you are on about a scam email, he and you will be sidetracked for a while about details, and support will tend to shrug off your enquiry, telling you to just check the details.

Since we all get a dozen hoax emails like this every day, most of which are painfully, obviously, stupid emails and easily dismissed, you still need a method of evaluating the tough, ambiguous, and genuinely deceptive message that you have no choice but to assume is real till proven false.

The generic process to determine if an email is a scam or hoax is here. It is a series of simple steps and uses the eNom email scam as an example, with illustrations showing screen shots and the hidden text behind them.

The scam is discussed on the Sophos anti-virus vendor’s website in Graham Cluley’s blog. Graham connects a few dots in the domain registrar industry, questioning the simultaneous release of targeted emails seeking to gather domain name owners’ credentials.


Nigerian Connection

Oct 28, 2008 in Cyberfraud, Email scam

Well, they’re back!

Unless you live under that rock (the one invoked for Rip Van Winkle folk, who have slept for the past half-century) you would be aware of a community of emails known as “The Nigerian Scam.”

If this is news to you, simply take it as established fact that unsolicited email containing the word “Nigeria” anywhere is to be simply ignored.

Exactly like the Coca Cola email yesterday, today’s differed only in being more illiterate and reverting to the old offer of a free grant of much money (half a mill this time) to lucky you.

As if.

Notes on why this is a scam (of course, it might not be, but ..):

* Asks for far too much personal information

* Illiterate

* Offers far too much money

* Supplies an email contact from a free provider (Yahoo)

Well, punk, do you feel lucky?

OFFICE OF THE SENATE HOUSE FEDERAL
REPUBLIC OF NIGERIA COMMITTEE ON
FOREIGN PAYMENT(RESOLUTION PANEL
ON CONTRACT PAYMENT)IKOYI-LAGOS
NIGERIA14th FLOOR51/55BROAD STREET.

DEAR BENEFICIARY,
CONGRATULATIONS WE BRING TO YOUR NOTICE!!!
THE OFFICE OF THE SENATE HOUSE HAS CHOSEN YOU BY THE BOARD OF TRUSTEE AS ONE OF THE FINAL RECIPIENT OF THIS NEW YEAR 2008 PROMOTION CASH  GRANT/DONATION, TO CELEBRATE THE 30th ANNIVERSARY CELEBRATE, WE ARE GIVING OUT A YEARLY DONATION OF THE ATM CARD VALUE IS USD($500,000.00) FIVE HUNDRED THOUSAND UNITED STATE DOLLARS TO 7 LUCK RECIPIENTS, AS NEW YEAR PROMOTION FROM THE W.H.O,UN,AND THE EU in ACCORDANCE WITH THE ENABLING ACT PARLIATED.THE ATM GRANT/AID ONLY COLLECT EMAIL ADDRESS OF FINAL RECIPIENT FROM DEFFERENT COUNTRY: UNITED STATS, GREECE, SAUDI ARABIA, EUROPE,ETC.AND WITH AN ELECTRONIC BALLOTING SYSTEM, WITHOUT THE RECIPIENT APPLYING, YOU EMERGED ONE OF OUR LUCKY BENEFICIARY.

YOU ARE TO FILL OUT THE BELOW INFORMATION AND SEND IT BACK TO THE PAYMENT REMMITANCE OFFICE VIA EMAIL CONTACT ADDRESS.

WINNING BATCH No:(W-342-8876,U-500-32)

FULL NAME:________________________
RESIDENTIAL ADDRESS:______________
OCCUPATION:_______________________
NATIONALITY:______________________
PRESENT COUNTRY:__________________
AGE:_______________________________
SEX:_______________________________
TELEPHONE NUMBER:________________
FAX NUMBER:_______________________

ONCE AGAIN CONGRATULATIONS…..
(PAYMENT REMMITANCE OFFICE CONTACT)
Mr.Larry Musa
E-Mail:laryy.musa@yahoo.com.hk
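The indicators listed in this post, applied as code (an added example, not the author's; illiteracy is left out because it does not reduce to a simple rule). The provider list, field keywords, thresholds and sample message are assumptions made for the illustration.

```python
import re

# Assumed, deliberately short list of free webmail domains (not exhaustive)
FREE_MAIL = {"yahoo.com", "yahoo.com.hk", "hotmail.com", "gmail.com"}
# Assumed keywords for form fields that ask for personal details
PERSONAL = ("name", "address", "age", "sex", "phone", "occupation",
            "nationality", "country", "fax")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
MONEY_RE = re.compile(r"[$£][ \t]?(\d[\d,]*)")
# A "LABEL:____" or "Your Label:……" line, i.e. a blank to be filled in
FIELD_RE = re.compile(
    r"^[ \t]*(?:your[ \t]+)?([a-z ]+?)[ \t]*:[ \t]*[_.…]{3,}[ \t]*$",
    re.I | re.M)

def scam_indicators(body, min_fields=4, min_amount=100_000):
    """Return (indicator, evidence) pairs found in a plain-text email body."""
    hits = []
    # Contact address at a free provider instead of the claimed organisation
    domains = {d.lower() for d in EMAIL_RE.findall(body)}
    free = sorted(domains & FREE_MAIL)
    if free:
        hits.append(("free_provider_contact", free))
    # A form asking for far too much personal information
    fields = [f.strip().lower() for f in FIELD_RE.findall(body)]
    asked = [f for f in fields if any(k in f for k in PERSONAL)]
    if len(asked) >= min_fields:
        hits.append(("asks_personal_info", asked))
    # An offer of far too much money
    amounts = (int(a.replace(",", "")) for a in MONEY_RE.findall(body))
    big = [n for n in amounts if n >= min_amount]
    if big:
        hits.append(("large_sum", big))
    return hits

# Constructed sample message (not one of the emails quoted on this page)
SAMPLE = """CONGRATULATIONS! YOU HAVE WON USD($750,000.00) IN OUR PROMOTION.
FILL OUT THE FORM BELOW AND SEND IT BACK.
FULL NAME:__________
RESIDENTIAL ADDRESS:__________
OCCUPATION:__________
AGE:__________
TELEPHONE NUMBER:__________
CONTACT: constructed-sample@yahoo.com
"""
```

Any single hit can occur in legitimate mail; the combination of all three in one unsolicited message is what the list above describes.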

Claims Agent Bank for claims

Oct 27, 2008 in Cyberfraud, Email scam

What does that mean? No idea.

In the constant cat & mouse game between Internet fraudsters and you, the more interest taken in scammy emails, the more confidence in spotting and dealing with them.

In other words, choose to be ignorant - seeing Internet and email as a huge unfathomable mystery of the universe - and you will always be a victim.

Sorry for the lecture. It’s just that I’m self taught and choose to dedicate a modest percentage of my life being aware of threats, while my clientele choose to treat their primary tool of trade - the humble PC - and all it encompasses (their lives) as a forbidding and eternal puzzle. When all they need do is learn about it, like they did to drive a car.

Having said that, I nevertheless sympathize with those having trouble with remote controls. I’m still confounded by the half-dozen in my house, all of which have 30 - 60 buttons to do really complex tasks like “on” or “play.”

This week’s fraud email - I assume instantly it’s fraud, as I haven’t entered a competition for about 25 years - sails under the Coca Cola flag of convenience:

THE COCA COLA COMPANY
PROMOTION/PRIZE AWARD
DEPT COCA COLA AVENUE
STAMFORD BRIDGE LONDON
SW1V 3DW UNITED KINGDOM.

We are pleased to inform you of the result of the just concluded annual final draws held on the (1st October 2008) by Coca-Cola Promotion, your email was among the 20 Lucky winners who won £1,000,000.00 each on the the COCA COLA COMPANY PROMOTION.

your email was attached to ticket number(7PWYZ2008) and ballot number (BT:12052008/20), The on-line draws was conducted by a random selection of email addresses from an exclusive list of (2500,000) However, no tickets were sold (free of
charge) all email addresses were assigned to different ticket numbers for representation and privacy. E-mail addresses of individuals and corporate bodies and picked by an advanced automated random computer search from the Internet.

The selection process was carried out through random selection in our computerized email selection machine (TOPAZ) from a database of over 2500,000 email addresses which was drawn from all the continent s of the world This Lottery is approved by the British Gaming Board and also Licensed by the The International Association of Gaming Regulators (IAGR).. This lottery is the 3rd of its kind and we intend to sensitize the public. 

this to inform you that your winning was zoned among to be released from our payment office in west Africa. The Payment of our winners was grouped into three payment zones.
{Europe, ASIA And united kingdom} through computer balloting and you were zoned to our united kingdom Office for payment. so you will contact the united kingdom office (Mr.
Frank Brown) for payment.

Winner shall be paid within 5hours after contacting thier Claims Agents. In other to claim your £1,000,000.00 CHEQUE prize winning, you will have to fill the form below and send it to the united kingdom Claims Agent Bank for claims

CLAIMS REQUIREMENT

Your Full Name:…………………
Your Age:………………………
Your Sex:………………………
Your Address:……………………
Your Phone:…………………….
Your Country:……………………
Your Email:…………………….
Your Ticket Number……………….

Your Ballot Number………………
Note: this lottery must be claimed within 10days after date of receiving this notification Claims your winnings CHEQUE as soon as possible by sending your claims form with details to claims agent bank.

CONTACT CLAIMS AGENT BANK
Informa tion and Payment Bureau:
united kingdom Representative Office.
Name:Mr. Frank Brown
EMAIL: mr.frankbrown007@hotmail.com
Tele: +44 70359 42580

Your Sincerely,
Management
EDWARD PETER

Well, duh!

And only a million bucks prize money, huh? Oh well, guess I’d better send Edward Peter, or Mr. Frank Brown, at Hotmail, not at Coca Cola dot com, everything about me.

And I may as well preempt their unlikely reply with the only other item of personal importance they might seek, my bank account number.

Oh, and thank heavens they included those pesky and elusive ticket and ballot numbers that, in the next breath, they request.

Ho hum, another day on the Internet.

Northwest Airlines email scam

Aug 20, 2008 in Cyberfraud, Email scam

Below is a memo to staff of the small company I work for. We occasionally terrify or confuse the plebs with a warning if the helpdesk gets 3 or more calls about what they should do with an email that says:

Hello. Please click on the attachment to lose all your data and have your bank account cleaned out.

I tell them to go ahead, open the attachment. They seem pleased.

I jest.

The Northwest (and other airline names) scam is simple and ordinary (see sample at end of this post) but it provoked me to warn staff when two people I consider intelligent nevertheless were not only duped but highly distressed by the email.

One of them tried replying (of all things) while the other got Northwest’s number from directory assistance and waited 10 minutes on the phone - only to eventually lose connection.

My God, I thought, what if it was a scam phone number, too. At a dollar a second.

Anyway, read on:

=== Start message =============

To Staff,

Two items of interest:

1. Criminal hacking gangs are continuing to use the names of legitimate media organizations, such as the BBC, CNN and MSNBC, and of course, celebrities, as a disguise in their attempts to infect the computers of innocent Internet users.

Sophos, our virus vendor, discusses the issue here:

http://www.sophos.com/blogs/gc/g/2008/08/13/hackers-disguise-malicious-email

[If the above link does not work, copy the entire address into your browser]

2. Northwest Airlines credit card scam

An otherwise ordinary hoax is mention-worthy for affecting both an NBN staff member and a close relative of mine. Both were alarmed by the possibility their credit cards had been billed and tried to contact the sender, Northwest Airlines, to resolve the issue.

The email, of course, carried an attachment that, when opened, would infect an unprotected computer with a data-stealing Trojan.

This typical and unremarkable hoax email demonstrates that we are all vulnerable when the contents of an unsolicited email seem to relate to what’s going on in our lives. Since variations are infinite and spam is endless, eventually everyone receives an email that is too believable.

The criminals behind these emails are smarter than us, know what they are doing, and are relentless.

We must adopt a new way of thinking when processing emails and browsing the Internet. Be observant and suspicious online and devote time and attention to personal security. Treat all web pages as potentially malicious or deceptive. Treat all emails as suspicious and simply IGNORE those that make no immediate sense.

Sample Northwest Airlines scam:

Subject: E-ticket #4731381568

Good morning,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: yourname@nbntv.com.au
Your password: passDFL6

Your credit card has been charged for $493.67.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printer, and you are set to take off for the journey!

Kind regards,
Trudy Cameron
Northwest Airlines

The hoax randomly uses several different airline names, of course.

Regards, IT Support

==== End message =============


Loss of Facebook

Apr 29, 2008 in Cyberfraud, Facebook, Identity theft

Graham Cluley, Senior tech consultant at Sophos, reports unintended exposure on Facebook for those assuming their profile is shared only with invitees.

"I was flabbergasted when I joined a network on Facebook using a profile which I thought was secure, only to find Facebook had changed a number of settings and was opening me up to millions of strangers," said Cluley.

"Who was to say that cybercriminals weren’t in that network too? Is it right that Facebook works this way?"

A particular concern of Sophos in their security appraisal was that, of the London network with 1.2 million members, over half entered their exact date of birth - the first desired element of cyberfraud.

"The Facebook network issue almost amounts to identity-on-demand for cybercriminals, who are fully capable of taking advantage of unwitting Facebook fans. It’s crucial that users take a few minutes to look at their privacy settings before getting caught up in the undisputed fun of Facebook," concluded Cluley.

Sophos offer this essential guide to Facebook security, a must-read.
