EmailDiscussions.com  

Old 29 May 2010, 05:22 PM   #1
jbseatrobe
Junior Member
 
Join Date: May 2010
Posts: 1
upgrade account possible spam?

I've had this message:

"Upgrade Account" <upgrade01@9.cn>
To: info@upg.org
Date: Sat, 29 May 2010 2:41 AM (6 hours 27 mins ago)

Dear E-mail Account User,

This is to inform you that webmail/mail will be performing maintenance
on
their database starting from 29th May 2010.And this will cause some
interruptions,to avoid
your account from being deactivated, you are to reply with your valid
password here: {..............} for us to upgrade your account.

I assume this is spam. Has anyone else had this?
Old 29 May 2010, 10:03 PM   #2
ehlo
Member
 
Join Date: Oct 2008
Location: UK
Posts: 39
Definitely a scam considering the from address and the fact that FastMail would never need to ask for your password by e-mail.
Old 30 May 2010, 05:18 AM   #3
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Welcome to the EMD Forums, jbseatrobe!

This doesn't appear to even mention Fastmail in the message. You should never click a link or respond to any email for any service (bank, email, etc.) which asks you to enter your password. These are always scams.

Bill
Old 30 May 2010, 11:41 AM   #4
robert@fm
The "e" in e-mail
 
Join Date: Feb 2002
Location: London, UK
Posts: 4,681
Another very clear "this is a scam" warning is the generic salutation ("Dear E-mail Account User"). Messages which are genuinely from your email provider, bank or whoever they're claiming to be from will always be addressed to you specifically ("Dear Joe Bloggs") or have some other identifying detail; for instance, when Halifax Bank email me they always address me by my name and include my postcode.
Old 31 May 2010, 01:22 AM   #5
Gankaku
 Moderator 
 
Join Date: Mar 2002
Location: Virginia, USA
Posts: 3,265
Isn't it true that most of these spam messages have a bunch of obvious misspellings and grammar errors in them? LOL They just never look professionally written.

What annoys me is I posted something on Craigslist for a friend two days ago. I get this message from "Craigslist" saying that I have to "click on the link below" and log in to Craigslist to check my account. The FastMail phishing filters displayed the URL right there as something that was definitely not Craigslist. But the bulk of the message looked like it could have been from them. There was even a warning at the top of the message about spammers and avoiding having your account hijacked in the red+yellow format that Craigslist uses. haha "Let's pretend I'm your friend so I can hack your account."
Old 2 Jun 2010, 09:25 AM   #6
LazyGun
Senior Member
 
Join Date: Jan 2002
Location: Dublin, Ireland
Posts: 128
Put it this way - regardless of whether it seems to be from your bank, email provider, insurance company, online forum, eBay, Paypal or your fridge; the following are all signs that it's spam and/or phishing:

1. The domain in the "from" address is NOT correct. If your bank's emailing you, why are they using a gmail/yahoo/hotmail account or an account based in China (.cn) or some other country? The same goes for similarly spelled domains.
CITIBANKONLINE.COM
C1TIBANKONLINE.COM
CITIBANKONLINE.JP
CITIBANK0NLINE.COM
CITIBANK-ONLINE.COM


2. The "Dear ...." is generic, i.e. Dear customer, Dear email account user, etc. When you signed up, you doubtless provided your name, why aren't they using that? Have they emailed you before? What did they call you then?

3. Hover your mouse over the link they want you to click on and look at the status bar at the bottom of your browser. You can see the URL (http://www.somedomain.tld/somefolder/somepage.etc) that you're really being sent to. Does it match the genuine domain of your bank/email provider/etc? No? Then you're being scammed. Even if the URL is shown in the body of the email itself, it's just text - the real URL is still the one displayed in your status bar.
Example:
http://this-is-really-your-bank-honest <== Hover your mouse over this bit and look at the statusbar at the bottom of your screen

4. This one's a bit twisty and easily missed. The URL (as you see it in your status bar) is disguised partially or completely using code.
Example:
>>www .citibankonline .com:4%4e%50%74%708%4d%65%6e%50%57@%6c%6c%61%6b%724%646%62%2e%64%61%2e%52%75/%3f%70%44%6b%59%67%69

At first glance you see "http://www.citibankonline.com:" so it's a genuine citibank URL, isn't it? Well, no. Look again, for a start all that code should warn you away. However, see that "@" about halfway along? That means that you're actually looking at something like an email address and everything before the "@" is just a username. In this case "citibankonline.com". Depending on what browser you use you may get different results if you try to go to the link. Internet Explorer 8 simply doesn't work and Opera helpfully gives you the following warning:
-----
Security warning:

You are about to go to an address containing a username.

Username: www .citibankonline .com
Server: llakr4d6b.da.ru

Are you sure you want to go to this address?
-----
So, what you're actually being sent to is a Russian (.ru) website with the word "citibankonline.com" plonked in front.

5. Some scam emails may use correct/genuine links for parts linking to things like Terms & Conditions, but a fake link for the "enter password here" bit. Images and logos can be copied with almost zero effort and emails using HTML can easily include whole sections identical to the real article.

6. Regardless of how real the email looks, if you are asked for your password/PIN/identifying information then you are almost definitely being scammed. And I only say "almost definitely" because I'm only 99.9999n% sure about them being scams.

7. The vast majority of companies that deal in the English language tend to employ people with a good grasp of grammar, syntax and spelling. Scammers on the other hand, well, don't. Scammers usually have atrocious standards in this regard. I assume their spelling is just as bad regardless of what language they're trying to scam you in.

8. You're not sure... Simple, it's your money/email/account so if you're not completely happy then don't click through. Either ignore it, manually type in the address you're used to using or forward the email to customer support and ask their opinion.


This is by no means an exhaustive list, but the majority of scams and phishing emails have one or more of these signs. As with everything else though, over time, they become more refined and more professional. Do NOT rely on your security software to protect you, FastMail has good anti-phish protection, but at the end of the day these scams are social engineering and it's up to you to pay attention.

READ what's in front of you.
CHECK the details match.
PAY ATTENTION to what you're actually clicking as compared to what you THINK you're clicking.


For your amusement, this may well be the most pathetic attempt at a phish ever!
http://www.theregister.co.uk/2010/05/18/phish_email/

From: HSBC BANK [benno209@gmail.com]

Dear valued customer Incidentally,there is an emergency shortlited varified problem in your account which there is a need to restore Pls send us all the enqiures of your bank account so that the varified problem will be entirely and stupidiously retrieve. Thanks for banking with us.

Last edited by LazyGun : 2 Jun 2010 at 10:09 AM.
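Added example (not part of LazyGun's post and not FastMail's filter code): signs 1, 3 and 4 from the list above written as checks a mail filter could run on a link's href, using the disguised URL and the lookalike domains quoted in the post. The function names, the 0/1 swap table and the "last two labels" domain rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Digit-for-letter swaps seen in the lookalike list in the post.
SWAPS = str.maketrans({"0": "o", "1": "i"})

# The disguised link from sign 4 of the post, with its spaces removed.
DISGUISED = ("http://www.citibankonline.com:4%4e%50%74%708%4d%65%6e%50%57"
             "@%6c%6c%61%6b%724%646%62%2e%64%61%2e%52%75/%3f%70%44%6b%59%67%69")

def real_host(url):
    """Return (host, userinfo): the server a link really points at."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = unquote(parts.hostname or "").lower()   # undo the %xx disguise
    return host, unquote(parts.username or "")

def registrable(host):
    """Last two labels (assumption; real code needs the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])

def is_lookalike(host, genuine):
    """True if host is not the genuine domain but reads like it at a glance."""
    dom, gen = registrable(host), genuine.lower()
    if dom == gen:
        return False
    name = dom.split(".")[0].translate(SWAPS).replace("-", "")
    return name == gen.split(".")[0]

def check_link(href, genuine):
    """Return the numbers of the post's warning signs (1, 3, 4) a link trips."""
    host, userinfo = real_host(href)
    signs = []
    if is_lookalike(host, genuine):
        signs.append(1)                 # similarly spelled domain
    if registrable(host) != genuine.lower():
        signs.append(3)                 # real target is not the genuine domain
    if userinfo:
        signs.append(4)                 # text before "@" is only a username
    return signs

if __name__ == "__main__":
    print(real_host(DISGUISED), check_link(DISGUISED, "citibankonline.com"))
    for d in ("CITIBANKONLINE.COM", "C1TIBANKONLINE.COM", "CITIBANKONLINE.JP",
              "CITIBANK0NLINE.COM", "CITIBANK-ONLINE.COM"):
        print(d, is_lookalike(d, "citibankonline.com"))
```

The decoded host for the disguised link is the same server name Opera shows in its warning dialog.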
Old 2 Jun 2010, 01:32 PM   #7
robert@fm
The "e" in e-mail
 
Join Date: Feb 2002
Location: London, UK
Posts: 4,681
Quote:
Originally Posted by LazyGun
At first glance you see "http://www.citibankonline.com:" so it's a genuine citibank URL, isn't it? Well, no. Look again, for a start all that code should warn you away. However, see that "@" about halfway along? That means that you're actually looking at something like an email address and everything before the "@" is just a username. In this case "citibankonline.com". Depending on what browser you use you may get different results if you try to go to the link. Internet Explorer 8 simply doesn't work
Which is yet another bug in IE. There are legitimate uses for a URL containing a username (if you're going to a private website for instance), so just blocking such a URL regardless is wrong. Opera's approach is far better.

A variant of this technique was used in a scam I received recently, in which the URL given was just an IP address (something like http://127.0.0.1, although of course the numbers were different). I wasn't inclined even to do a DNS search on this address.
Old 3 Jun 2010, 01:46 PM   #8
an3
Junior Member
 
Join Date: Jun 2003
Location: Salem, Oregon, USA
Posts: 24
Today I got a spam message from a Sgt. in the "1st Armored Division in Iraq", who was wanting help getting $25 million out of Iraq. It was actually well-written, with no spelling mistakes or grammar atrocities. I was quite impressed. That is, until I checked the email server he used: sify.com. India??!! Come on! So close, yet so far!

Last edited by an3 : 3 Jun 2010 at 01:51 PM.
Old 3 Nov 2010, 11:39 PM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Most of these scams try to scare you (your bank or email service is closing your account unless you act immediately) or appeal to your pity on those in need (the local "sheriff's association" is gathering money to send handicapped children to a circus, but they don't tell you that 90% of the funds raised are used for the third party fundraisers) or they appeal to greed (if you help us get the $25 M transferred, we will give you a big fee). It's like a lottery -- people are greedy and improperly gauge the likely return on such a dubious investment of what starts small but can grow into a sizable loss to the scammers. Of course, most of those big money returns would be illegal, since they are suggesting you participate in money laundering or improper transfer of goods and not tell the taxing authorities.

Bill
All times are GMT +9.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy