Monday, April 13, 2009

Phishing Bait Uncovered

This is an e-mail my sister received today. She forwarded it to me to see what I thought of it. Since I don't think we can spread the word about this kind of thing enough, I thought I would share my answer with everyone.

Subject: Verify Your Account Now To Avoid It Closed (VX2G99AAJ)
Date: Sat, 28 Mar 2009 08:36:48 +0000

Dear Account User

This Email is from Hotmail Customer Care and we are sending it to every Hotmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Hotmail accounts so we are shutting down some Hotmail accounts and your account was among those to be deleted. We are sending this email to you so that you can verify and let us know if you still want to use this account. If you are still interested please confirm your account by filling the space below.Your User name, password, date of birth and your country information would be needed to verify your account.

Due to the congestion in all Hotmail users and removal of all unused Hotmail Accounts, Hotmail would be shutting down all unused Accounts, You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 24 hours for security reasons.

* Username: ..............................
* Password: ................................
* Date of Birth: ............................
* Country Or Territory: ................

After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconveniences.

Warning!!! Account owner that refuses to update his/her account after two weeks of receiving this warning will lose his or her account permanently.

The Windows Live Hotmail Team

This is a classic example of a PHISHING message. It has all the hallmarks.
First: The return address. (Although this one is not always 100%, since it is a very simple thing to spoof the return address on any email message!) The sender address is Hotmail is operated by Microsoft, which is one of the most wealthy companies in the world. How likely is it that Microsoft employees would be required to send out official e-mail using their personal free e-mail account? Anything official coming from Microsoft would more likely be from a "no-reply" address. (Again, this is easy to spoof, so never think that a message is genuine just because the sender address looks legit. I have recently been receiving a lot of spam that gets through the filter because it apparently came from me!)
Second: Poor grammar and spelling. Once again, Microsoft definitely has enough money to hire workers who can use proper spelling and grammar in their official communications. Many phishers are not native English speakers, so watch out for mangled english phrasing especially in tense and gender. Example: "we are having congestions" No capitalizations at the beginning of a sentence and misuse of the word Congestion. (How many congestions have you had lately?) Example: "Verify your account to avoid it closed."
Third: Basic rules of Internet security. Companies will rarely if ever contact you via e-mail asking for sensitive information. Companies that do should be chastised by their customers (I certainly do!) because this is a horrible way to get info from your customers. How do they know it is you replying, and how can they guarantee that your information is safe? Even when my bank sends me a legitimate message telling me that I need to take some action they won't ask for the information in an e-mail. They will instruct me to log into my account and get or give the requested information. They may provide a link - just to be on the safe side I will never use their link. I will open a browser window and go to the site the way I normally do. This is to prevent someone from putting a bad link in the message that directs me to a different spoof site. If you really, really, really think the message is genuine, find a legitimate phone number for the organization (NOT from the e-mail itself!) and call. Banks especially LOVE to hear from their customers that there is an e-mail out there trying to initiate fraudulent activity on people's accounts. Can you imagine why?
Fourth: Asking for information that is irrelevant. When you signed up for your Hotmail account, do you remember having to enter your birthdate and country of birth? What in the hell would Hotmail need that info for to confirm that you are using your account? This message at least isn't asking for your SSN or DL number, but once they get into your account, they are free to dig through your messages for whatever info you may have stored in there aren't they? In addition they can assume that you use the same password for multiple online accounts, and once they have your password for Hotmail, they are free to go try that same password at your bank website too. Finally, once in your account they can send out spam messages from your account, and guess what? People you know will be more likely to trust a message that comes from you. And access to your account also gives access to your address book. Eureka! A gold mine of new victims who will initially trust a message from you!
Fifth: Common Sense. Think how many people have Hotmail accounts. Think how many of those accounts are used once or twice and then forgotten. Think of the administrative burden on some poor analyst at Microsoft to sort through those millions of accounts and try to figure out which ones to flag for deletion. Wouldn't it be easier to just go through and delete all of the accounts that have not been logged into for say 90 days? Leave your Hotmail account idle for 90 days and see what happens. You can sign into it after that time, but all of your mail will be gone, and it will act like you just opened a new account.
Sixth: A sense of urgency. Scam messages will ALWAYS give you a ridiculously short deadline to follow the instructions. The don't want you to think, or to consult anyone, or otherwise have any time to consider what they are asking. They want you to react out of emotion and panic. Because paniky people are stupid. Einstein would have been stupid if you could have made him sufficiently panicked. How many people you know (including yourself) might go for a day or two without logging into their email accounts? How reasonable would it be for someone to set a 24-hour deadline for deleting your account?
Seventh: Google is your friend. Google the e-mail address of the sender. OK, in this case there is nothing. No surprise. Free e-mail accounts are simple to set up and so this one just has not shown up on the scam radar just yet. Wait a week or two and see what develops. Next, try Googling some text from the message. Try to pick a phrase that is kind of unique in the message. I chose the one that I pointed out above as having some grammar problems. "we are having congestions due to the anonymous registration"
Number one hit? A website dedicated to debunking e-mail scams. Number two through 1,320,000 - probably more of the same. This script is used by phishers all over the world to try and lure unsuspecting victims into giving up their account information.
So what now? You can feel good that you detected this particular phish-bait. You also did the right thing in not replying. Even replying to say that you were not fooled would only let them know that they had a live one. (Think when you were fishing. Even nibbles could keep you at that spot for hours. Don't nibble!) Hotmail has a "Junk" button you can click to mark the sender as a spammer. (

Click it. And forget it. There is not much more you can do. The scammer will monitor this mailbox until it quits receiving replies or gets shut down and then will simply open a new free account, paste a million potential victims in the To: or CC: line and hit send again. As long as you use common sense and don't allow emotion to dictate your actions, Spam like this will remain simply an annoyance like stepping in dog doo at the park. People aren't supposed to do it, but law enforcement usually has better things to do than chase down people that do.
© 2009 Tyler Willson. All rights reserved

No comments:

Post a Comment