Fake McDonald’s Survey

There’s a new phishing email that takes readers to a fake survey claiming to be from McDonald’s (the fast food company). It’s similar to this one seen recently.

The email suggests that McDonald’s will give you $75 for filling in the survey. Clicking on the link takes you to a web site with a survey and some McDonald’s images.

When you submit the survey form it then asks you for:

  • Your full name
  • Your email address
  • Your credit card number
  • Your credit card’s expiry date
  • Your credit card’s security code

This information is collected and later used for fraudulent purposes (i.e. to make purchases using your credit card). If you receive this email or similar ones just delete them. Don’t be tempted by whatever they promise to give you.

And remember that to fill in a survey form there’s never any reason to give out your credit card details. It’s always a scam.

Fake Survey Emails

A fake email has been sent claiming that JP Morgan Chase (a financial services company) will pay you $50 for filling in a survey. Sounds tempting, except that the link they want you to click on does not take you to the real JP Morgan Chase’s web site.

Instead it takes you to a fake web site with a form asking you a few questions (the form looks like a real survey). At the end it asks you for your full name, credit card number, expiry date, and PIN number! This kind of trick is known as phishing. Any information you enter here is collected and eventually used to steal money from people’s accounts.

The idea is to entice you into filling in a survey by promising a reward ($50), making their site look like it’s from a large company, then collecting private information that you really shouldn’t be giving out to anyone.

The email reads:

Online Survey – Add 50$ to your account in 2 minutes!

Dear Customer,

You are invited to take part in our nation-wide 5 question survey. Your time is very important to us so $50 will be credited to your account upon the completion of this survey.

Please note that no sensitive information will be required, collected or stored. The information will be used to further improve our services

To take part please click here

So if you see any emails like this just delete them. Also keep in mind that a good anti-virus package can often detect you’re going to a fake web site and stop you.

WorldPay Fake Emails

Another fake email, this time claiming to be from WorldPay. The body of the email makes you think you’ve paid for something, and since you surely haven’t you’ll be suspicious enough to open the attachment hoping to find more information.

The attachment is a zip file, disguised as something else. The attachment’s filename is WorldPay_CARD_Transaction_Confirmation_OrderNo76621.doc.zip – this is an old trick of using two extensions at the end. .doc is usually a Word document, but the real extension is the last one, in this case .zip. A zip file can contain programs (.exe) such as malware. So always look at the last bit of the extension (.zip) when deciding whether or not to open the attachment.
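A mail filter can apply the same "look at the last extension" rule automatically. The following Python sketch is an added example, not part of the original post: it flags attachments whose name carries a decoy extension before the real one and lists any programs inside a zip. The extension lists and the file name inside the constructed sample archive are assumptions.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

DECOY = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg"}  # what the name pretends to be
RISKY = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}    # runs when opened
ARCHIVE = {".zip"}                                         # can carry any of the above

def check_attachment(filename, payload):
    """Return a list of findings for one attachment (name plus raw bytes)."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    real = suffixes[-1] if suffixes else ""   # only the LAST extension counts
    if len(suffixes) >= 2 and suffixes[-2] in DECOY and real in RISKY | ARCHIVE:
        findings.append(f"double extension: looks like {suffixes[-2]}, is {real}")
    if real in ARCHIVE and zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():      # names only, nothing is extracted
                if PurePosixPath(member).suffix.lower() in RISKY:
                    findings.append(f"archive contains program: {member}")
    return findings

def scan_message(msg):
    """Map each attachment filename in an email to its findings."""
    return {part.get_filename(): check_attachment(part.get_filename(),
                                                  part.get_payload(decode=True))
            for part in msg.iter_attachments()}

def build_sample():
    """Constructed sample: harmless placeholder bytes zipped under an .exe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Transaction_Confirmation.exe", b"placeholder, not a program")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("The invoice file is attached to this message.")
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip",
        filename="WorldPay_CARD_Transaction_Confirmation_OrderNo76621.doc.zip")
    return msg

if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name, findings)
```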

Below is an extract of the email:

Thank you!

Your transaction has been processed by WorldPay, on behalf of Academic Resources Center Inc. 

The invoice file is attached to this message.

This is not a tax receipt.

We processed your payment. 

Academic Resources Center Inc has received your order, and will inform you about delivery. 

Sincerely,

The AcaDemon Team

Enquiries

This confirmation only indicates that your transaction has been processed successfully. It does not indicate that your order has been accepted. It is the responsibility of Academic Resources Center Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

Fake eNom emails

Below are two fake emails claiming to be from eNom (a domain name and web hosting provider). The emails are worded such that they sound technical and that they require immediate action.

Both emails contain a link you’re supposed to click on. However, if you examine the link closely you’ll see it actually points to someone else’s site. This is sneaky, and you really need to know how to distinguish real links from malicious ones like these.

In this case the link is displayed as: http://www.enom.com – but if you place the mouse pointer over the link and wait a second, you’ll see the real link displayed (depending on which browser and email client you’re using). In this case the link really points to httpz: // w ww.enom.com.com92. _biz  – See what they did there? They added a few characters to the end. This is enough to make it point to a completely different site. Even though it has part of eNom’s address in there, it’s different. (Note that I broke up the URL to stop you from accidentally clicking on it.)

The second email is similar; it really points to h ttp :/ / www. enom. comcom94._com – Again this is different, even though it has part of eNom’s address. Even one letter or number is enough to make it go somewhere else. (Again I broke up the address to stop you clicking on it.)

How can they do this? Unfortunately at this time nobody stops scammers registering an address that is very similar to a legitimate address. It’s up to you to take care what you click on.

Another couple of tips to protect you from these tactics:

  • Use a good antivirus package that checks every web page you load. These days they have a list of good and bad sites, and it’ll warn you if you’re going to a known “bad” site.
  • If your web browser or email client doesn’t let you see the real link (by hovering the mouse pointer over the link) then upgrade to another browser or email client.
  • Use some kind of spam filtering with your email. This is fairly common these days.
  • Use an alternative browser, such as Firefox, Opera, Chrome, or Safari. This isn’t always enough these days, as we’ve seen with Flash malware. But it helps a little.

Below are the two emails. I’m putting them here so that people can search Google and get to this page to learn what they really are.

Email 1:

Dear eNom Customer, 

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable: 

* Main site 

* All web hosting services 

* Email services 

* Communication with the registry affecting new registrations, renewals, and transfers 

For access your account follow this link – http://www.enom.com 

The following services will not be affected and will continue to be fully operational: 

* DNS will resolve normally – although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period 

* Email forwarding and site redirection will operate normally 

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience. 

Sincerely, 

eNom Tech Support

Second email:

Dear eNom Customer, 

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable: 

* Main site 

* All web hosting services 

* Email services 

* Communication with the registry affecting new registrations, renewals, and transfers 

For access your account follow this link – http://www.enom.com 

The following services will not be affected and will continue to be fully operational: 

* DNS will resolve normally – although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period 

* Email forwarding and site redirection will operate normally 

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience. 

Sincerely, 

eNom Tech Support

False Microsoft Patch Emails

Tuesdays are when Microsoft publishes patches to their software, and today they’ve published quite a few (if you use Windows then you should be installing the patches today). 

However today there’s a malicious email being sent around that looks like it came from Microsoft (it’s actually fake). The email tells people about the patches and has a file attached. 

The attachment isn’t really a Microsoft update, it’s actually a trojan that installs something on your PC that lets hackers log into it, without you ever finding out. You really don’t want this kind of thing installed on your PC.

The email has a few features designed to convince people that it’s genuine, such as a PGP signature at the end, and the fake sender address.

The subject of the email is:

Security Update for OS Microsoft Windows

If you see this just delete it. You should also have a good spam filter for your inbox – email services such as Gmail do a good job of this. For businesses it’s a little more complicated and even more important. You should also invest in a good antivirus package, one that checks everything and downloads updates at least once a day.

And remember to never trust attachments you unexpectedly receive (you didn’t ask Microsoft to send you an attachment, so why would they really do this?)