Is there any money left?

The internet, and my part in its downfall

Archive for the ‘Security’ Category

Art inspired by Computer Viruses

Filed under: Security, Uncategorized — annabelt @ 10:07 pm

I have to admire these strange and intricate works of art created by digital artist Alex Dragalescu.

This series of 3D digital portraits inspired by internet security threats was commissioned by the internet security firm MessageLabs.

Subjects include Phishing, the Netsky virus, the Ghost spyware program, Trojanagentil3, Russian 3 spam, and the Storm botnet.

Many phishing scams for bank customers in October and November 2007

Filed under: Scams, Security, Spam, Uncategorized — annabelt @ 3:21 pm

In the last month, I have seen many many phishing scams pretending to be emails from banks. I will post some here in case it helps clear up any confusion. As I am not a customer of any of these banks (nothing personal!), I am convinced that every one of these is a phishing email:

The first ones to appear targeted Royal Bank of Scotland customers, followed by the Alliance and Leicester, NatWest (National Westminster) and Sparkasse, which appears to be a bank in Germany.

The following are examples of the phishing emails:

The Royal Bank of Scotland: please read this message! (message id: 5992548690)
The Royal Bank of Scotland
to Faust_lehmus

22 Oct
(well done to my Firefox ‘Better Gmail’ extension for catching this :) )

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more

Dear customer of The Royal Bank of Scotland,

RBS Customer Service requests you to complete Digital Banking Online Form.

This procedure is obligatory for all RBS Digital Banking users.

Please click hyperlink below to access Digital Banking Online Form.

(link removed, domain name began with rbsdigital-id)

Please do not respond to this email.

—————-

The Royal Bank of Scotland © 2007

(NB Remember, these are Phishing emails not the real thing)

Alliance and Leicester Mobile Banking - Not. This one was scarily realistic looking, but when you hover over the links you can only see an IP address. Also, as I said, I’m not one of their customers:

Know what your money’s doing - whatever you’re doing
from Alliance & Leicester Business Banking hide details 26 Oct
date 26 Oct 2007 17:16
subject Know what your money’s doing - whatever you’re doing

Dear Alliance & Leicester Commercial Bank Customer,

MONILINK™ Mobile Banking

Know what your money’s doing - whatever you’re doing

As an Alliance & Leicester Business Banking, when you register for Mobile banking through Internet Banking and use the service before 31st December 2007, you will receive £5.

Plus we’re offering FREE Mobile Banking to all new and existing Mobile Banking customers until 31st December 2007. So register today - MONILINK is also free to download!

If you are an Internet Banking customer, simply log in to Internet Banking as normal and select Mobile Banking from the left hand menu to follow our simplified registration process, allowing you to start using Mobile Banking straight away!

If you’re not an Internet Banking customer, there is still a quick and easy way to register; just choose the “All other customers” button on the right hand side.

MONILINK™ Mobile Banking

With MONILINK™ Mobile Banking you can:

- Check your account balance*

- Request a mini-statement*

- Add credit to up to 5 pay as you go mobile phones, direct from your current account for no extra charge

- Access account information 24/7, even abroad*

Mobile Banking Security

You can rest assured that your information is secure. Your details are protected by a personal Passcode and any information displayed is automatically deleted. No personal details are stored on your mobile phone.

To register for MONILINK™ Mobile Banking all you need is a compatible mobile phone and your Alliance & Leicester debit card.

MONILINK™ Mobile Banking

(NB Remember, these are Phishing emails not the real thing)

Phishing email aimed at Nat West bank customers:

Urgent security notification for client of the NatWest Bank! (message id: d88545068688fi)

National Westminster Bank Plc
to Mansurmerrifie.

show details
08:33 (6 hours ago)
(better Gmail caught this again!) Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more

Dear National Westminster Bank (NatWest Bank) customer,

We regularly perform scheduled maintenance for our OnLine Banking customers. We intend upgrading our OnLine Banking security server for better online services.

In order to ensure you do not experience service interruption, you are required to complete our OnLine Banking Customer Form by following the secured hyperlink below:
(left this link but unlinked it because of a couple of odd things: firstly it’s not a secure link, as a secure link would be https, not http:, secondly, a whois check shows that Nat West bank does own natwest.com themselves, so something else must be disguising the destination of this link, and thirdly, what does that Referrer ID number do?)
p://www.natwest.com/securesession/action.aspx?refererident=78 (long number, needs a line break!) 8533442182465046534329762369580434607716155702425

Thank you for banking with National Westminster Bank, the industry leader in safe and secure online banking.

National Westminster Bank Customer Service

—————————————————————————-

National Westminster Bank © 2007

(NB Remember, these are Phishing emails not the real thing)

Another one aimed at NatWest:
Your Online Account With Natwest Bank!
NatWest Bank
to annabel

show details
5 Nov

Dear NatWest Bank customer,

NatWest Client Service Team requests you to complete the Customer Confirmation Form (CCF).

This procedure is obligatory for all clients of NatWest Bank.

Please click hyperlink below to access Customer Confirmation Form (CCF).

(link unlinked, redirected to a domain including ‘natwest.co.uk.fwpls.cn’, a subdomain of a Chinese domain name)
ps://www.nwolb.com/default.aspx?refererident=BE34EEE

Thank you for choosing NatWest Bank for your banking needs.

! Please do not respond to this email.

This mail generated by an automated service.

(NB Remember, these are Phishing emails not the real thing)

The email above was obviously so much less convincing a forgery that I wondered if it might even have been produced by the same people to make customers more likely to believe the more convincing looking ones.

Here’s one aimed at the German bank Sparkasse:
Sparkasse Online-Banking (message number: q8305588)
Sparkasse
to Faust_lehmus

show details
8 Nov

Dear Customer,

The technical department of the Volksbanken Raiffeisenbanken is currently carrying out a scheduled software update to improve the quality of the online banking service.

We would like to ask you to click on the link below and confirm your customer data.

(link removed)
We apologise for any inconvenience this may cause and thank you for your cooperation.

=================================================

(NB Remember, these are Phishing emails not the real thing)

Personally I’d like to know where that original forged email from ‘Faust_lehmus’ went that is potentially causing me trouble.
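The tells the post walks through (a bare IP address where a bank name should be, a plain http link for a ‘secure’ session, a real bank name used as a sub-domain of an unrelated domain, link text that names a different site from the real destination) can be checked mechanically before anyone clicks. The Python below is an added example, not from the post; the HTML email body, the example-bank.co.uk domain and the registrable_domain helper are constructed placeholders.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML email body with the tells described in the post (IP-literal
# host, plain http for a 'secure' action, bank name as a sub-domain of an
# unrelated domain) plus one genuine-looking link. All domains are placeholders.
SAMPLE_EMAIL = """
<p><a href="http://203.0.113.7/login">Log in to Internet Banking</a></p>
<p><a href="http://www.example-bank.co.uk/securesession/action.aspx?refererident=1">secure session</a></p>
<p><a href="http://www.example-bank.co.uk.fwpls.example/default.aspx">www.example-bank.co.uk</a></p>
<p><a href="https://www.example-bank.co.uk/help">https://www.example-bank.co.uk/help</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open)
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def registrable_domain(host):
    """Rough owner-domain guess (hypothetical helper, not a full public-suffix
    list): last two labels, or three for suffixes like co.uk / org.uk."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_link(href, text, expected_domain):
    """Return the tells for one link; an empty list means none were found."""
    tells, parts = [], urlsplit(href)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        tells.append("ip-literal host")          # hovering shows a bare IP address
    except ValueError:
        if host and registrable_domain(host) != expected_domain.lower():
            tells.append("host outside %s" % expected_domain)
    if parts.scheme == "http" and re.search(r"secure|log ?in|confirm", (text + href).lower()):
        tells.append("plain http for a 'secure' action")
    shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())   # a domain in the link text
    if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
        tells.append("visible text names a different domain")
    return tells

def scan_email(html, expected_domain):
    """Map each suspicious href to its tells; clean links are left out."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: tells for href, text in collector.links
            if (tells := check_link(href, text, expected_domain))}
```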

Avalanche of Spam

Filed under: Security, Spam, Technical, Uncategorized — annabelt @ 6:00 pm

The beginning of August was disrupted for me by an avalanche of Spam.

It started when I checked my email early one evening and found over 30 messages in my Spam folder. I may have been lucky until now, but this was unusually high for me. So I checked the folder and was horrified to discover the dreaded bounced back spam mails were back: every single one was a bounced back spam email that had failed to be delivered and appeared to come from my domain name. (See my earlier post, Email spoofing - Spammers are pretending to be me).

But it was to get much worse.

I moved that first batch to save in a folder in case I needed to investigate them later. When my Spam folder refreshed itself, another 30 emails appeared. I tried refreshing it again, and the number of Spam mails went up to 60. Every time I refreshed my Spam folder another 30 spam mails appeared, and this went on for the next 6 hours until I had over 3000 bounced back spam emails. I dreaded to think how many other spam mails might have got through.

I put the ‘sorry but it’s not my fault’ type spam message back at the top of my home page, expecting fallout throughout the next couple of days, and started testing my SPF record. The SPF instructions are terrible, so not surprisingly it wasn’t quite right. This was annoying in itself, as every time I changed it via my web hosts the change would take at least 6 hours to propagate through the internet. I changed it several times after this until the testing script finally said it was valid.

In between testing my SPF records, I started checking through the spam mail headers to see if any of it could be traced or reported to anyone. I found the most complete headers generally came back from ‘qmail’ programs. I posted every one I could find into ‘Spam Cop’, which traced most of them to a server in Mexico and a couple to other servers as well, so I sent spam reports for all of these. I also reported as many as I could stand to the address that Gmail suggests for this purpose, which is: spam@uce.gov

I continued doing this as more and more of the spam mails came back. The next day I expected a second avalanche of angry responses from real people, but thankfully most of them seemed to either recognise spam without opening it or ignore it: I only had one reply from someone in Australia, saying ‘Please don’t send emails any more’. I felt bad that even one person would think I would send this rubbish.

I must have sent some of it to some kind of email address collectors as well, as I have been receiving a lot more spam myself since then.

Fake PayPal phishing scam

Filed under: Electronic Payment, Scams, Security, Uncategorized — annabelt @ 4:57 pm

It’s been that kind of week.

Following hot on the heels of the email spoofing incident, I received this fake email pretending to be from PayPal, with the subject line ‘Account Authentication Required’:

[PayPal logo was copied here]

Dear PayPal Customer,

Due to recent fraudulent activities on some of PayPal online
accounts we are launching a new security system to make
PayPal online accounts more secure and safe. Before we can
activate it we will be checking all PayPal online accounts to confirm
the authenticity of the holder.

We will require a confirmation that your account has not been
stolen or hacked. Your account has not been suspended or frozen.

To confirm your account status please Login

-complete the required information to authenticate and reset your account

-make sure your account balance has not been changed

-make sure your details have not been changed

-review recent transactions in your account history for any unauthorized
transfer

If you find any type of suspicious activities please contact us immediately.
Please include in your message your account number, your account name
and the unauthorized transfer date & time.

Please do not reply to this message. For any inquiries, contact Customer Service.

PayPal Copyright © 2007

Although the ‘reply-to’ field says PayPal, the email address given is ‘account2 @payprocorp.com’ (though as I’ve learned, reply-to addresses can be faked to look like anyone). Links in emails such as this (see the ‘Login’ link) will often lead to a fake website designed to trick you into entering your account details. PayPal, like online banks and eBay, advise against ever trying to log into your account from an emailed link. Instead, they recommend always going directly to the website. PayPal themselves say:

Many phishing emails have links that look valid, but send you to fraudulent sites instead. Here’s what you should do: Open a new browser window, type https://www.paypal.com and log in to your PayPal account directly.

Try out PayPal’s ‘Can you spot Phishing?’ Challenge.

PayPal’s web page on security and protecting against identity theft, fraud and phishing is here.

eBay also provide a very clear and helpful tutorial on recognising spoof emails and fake websites.

Slashdot: New Targeted E-mail Attack Hits Business Execs

Email spoofing - Spammers are pretending to be me

Filed under: Scams, Security, Spam, Technical, Uncategorized — annabelt @ 11:51 am

A couple of days ago I found a lot of bounced emails in my ‘Spam’ folder. On closer inspection, I was alarmed to discover they were all spam that appeared to have been sent from my domain. The return addresses all began with different nonsense usernames like ‘Three_Nasrabi’ before the @ sign, and then ended with my domain name. The contents were various kinds of junk mail.

My home computer has a firewall and virus shield that is updated daily, and my email hosts also check for viruses, so I didn’t think that was the cause of the problem.

My first concern was that someone might have sent them by hijacking scripts on my website. I had recently been working on improvements to overall security, but what if I had made a mistake? I checked my website statistics, and the scripts did not seem to have been accessed more than usual. I deactivated them just in case while I contacted my web hosts.

They replied very quickly, offering to check the headers of any of the spam emails to see where they were coming from. Luckily, some of them had very detailed header information. But unluckily, it showed that the problem was nothing I could fix.

Somebody, somewhere else, had found that my domain name was a valid name, and was inserting it into their email headers as the return address for sending spam. They need to use a genuine domain name to get past the spam filters used by email accounts that receive them. Sometimes they use programs that put words together at random to make possible names and test them. Otherwise they just get a list of genuine domain names in other ways, such as automatically spidering the internet, collecting marketing information lists, and so on.

This is a form of identity theft known as ‘email spoofing’ and there is apparently no way to prevent people from doing this. The best protection currently is to add an ‘SPF’ listing to your DNS TXT record.

Using SPF

SPF stands for ‘Sender Policy Framework’ (here’s its listing in Wikipedia). The SPF record allows you to specify which computers are allowed to send email from your domain name, so that email applications that check this can reject the spoofed email as spam before they even receive the body of the message.

SPF records look approximately like this:

example.org. IN TXT "v=spf1 a mx -all"

Wikipedia explains them quite well. There is more information (though very technical and confusing) at the SPF Project Overview home page and an online tool to help you set them up at: http://old.openspf.org/wizard.html?mydomain=example.com&submit=Go%21
The tool will provide you with the code to add to your DNS TXT record. For the exact formatting, you will need to know whether your hosting uses BIND, Windows DNS or tinydns (djbdns). You will also need to change the DNS TXT record yourself via your hosting control panel or if you can’t access this, ask your web hosts to do it. Be aware that DNS changes can take several hours to work their way through the system.
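To make concrete what a receiving mail server does with a record like the one above, here is a minimal SPF evaluator in Python (an added example, written for this page, not code from the post or from the SPF project). The DNS data is a constructed in-memory stand-in, so example.org’s record, the _spf.mailhost.example include and all IP addresses are made up; it also shows the caveat that ‘~all’ (softfail) only flags a spoofed message where ‘-all’ rejects it outright.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. A real checker
# would look these records up for the domain in the envelope sender.
DNS = {
    "example.org": {"TXT": ["v=spf1 a mx include:_spf.mailhost.example -all"],
                    "A": ["192.0.2.10"],
                    "MX": ["mail.example.org"]},
    "mail.example.org": {"A": ["192.0.2.25"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_records(name, dns):
    return dns.get(name, {}).get("A", [])

def _ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def check_host(ip, domain, dns=DNS, depth=0):
    """Return the SPF result (RFC 7208 terms) for a message from `ip` whose
    sender claims `domain`. Handles a, mx, ip4, include and all."""
    if depth > 10:
        return "permerror"                     # include loop guard
    txt = [t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if len(txt) != 1:
        return "none" if not txt else "permerror"
    for term in txt[0].split()[1:]:            # skip the v=spf1 version tag
        qual = "+"                             # mechanisms default to 'pass'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":                      # sender IP is an A record of the domain
            matched = any(_ip_in(ip, a) for a in _a_records(arg or domain, dns))
        elif name == "mx":                     # sender IP is an A record of an MX host
            hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(_ip_in(ip, a) for h in hosts for a in _a_records(h, dns))
        elif name == "ip4":
            matched = _ip_in(ip, arg)
        elif name == "include":                # matches only if the included policy passes
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"                 # redirect=, exp=, ptr etc. not handled here
        if matched:
            return QUALIFIERS[qual]            # first matching mechanism decides
    return "neutral"                           # nothing matched and no 'all' term

if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.100.77", "203.0.113.5"):
        print(sender, "->", check_host(sender, "example.org"))
```

The spoofed message from 203.0.113.5 gets ‘fail’ because of the trailing ‘-all’; had the record ended in ‘~all’ it would only be marked softfail and most servers would deliver it with a spam score rather than reject it.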

Having taken immediate steps to establish the cause and protect (as far as possible) against further spamming, I thought I should do the responsible but embarrassing thing and warn my customers. The next day one of them told me their computers had had a virus, so that could have caused a small amount of bounced emails to addresses taken from their address book (fingers crossed).

What else can you do if your email address is being forged by spammers?

It’s important to tell your web hosts, so that at least they know it isn’t you that’s sending the spam. In some cases, if web hosts receive complaints of junk mail spamming, they may deactivate your hosting. In my case, I asked my web hosts to confirm that they wouldn’t be suspending my hosting or email over this, as the spam was not coming from the account itself. They replied, ‘No, unless we get serious complaints regarding it, in which case we will speak to you first.’ - not 100% reassuring, but at least it would give me the chance to make alternative arrangements.

So the next thing to do to protect your hosting (not to mention your personal or business name and reputation!) is to prevent these complaints by publishing information and an apology for any irate spam recipients that come to your website looking for an explanation. I’ve discovered several companies that have done this, and following their examples, I have posted my own page here: ‘Email Spoofing - please read on’, with a link from the start of my home page text as the email spam is so recent.

Click here for lots of useful advice from Risky Thinking: Advice on how to protect yourself from Email Identity Theft.

This white paper from Artic Soft covers more technical information on security and various kinds of spoofing threats.

Useful security tools, downloads and information.

This article from Webtech explains email spoofing in clear and friendly terms.

In rare cases, email spoofing is part of a coordinated deliberate attack of personal revenge or competitive sabotage, known as a ‘Joe Job’ after the first company that was closed down in this way. Here is advice on preventing and coping with a Joe Job.

Having read more about this recently, it appears the problem can become massive. So far, (fingers crossed), there has been nothing here on this scale yet, so I’m hoping the legal actions mentioned may have put spammers off using any domain too intensively, and also that the measures taken may help avoid the worst and keep us out of legal action ourselves.

Click here for a list of Spam lawsuits or legal actions.

Bad data validation: How many digits make a bank account number?

In which Amazon UK Associates have finally paid me - Hooray!

Back in November I applied to be an Amazon Associate, and was lucky enough to make about £20 from the Christmas shopping season.

Later in January I received an earnings report from them, and when I logged into my Amazon Associates account it said they had paid me 2 weeks earlier, but nothing had arrived in my bank account.

I emailed customer support and we went back and forth 3 times with them asking me to check my account again each time in case the payment had turned up. In the meantime, I had figured out what must have happened.

My bank account, which is at one of the biggest banks in the UK, has a seven digit number. Many e-commerce websites apparently assume an eight digit number. In some cases, e.g. TradeDoubler, the company that owns the website obviously knows about this and either provides instructions or deals with the shorter account number in its own way, but in either case it works. In other cases, such as when signing up for PayPal UK, the data entry form includes data validation that does not allow a ‘non-standard’ account number to get through. The first time this happened, I emailed my bank’s technical support and got a helpful reply telling me to add an extra zero at the beginning of the number, and this has also worked. But the Amazon Associates UK application form just took my number without saying anything, and then 3 months later when it was time to pay me it didn’t work.
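Modelled on the account-number problem described above, the Python below contrasts three ways a sign-up form can treat a seven-digit UK account number: strict rejection (the PayPal-style behaviour), silent acceptance that only fails at payment time (the Amazon-style behaviour), and normalising to eight digits up front. It is an added example, not Amazon’s or PayPal’s code; the padding rule (add zeros on the left to make eight digits) is the one the author’s bank gave, and the 6-to-8-digit range is an assumption.

```python
import re

class ValidationError(ValueError):
    """Raised when a sign-up form refuses an account number."""

def strict_validate(account):
    """Rejects anything that is not exactly eight digits, so a genuine
    seven-digit number cannot be entered at all."""
    if not re.fullmatch(r"\d{8}", account):
        raise ValidationError("account number must be 8 digits")
    return account

def lax_validate(account):
    """Accepts any run of digits at sign-up; the defect only shows up months
    later when the stored value reaches the payment system."""
    if not account.isdigit():
        raise ValidationError("account number must be numeric")
    return account

def normalise(account):
    """Accept 6 to 8 digits (assumed range), strip spaces and dashes, and
    left-pad with zeros to the eight digits payment systems expect."""
    digits = re.sub(r"[\s-]", "", account)
    if not digits.isdigit() or not 6 <= len(digits) <= 8:
        raise ValidationError("account number must be 6 to 8 digits")
    return digits.zfill(8)

def submit_payment(account):
    """Stand-in for the payment run: the downstream system insists on 8 digits."""
    if not re.fullmatch(r"\d{8}", account):
        return "payment failed: bank rejected %r" % account
    return "paid to %s" % account

def sign_up_and_pay(validator, account):
    """Run sign-up validation, then the payment run; return the outcome text
    so the three validators can be compared on the same input."""
    try:
        stored = validator(account)
    except ValidationError as exc:
        return "sign-up rejected: %s" % exc
    return submit_payment(stored)

if __name__ == "__main__":
    for v in (strict_validate, lax_validate, normalise):
        print(v.__name__, "->", sign_up_and_pay(v, "1234567"))
```

Only the normalising form both accepts the number and gets the payment through; the lax form is the worst of the three because the failure surfaces far from its cause.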

So I suggested to customer services that this could have been what happened, and I re-entered my bank account number with an extra zero at the start, and my query was eventually passed to the finance department.

A few weeks later I logged into my Amazon Associates account again and saw they had posted messages telling people about problems with bank account numbers, and that they should update their details if there had been payment problems; they would email if a repeat attempt at payment didn’t go through. But I still hadn’t received my payment. So I updated my details again in case that would trigger off some new automated process that they had set up to deal with this sort of thing, and the message went away.

And then it took ages for my bank statement to arrive. Nothing had changed in my Amazon payment record, but when I eventually got my statement I found the payment had gone through on 4th April.

I was massively relieved, because I’ve heard of other big companies that just have a policy of not paying people.

I don’t know what was going on behind the scenes at Amazon UK - their application form obviously had a serious data validation error, and I never heard anything from their finance department, but to be fair their initial customer services people were polite and helpful, they kept their associates informed as a group, and they did get there in the end with the payment. I’d say my faith has been restored - perhaps I’ll go for the aStore after all!
