26Nov2011 – “Hi we have detected you are missing files from your computer”

Hi Everyone,

Have you had one of those calls, someone who says they are from Microsoft tells you that they have detected missing files on your PC and need access to fix it? I have, last year I think it was. And I know someone a few weeks ago who had one as well. However they were busy and said to call back later and speak to their son because they had to go out. They did not call back. Funny that.

You should be aware that nobody is going to have access to your PC across the internet unless you have given them access. That is something you should _not_ do. Unless of course it is someone you know and they are going to help you with a problem with your PC. Someone you can trust. Someone you have already told about the problem you are having with your PC.

If they claim they are from Microsoft they are lying. Unless you gave them your number. Why would Microsoft keep an eye on your PC and let you know when it has problems? That would have all sorts of implications. But that is a subject for another post.

Unfortunately some people fall for these scams and end up with their PCs being infected with key loggers, password stealing trojans and other malware. The more people read this the better. If you know about this scam but know people who may not, then please let them know. Tell them, nobody is going to be able to tie together their PC to their phone number (except of course for their ISP if they provide their phone number and broadband or they provide broadband and have their contact details).

It boils down to this – anyone can call you and pretend to be anyone they want if it will get them access to your PC, or even your house. Just because someone calls you and says they are from company XYZ does not mean that they actually are from company XYZ.

This also applies to people who call from, say, your bank. Do _not_ take their word for it, call the bank back on the number you know is the bank's number.

And yes, I know some people who may fall for something like this so I try to make sure they don’t. And one way is to put posts like this on my blog. This blog.

Thank you for reading. Have a very good day. And night.

14Oct2011 – scam email supposedly from the Co-Op bank

Just had another phishing email, this time for the Co-Operative bank. They don’t stop do they? The email address to send scam or phishing emails that are ‘supposedly’ from the Co-Op Bank is ihaveseenascam@co-operativebank.co.uk. The headers are included after the email. The link to click on leads to http://anahaberler.xx/xxxxxxx.php. The email comes from spant@ptd.net. I have seen a few coming from ptd.net in the last few days. Maybe someone will shut them down quickly.

Surely the banks out there should send emails to their customers giving them info on this sort of thing and how to avoid them. And don’t click on links in emails. It is just as easy to type the address in if it is one you know to be safe, like http://www.co-operativebank.co.uk.

Email :

We are receiving complaints from our customers for unauthorised use of the Cooperative Online banking accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud. Due to this, you are requested to follow the provided steps and confirm your Online Banking Details

At Co-operative Bank, we take the job of protecting our customers very seriously, so for your protection we are proactively notifying you of this activity.

To restore access to your online banking please click on the link below.

http://www.co-operativebank.co.uk

Kind regards
Jayashree C
Co-operative Internet Banking Customer Support
Because email is not a secure form of communication, this email box is not equipped to handle replies.
If you have any questions about your account or need assistance, please call the phone number on your statement or go to Contact Us at www.Co-operative.co.uk

Headers :

-------- Original Message --------
From: - Fri Oct 14 01:31:37 2011
X-Account-Key: account4
X-UIDL: AIa97k0AABuNTpa0DgXBvSKOjfU
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: xxxxxxx@xxxxx via 77.238.189.134; Thu, 13 Oct 2011 09:49:02 +0000
X-YahooFilteredBulk: 204.186.204.106
Received-SPF: pass (domain of ptd.net designates 204.186.204.106 as permitted sender)
X-Originating-IP: [204.186.204.106]
Authentication-Results: mta1063.mail.ukl.yahoo.com from=ptd.net; domainkeys=neutral (no sig); from=ptd.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO proxyz14.mailnet.ptd.net) (204.186.204.106) by mta1063.mail.ukl.yahoo.com with SMTP; Thu, 13 Oct 2011 09:49:00 +0000
Received: from localhost (localhost.localdomain [127.0.0.1]) by proxyz14.mailnet.ptd.net (Postfix) with ESMTP id 5741D1108F33; Thu, 13 Oct 2011 05:48:58 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from proxyz14.mailnet.ptd.net ([127.0.0.1]) by localhost (proxyz14.mailnet.ptd.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnavupgvx3wx; Thu, 13 Oct 2011 05:48:57 -0400 (EDT)
Received: from User (unknown [95.56.94.194]) (Authenticated sender: tjhe) by proxyz14.mailnet.ptd.net (Postfix) with ESMTPA id 68E8D1108F42; Thu, 13 Oct 2011 05:48:20 -0400 (EDT)
From: The Co-operative
Subject: [Bulk] Important Message From Co-operative Internet Banking
Date: Thu, 13 Oct 2011 10:48:43 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id:
To: undisclosed-recipients:;

21Apr2011 – Student Loan Payment Processing Error! phishing email

Hi,

It has been a while since I last added a post. Today I received a phishing email for Student Loan Payment Processing Error!. It supposedly came from notifications@slc.co.uk. Obviously a forged email address, especially when you look at the full headers.

If you get this email don’t click on any links, just forward it to phishing@slc.co.uk preferably with the full headers. Remember – never click on a link in an email unless you really do know where it has come from and the source is trusted, say like when you get a password reset email from one of the websites you regularly log into, e.g. WordPress.

The body of the email is below. At the top there was a box which says undefined in it, so definitely an error there.

Email :

This is a message for all students receiving grants and loans from the Students Loan Company. You are required to verify your account information in order to avoid any delay in your loan/grant payments. Do this here now by visiting http://www.studentfinance.direct.gov.uk/

Yours Sincerely
Student Finance England

Please do not reply to this email as it has been automatically produced from an address which cannot accept incoming mail.

*******************************************************************************
The information from the Student Loans Company Ltd contained in this e-mail is private and privileged. If you have received this e-mail in error be advised that any use is strictly prohibited. Please notify us and delete the message from your computer. You may not copy or forward it or use or disclose its contents to any other person.

As internet communications are capable of data corruption it may be inappropriate to rely on advice or opinions contained in an e-mail without obtaining written confirmation of it. This footnote also confirms that this email message has been swept for the presence of computer viruses, however we do not accept any liability or responsibility for resultant virus infection. Opinions and views expressed in this e-mail are those of the sender and may not reflect the opinions and views of The Student Loans Company Limited.

The Student Loans Company Ltd registered office is at 21 St Thomas Street, Bristol, BS1 6JS and it is registered in England Company No. 02401034, VAT No. 556 4352 32.
********************************************************************************

End of email

For those who may be interested, here are the headers from the email. I have replaced my email address with me@myemailaddr.ess :

From - Thu Apr 21 09:14:36 2011
X-Account-Key: account3
X-UIDL: 46c13a4a000005ba
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path:
Received: from smtp4.clear.net.nz (smtp4.clear.net.nz [203.97.37.64])
by s1b.uklinux.net (8.12.11.20060308/8.12.11) with ESMTP id p3L8G2Zm009040
for ; Thu, 21 Apr 2011 09:16:38 +0100
Envelope-To:
Received: from User
(host86-136-96-98.range86-136.btcentralplus.com [86.136.96.98])
by smtp4.clear.net.nz (CLEAR Net Mail)
with ESMTPA id for
me@myemailaddr.ess; Thu, 21 Apr 2011 20:11:16 +1200 (NZST)
Date: Thu, 21 Apr 2011 09:11:14 +0100
From: Student Finance England
Subject: Student Loan Payment Processing Error!
Reply-to: webmaster@slc.co.uks
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/html; charset=Windows-1251
Content-transfer-encoding: 7bit
X-Priority: 1
X-MSMail-priority: High
Status:
X-P3Scan: Version 2.3.2 by /
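
The checks a reader would make by eye on the headers above, written out as an added Python example (not part of the original post). The sample is constructed from the dump: the From address is the one the post says the mail claimed, fields the dump lost are left out, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the dump above. The From address is the one
# the post says the mail claimed; fields the dump lost are left out.
SAMPLE = """\
Received: from smtp4.clear.net.nz (smtp4.clear.net.nz [203.97.37.64])
 by s1b.uklinux.net (8.12.11.20060308/8.12.11) with ESMTP id p3L8G2Zm009040;
 Thu, 21 Apr 2011 09:16:38 +0100
Received: from User
 (host86-136-96-98.range86-136.btcentralplus.com [86.136.96.98])
 by smtp4.clear.net.nz (CLEAR Net Mail) with ESMTPA;
 Thu, 21 Apr 2011 20:11:16 +1200 (NZST)
From: Student Finance England <notifications@slc.co.uk>
Reply-to: webmaster@slc.co.uks

"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\((.*?)\))?\s+by\s+(\S+)")

def received_hops(msg):
    """Return the Received chain oldest hop first (headers are prepended)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        helo, peer, by = m.group(1), m.group(2) or "", m.group(3)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", peer)
        proto = re.search(r"\bwith\s+([A-Za-z]+)", value)
        hops.append({"helo": helo, "by": by.lower(),
                     "rdns": peer.split(" ")[0].lower() if peer else "",
                     "ip": ip.group(1) if ip else None,
                     "with": proto.group(1).upper() if proto else None})
    return hops

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw)
    claimed, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    hops = received_hops(msg)
    hosts = [h for hop in hops for h in (hop["rdns"], hop["by"]) if h]
    return {
        "claimed_domain": claimed,
        "reply_to_mismatch": bool(reply) and reply != claimed,
        # Does any relay in the path belong to the domain the mail claims?
        "claimed_domain_in_path": any(
            h == claimed or h.endswith("." + claimed) for h in hosts),
        "origin": (hops[0]["helo"], hops[0]["ip"]) if hops else None,
        "authenticated_submission": bool(hops) and hops[0]["with"] == "ESMTPA",
    }
```

Only the Received line written by your own mail provider can be relied on; anything below it was supplied by the sending side. A path that never touches the claimed domain is a signal rather than proof, since organisations do send through third-party mail services.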

I hope this stops anybody getting their details robbed and their bank account emptied.

Andy.

05Jan2011 – Lloyds TSB and more phishing emails

Hi Everyone,

The phishing emails are doing the rounds again, this time for Lloyds TSB. If you get an email that looks like it is from your bank it shouldn’t be asking you to click on a link or provide any of your banking details or personal details.

Here is the email I received :

From “Lloyds TSB Bank”
To

 

Our Valued Customer,
You have (1) Unread Secured Message !
Sign In To Online Service
Thank you for helping us to protect you.
Security Advisory
Lloyds Security Team

So now they are trying a different format. Usually it is one that states you must sign into your account or it will be disabled, or, it has been accessed from aaa.bbb.ccc.ddd (an IP address) and you just login to confirm your security details.

Unfortunately some people do follow those links. Don’t. If in doubt call your bank on a number that you know will definitely get you through to them.

Always treat these emails with suspicion. Never click on links in them. Don’t let these emails bully you into doing something you shouldn’t and don’t let them make you fear the consequences of not clicking on the links. You could ask friends or call the bank. It doesn’t take long.

Andy.

15Dec2010 – keep getting called by 07589 000595

Hi All who read my blog,
Some of you may have had calls from the number in the subject, 07589 000595. I have searched for that number on the net and only found entries for it at WhoCallsMe.

It starts with a recorded voice saying he is calling from the approvals team and wants to chat about your loan. Press 5 to continue. I need to call my telco and see if they will block the number as I am treating them as nuisance calls. If I have to, I will get the Police involved.

Have any of you out there had calls from this number? Found out who they are? I suspect the numbers that are called are computer generated. The Truecall would probably stop them. Might have to invest in one to stop these nuisance calls.

11Dec2010 – Ideal World and their online ordering system

Hi Everyone,

A slightly different topic today. Ideal World’s online and telephone ordering system. I know someone today who tried to order something from them today but had problems at the checkout. It says on their site that items should be in your basket for at least 30 minutes. However, when she was at the checkout, 20 minutes after adding the item to her basket it disappeared.

I wasn’t watching at the time, but I know she can order from the QVC site very easily indeed, so it seems to me that Ideal World’s online ordering system is perhaps not as user friendly as it should be.

If you order by telephone you have to call 09056 48 48 48 which costs 20p per minute which is damned expensive. You can see their info on phone calls on their Contact Us page which states :

Telephone Numbers:

08431 680 680 – Ideal World Customer Services (Open 24 hours a day, seven days a week)

09056 48 48 48 – Automated Ideal World OrderLine (Calls cost 20p per minute from BT landlines, other networks and mobiles may cost more)

08431 681 000 – Create and Craft Club Member Helpline (Open 10am to 4pm, Monday to Friday)

I have searched for alternative numbers and there don’t appear to be any. The usual site I check for alternative numbers is Say No To 0870 but there are none on there except the alternatives for 0870 numbers. Alternative numbers for Sky are on there as well (for UK residents), very useful if you don’t want to pay stupidly high prices for phone calls to Sky.

When you call the orderline to order, you are speaking to someone in India apparently. Not had to do it myself.

Feedback I have been getting is that a lot of people won’t order from their website because it is so difficult to use. And if you do decide to call, that’s 20p per minute. I wonder if anyone from Ideal World will be reading this. Perhaps they could reply to this post as to why it costs 20p per minute to call their helpline/order line? Another tv retailer (QVC) has freephone numbers and their website is easier to use. Perhaps someone at Ideal World should take note. It won’t be the developers, it will be the business people who decide how the website should look and how it should work. You’re the people who take note. Yes, you sat behind your desk who thinks he knows it all and this is how websites should work. Listen to what your customers tell you and act accordingly.

If you don’t listen to your customers, they go elsewhere. No customers, no business. And bring your call centre back into the UK, with free, or, at the very least very cheap rate numbers.

There, I’ve had my say. Publishing this a couple of days late, but I’ve been busy. So, who is going to be first to post a reply? Go on, it’s easy. Let’s see if this is going to be a big discussion. Maybe Ideal World will sit up and take notice, especially as this is on the net for all to see.

Go on, you know you want to have your say.

19Nov2010 – scam Facebook email with trojan

Hi Everyone,

Another scam email about your Facebook account sending spam and being locked out. Here is the email :

From (apparently!) : support.nr.7921@facebook.com
Subject : Facebook Support. Your account is temporarily blocked. ID302

Body text :

Good afternoon.A spam is sent from your Facebook account.
Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Thank you for your attention,
Facebook Service.

The attachment is called Facebook_document_Nr2509.zip. According to GMX’s antivirus it contains Trojan.Sasfis. According to Clamav 0.96.4 it contains Suspect.Bredozip-zippwd-3. Either way it’s a Trojan.

If you get one like this delete it. You know it makes sense.

Now for the technical stuff, the full headers, for those who may be interested :

Received SPF fail (mta1002.mail.ird.yahoo.com: domain of support.nr.7921@facebook.com does not designate 66.238.61.123 as permitted sender)

X-Originating-IP [66.238.61.123]

Authentication-Results mta1002.mail.ird.yahoo.com from=facebook.com; domainkeys=neutral (no sig); from=facebook.com; dkim=neutral (no sig)

X-Mailer Microsoft Outlook Express 6.00.2900.2180

So, it looks like it was sent from a Windows PC, infected no doubt.

Dragonnefyre.