Tuesday, January 18, 2005

 

Beware! Email scams, and phishing.

I don't know how this happened, but this is what I think... Last year, I had a hosting service, not the best, but far from the worst. I had many pages up there, an online journal, information, whatever. I was a hit by lightning. Well, not me exactly, but the power transformer down the street which is closest to my house. By the time the surge got to my house, it was enough to blow out all of my electronics, but not start any fires, unlike the house closest to the strike, where they had fire shooting out of all the outlets. I was not home at the time as I was out of town on business. I came home to a dark house, totally black inside. Before I leave for a few days, I turn off certain circuit breakers at the box in the garage, the stove, the water heater, most of the unoccupied areas of the house. I flip my automatic electronic smart thermostat to OFF which means it goes into a freeze protect mode and will kick on the heat if it gets below 37 degrees. So, I come home and find darkness has invaded my space. I dug out my flashlight from under the driver's seat and went inside, and immediately smelled the unique odor of integrated circuit electronic death, the smell of the darkness which is contained inside an IC and suddenly gets out to let the light in when the IC dies a horrible death from overload or overheating. If you have ever smelled this particular odor, you will know EXACTLY what I mean. Anyway, I got the house back up and running and determined what exactly had fried, which included all of my computers and video equipment. And that was when I decided to go walkabout. My domains went static, I wasn't able to change anything and I was going to go away, maybe for long periods of time. All of my email to my domains went into the bit bucket. I set up an autoresponder referring people to rvgetsla at yahoo dot com and sent out a mass mailing to my regulars informing them of the change. The autoresponder was in case I missed anyone, which of course, I did. The autoresponder said my email address just like I did above, in text, not as a recognizable email address which a bot could interpret. Prior to this lightning strike, I got maybe 10 or 20 spam emails a day, easily filtered out by my email software. While I was on walkabout, I checked from time to time to see if my domains were still up, but I didn't change anything. After a while. one of my domain hosts, for 3 of my 4 domains, dropped off the line. I set up a domain parking page with my registrar for all 3 domains. And then a few months ago, my remaining domain host dropped off as well. Well, didn't drop off, just lost all of my files. So, a couple of weeks ago, when I decided to come back from walkabout, I changed registrars, and acquired a new hosting service for all 4 domains. I put up some temporary pages and configured the email services. And that is when it started, I was getting several hundred spam emails a day! I set up an autoresponder again, to reply to every email with a short note about the email being dropped into the bit bucket sight unseen and information if a person read the reply which would point to yahoo which a real person could interpret. The funny thing, is the email ID I used for the autoresponder from my former hosting is now being spammed which tells me replies to email spam is a way to gather addresses. No matter. My autoresponder drops every email into the blackhole and I never see them, not a single one. For a couple of weeks, I let the email gather in the inbox so I could examine what it was I received rather than drop each into the bit bucket. The sender could not know this. I examined the source text of each message, not previewing or displaying it in the regular manner so I could not activate a virus attachment. Guess what, about 20% were in fact email virus programs! Another 20% were Nigerian scams and 10% were phishing expeditions. For those of you who may not know, a phishing expedition is a false email from a bank or credit card company which spoofs the real bank or credit card site. In the body somewhere is a link, an HTML anchor tag, which says it goes to the bank site but really points to an IP address where the false site is located. They then ask for account verification information incliding PIN numbers and other data which they then can use to apply a fraudulent charge to your account. I know my bank never does this, send an email to verify anything, ever, so anything I receive from a bank or credit card company is immediately suspect as a fake. The Nigerian scams are a whole other thing entirely. The Nigerian scams all purport to be a representaive of a bank or institution somewhere, not always Nigeria. I've seen Singapore, China, Nigeria, and several other places, but what they all have in common is that they say they have an inactive account with millions of dollars just sitting there unclaimed and they want you to be their representative to get the funds, usually promising a percentage of what they can get in return for impersonating a relative of the person who is the account owner. OK, so this is conspiracy to commit fraud by claiming to be a relative of a person who you are not, but they want you to do this to get the money which is unclaimed. There are several variations on who they want you to be, a relative, a business partner, whatever. Again, they all promise to provide the supporting documents. All you have to do is put some of your own money in "good faith" to show you are serious in helping them get this unclaimed money. Don't do it. All they will do is keep your money and eventually they will disappear. As a lark, I decided to reply to a few just to see how long I could string them along without providing any money. I created a free email account at a provider in Italy, several in fact, one for each scam email. I then forwarded several of these spams to those accounts, one to each. I then replied from each saying a friend had forwarded their email to me thinking I might be interested. I was able to play this up for several back an forth emails, each making an excuse for not being able to send any money. Several accounts had me being the wife of a businessman and my husband controlled my finances, a teenager, a desperate single mother, a finacially strapped lawyer, a homeless guy, a lonely housewife, a rich investment banker, but whoever I was, I really wanted to help and well, you get the idea. I loved stringing these people on! It was exciting to do some roleplaying in this manner. I discovered how easy it is to fool someone and these people seem to be desperate enough to want to believe I was going to help them and that I would send them money, even a 14 year old girl in high school!. I was shameless in my roleplaying, I admit. It was just, SO entertaining, to play the parts I chose for each scam email. I had to keep a notebook to keep everything straight for each person I was playing a role for and not make any obvious mistakes in continueity. you know what continueity is, it is how a movie makes sense even though each scene is filmed out of sequence in real time. Finally, each gave up and did not reply to my bogus emails, even after repeated attempts on my part to keep things going. I guess they figured out I was a dead end eventually. Well, I did get something out of all this, a whole lot of serious amusement!

Do not try this at home.

I am what you call an expert.

Your mileage may vary.

Posted by: Rowlfe - at: 1/18/2005 08:42:00 PM

Comments: Post a Comment