Endpoint Protection


Question on email I just received...

  • 1.  Question on email I just received...

    Posted Aug 04, 2009 03:28 PM
    The subject line is  Fw: Wire Transfer Info for (and it has my real name here)

    The content is:  For more details please download the invoice found on this link:

    Then there's a link that starts:  http://163.20.160.24/~pc/templates_c/transfer etc etc etc with my name at the end.

    Then below is what's supposed to have been a message I sent to the person, nancy@nisstrategies.com
    There IS a Nancy who has such a company according to just one page I googled.
    But I didn't send such a message to such a person about a wire transfer..........

    Anyone run into this and is this something I should send our folks an alert about???


  • 2.  RE: Question on email I just received...

    Posted Aug 04, 2009 03:41 PM
    Sounds like a scam to me.


    IP lookup 163.20.160.24 returns
    Record Type: IP Address

    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: 163.13.0.0 - 163.32.255.255
    CIDR: 163.13.0.0/16, 163.14.0.0/15, 163.16.0.0/12, 163.32.0.0/16
    NetName: APNIC-ERX-163-13-0-0
    NetHandle: NET-163-13-0-0-1
    Parent: NET-163-0-0-0-0
    NetType: Early Registrations, Transferred to APNIC
    Comment: This IP address range is not registered in the ARIN database.
    Comment: This range was transferred to the APNIC Whois Database as
    Comment: part of the ERX (Early Registration Transfer) project.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-info/whois_search
    Comment:
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse.
    RegDate: 2003-04-15
    Updated: 2009-06-01

    OrgTechHandle: AWC12-ARIN

    Registrant:

    DNS lookup for NIS Strategies returns:
    ATTN: NISSTRATEGIES.COM
    c/o Network Solutions
    P.O. Box 447
    Herndon, VA20172-0447

    Domain Name: NISSTRATEGIES.COM


    Administrative Contact :
    NIS Strategies
    ev2fh6rx255@networksolutionsprivateregistration.com
    ATTN: NISSTRATEGIES.COM
    c/o Network Solutions
    P.O. Box 447
    Herndon, VA20172-0447
    Phone: 570-708-8780

    Technical Contact :
    NIS Strategies
    ev2fh6rx255@networksolutionsprivateregistration.com
    ATTN: NISSTRATEGIES.COM
    c/o Network Solutions
    P.O. Box 447
    Herndon, VA20172-0447
    Phone: 570-708-8780

    Record expires on 24-Feb-2014



  • 3.  RE: Question on email I just received...

    Posted Aug 04, 2009 03:54 PM
    You are right to be suspicious


  • 4.  RE: Question on email I just received...

    Posted Aug 04, 2009 04:21 PM

    Good - issues here prevented a lookup - we are putting some new equipment and security into place, plus ran out of IPs, etc.
    I wondered, as a Google search on parts of that URL came up with only Asian characters as a response.

    I think I'll contact the state security folks and alert them...........



  • 5.  RE: Question on email I just received...

    Posted Aug 04, 2009 04:48 PM
    I agree, definitely a phishing scam attempting to get you to submit personal information or get your machine infected with a keylogger of some sort.


  • 6.  RE: Question on email I just received...

    Posted Aug 04, 2009 05:41 PM
    ShadowsPapa, you've won the lottery!  Give them your bank account info and watch your money drain out! 

    Seriously, it's a big time scam.  If you have the time and want a good laugh, read up on the "Tale of the Painted Breast" on the following link, you'll get a good kick out of it!

    http://www.419eater.com/html/joe_eboh.htm 


  • 7.  RE: Question on email I just received...

    Trusted Advisor
    Posted Aug 04, 2009 07:00 PM
    That's a Scam for Sure.......

    Please Please Don't Provide any information....



  • 8.  RE: Question on email I just received...

    Trusted Advisor
    Posted Aug 07, 2009 02:15 PM
    Hi,

    Check this:

    http://ask-leo.com/how_can_i_trace_where_email_came_from.html

    Might Help for sure... :)


  • 9.  RE: Question on email I just received...

    Trusted Advisor
    Posted Aug 07, 2009 02:21 PM

    In Outlook:

    1. Open up the email
    2. Click on View
    3. Click on Options
    4. You should see a lot of text in the window called Message header
    5. Copy the last ISP number
    6. Go to a DNS trace site listed above and put in the IP number
    7. You should be able to at least determine the country, city or server the email sender is using.

    In GroupWise:

    1. You have to first select "QuickViewer". That splits your screen so you can preview each message without actually opening it, much like Outlook Express.
    2. In new GW versions, a small subject window will then appear at the top of the preview window. There is a drop down list here. It will show you the MIME info.
    3. That's where the header info is located. Yours is listed below.
    4. Go to the trace sites listed above and put in the IP number
    5. You should be able to at least determine the country, city or server the email sender is using.

    Outlook Express

    1. Highlight each email you received from the offending parties, one at a time. Don't open them. Just highlight them with your mouse.
    2. Now right click on the mouse. You should get a menu.
    3. Select the last item on the menu - Properties.
    4. A property box should pop up. Select the second window - "Details".
    5. You should get a lot of technical gibberish. Copy everything in that box. Copy the text (highlight it with your mouse, then copy it and paste it into a Word document or email message).
    6. Go to the trace sites listed above and put in the IP number.
    7. You should be able to at least determine the country, city or server the email sender is using.
    Here is an illustration of how to read a Message Header:





  • 10.  RE: Question on email I just received...

    Posted Aug 07, 2009 02:25 PM
    But as the writer of the site states:

    "Email headers cannot be trusted, and not all email can be traced or authenticated. Legitimate mail typically can be traced, but for SPAM and virus-generated email it's difficult to say that the headers are absolutely trustworthy."

    Cheers,
    Thomas

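The header-reading steps in reply 9 and Thomas's caveat in reply 10 that headers cannot be trusted, as an added Python example that is not part of this thread: it pulls the Received hops out of a constructed message, takes the "last IP number" the steps tell you to copy, and then checks whether each hop's "from" host matches the next hop's "by" host, which is where a Received line the sender put into the message before any real relay saw it shows up as a break. The hostnames, addresses and the header shape the regular expression expects are assumptions.

```python
import re
from email import message_from_string

# One Received hop: "from <host> (... [<ip>]) by <host>"; the shape is an assumption.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE)

# Constructed sample, not the thread's message; hosts and IPs are documentation values.
SAMPLE_RAW = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP id abc123; Tue, 4 Aug 2009 15:20:01 -0500\n"
    "Received: from relay.example.com (relay.example.com [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP; Tue, 4 Aug 2009 15:19:58 -0500\n"
    "Received: from [203.0.113.45] (unknown [203.0.113.45])\n"
    "\tby relay.example.com with SMTP; Tue, 4 Aug 2009 15:19:50 -0500\n"
    "Subject: Fw: Wire Transfer Info\n\nFor more details please download the invoice.\n")

# Same message with a Received line that was already inside it before any real relay
# saw it, so it sits at the bottom of the chain and claims a different origin.
FORGED_RAW = SAMPLE_RAW.replace(
    "Subject:",
    "Received: from mail.bank.example (mail.bank.example [192.0.2.99])\n"
    "\tby smtp.sender.example with ESMTP; Tue, 4 Aug 2009 15:19:40 -0500\nSubject:")

def parse_hops(raw):
    """Hops in header order: top is nearest the recipient, bottom nearest the sender."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def originating_ip(raw):
    """The 'last IP number' the thread says to copy: the bottom-most hop's address."""
    hops = parse_hops(raw)
    return hops[-1]["ip"] if hops else None

def chain_breaks(raw):
    """Indexes where a hop's 'from' host is not the next hop's 'by' host."""
    hops = parse_hops(raw)
    return [i for i in range(len(hops) - 1)
            if hops[i]["from"].strip("[]") != hops[i + 1]["by"]]

def last_trustworthy_ip(raw):
    """Address logged by the last hop that still chains back to your own servers."""
    breaks = chain_breaks(raw)
    return parse_hops(raw)[breaks[0]]["ip"] if breaks else originating_ip(raw)
```

Only the hops added by servers you control are reliable; once the chain breaks, everything below that point was written by whoever sent the message.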

  • 11.  RE: Question on email I just received...

    Posted Aug 07, 2009 04:21 PM

    Rick,
     
    Thank you SO much for that.  I have not laughed so hard in a long time.  I love scambaiters and it is about time that people started fighting back against these kinds of things. 

    These really are the kinds of things that the 'media' should be covering more and more often. 

    "Beware of e.mail scams".  So many people get taken in each year, by telemarketing fraud and e.mail scams, because they simply don't know better.

    I wish they would start to inform the general public more and more about "fake pills", "e.mail scams" and the like.

    Anyways, a long read making for a good long laugh



  • 12.  RE: Question on email I just received...

    Posted Aug 09, 2009 10:18 AM
    It's pretty easy to spoof emails and their headers. I've demonstrated it several times when I was in Symantec to my colleagues there, and even gave a live demo at Symantec's internal Tech Conference 2 years ago on how it is achieved.

    @ Mithun: Good writeup you've given and a thumbs UP for you, but if you remember my demo, you'll also remember it's pretty darn easy to spoof anything in any part of the email if you have your coding basics right. I also agree with Thomas, hence a big thumbs up for him as well ! :D

    I still maintain an online application whose code I continually update to test the effectiveness of the latest security and messaging systems, and still 60% of my test messages still get thru in spite of all the rules in place. Security still has a long way to go, but we're getting there, with only a small hitch: even if we know all the originating servers, we can't simply take them out / NUKE EM (would be nice) ;) to prevent all this stuff from getting thru.