
Question on email I just received...

Created: 04 Aug 2009 • Updated: 21 May 2010 | 11 comments

The subject line is  Fw: Wire Transfer Info for (and it has my real name here)

The content is:  For more details please download the invoice found on this link:

Then there's a link that starts:  http://163.20.160.24/~pc/templates_c/transfer etc etc etc with my name at the end.

Then below is what's supposed to have been a message I sent to the person, nancy@nisstrategies.com
There IS a Nancy who has such a company according to just one page I googled.
But I didn't send such a message to such a person about a wire transfer..........

Anyone run into this and is this something I should send our folks an alert about???


Thomas K:

Sound like a scam to me.

IP lookup 163.20.160.24 returns
Record Type: IP Address

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 163.13.0.0 - 163.32.255.255
CIDR: 163.13.0.0/16, 163.14.0.0/15, 163.16.0.0/12, 163.32.0.0/16
NetName: APNIC-ERX-163-13-0-0
NetHandle: NET-163-13-0-0-1
Parent: NET-163-0-0-0-0
NetType: Early Registrations, Transferred to APNIC
Comment: This IP address range is not registered in the ARIN database.
Comment: This range was transferred to the APNIC Whois Database as
Comment: part of the ERX (Early Registration Transfer) project.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-info/whois_search
Comment:
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse.
RegDate: 2003-04-15
Updated: 2009-06-01

OrgTechHandle: AWC12-ARIN

DNS lookup for NIS Strategies returns:

Registrant:
ATTN: NISSTRATEGIES.COM
c/o Network Solutions
P.O. Box 447
Herndon, VA20172-0447

Domain Name: NISSTRATEGIES.COM

Administrative Contact :
NIS Strategies
ev2fh6rx255@networksolutionsprivateregistration.com
ATTN: NISSTRATEGIES.COM
c/o Network Solutions
P.O. Box 447
Herndon, VA20172-0447
Phone: 570-708-8780

Technical Contact :
NIS Strategies
ev2fh6rx255@networksolutionsprivateregistration.com
ATTN: NISSTRATEGIES.COM
c/o Network Solutions
P.O. Box 447
Herndon, VA20172-0447
Phone: 570-708-8780

Record expires on 24-Feb-2014

Jeremy Dundon:

You are right to be suspicious

ShadowsPapa:

Good - issues here prevented a lookup - we are putting some new equipment and security into place, plus ran out of IPs, etc.
I wondered, as a Google search on parts of that URL came up with only Asian characters as a response.

I think I'll contact the state security folks and alert them...........

Danny Pfeifer:

I agree, definitely a phishing scam attempting to get you to submit personal information or get your machine infected with a keylogger of some sort.

RickJDS:

ShadowsPapa, you've won the lottery!  Give them your bank account info and watch your money drain out! 

Seriously, it's a big time scam.  If you have the time and want a good laugh, read up on the "Tale of the Painted Breast" on the following link, you'll get a good kick out of it!

http://www.419eater.com/html/joe_eboh.htm 

Jason1222:

Rick,
 
Thank you SO much for that.  I have not laughed so hard in a long time.  I love scambaiters and it is about time that people started fighting back against these kinds of things. 

These really are the kinds of things that the 'media' should be covering more and more often. 

"Beware of e-mail scams". So many people get taken in each year, by telemarketing fraud and e-mail scams, because they simply don't know better.

I wish they would start to inform the general public more and more about "fake pills", "e-mail scams" and the like.

Anyways, a long read making for a good long laugh

Mithun Sanghavi:

That's a scam for sure.......

Please, please, don't provide any information....

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mithun Sanghavi:

Hi,

Check this:

http://ask-leo.com/how_can_i_trace_where_email_came_from.html

Might Help for sure... :)


Mithun Sanghavi:

In Outlook:

1. Open up the email
2. Click on View
3. Click on Options
4. You should see a lot of text in the window called Message header
5. Copy the last ISP number
6. Go to a DNS trace site listed above and put in the IP number
7. You should be able to at least determine the country, city or server the email sender is using.

In Groupwise:

1. You have to first select "QuickViewer". That splits your screen so you can preview each message without actually opening it, much like Outlook Express.
2. In new GW versions, a small subject window will then appear at the top of the preview window. There is a drop-down list here. It will show you the MIME info.
3. That's where the header info is located. Yours is listed below.
4. Go to the trace sites listed above and put in the IP number.
5. You should be able to at least determine the country, city or server the email sender is using.

Outlook Express

1. Highlight each email you received from the offending parties, one at a time. Don't open them. Just highlight them with your mouse.
2. Now right-click with the mouse. You should get a menu.
3. Select the last item on the menu - Properties.
4. A property box should pop up. Select the second tab - "Details".
5. You should get a lot of technical gibberish. Copy everything in that box (highlight the text with your mouse, then copy it and paste it into a Word document or email message).
6. Go to the trace sites listed above and put in the IP number.
7. You should be able to at least determine the country, city or server the email sender is using.

Here is an illustration of how to read a Message Header:

[image: annotated message header, not reproduced here]


Thomas K:

But as the writer of the site states:

"Email headers cannot be trusted, and not all email can be traced or authenticated. Legitimate mail typically can be traced, but for SPAM and virus-generated email it's difficult to say that the headers are absolutely trustworthy."

Cheers,
Thomas

Abhishek Pradhan:

It's pretty easy to spoof emails and their headers. I've demonstrated it several times to my colleagues when I was at Symantec, and even gave a live demo at Symantec's internal Tech Conference 2 years ago on how it is achieved.

@ Mithun: Good writeup you've given and a thumbs up for you, but if you remember my demo, you'll also remember it's pretty darn easy to spoof anything in any part of the email if you have your coding basics right. I also agree with Thomas, hence a big thumbs up for him as well! :D

I still maintain an online application whose code I continually update to test the effectiveness of the latest security and messaging systems, and still 60% of my test messages get through in spite of all the rules in place. Security still has a long way to go, but we're getting there, with only a small hitch: even if we know all the originating servers, we can't simply take them out / NUKE 'EM (would be nice) ;) to prevent all this stuff from getting through.

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org