Dissecting An Email Scam
Posted on: November 20th, 2008
Yesterday I got a sample of a UPS scam email. I instantly recognized it, having multiple glaring signs of a faked email. However it might be not that easy for a layman to see these sign. So I wrote up this article to show, in detail, what signs you can look for.This email was ideal for this article having almost all of the telltale signs that indicate a faked and malicious email.
Here’s the labeled screen shot of the email. I’ll explain all the indicated parts as to what these signs are:
A: A faked email address. The sender’s email address is very easy to fake. So having a UPS email address in the From field does not mean at all that it came from UPS.
B: The receipient’s email address is not mine, it’s somebody else’s. This indicates that the spammer used the blind carbon copy (BCC) method, where he put one email address in the To: field and the rest in the BCC field. The people listed in the BCC field will receive the email but they only see the email address(es) listed in the To: field.
C: Grammatical error. A well known company, like UPS, would pay attention not to have such a grammatical error. This error makes me think that the person sending it was not a native English speaking person.
D: Foreign character. This indicates that the characters in the email were encoded using a code table not common to English speaking countries. I looked into the raw code of the email and the code table that used was the Central European.
E: Another grammatical error. Another clue that the sender was from a different country – from a country that puts its currency after the amount.
F: An alarming statement prompting the recipient to open the attachment(s). Also another grammatical error in the sentence.
G: An unusual closing for an “official” letter.
H: Two attachments in .zip files. They used the zipped (compressed) version to avoid detection by software that scans emails for viruses.
The things that are missing: The email does not contain any signage, no UPS logo, no links to their website, no phone numbers listed. These things you’d expect from a professional company. I’m pretty sure the sender used plain text email to increase the chances of avoiding spam filters.
Also stop here for a moment and think about the message of the email and use common sense:
This is just few of the glaring illogical things about this email. This one is actually very dumbly constructed, but there are some much smoother, trickier emails.
The stable data when in doubt about an email that seems to be from a company that you do business with, is to contact the company directly using your phone. Don’t do anything with the email, especially don’t open any attachments! Emails are easily forged and frequently used for less-than-honest purposes so any reputable company would not use email for sending out important/time sensitive notifications – their email might just end up in a junk folder.
Now, let’s see what’s inside the ‘package’ – i.e: the attachments. I just opened one of them. Here’s my step by step process:
A: The saved attachment looks like this in normal icon view.
B: After double-clicking the zip file we see the content. The icon indicates that it’s an executable file! It’s not a document of any kind.
C: Switching to detailed view.
D & E : As I mentioned in point B, the file inside the zip file is an executable file, also called an application. It’d execute a program if you double-clicked on it.
And here is what AVG has to say about this file:
I tried to look up what this Trojan horse would do when it’s allowed to infect the compuer but found not much on it, except for that it showed up about 2 weeks ago.
This concludes the little detective work. I hope you learned some useful knowledge from this article.
Did you find this information useful?
Please consider donating.