Wednesday, January 7, 2009

Detecting Targeted Email Scams – The New Phishing

The souring of the global economy has, by way of two factors, encouraged the growth and success of three new email and internet scams known as targeted scams. They are called targeted scams because the phishing message sent generally contains not only the name of a legitimate company with which you are familiar, but also your personal name. In addition, the email, letter, website or pop-up page copies a real one so closely that detecting the scam is almost impossible until you've been 'had.' This blawg will show the lay user and the busy professional ways to identify these scams before becoming a victim.

As evidence of the growing success of the new spam email, both the American Bar Association (1) and the esteemed publication American Banker (2) recently sent out memorandums warning their professionals of these new and ingenious scams. In addition, a user of the online network Linkedin.com recently posted a warning about domain name owners receiving emails pretending to 'warn' the domain name owner of a registration problem (3). The responses indicated that this is a common occurrence. This author has received similar scam letters.

The first factor in the success of these scams is that the spam emails are more convincing than ever, as is discussed below. The second factor is that the victim lacks good anti-spamware, or fails to recognize the email as spam. An apparent ancillary factor may be that, with anti-spamware in place, victims are perhaps paying less attention in looking for scams. Regardless, the number of successful scams is rising.

The new scams, however, do share traits with their less complicated brethren. We'll first review the scams noted by the ABA, American Banker, and the domain name scam, and relate them to common scam forms, along with ways to detect the scams.

For legal professionals, the ABA warned of the usual phishing and spoofing emails, and of an interesting, yet bizarre, set-up that makes the "Nigerian scam" (4) seem like child's play. In a targeted scam, the email pretends to be from a legitimate company seeking assistance in receiving payment from another person. What makes the scheme so peculiar is that the email may provide for a fee agreement, confidentiality agreement, etc., and so seems completely legitimate. Once the 'paperwork' is finished, the attorney receives a check (maybe even a cashier's check), along with a separate request from the seemingly legitimate company asking for a quick transfer of the funds, less the attorney's fee. Complying with the client's request, however, proves to be costly when the lawyer learns that the check is phony, and that the contact and wire transfer information had nothing to do with the legitimate company.

Some people may already be familiar with this scam from emails promising a person work at home as an escrow agent, or 'representative' of a sort, earning a "commission" by receiving checks and then sending on the funds. As with the "Nigerian scam," either the check is not good, or the goods are of poor quality or never shipped. Either way, the representative is left alone to explain the scam to the police.

American Banker, on the other hand, directed its warning to computer professionals. In its memorandum, American Banker said that computer professionals who handle domain name registration were receiving letters advising them to change information about a domain name. The change would, in effect, allow the sender to hijack the domain name. While we would hope that the computer professionals would be alert to the scam, they are busy people too, and sometimes details get missed.

This brings us to the third scam, which may involve a domain name, or more often a financial account. In this scam, the email or letter warns the recipient of a problem that must be immediately resolved. For domain name owners, the alleged problem is often that someone else is trying to register the recipient's domain name, or that the domain name is being abandoned for some reason, and that the recipient must pay the letter sender immediately to avoid losing the domain name. In other cases, the financial account will be locked or closed unless action is immediately taken.

In reality, a close look at the email or letter will reveal one or two, if not more, scam clues. If the letter addresses a domain name issue, the letter sender is likely NOT the same company with whom the domain name was last registered. As with the Nigerian scam, the funds are not spent to your benefit.

The second scam clue is more common: the domain name is somehow different from the registered domain name. For example, we are used to seeing domain names like nikon.com, kfc.com, or cocacola.com. In one scam form, the domain name may include a couple of extra letters at the end, such as nikon.com.cn, kfc.com.cn, or cocacola.com.cn. In this case, the '.cn' means that the domain name is registered in China. Similarly, the end letters '.ru' stand for Russia, '.ca' is Canada, and so forth, for the well over 200 country codes called top level domain names. If you have a world-wide business, you might want to register these domain names in those countries, just as did Nikon, KFC, and Coca-Cola. If you do not plan to have a world-wide business, why worry about it? (5)

Another form of the second scam clue includes a familiar company name, with other words in the domain name. One example is http://paypal.confirm-updates.com/login.php. In this case, the email seems to be from PayPal, but is, in fact, directed to a website called paypal.confirm-updates.com, which is NOT paypal.com. You can see the difference from a link on PayPal's website, such as https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run. All the special code is AFTER the '.com'. There are even examples of the two scam forms appearing together, such as one I received to immediately go to a website with a true link of:
http://www.login.chase.com.ru/sossaht?e=5BbuujDubwwjCrKNjrSzz9UzC.
This one has both a Russian registered domain name, and a phony chase.com-like domain name.

The second scam form is more likely to appear in an email, as it is easier to hide, which brings us to the third way to discover a spam email, which is to look at the true link in an email.

This clue is a little more difficult to detect, as the email reader has to find the way in which the email program shows the true link in an email. For many email programs, you can simply place the cursor over the link shown in the email, then look at the lower left corner of the program window. For example, in one case, I received an email saying there was a disputed transaction, and that I should click on the link, which looked like this:
https://www.paypal.com/login?secure=ssl32?caseid=7YW39066PT601?=disputeTRANSACTION.

In the lower left corner of the program window, however, the true link was shown, which was http://paypal.user-data-confirmation.com/index.htm. As noted above, the website, "paypal.com" is not the same website as "paypal.user-data-confirmation.com." In other words, caveat lector (reader beware).

Not all email programs readily show the true link, and it is possible to block display of the web address in the lower left corner of the email or browser window. In such a case, you may be able to determine the true link by opening the Properties command in the menu. You may need to click a Details tab and then Message Source to see the actual web address. This is tedious in some cases, but is at least safe. The safest way, of course, is to visit the web site as you usually do, and look for a message or alert on the website.
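
The two link clues described above (a familiar company name used inside someone else's domain name, and displayed link text that differs from the true link) can also be checked by a program reading the message source. This is an added example, not part of the original post; the brand list, the shortcut for names like "com.ru," and the names registrable_domain, LinkCollector and check_links are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumptions: sample brand list; ccTLD shortcut, not the Public Suffix List.
BRANDS = {"paypal": "paypal.com", "chase": "chase.com"}
SECOND_LEVEL = {"com", "co", "org", "net", "gov", "edu", "ac"}

def registrable_domain(host):
    """Return the registered part of a hostname, e.g. a.b.com -> b.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):  # collects (true href, displayed text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body):
    """Return [(href, [reasons])] for links that show the clues above."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        real, reasons = registrable_domain(host), []
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != real:
            reasons.append(f"shows {registrable_domain(shown)}, goes to {real}")
        reasons += [f"{brand} label inside {real}" for brand, legit
                    in BRANDS.items() if brand in host.split(".") and real != legit]
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body built from the link forms quoted in the post.
SAMPLE = """
<a href="http://paypal.user-data-confirmation.com/index.htm">https://www.paypal.com/login</a>
<a href="http://www.login.chase.com.ru/sossaht">Verify your account</a>
<a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">Log in</a>"""
```

Calling check_links(SAMPLE) reports the first two links and passes the genuine paypal.com link.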

Safe Browsing.


(1) "Three Internet scams and solutions lawyers should know about," Your ABA, American Bar Association, November 2008, http://www.abanet.org/media/youraba/200811/article12.html
(2) "Data Hackers Shift to Phishing for Domain Name Credentials," American Banker, January 2, 2009, http://www.americanbanker.com/article.html?id=20081231QS6OX4TQ.
(3) "Solicitations mails .. from china claiming to be a domain name registration authority," Intellectual Property Professionals, 1/5/2009, http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&gid=89700&discussionID=922425 (Registration and login may be required.)
(4) Nigerian scam, Snopes.com, 9/6/2003, http://www.snopes.com/crime/fraud/nigeria.asp.
(5) This is not to suggest ignoring possible foreign trademark protection. The interested reader is encouraged to contact the author or other competent trademark authority for more information.
