Email, the perfect tool for hackers


As web-masters for a growing number of companies in town, we are often asked about the validity (or dangers) of certain emails our clients have received. The info@ and webmaster@ addresses especially are under attack from viruses and phishing, often twice or three times a week, so asking is the right thing to do! What happens?

A legitimate looking email arrives from one of your contacts, a potential client, paypal, facebook, twitter or even from your own email server (see below). Something is wrong with your account and they need you to login and verify your password. Click here. Or one of a thousand other reasons why you would want to follow the link they provide.

This link is false. As is this one: http://www.client-x.com/cpanel

Hover over it with your mouse and you will see it links to an entirely different place on the internet. There, you’ll be greeted by your familiar (but fake) logon screen where you enter, or verify, your name and password. These are now, of course, in someone’s database, along with your IP address and possibly your email address. The site might then pass your credentials on to the real site and log you in, so you will never even know the difference.

Or you might not fill in anything at all, but an applet or script hidden on the page you were sent to has already installed a virus, trojan or adware on your PC. The possibilities are endless; take for example this email I was asked about this morning by client X.

Subject: your mailbox has been deactivated
Date: Mon, 16 Nov 2009 21:52:46 +0100
From: notifications@client-x.com
To:

We are contacting you in regards to an unusual activity that was
identified in your mailbox. As a result, your mailbox has been
deactivated. To restore your mailbox, you are required to extract
and run the attached mailbox utility.

Best regards, client-x.com technical support.

As luck has it, we are actually technical support for client X and we certainly had not sent the email. When the client wanted to forward the email to us, their anti-virus software gave a first indication of trouble: the attached ‘utility’ contained a virus.

So how can you know what emails to trust? It is impossible to be 100% sure. There are, however, a number of red flags and things you can do yourself.

Red Flags & What to Do

Email Scam

  1. Read the email closely. Does it make sense? Why would a system that you own ‘lock you out’?
  2. Look closely at the ‘from’, and possibly the ‘reply to’ addresses. On close inspection, are they real? In the above case, the notifications@client-x.com address does not even exist.
  3. Is there a link to click? Don’t. First hover over it and see where it will take you. Is this the same location it appears to be? You can copy and paste the link into Word or Notepad if you cannot see it by hovering. Is it really a link to facebook.com? Or, on a closer look, does it actually go to facebook.com.23789myserver.ru? If the link looks legitimate, BEFORE you fill in any personal information, check the URL or location bar in your browser. Do you see a lock indicating a secure connection? Again, are you really on facebook?
  4. Copy a bit of the email and paste it into Google. If anyone else has written about it, anywhere in the world, you’ll know. I copied the first line of the above virus into Google and got 16,700 hits.
  5. And do we need to say? Don’t run any attachment. And if you have to, make sure your anti-virus software is up to date and running!
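The hover check in step 3 can be written down as a small script. This is an added example, not code from the original post: given the visible text of a link and the address it actually points to, it reports the red flags described above (no secure connection, visible text naming a different site, and a well-known brand buried as a subdomain of an unrelated domain such as facebook.com.23789myserver.ru). It goes one step beyond the text by also flagging an email address carried in the link’s query string, a common way for such links to confirm that your address is live. The KNOWN_BRANDS list, the sample links and the example.net hostname are assumptions made for the demonstration; registrable_domain() uses a naive last-two-labels rule, and a production checker would consult the Public Suffix List (for e.g. co.uk).

```python
# Added example (not from the original post): flag deceptive links the way
# the hover check in step 3 does, from a defender's point of view.
import re
from urllib.parse import urlparse, parse_qs

# Assumed, hand-maintained list of brands the reader expects to see.
KNOWN_BRANDS = {"facebook.com", "aol.com", "paypal.com", "twitter.com"}

# Visible link text that itself looks like a URL or a bare domain name.
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable_domain(host):
    """Last two DNS labels of a hostname, lower-cased (naive rule, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shown_domain(text):
    """Registrable domain implied by the visible link text, or None if the text is just words."""
    m = DOMAIN_TEXT.match(text.strip())
    return registrable_domain(m.group(1)) if m else None


def inspect_link(visible_text, href):
    """Return the list of red-flag tags for one link; an empty list means nothing suspicious was found."""
    flags = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    actual = registrable_domain(host)

    if parsed.scheme != "https":
        flags.append("no-https")            # no lock icon to expect in the browser

    shown = shown_domain(visible_text)
    if shown is not None and shown != actual:
        flags.append("text-mismatch")       # looks like site A, goes to site B

    for brand in sorted(KNOWN_BRANDS):
        # The brand must sit on a label boundary: "facebook.com" at the start of
        # "facebook.com.23789myserver.ru" counts, "paol.com" does not.
        if re.search(r"(^|\.)" + re.escape(brand) + r"(\.|$)", host) and actual != brand:
            flags.append("brand-as-subdomain")
            break

    if "email" in parse_qs(parsed.query):
        flags.append("email-in-url")        # visiting confirms your address to the sender

    return flags


if __name__ == "__main__":
    # Constructed samples; the first hostname is the one quoted in step 3.
    samples = [
        ("facebook.com", "http://facebook.com.23789myserver.ru/login"),
        ("the following link",
         "http://update.aol.com.example.net/update.php?code=CONSTRUCTED&email=info@example.com"),
        ("Log in", "https://www.facebook.com/login"),
    ]
    for text, href in samples:
        print(f"{text!r:22} -> {href}\n    flags: {inspect_link(text, href) or 'none'}")
```

Run it as a script to see the three samples scored; only the genuine facebook.com login comes back clean.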

And if you’re worried at all, DO contact us. We probably either heard already, or can find out about it.

UPDATE 8/12/09: The ever useful on-line magazine LifeHacker just posted an article on this subject with lots of useful info and links. Find it here

UPDATE 25/01/10: Another email in our inbox, another variety of the same scam. We’ll be adding them as comments to this post as they come in…

  1. #1 by Webmaster on January 26, 2010 - 11:31 am

    Another scam doing the rounds, looking to be an innocent message from AIM, AOL’s Instant Messaging Service. The email below, then at the bottom how you can spot it’s fake & dangerous…

    From: AOL Instant Messenger [mailto:no_reply_instant_messenger@aol.com]
    Sent: Saturday, January 23, 2010 7:43 AM
    To: info@myclientname.com
    Subject: Your AIM account is flagged as inactive

    Dear AIM user,

    Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.
    If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

    In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

    Thank you,
    AIM Service Team

    This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

    The signs? Well the email looks authentic (the FROM: address originates at AOL.COM). However, email headers can easily be faked and in this case, the message does not originate from AOL at all. So what gives it away?

    In the original email, where it reads “In order to install the update use the following link”, the last 3 words are a hyperlink. Hovering over this link (and NOT clicking it), reveals that the actual link is:

    http://update.aol.com.oijeazxcom.pl/products/aimController.php?code=26760816627501960482324357915365863132494086742&email=info@myclientname.com

    Look closely; though at first sight the link appears to be at update.aol.com, in reality it will send you to oijeazxcom.pl – a website in Poland. When you visit that site, the first thing that happens is that you confirm your email address (at the end of the link), adding it instantly to hundreds of email-spam-lists. Secondly, you’ll be asked to install the ‘updated AIM client’ which, you’ll have guessed it, installs spyware and/or a virus on your PC.

    Again, NEVER click on a link before inspecting it properly. Use a safe browser such as Google’s Chrome or Mozilla’s Firefox. And never, never, install a piece of software just because someone asks you by email.
