Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#265202 - 15/09/2005 10:54 I smell a phish?
pedrohoon
enthusiast

Registered: 06/08/2002
Posts: 333
Loc: The Pilbara, Western Australia
I just received the following email, purportedly from "payments-messages@amazon.com"

Dear xxxxx@xxx.xxx.au ,

Greetings from Amazon Payments.

Your bank has contacted us regarding some attempts of charges from your credit card via the Amazon system. We have reasons to believe that you changed your registration information or that someone else has unauthorized access to your Amazon account Due to recent activity, including possible unauthorized listings placed on your account, we will require a second confirmation of your identity with us in order to allow us to investigate this matter further. Your account is not suspended, but if in 48 hours after you receive this message your account is not confirmed we reserve the right to suspend your Amazon registration. If you received this notice and you are not the authorized account holder, please be aware that it is in violation of Amazon policy to represent oneself as another Amazon user. Such action may also be in violation of local, national, and/or international law. Amazon is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft. Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the full extent of the law.


To confirm your identity with us click here:
https://www.amazon.com/exec/obidos/flex-...-in-secure.html

After responding to the message, we ask that you allow at least 72 hours for the case to be investigated. Emailing us before that time will result in delays. We apologize in advance for any inconvenience this may cause you and we would like to thank you for your cooperation as we review this matter.

Thank you for your interest in selling at Amazon.com.

Amazon.com Customer Service
http://www.amazon.com

This message and any files or documents attached may contain classified information. It is intended only for the individual or entity named and others authorized to receive it. If you are not the intended recipient or authorized to receive it, you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately then delete it from your system. Please also note that transmission cannot be guaranteed to be secure or error-free.


Note that in the beginning they are concerned about charges to my credit card, but near the end they say
"Thank you for your interest in selling at Amazon.com"

The hyperlink takes you to a website that is a non-secure copy of the Amazon login page. There is no https: in the address bar, and the fonts appear smaller. My email address was correct.


Has anyone else come across this? If not then please be alert if you are an Amazon customer!
_________________________
Peter.

"I spent 90% of my money on women, drink and fast cars. The rest I wasted." - George Best

Top
#265203 - 15/09/2005 11:15 Re: I smell a phish? [Re: pedrohoon]
msaeger
carpal tunnel

Registered: 23/09/2000
Posts: 3608
Loc: Minnetonka, MN
I have gotten the same thing only they use paypal vs amazon.

Top
#265204 - 15/09/2005 11:20 Re: I smell a phish? [Re: pedrohoon]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
I always check the headers of messages like this, to check that they really originated from the supposed sender's servers. Much safer than opening any links included in the message.
_________________________
Remind me to change my signature to something more interesting someday

Top
#265205 - 15/09/2005 11:24 Re: I smell a phish? [Re: andy]
pgrzelak
carpal tunnel

Registered: 15/08/2000
Posts: 4859
Loc: New Jersey, USA
A definite phish. I received the same thing. If you check the headers, you will see that the source is not authentic.

Edit: Damn! For whatever reason, after reading this, thinking about the phish and fish, my mind went to the song "Fish Heads". Now I have the tune going through my mind, and I can't get it out!!!

Edit 2: Yes. I know. I need professional psychological help.
_________________________
Paul Grzelak
200GB with 48MB RAM, Illuminated Buttons and Digital Outputs

Top
#265206 - 15/09/2005 11:33 Re: I smell a phish? [Re: pgrzelak]
pedrohoon
enthusiast

Registered: 06/08/2002
Posts: 333
Loc: The Pilbara, Western Australia
Good point.
The message ID appears to be:

<20050915074609.23110.qmail@ebay.com>

and the return path is:

<aw-confirm@ebay.com>

If these emails are coming from ebay, is there a way to alert ebay to this and get some info on the offenders?
_________________________
Peter.

"I spent 90% of my money on women, drink and fast cars. The rest I wasted." - George Best

Top
#265207 - 15/09/2005 11:38 Re: I smell a phish? [Re: pedrohoon]
pgrzelak
carpal tunnel

Registered: 15/08/2000
Posts: 4859
Loc: New Jersey, USA
Most of the major players (ebay, paypal, etc.) have an email ID spoof @ companyname.com for reporting spoof email. Amazon, just to be annoying, uses stop-spoofing@amazon.com.

Just make sure you send the entire message with headers. Do not expect a reply back. I think they just like to have an archive of phishing attempts so that if someone is caught and tried, they can claim millions of counts against them.
_________________________
Paul Grzelak
200GB with 48MB RAM, Illuminated Buttons and Digital Outputs

Top
#265208 - 15/09/2005 11:47 Re: I smell a phish? [Re: pgrzelak]
pedrohoon
enthusiast

Registered: 06/08/2002
Posts: 333
Loc: The Pilbara, Western Australia
Righto, I will send it off, thanks!
_________________________
Peter.

"I spent 90% of my money on women, drink and fast cars. The rest I wasted." - George Best

Top
#265209 - 15/09/2005 12:03 Re: I smell a phish? [Re: pedrohoon]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Just looking at the message id and return path in the header is not enough, you can fake those.

You need to look at the list of received headers, to check that the message came direct from the sender's server to your (or your ISPs) server.
_________________________
Remind me to change my signature to something more interesting someday

Top
#265210 - 15/09/2005 22:54 Re: I smell a phish? [Re: andy]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
And don't be fooled by "Received:" entries below the first transaction with your server. They can also be spoofed. A spammer to my work address enjoys using dictionary-picked words to create fake hostnames for that part of the header.
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#265211 - 16/09/2005 06:14 Re: I smell a phish? [Re: FireFox31]
frog51
pooh-bah

Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
Don't be embarrassed - most of the corporates I lecture to are fooled, including their IT departments. If you check out Antiphishing.org for information you may be saddened or amused by the figures.

Generally the rule of thumb is distrust all links in unsolicited email. Using proper email (ie no html!) also helps protect.

The upside is that phishing is slightly in decline. The downside is that spearphishing (targeted phishing is on the up) and the use of trojans to redirect is becoming very popular. These remove the need to fool people into clicking on a link - they actively redirect so you may type www.mybank.com into your browser and end up going to www.thebadguys.com.

More arguments to patch, use antivirus and get a firewall installed!!!
_________________________
Rory
MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi
MkII, 240Gb in Mark Lord dock
MkII, 80Gb SSD in dock

Top
#265212 - 16/09/2005 07:13 Re: I smell a phish? [Re: frog51]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Quote:
More arguments to patch, use antivirus and get a firewall installed!!!


...and to stop running as an Administrator if you can get away with it.
_________________________
-- roger

Top
#265213 - 16/09/2005 07:52 Re: I smell a phish? [Re: pedrohoon]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
Quote:
The hyperlink takes you to a website that is a non-secure copy of the Amazon login page. There is no https: in the address bar, and the fonts appear smaller. My email address was correct.

It's alarming that you know that. Do not click on the links in these things. At the very least, your click-through validated your email address, making it more valuable than a non-validated address when sold-on to the next spammer in the line. At worst, these phishes can be used to drive traffic to viruses.

Instead, either look at the email in plaintext (non-HTML) view to verify that the link points to where it says, or hover the pointer over the link and see whether it shows you the actual destination of the link in the status bar at the bottom of the window. If your mailer supports neither of these safety features, uninstall it and get a better one.

Peter

Top
#265214 - 16/09/2005 12:09 Re: I smell a phish? [Re: peter]
pedrohoon
enthusiast

Registered: 06/08/2002
Posts: 333
Loc: The Pilbara, Western Australia
Oops!

Quote:
At worst, these phishes can be used to drive traffic to viruses.


I have Norton A/V and I/S on XP, would that be enough to stop nasties?

BTW I am using Thunderbird 0.1a as my mail client - it has a status bar but I can't find anywhere that gives me the option of viewing messages as text only. I have disabled the message preview pane, does that help?

Thanks.
_________________________
Peter.

"I spent 90% of my money on women, drink and fast cars. The rest I wasted." - George Best

Top
#265215 - 16/09/2005 12:17 Re: I smell a phish? [Re: pedrohoon]
BAKup
addict

Registered: 11/11/2001
Posts: 552
Loc: Houston, TX
View -> Message Source, or Ctrl+U to view the raw message text in Thunderbird.
_________________________
--Ben
78GB MkIIa, Dead tuner.

Top
#265216 - 16/09/2005 13:02 Re: I smell a phish? [Re: pedrohoon]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Quote:

I have Norton A/V and I/S on XP, would that be enough to stop nasties?



No combination of security software can guarantee that nasties won't get through. It is perfectly possible for some new security hole to be found that defeats all your security software and for it to be used against you before you have the latest updates/patches.

If you don't click on the link on the email then you never load the web page and it removes another potential risk.
_________________________
Remind me to change my signature to something more interesting someday

Top
#265217 - 16/09/2005 14:56 Re: I smell a phish? [Re: pedrohoon]
schofiel
carpal tunnel

Registered: 25/06/1999
Posts: 2993
Loc: Wareham, Dorset, UK
I would suggest you update to the current 1.0.6 release which has a number of security related fixes in it.
_________________________
One of the few remaining Mk1 owners... #00015

Top
#265218 - 17/09/2005 08:54 Re: I smell a phish? [Re: andy]
pedrohoon
enthusiast

Registered: 06/08/2002
Posts: 333
Loc: The Pilbara, Western Australia
Quote:


If you don't click on the link on the email then you never load the web page and it removes another potential risk.


If I was to do something silly like I did, but under another OS like Linux or OSX, would it have the same consequences?
_________________________
Peter.

"I spent 90% of my money on women, drink and fast cars. The rest I wasted." - George Best

Top
#265219 - 17/09/2005 08:58 Re: I smell a phish? [Re: schofiel]
pedrohoon
enthusiast

Registered: 06/08/2002
Posts: 333
Loc: The Pilbara, Western Australia
Yes, I really must get around to updating both Thunderbird and Firefox. I know it is not a big job but it is one of those things that seems to get put off for "tomorrow".
_________________________
Peter.

"I spent 90% of my money on women, drink and fast cars. The rest I wasted." - George Best

Top
#265220 - 17/09/2005 13:22 Re: I smell a phish? [Re: pedrohoon]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Only marginally relatedly, I just got a Nigerian spam that contains the line:

Quote:
His death decrease the morale of our National Team towards the up-coming 17th FIFA COUPE DE MONDE tagged KOREA/JAPAN 2002.

Not exactly timely, is it?
_________________________
Bitt Faulk

Top
#265221 - 17/09/2005 14:26 Re: I smell a phish? [Re: wfaulk]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
Quote:
Not exactly timely, is it?

Even still, I'm sure someone out there fell for it.
_________________________
- Tony C
my empeg stuff

Top
#265222 - 17/09/2005 14:45 Re: I smell a phish? [Re: pedrohoon]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Quote:
Quote:


If you don't click on the link on the email then you never load the web page and it removes another potential risk.


If I was to do something silly like I did, but under another OS like Linux or OSX, would it have the same consequences?


Pretty much, yes. The severity of the extra risk that you introduce will be different on different systems, but you are still increasing the risk whatever system/software you are using.
_________________________
Remind me to change my signature to something more interesting someday

Top