Please find attached INVOICE number - with analysis

Post scam emails to warn other rental owners, or if you are not sure if an enquiry is genuine, put it up here and see what others think.
kevsboredagain
Posts: 3207
Joined: Sat Jan 20, 2007 9:32 am
Location: France

Post by kevsboredagain »

Message:
Please find attached INVOICE number 224245 from Power EC Ltd

Attachment:
Word document

YOU SHOULD ALREADY KNOW AT THIS POINT THAT THE EMAIL IS MALICIOUS

Email verification:
Using the tool http://tools.email-checker.com/ showed that the from email address was not a valid email address, i.e. it does not exist or has been suspended.

Message header:
In Outlook, you open the email, click File/Properties then copy the section Internet Headers. Other email programs will be different.

Pasting the header into the tool http://www.iptrackeronline.com/email-he ... alysis.php shows the source of the email to be Roseau in Dominica.

Malicious email confirmed
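
The header check described in the post above can also be done locally. The following is an added example, not part of the original post: it reads the Received lines from pasted headers and returns the address that connected to the recipient's mail server, and compares the From domain with the Return-Path domain. The sample headers, IP addresses and domain names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: documentation IPs and .example domains, not taken from the thread.
# The bottom Received line is the kind of hop a sender can write in themselves.
SAMPLE_HEADERS = """\
Received: from mx.recipient.example ([10.0.0.5]) by mailbox.recipient.example; Mon, 8 Dec 2014 13:40:02 +0000
Received: from unknown-host.example ([203.0.113.77]) by mx.recipient.example; Mon, 8 Dec 2014 13:40:01 +0000
Received: from trusted-bank.example ([198.51.100.9]) by unknown-host.example; Mon, 8 Dec 2014 13:39:58 +0000
Return-Path: <bounce@bulk-sender.example>
From: "Sales Department" <item@shop.example>
Subject: Your order

"""

# Hops inside the recipient's own network (assumed to use RFC 1918 / loopback space).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def edge_sender_ip(raw_headers):
    """IP that handed the mail to the recipient's servers, or None.

    Received headers are prepended, so the newest is first. Lines written by
    the recipient's own servers are trustworthy; anything below the first
    external hop was supplied by the sender and may be forged.
    """
    msg = message_from_string(raw_headers)
    for hop in msg.get_all("Received", []):
        for text in IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:      # regex matched something like 999.1.1.1
                continue
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def sender_domains(raw_headers):
    """(From domain, Return-Path domain, whether they match)."""
    msg = message_from_string(raw_headers)
    doms = [parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
            for h in ("From", "Return-Path")]
    return doms[0], doms[1], doms[0] == doms[1]

if __name__ == "__main__":
    print("Connecting IP:", edge_sender_ip(SAMPLE_HEADERS))
    print("From / Return-Path:", sender_domains(SAMPLE_HEADERS))
```

A From domain that differs from the Return-Path domain is a hint rather than proof, since legitimate mailing services also produce that mismatch. The connecting IP is the value to look up when deciding whether the named company's own servers were involved.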
T.S.
Posts: 145
Joined: Fri Jun 10, 2011 6:57 pm
Location: California, USA

Post by T.S. »

Useful information -- thank you!
tavi
Posts: 2578
Joined: Wed Sep 14, 2011 9:07 pm
Location: Algarve

Post by tavi »

Today I got this one:

Good afternoon,

Your order #95108242335 will be shipped on 16.12.2014.
Date: December 08, 2014. 01:32pm
Price: £171.59
Transaction number: 59A1972F717649

Please find the detailed information on your purchase in the attached file order2014-12-08_95108242335.zip

Kindest regards,
Sales Department
Esmeralda Burka
+07877-189894

attachment:

email address is item at penstamps.co.uk

No, I didn't open the attachment - put the thing straight into the bin.

Kev, your email checker tells me it's a catch all email address. Not that it matters....it was obviously malicious - to me anyway. Possibly someone who'd just ordered some Christmas gifts to that value might click on the attachment without thinking. :?
kevsboredagain
Posts: 3207
Joined: Sat Jan 20, 2007 9:32 am
Location: France

Post by kevsboredagain »

There's no doubt the email was malicious at all but that domain name looks to be genuine to me and registered in 2006. Having a catch all email is not a problem and most hosting companies will allow you to do this.

Therefore, in my opinion, the email address has been faked and quite likely belongs to an innocent company, who have nothing to do with the email you received.

So now when someone searches Google for that company, they could easily stumble upon this thread. In fact, it already does. :(

There's always the possibility that this company has an infected machine sending these out but analysis of the header should reveal if that were the case.
tavi
Posts: 2578
Joined: Wed Sep 14, 2011 9:07 pm
Location: Algarve

Post by tavi »

So now when someone searches Google for that company, they could easily stumble upon this thread. In fact, it already does.

I'm not very confident trying to copy the IP address from headers into trackers....etc....etc...so the first thing I always do when suspicious is google the company and/or the email address. I can't find any website or company with the same name.......?
kevsboredagain
Posts: 3207
Joined: Sat Jan 20, 2007 9:32 am
Location: France

Post by kevsboredagain »

tavi wrote:
So now when someone searches Google for that company, they could easily stumble upon this thread. In fact, it already does.

I'm not very confident trying to copy the IP address from headers into trackers....etc....etc...so the first thing I always do when suspicious is google the company and/or the email address. I can't find any website or company with the same name.......?

Actually, you're sort of correct. The domain was registered in 2006 but is now for sale. Some cached pages are listed on Google. I'm fairly sure the scammer has not owned this domain since 2006 and has been successfully using it for his email campaign for 8 years.

If your company email was faked in this way, would you be happy for it to be posted as a scammer to aid people searching for the same fake email address?


PenStamps.co.uk is for sale!

The owner of the domain you are researching has it listed for sale at $938.
Casscat
Posts: 2692
Joined: Sat Jul 05, 2014 10:43 pm

Post by Casscat »

I get two or three versions of this kind of thing every day at work. The main red flag is are you expecting an invoice/debit/credit/whatever from this company or organisation? Ninety nine times out of 100 you don't have to do anything other than just instantly delete the damn thing because it smells so fishy you need a peg for your nose. I have sometimes Googled the companies concerned and most often they come up as a blank (unless linking to a scam reporting site :mrgreen:) but on the rare occasion that there is a legit company by that name it's pretty damn obvious that they've been hijacked and are not behind the spam campaign. People ain't altogether stoopid.
tavi
Posts: 2578
Joined: Wed Sep 14, 2011 9:07 pm
Location: Algarve

Post by tavi »

If your company email was faked in this way, would you be happy for it to be posted as a scammer to aid people searching for the same fake email address?

But in this case, Kev, surely our Googling indicates that there is no legitimate company by this name operating at present?

Like Cass, I get other versions of this sort of stuff often. If I'd found a real company of that name on Google I'd still know that the email I got was not from them because I know I haven't ordered anything. And of course I wouldn't bother posting that email address to warn people - though I might post the body of the rubbishy message which would be much more useful to everyone.

Which, of course, is your point in the other threads on the subject :)
Casscat
Posts: 2692
Joined: Sat Jul 05, 2014 10:43 pm

Post by Casscat »

When it's corporate it's pretty obvious that the hijacked company is just a victim and no one thinks "Hell, I've done business with that company for years and LOOK! they're scammers!!!!" It just does not happen. Period. Potential clients? If they Google at all the wealth of routine stuff is going to outweigh the spurious, particularly when the hijacked spamming is bound to be referred to somewhere along the line as a hijack - god bless the internet for offering up both the negative and the positive. There was one firm I received several 'invoice' emails from, and to be fair it did begin to pi$$ me off. I Googled them and they were a genuine company so I didn't bother to enquire any further. I knew it wasn't their fault. Their orbit was one that I would never connect with, which was one of the reasons why their repetitive contact was so unlikely, but did I tarnish them? No. Do I even remember the name of the company in question? No. I just jogged on.
kevsboredagain
Posts: 3207
Joined: Sat Jan 20, 2007 9:32 am
Location: France

Post by kevsboredagain »

There is a currently registered, legitimate domain name, which is now for sale and has been used since 2006. It still belongs to someone. It may be no longer trading but it was most likely NOT the source of the scam email and therefore should not be implicated as such.

My post was not made to show how you would identify this as a malicious email, which for most people would be fairly obvious. I chose a simple email as an example and it was the only one I had available at the time.

My post was an attempt to show how you might use some tools to determine that the source was fake and therefore avoid making a public accusation of an innocent person or company. If the email comes from joe.blogs@aol.com, a Google search is not enough to prevent false accusations.
Casscat
Posts: 2692
Joined: Sat Jul 05, 2014 10:43 pm

Post by Casscat »

The information on 'reading' the true origins of an email is very, very valuable, but the message being purveyed is still a well worn one.