Internet Security Discussion Forum: This forum is for the discussion of security related issues. If you find a new phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.
(No intention of discrediting Yahoo; they are one of my favorite companies. This just seems suspicious.)

A new email out there is being sent with a new spoof of Citibank. The email is HTML and looks exactly like a professional warning. It states that there is identity theft involved with your account and you must log on immediately. Here is more:

FROM: CITI
SUBJECT: ATTENTION CITIBANK CLIENT

The message is not text, but instead sent as an image, something obviously done to prevent spam programs from picking it up. Also, the entire image is linked. I have to admit, someone actually took an extra minute working on it. I received it myself, and I am not sure if they really think I am that dumb to click on a bank that I have never even banked with before.

So why am I suspicious that my email was hacked? Maybe because this email address doesn't exist to anyone except me! I sent a message to myself from a Yahoo account on another computer in an attempt to transfer some files. This is the first email the address had ever received. This email was BIG and surely grabbed attention. What worries me is evidence that there could be a Yahoo employee (or even one at my host) spamming email addresses. I am not joking, this email address didn't exist until yesterday, and the spoof was sent awfully timely. There has already been an issue with an AOL employee, could there be more?

I decided to do a little investigating myself, so I clicked on the image anyway. I really have nothing to worry about (my army of spam programs crushes everything). I will try to follow up and let you know if anything turns up.

Can anyone confirm this? Have they received similar emails with the same circumstances? Does anyone think this really could be an employee?
Here is the source code for the email. Anyone want to tell me what he was thinking?
<html> <font face="Arial"><map name="FPMap0"><area coords="0, 0, 610, 395" shape="rect" href="http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"></map>[img]cid:part1.02060101.08090008@supprefnum7763871162@citibank.com[/img]</a></font></p> <font color="#FFFFF5">in 1832 in fact What's the difference? no more in 1985 The Bible Israel & Palestine It'll be better in 1905 Believe It no doubt Final Fantasy Rap Lyrics ok deal O.K. Niki Taylor in 1951 FTP going to let me add No, i'm sorry in 2000 in 1908 in 1866 not at all </font></p></html>
This is a common scam and is categorized as phishing. Not only do these scammers use Citibank, they also use PayPal more frequently. They set up sites to look identical to the financial institution pages and even call the images in from the real site.

They even make the links appear to be to the financial institution within the email. However, when you view the source, you can actually see they are spoofing the email address with JavaScript so a different address appears in your status bar when you roll over the link. When you click these links, they even spoof your address bar.

The easiest way to determine if this is a real email at first glance is: who is the email addressed to? I know PayPal will send you an email using your real full name, such as "Dear John Jones," whereas these phishing scams will be addressed to "Dear Customer,".

If you think an email is "phishy" (pardon the pun), simply type the real site into your browser and log into your account to see if you really need to update any information. If you are technically advanced and know how to get the host's address by using the IP numbers in the link when viewing the source code, shoot the hosting site an email notifying them of the scam that is being run from their servers. Also, if this is a PayPal phishing scam, forward the email to spoof@paypal.com and they will take action as well.

Just as a side note, I have the latest McAfee virus scan and it quarantines these emails automatically.

This coming from a Yahoo employee? Who knows? Anything is possible. Everyone has a price! Would be real messed up though if it was.

Hope this helps!
Bill
I think this is happening everywhere. I'm in New Zealand and we get these same mails from all our main banks, including the Citibank and PayPal versions.

I also believe that this is merely a variation of an old school scam where people would obtain a bank/credit card then physically phone the card owner claiming to be a bank rep and asking for their PIN number as verification of identity.
I get at least one of these emails a day. They use lots of different logos. Most often for me it's Citi, Suntrust, Citizen's Bank, PayPal, or eBay.

Seems like a silly scam to me. I can't imagine falling for that. The PayPal and eBay ones are especially ridiculous. They go so far as to say that your account will be banned forever if you don't click through the link and validate your information immediately. Why would anyone believe something like that?
I see that spoofs are more common than I thought.

But is anyone seeing the inconsistency here? I didn't get the spoof until a couple of hours after I sent an email to myself from Yahoo. And I am not exaggerating, for this is an email address that didn't exist anywhere on the web (this was an address set up for me to send files specifically to myself). It is strange that I didn't receive any spam until I sent an email to myself from Yahoo. It's scary to think that people could be getting addresses from within Yahoo. Am I missing something here?
Salomon, like freeman.hunt says, I receive at least 1 to 4 of these daily, but then I have around 60 email accounts. Most are poorly done but they are getting better and they even like using the logos too in order to make them appear more authentic. I guess the easiest way for me to know it's BS is I don't have an account with them, lol, so let whoever is going after my money in their institution have all they can get, lol.

In regards to it being sent to a new virgin account only a few hours old, my first thought is of the old horror movie where someone keeps calling and hanging up and the police finally trace the call and they call the victim back and when the victim answers they say "The call is coming from within the house!" I would place a bet that your machine is infected before placing one that a Yahoo employee is to blame. Be sure to get an anti-virus/trojan program(s) installed, updated and run, or use a free online service. Chances are your machine is infected and that's how your addy was phished so quickly. You sending yourself bad mail is most likely the culprit, as this is how these malware type programs work: they take addys off people's machines and use them for their vile efforts. Good luck in finding and removing this problem and always be suspect of emails that discuss your financial well being, especially those that regard your personal banking accounts.
I know I am being a little stubborn, but here is why I think that... Maybe I need to clarify a bit...

I sent the email from a Yahoo account to one of my domain emails addressed @sunnie.tv. Both of these computers are scanned daily for trojans, spyware, malware, viruses, and McAfee is updated almost daily. I literally have an army of malware destroyers. Both the Yahoo account and all of my email addresses @sunnie.tv have never received spam the entire time they existed! What I hate about domain email forwarding is that anyone can send something to *.*@sunnie.tv and it will end up in Outlook. All of my other addresses in Outlook have existed for YEARS. Proud to say not once have I received spam until now.

You have a valid point, AzGoldPros, it could very well be a virus, and the more I think of it, could be one that hasn't been updated in the virus definitions. Tonight I will update my definitions and scan my system yet again.

To follow up, by the way, from my first post, this has been the only spoof received on my computer, and I haven't received any more since. Neither have I received any at all on my other email addresses. It just seems strange that I only get one spoof and no other spam. (I clicked on the link, too, I wanted to see if it would "validate" that address to the spammers.) This will be my last post unless I get more.
Just be careful, I have received the same from both: one claiming to be PayPal and one from Bank of America.

The PayPal scam looks at a web site and sees that a mail address is the PayPal account, then sends an email looking just like correspondence from them asking to verify by giving a pw. PayPal has mentioned that they will not send mails like that. The mail came also from inside Yahoo, which I was told the address could be verified.
Many spammers employ random address generators that (for example) hit up every combination of 16 letters or less at Yahoo (or MSN or Excite or ...) in an attempt to find email addresses that they don't have. It sounds like it hit on your new Yahoo address that way. If your spyware / adware / anti-virus is good I would expect you were just "lucky" to be where the random generator found you - if you want a more secure email address try minor servers that random generators don't target (no reasonable return in looking for a 300 member email host when there are 100,000+ hosts out there).

This particular email trick has been going on for some time - if you are angry or bored enough - the ASCII values "%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D" translate to:

%32 = 2, %31 = 1, %31 = 1, %2E = ., %39 = 9, %37 = 7, %2E = ., %32 = 2, %34 = 4, %38 = 8, %2E = ., %36 = 6, %30 = 0, : (port) %38 = 8, %37 = 7, / %63 = c, %69 = o, %74 = t, / %69 = o, %6E = n, %64 = d, %65 = e, %78 = x, %2E = ., %68 = n, %74 = t, %6D = m

Whois says this CHINESE site is owned by:

inetnum: 211.94.0.0 - 211.103.255.255
netname: CNNIC
descr: China Internet Network Information Center
country: CN
admin-c: HQ1-CN
tech-c: MW1-AP
tech-c: WZ2-AP
remarks: confederation CNNIC
mnt-by: MAINT-CNNIC-AP
changed: 19991214
status: ALLOCATED PORTABLE
source: APNIC

person: Hualin Qian
address: Chinese Academy of Sciences
address: Computer Network Center
address: P.O.Box 2418-26
address: Beijing, 100081
address: CN
phone: +86 1 2569960
e-mail:
nic-hdl: HQ1-CN
notify:
mnt-by: MAINT-NULL
changed: 19950419
source: APNIC

person: Mao Wei
address: China Internet Information Center(CNNIC)No. 4 of South street ,Zhongguancun,Haidian District
address: Beijing,100080
address: P.R.China
country: CN
phone: +86-10-62619750
fax-no: +86-10-62559892
e-mail:
nic-hdl: MW1-AP
mnt-by: MAINT-CNNIC-AP
changed: 20010319
source: APNIC

person: Wenhui Zhang
address: China Internet Information Center(CNNIC)
address: No.4,South Fourth street,Zhongguancun,Haidian
address: Beijing,100080
address: P.R.China
country: CN
phone: +86-10-62553604
fax-no: +86-10-62559892
e-mail:
nic-hdl: WZ2-AP
mnt-by: MAINT-CNNIC-AP
changed: 20020408
source: APNIC

...................... from www.whois.sc

If that makes it any clearer - didn't think so. They are in China and you are not likely to find them.
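Two points raised above lend themselves to a worked check: Bill's observation that the visible link and the real target differ, and the percent-escaped address rickkershner walks through. The Python script below is an added example, not code posted by anyone in this thread. It parses an HTML message body, decodes %XX-escaped link targets (the same href quoted in the first post comes out as 211.97.248.60:87/cit/index.htm), flags targets that are bare IP addresses or whose anchor text names a different host, and flags an image-only body whose remaining text is coloured to match the background, which covers both the near-white filler in the Citibank spoof and the dark-on-dark variant salomon741 pastes further down. The three sample messages are constructed, modelled on the HTML quoted in this thread; the PayPal-style one points at an address in the RFC 5737 documentation range, not at anything real.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX_RGB_RE = re.compile(r"#([0-9a-fA-F]{6})$")
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?$")


class MailParser(HTMLParser):
    """Collects link targets, anchor text, images and coloured text runs."""

    def __init__(self):
        super().__init__()
        self.links = []       # [raw href, visible anchor text]
        self.images = []      # <img src=...> values
        self.text_runs = []   # (font colour or None, text) outside anchors
        self.bgcolor = "#FFFFFF"
        self._anchor = None   # index into self.links while inside <a>...</a>
        self._font_color = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("href"):
            self.links.append([a["href"], ""])
            if tag == "a":
                self._anchor = len(self.links) - 1
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "font" and a.get("color"):
            self._font_color = a["color"]
        elif tag == "body" and a.get("bgcolor"):
            self.bgcolor = a["bgcolor"]

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor = None
        elif tag == "font":
            self._font_color = None

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if self._anchor is not None:
            self.links[self._anchor][1] += text
        else:
            self.text_runs.append((self._font_color, text))


def decode_url(href):
    return unquote(href)  # undo %XX escaping: %32%31%31%2E... -> 211....


def host_of(url):
    if "://" not in url:  # accept a bare domain as well as a full URL
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def low_contrast(fg, bg, tolerance=0x10):
    """True when two #RRGGBB colours nearly match, i.e. text hidden on the page."""
    pair = [HEX_RGB_RE.match(c.strip()) for c in (fg, bg)]
    if not all(pair):
        return False
    rgb = [[int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)] for m in pair]
    return all(abs(x - y) <= tolerance for x, y in zip(*rgb))


def analyze_email(html):
    """Return human-readable findings for one HTML message body."""
    p = MailParser()
    p.feed(html)
    findings = []
    for raw, text in p.links:
        decoded = decode_url(raw)
        host = host_of(decoded)
        if host_of(raw) != host:
            findings.append(f"percent-encoded link target: {raw} -> {decoded}")
        if IPV4_RE.match(host):
            findings.append(f"link target is a bare IP address: {host}")
        if URLISH_RE.match(text) and host_of(text) != host:
            findings.append(f"visible text names {host_of(text)} but link goes to {host}")
    hidden = [c and low_contrast(c, p.bgcolor) for c, _ in p.text_runs]
    if p.images and hidden and all(hidden):
        findings.append("body is an image; only near-invisible filler text is present")
    return findings


# Constructed samples modelled on the HTML quoted in this thread
SAMPLE_CITI = """<html><body><font face="Arial"><map name="FPMap0"><area coords="0, 0, 610, 395"
 shape="rect" href="http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D">
</map><img src="cid:part1.02060101.08090008@supprefnum7763871162@citibank.com" usemap="#FPMap0"></font>
<font color="#FFFFF5">in 1832 in fact What's the difference? no more in 1985</font></body></html>"""
SAMPLE_DARK = """<html><body bgcolor="#00000F" text="#00000E"><img src="cid:part1.06010205.07080403@jphwbjrynucmjj@hotmail.com">
<font color="#00000B">HotBot The Bible in 1843 Baseball</font><font color="#000000">Geena Davis It was nice</font></body></html>"""
# 203.0.113.7 is in the RFC 5737 documentation range, i.e. a made-up target
SAMPLE_PAYPAL = """<html><body><p>Dear Customer, your account will be suspended unless you verify it at
<a href="http://203.0.113.7/paypal/login.htm">https://www.paypal.com/</a>.</p></body></html>"""
```

Run `analyze_email(SAMPLE_CITI)` to see all three findings fire on the Citibank-style message; the PayPal-style message triggers only the bare-IP and text/target mismatch checks, and the dark-background message only the hidden-filler check. The contrast test compares the font colour against the body bgcolor rather than assuming a white page, which is what lets the same rule catch both colour schemes seen in this thread.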
I was concerned with something going on in another forum where I am admin, so doing checks and whatnot, I got similar results for tracing an IP to China.

This is what one of the others pointed out:
Quote:

rickkershner, thank you for a very informative post. I know there are ways of extracting some info from message headers, and I like your example. Thanks :O)
PS: I have read that the average phishing site stays up for 54 hours before it either moves or gets shut down.

I always view the message source to see that the URLs and the link text coincide, and many of the eBay spoofs I have seen have hotlinks to the graphics on the real sites. But invariably, the 'hidden' URLs point elsewhere. As said above, no reputable site will ask you to 'confirm' anything with an e-mail request out of the blue.

As an aside, and on topic LOL, I get more spam from Yahoo than any other accounts, Hotmail, webhosts etc., but this may or may not have to do with my history of signing up for newsletters. It just seems worse from Yahoo, but can also be due to people out there with my Yahoo address on their infected computers!

I don't know what to say, salomon741, you seem to have a very good grip on the situation. I hope you report back to us :O)
As was posted, spammers do use random generators to find "itsme123@yourisp.com"; that is clear with some poorly written generators that don't even cover their own tracks. On your Yahoo account, usually clicking the [this is SPAM] button over the email will redirect the email to the bulk folder. The more insidious type to worry about is when the only content is the word 'test' or a silly question like "what is your country" in the body. These people are either looking for non-bounces or for your reply to register your address as a valid address.

Now if the address is on a domain you own, you must take common sense steps from the moment you publish your new site to the web. Never use a direct HTML mailto link to your domain mail; obfuscate it or pass it through a reputable script. Turn off the unlimited email aliases. Manually create each address you want to use, then (if you use cPanel(tm)) select sending all non-specified email addresses to 'blackhole' or 'fail'. Without doing this, if the spammers did get your domain email you would need SpamAssassin or a similar server-side filter to dump the flood of junk mail you would get.
Previously in my last post I said I would not post any more messages unless I got more. But guess what, IT'S BACK!!!

Sent again to the same email address. To respond to webtech, the only direct link to my domain emails is on my regular site (see below) and since it's not finished I had it removed from Google and other SEs so that wouldn't happen. It's not even the same address as the one with the spam, but there are risks to be assessed. Although spammers can still crawl and find it (like here), I still hadn't gotten any spam until that message I sent from Yahoo. Thanks for reminding me webtech, though, because removing the link was on the "to do" list, but now it's a priority.

By the way, the spam I just received was the same one as before: generated as an image. It seems to be a new technique to avoid anti-spammer software, and to cover it up the text hidden in the message is legit sounding to programs. Here's the code, and let's see if we can trace it to the same Chinese company again!

<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body bgcolor="#00000F" text="#00000E"> [img]cid:part1.06010205.07080403@jphwbjrynucmjj@hotmail.com[/img]</p> <font color="#00000B">HotBot The Bible in 1843 Baseball</font></p> <font color="#000000">Geena Davis It was nice</font></p></body></html>
This reminded me of something that I was going to post about here but forgot.

I helped register a domain name with Network Solutions a few months back for a computer-illiterate friend of mine. He was composing a letter to someone with an "idea" he had and the domain name was his suggestion for the project name. He had never used this name before for anything else, no business ties to it or anything. It was pretty much a spur of the moment thing. He also used the project name as his "company name" when registering it, and his cell phone number.

The very next day (before he had even mailed the letter) he received a call on his cell phone from someone trying to sell him web design or hosting services or something of the sort. Confused, he asked them why they'd be calling him and their response was "This is (the company name) isn't it?"

Now I know when someone applies for a business license, it's a "public record" and every day there are numerous companies and/or individuals reviewing these new licensees, adding them to their lists to use for their own telemarketing solicitations etc. Get a business license and you are overwhelmed with calls from companies selling everything from business cards to credit card processing services. But is there the same sort of "list" made available of newly registered domain names? Like the one you can get at the County Clerk's office for new business licenses?

We know it wasn't a Network Solutions rep calling him either. The number was still in his cell phone and when we tried calling back, it went directly to voicemail with "You have reached ### - No one is available to take your call..etc" Sure seemed suspicious to me! Anyone had a similar experience?

Thanx!
Carrie**
salomon741, let's see if we can trace it
Quote:

No traces, ping, get, etc. Looks like they may be fishy anyways, or were: http://www.webmasterworld.com/forum25/1781.htm There are definitely bulk mail servers operating through them.
stargateinc.com registrar has forgery/spoofer
Quote:
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved