1. Scammers quickly exploit Hurricane Sandy disaster
Email scammers quickly jumped to take advantage of the effort to aid communities in the northeastern U.S. hit by super storm Sandy last week. Sadly, such scam emails that impersonate charities such as the Red Cross are an expected part of the aftermath of any disaster that makes world headlines these days.
An email account monitored by the AVG Web Threats Research group received the email below from an anonymous Tor Mail account.
Tor Mail is a Tor Hidden Service that allows anyone to send and receive email anonymously. It is produced independently from The Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
The free @tormail.org accounts include webmail, SMTP, POP3 and IMAP access. So, basically, these are fully anonymous, fully reputable email addresses.
It should be clear to anyone with any experience on the Internet that this email is bogus. The text looks authentic, since the scammers have copied most of the Red Cross’s own professionally written text. However, legitimate organizations and businesses don’t send from anonymous or web mail (Yahoo, Gmail, etc.) services.
The email was delivered to an Australian ISP’s mail server from the IP address 18.104.22.168, which has a reverse DNS name of grantw2.lnk.telstra.net.
It seems very unlikely that the Red Cross would be sending legitimate emails through a major Australian Telco’s server to get a message to a UK email address.
The fact that the email account that received the scam posting was never on any Red Cross mailing list is further evidence that the email was a fake.
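The three sanity checks applied above (sender on an anonymous or webmail domain, relay host unrelated to the claimed organisation, recipient never on the mailing list) can be automated at the mail gateway. The script below is an added example written for this post, not AVG’s own tooling. The two sample messages are constructed: the scam one reuses the values quoted above (a tormail.org sender, relay 18.104.22.168 with PTR grantw2.lnk.telstra.net); the legitimate one uses a documentation-range address, and the reverse-DNS table, the subscriber list and the small “impersonated organisations” allow-list stand in for a live PTR lookup and real subscription data so that it runs offline.

```python
import email
import re
from email.utils import parseaddr

# Domains of anonymous / free webmail services that a charity's fundraising
# mail should never originate from (the post names Tor Mail, Yahoo and Gmail).
ANONYMOUS_SENDER_DOMAINS = {"tormail.org", "yahoo.com", "gmail.com"}

# Assumed allow-list: keyword in the display name -> domains the real
# organisation sends from. Illustrative only; a real filter would be larger.
IMPERSONATED_ORGS = {"red cross": {"redcross.org"}}

# Constructed stand-in for a live PTR lookup so the example runs offline.
# The first entry is the IP / host name quoted in the post; the second is made up.
REVERSE_DNS = {
    "18.104.22.168": "grantw2.lnk.telstra.net",
    "192.0.2.10": "mail.redcross.org",
}

# Constructed list of addresses that actually subscribed to the charity's mailings.
SUBSCRIBED_RECIPIENTS = {"donor@example.org"}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed scam message modelled on the one described in the post.
SCAM_MESSAGE = """\
Received: from grantw2.lnk.telstra.net (grantw2.lnk.telstra.net [18.104.22.168])
\tby mx.example-isp.com.au with ESMTP id ABC123
\tfor <recipient@example.co.uk>; Tue, 30 Oct 2012 10:12:13 +1100
From: "American Red Cross" <redcross-donate@tormail.org>
To: recipient@example.co.uk
Subject: Help Hurricane Sandy victims - donate now

Dear friend, ...
"""

# Constructed legitimate message for comparison.
LEGITIMATE_MESSAGE = """\
Received: from mail.redcross.org (mail.redcross.org [192.0.2.10])
\tby mx.example.org with ESMTP id DEF456
\tfor <donor@example.org>; Tue, 30 Oct 2012 10:12:13 +0000
From: "American Red Cross" <news@redcross.org>
To: donor@example.org
Subject: Hurricane Sandy relief update

Dear donor, ...
"""


def relay_ip(msg):
    """Return the IPv4 address recorded in the first (most recent) Received header."""
    for hop in msg.get_all("Received") or []:
        m = IPV4_IN_BRACKETS.search(hop)
        if m:
            return m.group(1)
    return None


def sender_domain(msg):
    """Lower-cased domain part of the From address."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def host_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (dot-boundary aware)."""
    return host == domain or host.endswith("." + domain)


def charity_scam_indicators(raw_message):
    """Apply the checks described in the post and return a list of findings."""
    msg = email.message_from_string(raw_message)
    findings = []
    domain = sender_domain(msg)
    display_name, _ = parseaddr(msg.get("From", ""))

    # 1. Legitimate organisations do not send from anonymous or free webmail services.
    if domain in ANONYMOUS_SENDER_DOMAINS:
        findings.append(f"sender domain {domain} is an anonymous/webmail service")

    # 2. The display name claims an organisation whose real domain does not match.
    for keyword, real_domains in IMPERSONATED_ORGS.items():
        if keyword in display_name.lower() and domain not in real_domains:
            findings.append(f"display name claims '{keyword}' but sender domain is {domain}")

    # 3. The relay that handed the mail to our MX is an unrelated host (e.g. an ISP).
    ip = relay_ip(msg)
    if ip:
        ptr = REVERSE_DNS.get(ip, "")
        related = {domain}.union(*IMPERSONATED_ORGS.values())
        if not any(host_in_domain(ptr, d) for d in related):
            findings.append(f"relay {ip} ({ptr or 'no PTR'}) is unrelated to the claimed sender")

    # 4. The recipient never subscribed to this organisation's mailings.
    _, recipient = parseaddr(msg.get("To", ""))
    if recipient.lower() not in SUBSCRIBED_RECIPIENTS:
        findings.append(f"recipient {recipient} is not on the organisation's mailing list")

    return findings


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(name, charity_scam_indicators(raw) or ["no indicators"])
```

The checks are deliberately cheap header-only heuristics meant to feed a score or a quarantine rule rather than to block on their own; any one of them can misfire (a small charity genuinely using Gmail, a subscriber using a forwarding address), but all four firing together, as they do for the constructed scam message, is a strong signal.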
2. New “FBI” ransomware page designs spread
The AVG Web Threats Research group found several new ransomware page designs recently. In the first one, the “case number” and the name of the alleged FBI agent change. In the second, the scammers have borrowed from the MoneyPak fraud alert text. The third plays an audio file with the message: “FBI warning: your computer is blocked for violation of federal law.”
Ransomware that makes a victim’s machine unusable and claims to be the action of a major law enforcement agency (the FBI in the U.S. or the Metropolitan Police in the U.K.) is often downloaded onto victims’ machines through a Blackhole exploit kit installation on a compromised web server. We’ve seen a variety of designs since the most recent spate began earlier in the year. They all demand payment of a “fine” – usually $200 US – through an untraceable payment system such as MoneyPak®.
If a victim is naïve enough to pay the $200 fine and enters the MoneyPak code, the following page appears:
The second page we found has an interesting alteration of the usual MoneyPak fraud alert. The ransomware page carries the usual warning “Use your MoneyPak number only with businesses listed at MoneyPak…” but adds “…and United States Federal Bureau of Investigation.”
The REAL MoneyPak page with tips for protecting users from fraud is here:
The third variant is similar to the other two, but has the line “VIDEO RECORDING” with a note in clumsy English: “Your video stream is transferred in our bureau.” The page features the non-standard use of a U.S. dollar sign (“200$”) twice, although it also contains the standard usage, “$4.95”, when referring to a service fee.
– AVG Threat Research Group