I did not buy that !?
- By Jay HS
- Published 04/12/2007
Let's take a look at the source of the email (i.e. 'view source') below, and at a picture of the email as we originally received it. We have highlighted our text in blue to separate it from the email attachments.
----Attached----
Return-path: <mdimengo@integracom.net>
Delivery-date: Thu, 12 Apr 2007 05:18:21 -0500
Received: from [124.248.31.38] (helo=mail.integracom.net)
(envelope-from <mdimengo@integracom.net>)
id 1HbwNh-0005rd-EQ
Received: (from root@localhost) by mail4.integracom.net (8.11.3/8.11.3)
id k4V0OhN38045; Thu, 12 Apr 2007 18:34:27 -0800 (PDT envelope-from root)
Message-ID: <0fe901c77d72$1c27c2a0$8be0324c@VWXNAA>
Date: Thu, 12 Apr 2007 18:34:27 -0800
From: "Customer Support" <mdimengo@integracom.net>
X-Header-CompanyDBUserName: hpccm
X-Header-MasterId: 355317
X-Header-Versions: Hewlett-Packard.8t7bn0nd1.fk@us.newsgram.hp.com
X-Auth: 3-DES
X-Auth-bits: 74374166807466723011212670
Subject: Support Request
<html><body>
<p>Thank you for using the digital locker at Windows Marketplace.</p>
<p>This email confirms that you have successfully purchased:</p>
<p>Microsoftr Windows Vista Ultimate UPGRADE<br/>
Quantity: 1<br/>
Reseller: Circuit City</p>
<img src="http://218.106.165.181/rnd.gif.php?jpg=XXXXXX@XXXXXXXXXX.com">
<p>You can now access your license or licenses that have been delivered to your digital locker.</p>
<p>To download your new software, open your <a href="http://g.msn.com/WMHFUSEN/102146">digital locker</a> and choose a download method. We recommend that you use the digital locker assistant to help you download and install your software, make a backup CD of the software, and view your license information. Learn more about how to use the digital locker assistant <a href="http://g.msn.com/WMHFUSEN/102150">here</a>.</p>
<p>If you'd like to use your Internet browser to download the software instead, click Use Browser File Download in your digital locker to download software.</p>
<p>Learn more about using the digital locker and read the answers to frequently asked questions <a href="http://g.msn.com/WMHFUSEN/102152">here</a>.</p>
<p>If you need to change your billing information, contact information, download preference or other digital locker information, visit your <a href="http://g.msn.com/WMHFUSEN/102148">Profile page</a>.</p>
<p>For assistance with your digital locker account please contact our <a href="http://g.msn.com/WMHFUSEN/102091">Support Team</a>.</p>
<p>Thank you again for using the digital locker at Windows Marketplace.</p>
<p>Enjoy your new software!</p>
</body></html>
----End Attachment----
The email actually looks like this:

----Attached Picture----

----End Attached Picture----
Observations:
The blue links point to the original msn.com website. For example, http://g.msn.com/WMHFUSEN/102152 actually opens the help page at Windows Marketplace. These links are the only real thing in the entire email. The rest is a scam.
1) Obviously, in most cases the receiver did not buy the software. If he did, it would be pure coincidence that he received a scam email about the product he had just bought.
2) As you can see in the attached picture, my email software automatically refuses to load the picture from the site. From the source, we see that the image tag is actually '<img src="http://218.106.165.181/rnd.gif.php?jpg=XXXXXX@XXXXXXXXXX.com">'. A whois check on the IP leads to a server in Beijing, China.
The picture is actually a PHP script file. At the very least, it can confirm that you are reading your email, so that they can spam you even more. It can probably do more than that.
3) The IP address 124.248.31.38 in the header leads us to a company in Beijing, China.
That said, IP address tracking does not necessarily mean that the scammer is located in the same place. The scammer could have used a compromised server there and sent out the mail via a proxy.
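The check behind observation 2 can be automated. The following is an added example, not part of the original article: it scans an HTML mail body for remote references that look like read-confirmation beacons. The function names, the list of script extensions and the trimmed sample body are assumptions made for this illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: two lines trimmed from the email source shown above.
SAMPLE_HTML = """<html><body>
<img src="http://218.106.165.181/rnd.gif.php?jpg=XXXXXX@XXXXXXXXXX.com">
<p>Open your <a href="http://g.msn.com/WMHFUSEN/102146">digital locker</a>.</p>
</body></html>"""

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
SCRIPT_EXT = (".php", ".asp", ".aspx", ".cgi", ".pl")  # assumed list

class RemoteRefs(HTMLParser):
    """Collect (tag, url) for every remote <img src> and <a href>."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = {"img": "src", "a": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and url.lower().startswith(("http://", "https://")):
            self.refs.append((tag, url))

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(html):
    """Return [(tag, url, [reasons])] for references that look like beacons."""
    parser = RemoteRefs()
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        parts, reasons = urlsplit(url), []
        if is_ip_literal(parts.hostname or ""):
            reasons.append("host is a bare IP address")
        if tag == "img" and parts.path.lower().endswith(SCRIPT_EXT):
            reasons.append("image is served by a server-side script")
        if any(EMAIL_RE.fullmatch(v) for _, v in parse_qsl(parts.query)):
            reasons.append("query string carries an email address")
        if reasons:
            findings.append((tag, url, reasons))
    return findings
```

On the sample, only the image is reported, for all three reasons; the g.msn.com link passes, which matches the observation that those links are genuine.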
Lesson Learnt:
In most cases, I would have deleted the email, as similar ones are often badly written. In this case, the email appears to have been copied from an original email that could have been issued to a real customer. The scammer simply inserted his code into the email, set up the file, and sent out the mail as spam.
7 Responses to "I did not buy that !?" 
|
said this on 08 Mar 2008 8:38:26 PM CST
The digital locker really is truly EXCELLENT!! I download things very quickly.
Thank you for the great gift you sent me. |
|
said this on 18 Apr 2008 6:57:46 PM CST
I did not order anything off the web... I do not know who did but I don't want it
|
|
said this on 01 Jun 2008 12:14:36 PM CST
Now I AM confused. I purchased Vista last Aug. and it downloaded but I did not get Locker Assistant. Keeps giving me all kinds of instructions that do not respond, like can't find E-Mail address, or g.msn.com/WMFUSEN/102146. This is as close as I have been able to come and that does not help much. At this point I'd be satisfied to quit Vista and go back to XP Pro.
Your help would be appreciated. rexb@vtc.net |
|
said this on 15 Sep 2008 11:44:16 PM CST
It is a good wake up call.
|
|
said this on 09 Nov 2008 3:51:41 PM CST
Your text is in English. I can't understand it in its totality, so I wish to find it in French. Thank you
|