 The Clarinet BBoard
|
Author: Mark Charette ★2017
Date: 2021-02-24 19:50
Just got an email from my friend "Jimmy Sclater" (a real acquaintance) asking for help. I asked him what he needed because it looked a bit suspicious
From: jsclater@comcast.net
...
Reply to: jscllater@gmail.com
Hello,
How are you? just checking up on you, hope all is well and I need a quick little assistance from you.
Do you have an account with Amazon?
Thanks
Js
Notice the Reply to has 2 l's in the last name. I didn't at first. So ... I replied:
What kind of help do you need?
and got a response:
On 2/24/2021 10:41 AM, JAMES SCLATER wrote:
> Good to hear from you, I've been trying to purchase a Google Play E-Gift card by email, but it says they are having issues charging my card. I contacted my bank and they told me it would take a couple of days to get it sorted. I intend to buy it for my Niece whose birthday. Can you help me purchase an Google play E-gift card over there from your amazon account? I'm only looking to spend $150 on it, I'll refund it to you once my bank sorts the issue out. I am just trying to put a smile on her face in this. Let me know if you can handle this.
>
> Thanks
> Js
From the gmail address. Dammit, not Jimmy, not by a long shot.
|
|
Reply To Message
|
|
Author: OneWatt
Date: 2021-02-24 19:56
Wow, a highly clever effort.
The Nigerian Prince who sends me my scams shows nothing like this level of sophistication.
A potential tipoff: "I intend to buy it for my Niece whose birthday." But even good friends produce typos.
Thanks for the heads up!
[Wishing Jimmy Scllater's Niece a very happy birthday.]
|
|
Reply To Message
|
|
Author: Ed
Date: 2021-02-24 19:59
Ugh, there is always a new one to keep track of. Thanks for sharing
|
|
Reply To Message
|
|
Author: kdk ★2017
Date: 2021-02-24 20:03
I got one of those sometime last year. Same request, just a different name (someone whose name I recognized). It seemed pretty clearly a scam, but I actually checked with the person whose name they used and got a response that basically translated to "Huh???"
Karl
|
|
Reply To Message
|
|
Author: Mark Charette ★2017
Date: 2021-02-24 21:03
Yup, they get more inventive. Got one at work that looked to be an email with a link to a shared file off our internal Sharepoint from a trusted cohort - but if you actually looked at the Sharepoint file link it was very close but not exactly our internal URL.
Scary - organizations can be infiltrated easily by this kind of "crockery". Only takes a second and you can get hooked and landed.
|
|
Reply To Message
|
|
Author: Fuzzy
Date: 2021-02-25 01:35
It is scary how automated this all is, yet - somehow - they were able to make a gmail account almost identical to the original. I would think automating gmail account creation should be met with some resistance by Google.
If it isn't automated, then the scope is fairly small at any given time, but the payoff is probably pretty good - as many people wouldn't catch the slight discrepancy in the e-mail address, and would need to catch the various grammar/translation glitches in the text of the e-mail.
It is only going to get worse, I"m afraid.
Fuzzy
;^)>>>
|
|
Reply To Message
|
|
Author: davyd
Date: 2021-02-25 03:04
How do they know that Mr. Sclater even has a niece?
|
|
Reply To Message
|
|
Author: kdk ★2017
Date: 2021-02-25 03:24
Fuzzy wrote:
> If it isn't automated, then the scope is fairly small at any
> given time, but the payoff is probably pretty good - as many
> people wouldn't catch the slight discrepancy in the e-mail
> address, and would need to catch the various
> grammar/translation glitches in the text of the e-mail.
>
I think the most basic solution, whether you spot signs within the email or not, is to contact the "sender" through some other channel. At the very least, send a query using *your* address book's entry, not by clicking "reply" on the email you've gotten, or by phoning if you have the person's number. Same goes with emails notifying you of a security breach in your credit card account - contact the CC company using the phone number on the card, not the one in the email. If the notice is legit, they can tell you.
Karl
|
|
Reply To Message
|
|
Author: OneWatt
Date: 2021-02-25 05:42
Davyd: "How do they know that Mr. Sclater even has a niece?"
... and more unsettling... that her birthday is coming up!?! ;-)
|
|
Reply To Message
|
|
Author: clarnibass
Date: 2021-02-25 09:27
>> I intend to buy it for my Niece whose birthday. <<
I guess it's possible that someone forgot to finish the sentence and there are a lot of typos or mistakes in real emails, but this is a pretty regular phrasing mistake in scam emails.
>> Notice the Reply to has 2 l's in the last name.
>> From: jsclater@comcast.net
>> Reply to: jscllater@gmail.com
How come the "From" and "Reply to" emails are different? Not just one L or two, but comcast.net and gmail.com.
There are a lot of scams where people pretend to be other people in emails, sometimes even taking control of someone's account. But when you reply to an email, it replies to the email address it was sent from... no? What is going on here?
|
|
Reply To Message
|
|
Author: spage
Date: 2021-02-25 17:00
> But when you reply to an email, it replies to the
> email address it was sent from... no? What is going on here?
No - in many mail clients 'Reply-To' will trump 'From' without even letting you know. In some instances it's useful - and in some it's not.clarnibass wrote:
|
|
Reply To Message
|
|
Author: jim sclater
Date: 2021-02-25 17:40
I sincerely hope none of my friends fell for this scam. Interestingly, someone sent me the identical scam about 6-8 months ago. Such a shame people have to do stuff like this.
jsclater@comcast.net
|
|
Reply To Message
|
|
Author: clarnibass
Date: 2021-02-26 10:18
>> No - in many mail clients 'Reply-To' will trump 'From' without even letting you know. In some instances it's useful - and in some it's not. <<
What do you mean? My email has "Reply" but I don't see a separate "Reply to" anywhere, so I guess I don't have it. Do some email programs have "Reply to" in addition, and in that case, what exactly does it do? Where does it get the address that it sends the email to? From what you say I guess it's not the one it was sent from. Can you (or anyone) explain more about this?
|
|
Reply To Message
|
|
Author: Mark Charette ★2017
Date: 2021-02-27 01:47
clarnibass wrote:
> What do you mean? My email has "Reply" but I don't see a
> separate "Reply to" anywhere, so I guess I don't have it. Do
> some email programs have "Reply to" in addition, and in that
> case, what exactly does it do? Where does it get the address
> that it sends the email to? From what you say I guess it's not
> the one it was sent from. Can you (or anyone) explain more
> about this?
Email has many attributes: some you see, some you don't, some mail clients let you set some things that can get sent along so a mail client can decide what to do with it.
For instance, a simple 3 or 4 line email from the BBoard to me shows:
Quote:
Return-Path: <clarnibass@gmail.com>
Received: from [74.208.5.21] ([74.208.5.21]) by mx.perfora.net (mxeueus006
[74.208.5.21]) with ESMTPS (Nemesis) id 1MAx8v-1l4qGz0vY9-00BKVY for
<charette@woodwind.org>; Fri, 26 Feb 2021 07:18:28 +0100
Received: from mout.perfora.net ([74.208.4.194]) by mx.perfora.net (mxeueus006
[74.208.5.21]) with ESMTPS (Nemesis) id 1MXYVH-1lJkFv0sdr-00Z1n0 for
<bboard@woodwind.org>; Fri, 26 Feb 2021 07:18:28 +0100
Received: from adserver.local ([173.255.238.97]) by mrelay.perfora.net
(mreueus002 [74.208.5.2]) with ESMTPA (Nemesis) id 0Lsjfz-1lvZNr33rV-012Fhy
for <bboard@woodwind.org>; Fri, 26 Feb 2021 07:18:27 +0100
Received: by adserver.local (sSMTP sendmail emulation); Fri, 26 Feb 2021 06:18:26 +0000
Date: Fri, 26 Feb 2021 06:18:26 +0000
To: The Clarinet BBoard <bboard@woodwind.org>
Subject: Re: New scam, pretty good.
X-Phorum--Version: Phorum 3.4.2
X-Phorum--Forum: The Clarinet BBoard
X-Phorum--Thread: 489495
X-Phorum--Parent: 489495
In-reply-to: <ab5ad4c46620299253ab165f0957b06b.TheClarinetBBoard>
From: clarnibass@gmail.com
Reply-To: clarnibass@gmail.com
Message-ID: <0MCKxT-1l72823Kj3-009B5G@mrelay.perfora.net>
X-Provags-ID: V03:K1:YyThDFWg+sBDeU45L07o0mIQqC7jII23ZFuXAARcqcgfm0b0NG6
9xk+k68NzTcMSpQOiTjTt2P9XjBAfz1ABvj8GmGVNzilNSgt0d0Gpf5dQjbG2KTpyV5z6TV
6x42y7aowX8wfx5HElqwnMQWR0ElqZOWs7/NwwFyShh+4ew4jRZmLymsUGUyemNJQFPGs8T
nailPqzP17u/r1/lRp8GQ==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:+WgKo2MSXG8=:8iKufnwbzpXq9v5SIadxWl
2CEjG8VhkRr3IVt0wOKN6I/E+pY3oqF87dnGbguOQEpSXzX49URUgPduDhfjiE6ESOPLY3VTV
1iT+GRCzQYTrmjFbWkgvnPnUAdoKTTaHkO7SWl68TWAjKn6CKeXO4oGwcHsUI6cVPHe10blJX
RJ8i4vcqbL7NhbouvMrdCZoqhQV1ntzpb4uLxhSDJ1Ulp6R+SaDcuFDnG354LVqoGLb9H7O6f
jxYwAzTCMzQY2MQnWyzheVANBYNdTOvlQj1fw1I0lU08ZqugBOnj4JQ3MvhojdEif4PHVF4PW
DEzTtkxBQmg+hlaqk/LXXmeUZKTxep3GLSKHLrtabkGrgXcISYZ/AJLVEfq4QpBjsc7RHD6YV
KkJx3SW0Ul/LbG5Kjz4qAoAeHsJUh3t6MSRsicXTNjhxgHz+kAsmkePZTVYjEhcrvffquTEoB
2HLe/+d6KP5zlnd4BtGC8hQZAou6zHbTlEHTtXV7/DJDtu+CPlsW
Envelope-To: <charette@woodwind.org>
X-Spam-Flag: NO
X-UI-Filterresults: notjunk:1;V03:K0:N3kLvEEkM90=:+TO78w1ReW6axUOb1IT1JscTYW
lCCtPjb+mgT0mmn281NwdBhQ1TbSpQWQlQtvRDLJsWJY6GyKXB6TiAjePPZgezrjkGBz7EhxL
AFBjbqNbN5lQq6PmFTsDYI1NEFLo4/DbaNOwWhLjzbF4MvJGZk0BdHO+AwWnqmZehSnlD1XyL
Vh0uRU/JwsZBUdsftNOoVUZS75QVUqJQrNM6bjyTSnh8gMayWM+HIjyrdve+OajftwrZklXio
G7W777bpgz4IGHNz/f4ZrOXz+rlYJgtr7jljh7erMgwc5hLEMSIWlhiv+pTUCzySf3TP57d19
UAs2QBVXEHVCCip4LmrLhmlpJRmJa+ChKk3QUsORxjiPihV0PfaoJKLlDopAfgL72zSqfIacV
gvkgvQoldYOdV0gHRQRj18TU/Q2pl0/OV4b9Unbwi+sQQHUycJUFcO/tMMIOpxF0knz0r18fF
CFq9BQTxAcmHnRAPsXqM/ZH4+aNmjb4pLK6NrtLV9q44+Bv7tP3epY5VDE3znq6h/9CvBAvls
BocpU/Tx8dgMl34LVwysy2TA/yEhY2kfELbGog5zeSGM3Xh3lktG/nCosWrI9Z5ERr+LcRcy6
zXJH6tzL1lBvivhGbQo+1sQEIkpclwInY0x+fLw3GOwtm8bSwgRfjybUtX0Ojw0fPAcOj2DXh
qvPdt9wR+cwmFsFv55dINGToRfxKAuCfKb3ZR5WD5XYWslhqLrOCKvEPsKz4oH8AlnsD/VaTe
f4Yac+AQujEr+8SJPrGOe86SzfB/VwzP1WNjvpa/w2v7DhiznCXjoDpooZuAmUQUJXZ6Rp0uG
uu9ZcyP/JXBYnC+nK4vfr1DXMLLjsgwjjV3tkpYx1GXZiGLpGGw2tTth8e7g4vi0U+NQck5+8
+L8WQAB8wmedqdMqyyhFbQDfDXzxMn1PKxq3DsXGs2irADy9gGntiGrMEP7fMjkNV/CyNIn45
iT4iHVhLzTBoUV9LibNDvMNDYuviShnC0tMCXYGj1qttGRR1j4mrjRp4n7fhjNcf/bG9FPVKr
1AoazoY7RaEMyiy3LL6SP5bLUVw/M7ajSrr8e6v6bCwMfAUwnezlRPaPlACT/KvqpLoDHVItj
IY5AmcD9js8Oy7Qr4gjSc0glF5Pj3V8AzKpKEjRQnVfBoRvBcGyYl5Xa/xWgUhbMCVnSHYgbc
vQjVYygSjo1JD6AbIg/iG/QNM0hdV2w60iRaQnhThlUstnpYt3zg8A4YakSdokV4YjI9hAc6n
NN2gEyUieNpHwxILWGwSph+W+xlMwjyyMIbvyUK44FJMHfTbExajZHCkIc55ZP9hRHUvtYn2+
L4xQXuOVbVpAB5gBYCwah5gLjeYJ18MqHE8lqIw9fEukw6F4KMBSATGd2KP5HL60tNsrq+Vpf
3kJqnXxEwh2LH4+JaW2qolXk0C1y7GGt0ggQiT4F66RruL3InYgTDzDzSLOXkZVbLCwuLDh3H
UrlzP3NxusKAktMjVX8p0abS8S1jxve0KD2IHES4pExDfKxbgaFIT4oQ+Nh4ULZiFEBnIXelY
pqcIdHxAqCATByZgv+Ln2riIGDMhtLAlT22qKuWTdraBiua4mhU0fhrBDEaw27KCdjSuBNWvX
dXmx5CQZg2r5cgUxnEbIKBuELb3pYYEkd+1FyGexknrqaNhU9Xs47dwmFKpaan2d/I0/Roc9Y
zIe6Rdv7eo+oj1xr+/fPfQ2cUULMZD9mM6f7MdgQUqXaoJeCh3i9PQ9klPFd/aHyU+heM3G2r
v7cG2dT96//O7Phe2BE/cYFNET0RrIgrE2t/zYcVMTwiAWZzl3pGpUGvvLHk2Ardrv9mcrsva
WFNPSQrhgG85KsKltzqX7NaayFpLaTotjV0BIrNkmIK2p/hg0LrMbFK4IQb80LRoPZOK1UsJ+
csBQ1CjbAU8fOQ9TuNPmErtM5X/Pvo69HImSQdUcWXhP79TudfCuIpl7FesJ
which tells me who generated the post, what path did it take getting to me, when, subject, where was it mailed to, how did it pass the spam filters, The BBoard Phorum marked it, the data for the the post is in there, etc.
The total email part was:
Quote:
This message was sent from: The Clarinet BBoard.
http://test.woodwind.org/clarinet/BBoard/read.html?f=1&i=489533&t=489495
----------------------------------------------------------------
>> No - in many mail clients 'Reply-To' will trump 'From' without even
letting you know. In some instances it's useful - and in some it's not.
<<
What do you mean? My email has "Reply" but I don't see a separate "Reply
to" anywhere, so I guess I don't have it. Do some email programs have
"Reply to" in addition, and in that case, what exactly does it do? Where
does it get the address that it sends the email to? From what you say I
guess it's not the one it was sent from. Can you (or anyone) explain more
about this?
----------------------------------------------------------------
Sent using Phorum software version 3.4.2 http://phorum.org
There's a lot of information packed in the headers most people will ignore, but for those of us who have to administer the emails the headers are invaluable.
FYI - I have set up the BBoards to email Karl and I for every post. That's how we can see what's going on without having to be continually logged into the BBoard.
|
|
Reply To Message
|
|
Author: spage
Date: 2021-02-27 15:54
> There's a lot of information packed in the headers most people
> will ignore, but for those of us who have to administer the
> emails the headers are invaluable.
Or for those of use who had to read 'em, and system logs and suchlike, for work. I won't say I love full headers or system logs but they are interesting in Orl Sorts Of Ways :-)
But this is absoloutely not clarinet-related so I'll wave and go out the door!
|
|
Reply To Message
|
|
Author: Ralph Katz
Date: 2021-02-27 20:37
These kind of things are very common. Anything that mentions Gift Cards or PayPal is liable to be suspect. They prey on grandparents a lot.
4 years ago or so, major corporation Chief Financial Officers started getting e-mails spoofing their CEO's asking for multi-million dollar wire transfers. A number actually started the wire transfer process before thinking, "wait, shouldn't I check this out first?"
15 years ago, an ISP owner in Michigan told me his servers got multiple port scans every minute, 24x7, and it has to be worse now. All it takes is one server without up-to-date patches, and the hacking starts.
My identity was stolen 4 years ago, but I noticed right away because we had never, ever seen two days in a row without any USPS mail. I went to our local Post Office and had the mail forward order cancelled, but they wouldn't tell me where it was forwarded to. Then the credit cards they had applied for started coming in. If this happens to you, cancel the credit cards first - they paid for my permanent credit freeze with credit reporting agencies Experian, Equifax and and TransUnion. Then I setup PIN's with all three.
We were in our 60's and don't need more credit, so things have been relatively good. But many seemingly simple things require credit checks, so I open my Equifax account for a day and then close it again. This has only happened a couple of times.
Personal computers and the internet were not initially designed with any particular security in mind, therefore most existing security really just exists as an after-thought. So you should be very careful with every e-mail and text, and on every website.
But also, many apps, that have attracted 10's of millions of users, were really written by amateurs, such as the one that allowed archiving all those videos of insurrectionists in the US Capitol. Facebook is another good one that, at least originally, could be readily hacked.
You don't need to be paranoid, just really, really careful.
|
|
Reply To Message
|
|
Author: SecondTry
Date: 2021-02-27 23:44
I don't think you people are being fair.
Just the other day I got an email from the Crown Prince of Menzlabi, a poor country in the 3rd world asking me to help him in securing millions in funds tied up but for a mere $100 transaction fee he lacked and ask for my help with.
After I immediately gave him the $100 the Prince was so grateful that of the $75 million in funds released to his family he gave me $70 million.
You people are cynical; you DO know everything posted on the internet is true, don't you?!
It's a rule. My across the street neighbor who tries to swat flies outside in the middle of winter told me so.
Post Edited (2021-02-27 23:44)
|
|
Reply To Message
|
|
Author: Mark Charette ★2017
Date: 2021-02-28 23:46
I get between 10 and 30 THOUSAND attempted logins every day and i hold absolutely no financial information. Root login is disallowed, only one user account is allowed, and 2 unsuccessful attempts bans the IP of the client permanently. I had to switch to a database from text files for the ban list a couple years back. There are about 12 million banned ip BLOCKS - when someone tries to crack the server I block the surrounding 256 ip numbers at a time (really the class c subnet containing the offending ip, but you know what I mean)
No one has ever emailed me complaining that their ip number was blocked.
|
|
Reply To Message
|
|
Author: Ralph Katz
Date: 2021-03-01 02:53
Hi Mark,
You are certainly a lot more proactive than most.
Real security on the internet would bake this kind of blocking in at a more global level.
Thanks,
Ralph
|
|
Reply To Message
|
|
The Clarinet Pages
|
 |
.jpg){kind=small}
.jpg){kind=small}
.jpg){kind=small}
.jpg){kind=small}
.jpg){kind=small}
.jpg){kind=small}
