Archive for Scam

Here’s A Fido Text Messaging #Scam That You Should Be Aware Of

Posted in Commentary with tags on August 29, 2024 by itnerd

It’s been a while since a text messaging scam crossed my desk. This one comes from a threat actor claiming to be Fido, the Rogers flanker brand:

If you look at the web address at the bottom of the text message, it has nothing to do with Fido: Fido’s web address is http://www.fido.ca. That ignores the fact that Fido would never contact you this way to have you accept a payment; they would simply credit your account and you would see it on your next bill. But let’s follow the link (which, to be clear, you should never do):

Ah yes. This is a scam that is meant to swipe your banking credentials so that the threat actor can log in and steal your money. This is confirmed when I choose a random bank to see what happens next:

I will admit that this is a very good replication of the CIBC website. But it’s not the real CIBC website, as one look at the address bar shows that it’s not going to cibc.com; it’s still going to the threat actor’s website. I didn’t go any further, as it’s pretty clear what the game is here. So if you get this text message, delete it and move on with your life.

A VERY Convincing Microsoft 365 Refund #Scam Email Is Making The Rounds

Posted in Commentary with tags on August 17, 2024 by itnerd

A reader of this blog sent me this email that he thought was a scam email:

Now a bunch of things make this scam email very convincing:

  • The email address that this was sent from appears to come from Microsoft.
  • If you click on the “Go To Microsoft 365 Admin Center” link, it actually takes you to the real Microsoft 365 Admin Center.
  • The look and feel of the email is very much like one that Microsoft would send.

The only thing that gave it away as a scam is that there is a phone number for a support helpline. Microsoft does not have any phone support.

So this is likely a refund scam, meaning that threat actors send emails claiming that you’ve been billed for a product or service to thousands of people, hoping that some will call in. At that point the threat actors connect to the caller’s computer and try to steal as much money as they can.

What intrigued me is how the threat actors were able to get this email into this reader’s inbox. I asked the reader for the email headers, as any email you send carries information that details its path from end to end, along with other information that an email server can use to decide whether the email is spam or otherwise unwanted.

So, to illustrate what’s going on here, here are the full headers that I received, with some information redacted:

Delivered-To: REDACTED
Received: by 2002:a17:504:3f94:b0:1bfe:977f:4147 with SMTP id g20csp1188908njn;
Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
X-Forwarded-Encrypted: i=7; AJvYcCV81SM/CRIsstE+ArzN39KoZ2oigx7zrrZ3+m8LcY0IHa8JHgHjidVCkJMvWWgc3bLi9abUQ9NE1KZNlZYTgvg=
X-Google-Smtp-Source: AGHT+IH23r3S25jCDA4KiCgZLcKnxrY4PqFqTc+KWz26TvPfAwn3gdXuUuwUmIlHlMeZu6BPt9gf
X-Received: by 2002:a92:c261:0:b0:39b:3241:e982 with SMTP id e9e14a558f8ab-39d26d745b0mr34961605ab.25.1723815810010;
Fri, 16 Aug 2024 06:43:30 -0700 (PDT)
ARC-Seal: i=6; a=rsa-sha256; t=1723815809; cv=pass;
d=google.com; s=arc-20160816;
b=TfuSWcu4LauRnn2B2HInZaZytDUWMqMeVrDW+IA3B1AC5XpzIZogn7S12MTujPs3DB
EDgIRK2QGFcIBjEICnoXtC5OuT+LKCJPVk+vjc4VzrC5qG6yLfCat5+YdFIIlJWadG5M
JwrQOk/YAYrAjNDHfbfDqAKplAlTbhwmXrCr2ZMf3XgTceCHnm+QI7HaHf8AA/OFFUXI
F/Uhz+x7AgGL/P9ZqwLYeOMzPDWjVzlXpNJO5D8oIifP21nU5EdYKgeryWp9UH9xQBdX
HBCXqvoCO2LLJ/kmECxqA9A91L6hhXpnnn+Z0bmwPWzFBLHFFkscprpVZvj0Jc4ARGmI
Q4vA==
ARC-Message-Signature: i=6; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:to:message-id:subject:date:from:dkim-signature
:dkim-signature:authentication-results-original:resent-from;
bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=;
fh=u+4NNM9FiVktfFoWhpPOc5WraBPqVPVZz8is6x3rkA0=;
b=fOYFPO+LNDgcdd4ziNW8ibjuWZUb46rsiiVAQw9a47aqIcQMvpf2tZCUlhPrONwF3e
JtSPWIALpXuQN5LCkpK+1+IjTf2pvlE/fidSYyxN6IZ4t/xp0KucMQaSAC0bGuUWcNZ5
xj+YpqPRcDPuyNDIpotxI/6xdSQp088EYf0CoEV3Ei9Ot/d3i0z4IyHR6CMeyGRqi8JR
0m23FRK/PybVME5TjpxAQikH3/yt3v/yAGGYp+y20agpYpJf3z88hPGSDflrc5+/06zj
sW22lg3r0OwwQ52vJ6BUFg1BVxIdW/RzeSkuvcNAMUlP5m7p6yAwxyvw/jQGL89A3G0A
WTSA==;
dara=google.com
ARC-Authentication-Results: i=6; mx.google.com;
dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Return-Path: <bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com>
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on20724.outbound.protection.outlook.com. [2a01:111:f403:2415::724])
by mx.google.com with ESMTPS id 41be03b00d2f7-7c6b636fff7si3568330a12.599.2024.08.16.06.43.29
for <REDACTED>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Fri, 16 Aug 2024 06:43:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) client-ip=2a01:111:f403:2415::724;
Authentication-Results: mx.google.com;
dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
ARC-Seal: i=5; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=Ji0CyJSU2sA3+SpLxEZlkgamoXDki55de/cEK9H75PDf/IzMNo28o7SlxBAcxWydkvqnmHecf02ksBav3pTHx7BQwMCdUtXqFVXu1gqUWMr+aD0DAD3I+YvolOdpnFltIlZM4P59AYRCW1QFgTRgMBbN1E+FOl/Eg16yPjnCCI9jKLabr8cDxoXpNIxhv4dPaiZ30YnE4ur6m5wP7y8Lvkn29G14L+X9bVjGjP6S/btJWxk/K9fAr1b9zzoL8MdrzVc8FHmJwT4aAeJRJ/sHC87kQ+SHlENzETQ9AP26yBD3f2DlmJi/ZqUMdJxZBCi7XoYjdLw/GE4otr2UBaTJLQ==
ARC-Message-Signature: i=5; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=d8TPu7A2Hu2WXRveGLV3o5pIZ3eBrghj/xxi6j9f7nRO5yJGW3WvJCyPX/yMmBGYzpTApu3VkL1lFsHmtSt7SbCOOr0Q2Kmovlz2XPpUJ2Os1dMLdnhse785WQ6Ii4tCEcccjg8OPm61meRW86Gn5btBjD2uqe7Yu8BtJbKWX4qnb8MXD/YAL+x6ACQzoluy89RBSLKlADSSQ3M7ayQKIPvaxkbVrAezUHA7xiezIskXdcG5zUIL07vf7PdBOqvrXV6vuCNuGw1ma8gqPhpy4v3Ejy8ZPBVmHc8mHN27URCPotDU3lx8nn+swDvDpSXRdUv0+KOl+X8D+4JTZJ0hJg==
ARC-Authentication-Results: i=5; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) by PH8PR11MB6976.namprd11.prod.outlook.com (2603:10b6:510:223::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19; Fri, 16 Aug 2024 13:43:21 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com (2603:10b6:5:19e::32) by CH0PR11MB8190.namprd11.prod.outlook.com (2603:10b6:610:188::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:43:18 +0000
Received: from DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2]) by DM6PR11MB4187.namprd11.prod.outlook.com ([fe80::e455:f44c:3b7e:8ea2%6]) with mapi id 15.20.7875.016; Fri, 16 Aug 2024 13:43:18 +0000
ARC-Seal: i=4; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=IyivTBoWjDP5+EzGuqcuiDvrPTg2W3eAad7T3RaNS1BeMpjj1ISfpO767jFhJo+hFSm3gtQR+5zgsS14eMw0cVplcYkrfv0jsPu8ZqfGJfFfnJM2WDZEDg6BCdos+wZDt3Vy5CRD0enXrpFb3YpI84pqw501bdCC7arcZDKU5Cfm/340RqOsA1D7QKLlCrEzEcR2IAricypAEehKx8W/yeKLvYcl0EqnhioY6ltQXxBr1NEp7fFQBzCyKHgSU3jijWoPewIH4b3UbE1nKaSNRJDJyE/+p9uKofj5l9JSeV0QtqHQvB1plXxSG2wJ3d19tSOcx6NQsrOdQM5y6X+CIA==
ARC-Message-Signature: i=4; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=r5Ds9OwJEG1UyAqy6AQhqBmivg51YDYg+BbHZKDecD+rC7FQ9Kq+r1qhZeZy+QIZRHu2oupl/7MS4XcU4gcwxujf4EQ8H97Jue0jBqoPEv5jkIly+pUWV+zL4siAsgx8SpFldBSfM1NM0Y/MEKT80baOqTx1vMAKTg22zvd/Q4jKy4aLv94b0HLpUytUjTY74XrN1yMm2ePX+GoW32v7KQqu0QCncH8Pjp1LXPu+3SkyKPAETkngi5HAYwbkkqLJkPjgxun+IoRfVhqvDRmhPe4co89+fRCWBfXsCez44KZ2Oscvx0ummBbDHm2uDW81DI7ukZ9JNXT+RmomXGe8qg==
ARC-Authentication-Results: i=4; mx.microsoft.com 1; spf=pass (sender ip is 40.107.237.100) smtp.rcpttodomain=trendequity.org smtp.mailfrom=merchantsales.onmicrosoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,3,smtp.mailfrom=microsoft.com] dkim=[1,3,header.d=microsoft.com] dmarc=[1,3,header.from=microsoft.com])
Received: from BYAPR11CA0083.namprd11.prod.outlook.com (2603:10b6:a03:f4::24) by DM4PR11MB6360.namprd11.prod.outlook.com (2603:10b6:8:bd::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.20; Fri, 16 Aug 2024 13:36:58 +0000
Received: from SJ1PEPF000023D8.namprd21.prod.outlook.com (2603:10b6:a03:f4:cafe::54) by BYAPR11CA0083.outlook.office365.com (2603:10b6:a03:f4::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.33 via Frontend Transport; Fri, 16 Aug 2024 13:36:58 +0000
Authentication-Results: spf=pass (sender IP is 40.107.237.100) smtp.mailfrom=merchantsales.onmicrosoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of merchantsales.onmicrosoft.com designates 40.107.237.100 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.237.100; helo=NAM12-BN8-obe.outbound.protection.outlook.com; pr=C
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (40.107.237.100) by SJ1PEPF000023D8.mail.protection.outlook.com (10.167.244.73) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.4 via Frontend Transport; Fri, 16 Aug 2024 13:36:57 +0000
ARC-Seal: i=3; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=isJzNOZrZwA7Xr5bxG0qOy4ivJq/v9mA7WtOqMOZHPzIxIoTd5pxuMC/Lq36JLVhzEJG5EBz4e7NsuCjguzlN0t2ylLhmS4f8AiLe2mHJ61ynJ28A7ivXe0MEfkG9F6WokjNOH/1nKKiYxETfoQJAk60uND6oT9AcY+QkIKafmyo7q6jiQc08VRSuTjQc0l8wAH1MswjQeNeKY2gvTvMkkMGInT2pxJ2guGgRZ9UTRgofPYvuuCSDZAkCjUQ7oM7cqtyoG4V4gK00Bg6PR1kq7awWmci6NQ03QMXa96H7aiygnMxQph4kL4dKbQqrBJu1Keqsiyi7I72D7sV73gkIA==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=JLGf+Jw4DoZkWn07nHEf4c/xF0JjA6mtEGPc1F4Q8k44xFoHkTwIaXbMFF5DaLK4EaEOcURD+VsGwaSS19D0Y89om1l4ICzOntk6O0D6+UZG4lN5M15SUYwTS1EAsdXIgcLf8zChpu83TzjmDnozAZznzOZU5KEXp/bkocEBc5L3zlYjBaULkXltR2VJT9p4eRMW3K4bqERT0TZ5CZD4im3/4GiftPTsfx99l1Jav9teubV14MvOEywvxlmjugLIQAjz1HiphAep/RxAG5DIxCzXZUgJAHkC/beSDqYNG585/ObL/LEB40wOwQmUeg0PNtr4JJQycULGEkYxHhEIPw==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Resent-From: <notification@merchantsales.onmicrosoft.com>
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=DRrt4WaGKyoiMML6eb3SUwKLOq08R8bGVYB/L0QVlm3wcdm1XF/iQrj/RUS7YLnKlbIg0GH3KQNtpyOOzQnrCfm1mwbufpgpEcbjvFjEqAEtzzOU4V9ypfzuQEVEm7Cc78qZfdzJ50Hd8LgyA5vzscQFOJ8J1FQnb/S4M4AyVuhTYAtw8LFASe6GrJM82xQNWucTz82hmjBX1BONDgxYeeqVSBb6A+kmbj3M+5wcdQqXoZN5TC7R/cxuqZ40rCBYz2vz6+s74Z1X+SzYJnwZ21MDocRRX7fQhBwHwsdUKtckZMdk8UAdW5qjaDogoZzdTyI59J91KzvKD+gdfJn2Ug==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=g44v04/jeUniwLVld3n/6yh2nL45f+/OxI7yaXQedI85nRqtFrffhDNyMDl5Cj940rCVZZdViy0T9NosHJB9X4FGMV5g8NmrDoRwMCQIqunPNtG55KFuDGxAJscrZQcns/2zuiqgl1aq7Ei0g977GG8XQa9fivDMY8f+VNpeNCEID2ibd6YyXsOrH/Okb5OoGqr8BmXLzZorgM52sf3YJwluPUab7pLsxJOGZff+u4PoVhlJ+BFPKXJgC7cy6VRbJs3AIM2u6w/rWwfz4x0Tanp1Uy+AOKI+suaK6wSt2atjMAhMF6NbxsdmmriB8qikoDybhtNZb4SkX0/Ea85Vyg==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 52.101.61.136) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=microsoft.com] dkim=[1,1,header.d=microsoft.com] dmarc=[1,1,header.from=microsoft.com])
Received: from PH7P220CA0015.NAMP220.PROD.OUTLOOK.COM (2603:10b6:510:326::20) by PH7PR22MB5062.namprd22.prod.outlook.com (2603:10b6:510:312::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.18; Fri, 16 Aug 2024 13:36:51 +0000
Received: from MWH0EPF000A6733.namprd04.prod.outlook.com (2603:10b6:510:326:cafe::2) by PH7P220CA0015.outlook.office365.com (2603:10b6:510:326::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.19 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
Authentication-Results-Original: spf=pass (sender IP is 52.101.61.136) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 52.101.61.136 as permitted sender) receiver=protection.outlook.com; client-ip=52.101.61.136; helo=DM1PR04CU001.outbound.protection.outlook.com; pr=C
Received: from DM1PR04CU001.outbound.protection.outlook.com (52.101.61.136) by MWH0EPF000A6733.mail.protection.outlook.com (10.167.249.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:51 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=AvyM0FlxgT9SVxijT8tW0np3V9uiRpjFfHotFChyp9BMlncIf4Hl00T9mxKzXH56MByamyvAnJ5GBhvaHhoYHr+j04+w6DCt0gxFHptIuYoVa5b89ZPtcrrhukV3WQ1eJJ9pR+C26Ud7xzLBtR/fq0lJXBLVLexID8Cza0nFJoYej2fgA/2QL7mpU6chmw8D3+CLBRGO7IXVh6jTuD2U8Ls20N+gtQCu+siwP2AAw0O+zkbn9Y0bwFWz382Z/Jy5SB0VQhfdBatnM6eTQu+0uHe+SryGxVpDbtA7xKPLaYl/Cy45tGXiNLFGiP/1YWF4krqSrNz6JZblYIjl/zYFfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=sWSleCpJwWIGLaz4N9y0Lthfugbg4WYoWQibVxI9g4yb++6KOYO97mXz3VMgHcwBPKL7i6yEg4UQH7EpJrpFYSprjtZ//3gqrP0nNZuWaWGN8br09mqbUz0hIViKQhuNBlCEEBYspyV9b8ZE1JGGipETP6qKqkpEGulu3iId0sFAYcIddJQxyW7UkArwNdPVarRVhZ643HbWPuiEYgSXemcsxmkoH5CHPBZ6rv7/cAw/sbwKdoBI2W/Bj6GzjKRNHhP2Fzkaz31XNjNAYBgOKY5Od6zfSYe+pKAfPOp/EUYm3O1lQoKsOuIVY1jW4VfsoJXSvgz8yvVQpPFARzwXRw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 20.97.34.221) smtp.rcpttodomain=merchantsales.onmicrosoft.com smtp.mailfrom=microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=V0jLNQ7LkoODwqICDAY2ZF7ia+g4glgQr9DQ/TKgmcnmgTnE8sMj3avExUXePg15WGgI4HgfXMM8hiBb4ic7GGY8cOyVkf82RqWoKsj8gu39myRpIeKtZORbvek4N0BOv1TufeYdn3oLUVvywhkFojX4KTesm0ALLhDzCBpZzpI=
Received: from CH0PR04CA0113.namprd04.prod.outlook.com (2603:10b6:610:75::28) by DM4PR21MB3345.namprd21.prod.outlook.com (2603:10b6:8:6b::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7897.11; Fri, 16 Aug 2024 13:36:46 +0000
Received: from CH2PEPF00000144.namprd02.prod.outlook.com (2603:10b6:610:75:cafe::b4) by CH0PR04CA0113.outlook.office365.com (2603:10b6:610:75::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.23 via Frontend Transport; Fri, 16 Aug 2024 13:36:46 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.97.34.221) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 20.97.34.221 as permitted sender) receiver=protection.outlook.com; client-ip=20.97.34.221; helo=mail-nam-cu04-sn.southcentralus.cloudapp.azure.com; pr=C
Received: from mail-nam-cu04-sn.southcentralus.cloudapp.azure.com (20.97.34.221) by CH2PEPF00000144.mail.protection.outlook.com (10.167.244.101) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Fri, 16 Aug 2024 13:36:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed; i=microsoft-noreply@microsoft.com; t=1723815405; h=from:subject:date:message-id:to:mime-version:content-type; bh=1DRVH/p+Ncb0nmWC1EV3IUNwyNv4hoYQDPSQRvl39kg=; b=UBZKKpiYDf2p/KxxPFGwvnXMRjaNpMAU2QLNOgp/jX2IL6YC9/C+iC9TOKPNzv6ZMZ/VbQT8FSu OTbgm3nlE2Z4QNDEVPhg0dtlxEIq0ekPNMunTXNMKbvCmOEbsTwfCwyCcK5bXUiqMiX/qmBo+I/jY 2S6RuDg7SlC/vbvAfNU=
From: Microsoft <microsoft-noreply@microsoft.com>
Date: Fri, 16 Aug 2024 13:36:45 +0000
Subject: Your Microsoft order on August 16, 2024
Message-ID: <1f146af7-4393-4815-958b-64498d68a06f@az.southcentralus.microsoft.com>
To: notification@merchantsales.onmicrosoft.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-QmAKbw7keMAjIz55DOIJ/Q=="
Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com
X-EOPAttributedMessage: 2
X-MS-TrafficTypeDiagnostic: CH2PEPF00000144:EE_|DM4PR21MB3345:EE_|MWH0EPF000A6733:EE_|PH7PR22MB5062:EE_|SJ1PEPF000023D8:EE_|DM4PR11MB6360:EE_|CH0PR11MB8190:EE_|PH8PR11MB6976:EE_
X-MS-Office365-Filtering-Correlation-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|240411011799012|36860700013|69100299015|376014|82310400026|1800799024|36002699022;
X-Microsoft-Antispam-Message-Info-Original: X7O+VKtnAGxSUxUJT3g+8GXKOWyRASZFTRv8T75FA+rkgVX8GpH5jnwaIOFWMr15esuql8JQhn/H2xixXEbEZWhtFmmrCJEHnz09rpWWlgwCChijJTZKq7U5pMBKCLrYqtZdxMQW+3lJK4iGR8pcyAzG2gn3uDeNAeLREJW7RmN/++UPcS0TNWIKxkWCpg7mpaUEmMPN931KiC0cbYH7Wq8WbAl3eUpSoZqG8jhHxm7lpfaADJZcLN/Yu/l5EL4gjElyizRL8H8ryFDXIkGgrARhq8NOez4ur7K7MkezZ/7g+/0QtZNeZi0Q6QSgD1RH+15Fk5KPMGdv0N2sagaxw2jXSaLyjX1IvE+lIR6RG4dPboGl3gSOsE5URGNQ9c74gY+gwLK3wOZKEWpRGtf34k+4ATDPP/q4RNK8KxUDGlMyHZ4gwq/R6LFb8lNyvyB164lXQjYbpAZaxf2OFgrldw6wqqnemUNxVpxhDeL7Z7NOCCEVD0kUF+nkdwoeReUZwJhG5BzJwrn2L7lMxSZOtuHAVawEWkxOmmnAHci+an5uAT1eCQFY0ZY3AXRdf5lc3AS61ati0GxQd5smS6KIsisyer5tUyclV2IIecLSw4sXawcveRlrgmtLZKNyBlvxetndu5ISF4dGiNpZA8JfiKSlm+xsHgp5SX74j/v/uQt1sZPK8+6srdJFBCxtsSCIcFm28SjeuaNL5xQjvUWx68KMQMhtGldEnaEdZIhFf9KVkfuqCqzv793IDPi9JHFTILvpXmEabigWnwTNMa7+HC12pLCjXEEP0lvr8rPFm9LTM29Ccg9IRP6FdnD3yYUin4r334spxLnp4MhfqDiGj+BtVtiCcajz2mKJ+BRctNOWeLoe6Q0TB5rljqcb0slk6yTbxXQGxogPXivoZFsMVT1t9nva+xybM6RsRxajvYdVxvQ/GVxbb3uclZSNZudbN63m/iKO7fPZxEEnXi3HesaMm4XH7ZKGYlxruCRHx3umVW2FaiKZ/pidYYworh2IdTXjUbdGhsx2N5E4DycQWmuHB2GqTO12xCVC1sj5X+vrcJDWK92ayoLlADSIj35BbjzxHa6nWN46+Gghdg/p4e2yj33hSC1kVVC5fMx2WuCJTtVHLGo29VBguIxwW35wTuCXkdAxmdRctApmcw7NRZhkmF+uUkN9rBh4cCUzLDbUJ41lKPpb5j2DJvmatcvGpl6eFa5jMi8AD7WDTWqBE7HBcy9f74Easlf6fAPtp9ULETPMf0t2fyrTxYfdvudxWQRyvFeAAQGJH9/hgwEpCdaDMDvLw/nH/1v6JIEKBaSvpqNDxI5rcf4jzfQSZ01l8MrhwR10nNqIJuM92nAMJgCs5LnuVc5tQNmQ+U9z/+RLcKg/ch5noRf53H8i+0+HeS1DTzjZFDrTFnJG+uHRZmSOxxXIjSwCvJla8o7/Ey0=
X-Forefront-Antispam-Report-Untrusted: CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR21MB3345
X-MS-Exchange-Transport-CrossTenantHeadersStripped: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: MWH0EPF000A6733.namprd04.prod.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 5c556704-ff26-4c12-336c-08dcbdf87910
X-LD-Processed: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b,ExtAddr,ExtFwd
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|34036016|586017|7416014|376014|35042699022|48200799018|61400799027|69100299015;
X-Microsoft-Antispam-Message-Info-Original: 7onlANrFwwsDGY5F4zLxXslD7h/4HXiAJr1HfIVQtB49dE+55iPq6IU9rXYnP0UDnVCczyfAh3qZveVDvO5ZJ6qfGLNySlPbHV+XOeyfevWxBIXUVx0c++6JDXS1K2YJCmgs4CkqMaLLn67FucboHF3tNOQ61Xu4xZjohzn6bKOMjDtzOb+At3Mo3j5look9tc1Rha88pspFHVVTHvJ5gLWnmOziBfsZ1ZYSodqDuLQtG0t1JoLOOfSquxXesfSHrWE7jp04QlIPJCvFNfOquHta02DOb20A6A9tpOYnom6iKqTq6Vrvjhsic94faGO9V13j3gzaXxH8QOCMjUBft7Sab1jo00CyYxf9t+QRg70BhxwjALiD6KyfSZVmJr5h1Akg75Kb6w5Rv0Dr+pO2qmgkGvZeggT+ubz7Im2gTHwllBhOJ6UF1ZFxv5z3WwI6pm9Itab7zDvDAPMdEwQpLH/kQDh4d7ABDYv3OGYRJEzOByKYorkuuus3wZgR4JBWZGRb0u6L7+gMYGY8h8UWr/yzBa81zzWHKidq1xRbmpp+sN/tAF5davLrh7+pTWoohq4j3VcYJBUVRkcTtNqfVetg8bzh07Px4GddsYzMl0cPk1KBD0zPbVDCBmDppH5fbpwepZi3XPszzGHYvarHzjatwmvR3nX3pXaC1L0WzPLJ8DFKBUSl6ipT1DAEKNc5l4l9B9A2SYCi4wQRRzVy7JdakYtjLU1IghbP2i7239Ef9BxnoQGQ/gstbR1ETDId572sPyVRb/B4RvBYblcpL1m4fnp2E98K7HqAzDUmuzC75Sz11ZZ0oDVuQQmpXAyKUMNEyBZOsGP4H8+k3IP/RE0H+Zj94pCsSMAcQAKICvDroxQhy2f4361IaxVZhrVXrjKndXrHdhwB+FxVWtqqxKsGgp/lv0agtJeX63R9dC/w71/mA//JKWN+MOzOtSmhw8Z8dC+r4wr8fxo1ccxFsV+NJBswZ2NXd15a+04IwJ0YTJXkQW4d1sZScCWMSq9tRIj3TupWgxmh2jDySGOVQTi2SYs/2mg0wMNzu7yf4BY9XuH+CAJr8HbPWW57ss+mqKxEGARh8hmChw5pE0nm/5Nmf4EMuJEJrYpZgdbb1ndvo5uyKPTBWBpWZZKfFV/UdOjAvVTluApVc6hGmhOEY1X/clkHqyhmrAe8RN/6QWtaM51qFmZpW2AbxCK+ZqWU2874CKZXGfAFFp4q/NnMFX0kv0LKC+/AJYr4+jN3OzSuAe1p6XbRvUQ8YB/KFMZ7rj6mJn1nG7CJnJLMh7+Bj0YVpeJ1KJrqgWNu8EHpVAnJCWAVXZK56YY6+aY6helBWEv2kvmVP2f34EkDsXscbPrUs/eAJwMeA94yvsNts10KiLTxcB0vH5+tk1aD8Vft
X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;
X-ExternalRecipientOutboundConnectors: 229e6f25-d8cf-4d00-bedf-3f6513ec3f0b
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR22MB5062
X-EOPTenantAttributedMessage: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 2e33bed3-db7e-4df2-aca6-08dcbdf87c30
X-Moderation-Data: 8/16/2024 1:43:16 PM
X-LD-Processed: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0,ExtAddr
X-Microsoft-Antispam: BCL:0;ARA:13230040|35042699022|48200799018|69100299015|61400799027|376014|7416014;
X-Forefront-Antispam-Report: CIP:40.107.237.100;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM12-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam12on2100.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022)(48200799018)(69100299015)(61400799027)(376014)(7416014);DIR:OUT;SFP:1102;
X-OriginatorOrg: NETORGFT13999698.onmicrosoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 75dbd73f-d123-4351-d9a3-08dcbdf88006
X-MS-Exchange-CrossTenant-Id: 35163b8b-4c4e-4e19-b243-f07c1a6a27f0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;Ip=[20.97.34.221];Helo=[mail-nam-cu04-sn.southcentralus.cloudapp.azure.com]
X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF000023D8.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Aug 2024 13:43:18.4797 (UTC)
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: TNqK0lMTbi5b9cLoJTq/GHEbYe4wyHYBhmT/1ejLVVqUrkYvOp19tSX71DdMDrGM9MvLXtV17oPeyLQiXpE+TUD9aAQPT1RQ4791E6c+gJaiRzGnp0fhqPj2msilb1c8Gepa3+KYNaDh5dIr7TI20sGkcYqilLDhHWJFtGRMMNtrcm2OXKZwAGSx/79mel9dvow4DbPSMu+bc8chuPwp8wxfxutdb4dnOpQ/6UGAAYyHbJNN0NhrYiHJfNTuQEgUS0PzWnX9mbCP11mngn02pA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR11MB6976

There’s a lot of information here that is meaningless to most of you. But I am going to point out a few clues that indicate how the threat actors are pulling this off. Starting with this:

Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com

The word Azure is a big hint, as it suggests that the threat actors are sending this from an Azure-hosted environment. Azure is Microsoft’s cloud infrastructure, similar to Amazon Web Services (AWS). There are other hints that this is the case, such as this one:

X-Forefront-Antispam-Report-Untrusted: CIP:52.101.61.136;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM1PR04CU001.outbound.protection.outlook.com;PTR:mail-centralusazon11020136.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(34036016)(586017)(7416014)(376014)(35042699022)(48200799018)(61400799027)(69100299015);DIR:OUT;SFP:1102;

This hints that it took a trip through Microsoft’s Forefront product, which checks inbound and outbound emails for threats such as viruses. Note that it rated this email as “untrusted”. Then there’s this one:

CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;SFS:(13230040)(240411011799012)(36860700013)(69100299015)(376014)(82310400026)(1800799024)(36002699022);DIR:OUT;SFP:1102;

The southcentralus.cloudapp.azure.com host name is part of Microsoft’s Azure infrastructure. If I remember correctly, it’s somewhere in Texas. I could go on, but I think you see where I am going with this. In short, the threat actor has used a Microsoft Azure instance to set up the outbound email part of this scam, knowing that because it’s coming from Microsoft’s own infrastructure, it will hit the recipient’s inbox. This is confirmed here:

ARC-Authentication-Results: i=6; mx.google.com;dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) 

This part of the header shows that because this scam email is being sent from Microsoft’s own infrastructure, it passes the DMARC, SPF and DKIM checks that would otherwise filter this sort of thing out. As evidenced by this:

Results: spf=pass

This:

dkim=pass

And this:

dmarc=pass
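To make the header walk-through concrete, here is an added example (not code from the original post) that parses a constructed excerpt of the headers quoted above and pulls out what a mail administrator would check: the SPF/DKIM/DMARC verdicts from the Authentication-Results and ARC chain, the Forefront SCL and relay host, and the mismatches between From:, Return-Path:, To: and Delivered-To:. The recipient address is a placeholder for the REDACTED one.

```python
"""Triage the headers quoted in the post (added example, not the post's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt of the headers quoted in the post, values copied from
# there. The recipient was REDACTED in the post; recipient@example.net is a
# placeholder.
RAW_HEADERS = """\
Delivered-To: recipient@example.net
ARC-Authentication-Results: i=6; mx.google.com;
 dkim=pass header.i=@microsoft.com header.s=selector2 header.b=V0jLNQ7L;
 dkim=pass header.i=@microsoft.com header.s=s1024-meo header.b=UBZKKpiY;
 arc=pass (i=5 spf=pass spfdomain=merchantsales.onmicrosoft.com dkim=pass dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
 spf=pass (google.com: domain of bounces+srs=yjgow=pp@netorgft13999698.onmicrosoft.com designates 2a01:111:f403:2415::724 as permitted sender) smtp.mailfrom="bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com";
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Return-Path: <bounces+SRS=yjgOw=PP@netorgft13999698.onmicrosoft.com>
Resent-From: <notification@merchantsales.onmicrosoft.com>
X-Forefront-Antispam-Report-Untrusted: CIP:20.97.34.221;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;PTR:mail-nam-cu04-sn.southcentralus.cloudapp.azure.com;CAT:NONE;DIR:OUT;SFP:1102;
From: Microsoft <microsoft-noreply@microsoft.com>
To: notification@merchantsales.onmicrosoft.com
Subject: Your Microsoft order on August 16, 2024
Return-Path: reply+SRS=Vuioy=PP=microsoft.com=azure-noreply@merchantsales.onmicrosoft.com

"""

AUTH_HEADERS = ("Authentication-Results", "ARC-Authentication-Results")
# method=result pairs; \b keeps "spfdomain=" and "dkdomain=" from matching
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)")


def auth_verdicts(msg):
    """spf/dkim/dmarc/arc results from every Authentication-Results style
    header, including each ARC hop (i=6 is the last one before delivery)."""
    verdicts = {}
    for name in AUTH_HEADERS:
        for value in msg.get_all(name, []):
            flat = re.sub(r"\s+", " ", value)  # unfold the header
            for method, result in METHOD_RE.findall(flat):
                verdicts.setdefault(method, set()).add(result.lower())
    return {m: sorted(r) for m, r in verdicts.items()}


def forefront_report(value):
    """Split the 'CIP:...;SCL:1;H:host;...' report into a dict."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def triage(raw_headers):
    msg = message_from_string(raw_headers)
    verdicts = auth_verdicts(msg)
    report = forefront_report(msg.get("X-Forefront-Antispam-Report-Untrusted", ""))
    delivered_to = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_domain = domain_of(msg.get("From", ""))
    return_path_domains = sorted({domain_of(v) for v in msg.get_all("Return-Path", [])})
    all_pass = all(verdicts.get(m) == ["pass"] for m in ("spf", "dkim", "dmarc"))

    findings = []
    if all_pass:
        findings.append("SPF, DKIM and DMARC all pass: sender authentication is not the signal here")
    if to_addr and to_addr != delivered_to:
        findings.append(f"To: {to_addr} is not the mailbox it was delivered to ({delivered_to})")
    if msg.get("Resent-From"):
        findings.append(f"Resent-From: {parseaddr(msg['Resent-From'])[1]} redistributed the message")
    if any(d != from_domain for d in return_path_domains):
        findings.append("bounce address domains " + ", ".join(return_path_domains)
                        + f" differ from the From: domain {from_domain}")
    if "SCL" in report:
        # SCL is Microsoft's spam confidence level; 0 and 1 mean "not spam".
        findings.append(f"Forefront SCL={report['SCL']} via relay {report.get('H', '?')}")
    return {
        "verdicts": verdicts,
        "all_auth_pass": all_pass,
        "to_matches_delivered_to": to_addr == delivered_to,
        "resent_from": parseaddr(msg.get("Resent-From", ""))[1],
        "from_domain": from_domain,
        "return_path_domains": return_path_domains,
        "scl": report.get("SCL"),
        "relay_host": report.get("H"),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(RAW_HEADERS)["findings"]:
        print("-", line)
```

Because DMARC aligns on the DKIM d=microsoft.com signature, the onmicrosoft.com bounce address is not an authentication failure; the signals a filter rule could key on are the redistribution ones (To: versus Delivered-To:, Resent-From:).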

I have to admit that it is crafty for a threat actor to use Microsoft’s own infrastructure to send scam emails. It illustrates how threat actors are evolving to bypass whatever guardrails and safeguards exist in order to get you to fall for their scam.

As for the phone number, I called it. You shouldn’t, but I did. Nobody picked up my call. A major company like Microsoft would have picked up, which highlights that this is a scam.

After looking at all of this, I told the reader to report it by sending the email he got as an attachment to abuse@microsoft.com so that they can look at it. The reader also used Google Workspace’s “report phishing” option, as he’s a Google customer when it comes to email. By doing both, I hope this scam gets shut down ASAP, as I can see people falling for it.

A New And Slightly Different Canada Post Delivery #Scam Email Is Making The Rounds

Posted in Commentary with tags on July 22, 2024 by itnerd

Today in my inbox I got a new Canada Post delivery scam email that I want to share with you. Let’s dive in.

Let’s start with what’s wrong with this email. For starters, Canada Post would never send you an email like this. Besides that, there’s no name, address or tracking number on this email. Those should be immediate red flags. Then there’s this:

    An email address that isn’t Canada Post. #Fail.

    So far this is a pretty low effort scam email that is likely to have a success rate that is close to zero. But what would they be after. Not that you should, but I clicked on the “My Package” button and I got taken to this website.

    The first #Fail with this website is that if you look at the address bar, this website isn’t Canada Post as the real website is https://www.canadapost-postescanada.ca. So that should scare you into running from this website as quickly as possible. But let me go deeper to find out what their game is.

    I haven’t typed in a single thing and it somehow knows that a delivery attempt was made. How is that possible? It isn’t is the correct answer. But if you ignore that, I apparently owe $2.99. Seeing as there’s nothing that identifies me, I don’t know how that is possible as well.

    First it asks for your name and address. You can see that I filled in some information.

    And here we go. It’s asking for my credit card info. That’s interesting seeing as the email that I got said this.

    I guess they’re hoping that you won’t notice that part. Now I couldn’t get past this point as this website had code to check that the credit card number was valid. But I think that you get the point. It’s one of many Canada Post delivery scams that have a slightly different flavour in order to fool you. Thus if you see this email hit your inbox, delete it and move on with your life.

    Ticket Heist fraud gang uses 700 domains to sell fake Olympics tickets

    Posted in Commentary with tags on July 11, 2024 by itnerd

    Quo Intelligence has put out a report detailing a massive fraud campaign run by a group known as Ticket Heist. The campaign uses over 700 domain names and is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris, among other events:

    Our main takeaways and key findings in this article include:

    • As of July 2024, QuoIntelligence identified 708 domains linked with the Ticket Heist campaign, targeting mainly Russian-speaking individuals across the globe.
    • The Olympic Games Paris 2024 and UEFA EURO 2024 events are at the highest level of risk at the time of reporting, given that multiple domains that are part of Ticket Heist lure users into buying tickets from untrusted and unofficial platforms.
    • The impacts of such a campaign are multifaceted, affecting both individuals and event organizers with financial losses, reputational damage and loss of trust.
    • The fraudulent ticket sales extend beyond sporting events to various activities, including music festivals featuring famous musicians.

    Rogier Fischer, CEO, Hadrian had this to say:

    Major sporting events have always been the targets of cybercriminals, with motives ranging from the trivial to the critical, noted Rogier Fischer, CEO of Netherlands-based cybersecurity service Hadrian. “Hackers targeted the Winter Olympics 2018 in Pyeongchang, causing disruptions during the opening ceremony as retaliation for Russia’s ban due to doping, while in 2009, a hacker intercepted the Super Bowl XLIII broadcast, just to air inappropriate content,” he explained.

    In the case of large public events, we expect the organizers to enhance network security with regular audits, secure Wi-Fi networks, and multi-factor authentication etc. However, when it comes to scams like these, the real defence lies with the end user, he said. “Always use official sources for purchases, enable multi-factor authentication, and be cautious of unsolicited offers, ensuring you regularly check for unauthorized transactions. To spot fake offers, verify the URL, look for comprehensive contact information, assess website quality, search for reviews, and ensure the website accepts secure payment methods,” he suggested.

    All of this is good advice as the only way that you can be caught out by one of these campaigns is to not be on your toes in terms of looking out for them.

    This Pop Up #Scam Victim Is Very Lucky

    Posted in Commentary with tags on June 20, 2024 by itnerd

    A couple of days ago I was working on site with a client when I got an email saying that a home client of mine had been “seriously” hacked. I dropped what I was doing and tried to phone them. But there was no response. I also responded to the email with some contact info. No response. An hour later, my client called me back in a complete panic. But by that point, I had already made arrangements to return to Toronto, as I was out of town, to assist with this.

    When I arrived later that day she handed me her MacBook Pro, and I saw this:

    Now if you’re wondering why I left the IP address visible, Bell rotates those IP addresses so often that it simply doesn’t matter if it’s displayed or not. In any case the client told me that she was surfing the Internet and this screen appeared. It was making lots of noise and she couldn’t close it. So in a panic she phoned the number. That response isn’t a surprise because this is a pop up scam. The pop up makes you think you have some sort of critical issue with your computer, and they often play noises like sirens which, when added to the text on the screen, makes you more likely to call the number. And if you’re wondering how the pop up gets onto someone’s computer, scammers plant these all over the Internet using a variety of means that I won’t get into here. From there it’s just the law of averages in terms of whether you hit one of these by browsing to a legitimate website that has, for lack of a better word, been “boobytrapped” with a pop up like this one.

    Pro Tip: The way you deal with this is to try and close the pop up. If you can’t close it, press and hold the power button to turn off the computer. Then turn it on again. If the pop up returns after that, call a computer professional for assistance. But under no circumstances should you call the number that’s on the screen.

    Unfortunately in this client’s case, she called the number. And according to her, the scammers at the other end of the line, who were pretending to be Apple Support, convinced her that her bank account and “all her personal information” had been hacked as he could see it right on his screen. They asked her what kind of computer she had, and when she replied that she had a Mac, they surprisingly didn’t try to connect to it (I confirmed that this was the case when I examined the computer). Instead, they launched straight into executing the scam. The fake Apple Support rep then got another person on the line who pretended to be her bank to help her to “secure her account.”

    Now there are three things about this interaction that I should point out. First, Apple would never, ever connect you to your bank because they don’t have the ability to do that. Second, at no point was she asked about which bank she dealt with. Which means that it would have been impossible for this fake Apple Support rep to connect her to the right bank even if they did have the ability to do that. Nor would it have been possible for them to see on their screens that her bank account was hacked. But the reason why she was falling for it was that they were weaving a story that was convincing to someone who was under a lot of stress. And the stress was created by them via the pop up and what they had said to this point. Scammers do that because it stops you from thinking critically. Which means you’re more likely to make less rational decisions and fall for the scam.

    Now let me cover the part about the scammers not connecting to her computer as that was unusual. The typical scammer behaviour is that they want to connect to your computer using a tool like AnyDesk or TeamViewer. But once connected they will often install a piece of software called ConnectWise Control which operates in the background without your knowledge and allows the scammers to come and go from your computer as they please. Put another way, they are always watching you and can steal personal information at will. The other reason why they do this is that they will use this to watch you while you log into your bank account so that they can steal money right from your bank account if they can, or figure out how much they can get you to withdraw from it so that you can send it to them. My only thought as to why they did not connect to her computer is that they either didn’t know how to do all of that with a Mac (which is ironic as they were pretending to be Apple Support), or they didn’t want to deal with trying to talk her into installing the software that they would need to pull this off as that would have required an admin password that she may or may not know. Thus they went right to executing the scam.

    At this point the fake bank employee started to add to this story that someone at the bank branch that she went to was stealing money from people’s accounts, and they needed her to “secure her account” so that she could avoid being the next victim. Thus they needed her to take out as much money as possible and then put it into “secure encrypted cards” in order to protect her funds. Now I am going to assume the scammers were using the term “secure encrypted cards” to cover up the fact that she was going to be told to buy gift cards so that the scammers could get the money easily.

    Let’s dissect this. Major banks don’t need your help to hunt down bad actors who work for them. So if you hear this sort of thing from anyone claiming to be a bank employee, they are lying. Next, no bank on this planet would ever require you to “secure your account”. If there was some sort of fraud issue caused by a bad actor inside a bank, it would be dealt with by the bank. And no bank, government agency, law enforcement, etc. would require you to buy gift cards for any reason.

    The final part of this scam was that she was also told that her entire network was hacked and she shouldn’t tell anyone about what was going on. And any attempt by anyone to do things like email for help or make a phone call would be seen by the hackers that they claim were hacking her. This is an attempt by the scammers to stop the victim from calling for help as that would disrupt the scam and result in the scammers not getting paid.

    Back to the scam, all of this would have worked out for the scammers as this client had completely bought in. But unfortunately for the scammers, the client’s daughter-in-law came home and upon hearing what was going on, quickly put an end to the scam by making the client hang up the phone. So the client didn’t lose any money. But even though she got lucky and had a good outcome, if there is any such thing in a situation like this, she was really freaked out. Which is understandable.

    By the time that I arrived, she had gone to her bank who confirmed that she had not lost any money. Thus all I had to do was examine her computer to make sure that it was not compromised and reassure her that everything would be fine. And that’s the thing that really bothers me about what these scumbags do. They leave people in a state where they are shaken, upset, and not trusting of anything and anyone. That is part of the reason why I turned over all the information about these scumbag scammers, and the story behind it to the Scambaiting community. Essentially Scambaiters are digital vigilantes who take this sort of information and use it to collect intelligence about scammers that are passed on to others in the community, and they use that intelligence to disrupt the scammers operations. Because I want the scumbags behind this to pay some sort of price. Ideally that price should be jail, but since the Indian authorities (The scammers had significant Indian accents, so it’s a safe bet that they are Indian), are known for not seriously going after scammers unless forced to, then vigilante justice is the next best thing.

    I have it in my calendar to follow up next week to make sure all is well with this client. But frankly, we should not be living in a world where scammers can operate as freely as they do. Scammers should be treated like cockroaches, and exterminated from the face of the Earth. And I will do my part to make sure that they get what’s coming to them.

    It Appears That I Was Targeted In Either A Pig Butchering #Scam Or A Romance Scam On Mastodon

    Posted in Commentary with tags on May 29, 2024 by itnerd

    Before I do anything else, let me explain what a Pig Butchering Scam is. Wired will help me with this part:

    Pig butchering scams originated in China, where they came to be known by the Chinese version of the phrase shāzhūpán because of an approach in which attackers essentially fatten victims up and then take everything they’ve got. These scams are typically cryptocurrency schemes, though they can involve other types of financial trading as well.

    Scammers cold-contact people on SMS texting or other social media, dating, and communication platforms. Often they’ll simply say “Hi” or something like “Hey Josh, it was fun catching up last week!” If the recipient responds to say that the attacker has the wrong number, the scammer seizes the opportunity to strike up a conversation and guide the victim toward feeling like they’ve hit it off with a new friend. After establishing a rapport, the attacker will introduce the idea that they have been making a lot of money in cryptocurrency investing and suggest the target consider getting involved while they can.

    Next, the scammer gets the target set up with a malicious app or web platform that appears trustworthy and may even impersonate the platforms of legitimate financial institutions. Once inside the portal, victims can often see curated real-time market data meant to show the potential of the investment. And once the target funds their “investment account,” they can start watching their balance “grow.” Crafting the malicious financial platforms to look legitimate and refined is a hallmark of pig butchering scams, as are other touches that add verisimilitude, like letting victims do a video call with their new “friend” or allowing them to withdraw a little bit of money from the platform to reassure them. The latter is a tactic that scammers also use in traditional Ponzi schemes.

    Though the swindle has some new twists, you can still see where it’s going. Once the victim has deposited all the money they have and everything the scammers can get them to borrow, the attackers shut down the account and disappear.

    As for the romance scam, the RCMP will help me with that:

    A romance scam is when a person creates a false identity and pretends to have romantic feelings for a victim to gain their trust and affection for the purpose of obtaining their money. The scam usually unfolds like this:

    Step 1: Fraudsters research potential victims online, including reviewing their social media posts, to develop a tailored strategy for each victim and improve their chances of success.

    Step 2: After developing an online relationship and gaining the victim’s trust, the fraudster usually fakes a scenario where they need quick money — such as a crisis or an investment opportunity.

    Step 3: The scammer then requests money, cryptocurrency, gifts, or investments. They might also send money to the victim to build further trust or engage the victim as a money mule or courier in an illegal transaction. Eventually the victim becomes aware of the scam, many times after they’ve handed over thousands of dollars, at which point the fraudster stops communicating with them.

    So with those explanations out of the way, let me explain why I feel I was targeted in one or the other type of scam.

    Early today I got this message over Mastodon after I got followed by this person:

    Now I was immediately suspicious right out of the gate as this fits the hallmarks of either type of scam. But in the interest of science, I played along. At the same time, I poked around this Mastodon profile. In short:

    • They had been a member of Mastodon since October 2023
    • They had 14 posts.

    Those are sort of red flags. But I needed more evidence to confirm what I was suspecting. And after interacting with this person for a while, I got it:

    Scammers will often try to take you off the platform that you meet them on to a place like Telegram to continue the conversation and lead you down the path to separate you from your money. Thus this confirmed that this was some sort of scam. As a result I blocked this person on Mastodon. Honestly, I am surprised that something like this hasn’t happened sooner on Mastodon. Or maybe it has and I wasn’t aware of it. I say that because these scams are easy enough to perpetrate on other types of social media. But the decentralized nature of Mastodon makes it way easier to pull something like this off because if a scammer gets caught out, they can set up another account on another Mastodon server and try again.

    Regardless of what social media platform you use, you need to be aware of this sort of thing so that you don’t become a victim. And now, back to your regularly scheduled programming.

    Printer Tech Support #Scams Are No Laughing Matter

    Posted in Commentary with tags on May 10, 2024 by itnerd

    Fun fact. Or perhaps not such a fun fact. More and more companies have done away with having a phone number that you can call for technical support. Having a tech support line and staffing it with competent people is a cost that businesses want to avoid. So these businesses have moved to doing email or online support such as a chat bot as that’s much cheaper. But many consumers are used to calling someone for help with their tech. Scammers know this and have filled in the void by creating technical support scams that are easy for the unsuspecting to find via a Google search. What I mean by that is that scammers will poison Google search results so that their scams pop up first as the natural human tendency is to click on the first, second or third result in a Google search. Then if the unsuspecting person calls the number, bad things will happen to them.

    That’s what happened to an elderly couple yesterday. They had their Bell Fibe modem replaced and everything was fine except their Brother printer, which was wireless, wouldn’t print. So they Googled for a tech support number for Brother and somehow ended up in the hands of a company called Stallions Geek Solutions. More on them later. But what happened over the next hour or so was that someone who gave this couple only his first name and an employee number (Top tip: If a tech support person gives you only their first name and employee number on a phone call, that should be a red flag that something might be up as no legitimate tech support organization would ever do that) used TeamViewer to connect into their Mac to attempt to fix the problem. When the printer still wasn’t working, he claimed that this was a “driver issue”, and then said that he would have to escalate this to someone senior who would call them back, and it would cost them $200 to fix the problem. But first the couple would have to fill out a form that was asking for all sorts of personal information. The couple did start to do that but got suspicious and hung up the phone. That’s when I got a phone call that made me drop what I was doing to drive to their home and investigate.

    Now the actual problem with the printer was really simple. The printer as I said earlier was a wireless one. So when Bell replaced the modem, nobody updated the printer’s wireless configuration so that it knew how to connect to the new modem. That’s why it wouldn’t work, and that took me a grand total of four minutes to sort out. Any person with even a basic understanding of how this stuff works who listened to the situation should have come to that conclusion. But clearly these scammers weren’t competent enough to do that. Or they were simply too focused on putting on a show so that they could execute their scam.

    When I examined the Mac, I found a copy of TeamViewer. And based on the TeamViewer logs, it looks like the scammer tried to set it up so that they could connect to the computer any time they wanted. But they failed miserably in doing so. I didn’t find any evidence of any other remote access software like ConnectWise which is a favourite of scammers these days. So while I have to follow up with them in a few days, I felt confident in saying that their Mac was clean. And I think what saved them from something much worse happening was that the scammer didn’t really know his way around a Mac, and they refused to give the scammer their admin password for the Mac. If they did, he could have done anything he wanted. But they didn’t which limited what the scammer could do.
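The check described above (did the scammer leave TeamViewer, ConnectWise Control or similar set up to come back on its own?) is one that can be scripted. The following Python is an added example, not code from this blog or from any of the vendors named: it sweeps the standard launchd directories on a Mac for entries that reference a remote-access tool and reports whether they are set to run at login or be kept alive, which is what turns a one-time support session into a permanent back door. The keyword list is an assumption (a starting point, not an inventory of every remote-access product), and the entries that demo() writes to a temporary directory are constructed samples with a made-up TeamViewer-style label and path.

```python
"""Sweep macOS launchd directories for remote-access tools set to auto-start.

Added example, not code from this blog or from TeamViewer/ConnectWise/AnyDesk.
The keyword list is an assumption; demo() writes constructed sample plists.
"""
import os
import plistlib
import tempfile
from typing import Any, Dict, List, Optional

# Standard launchd locations: per-user agents, system-wide agents, system daemons.
DEFAULT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Tools named in the post plus AnyDesk; ScreenConnect is ConnectWise Control's
# older name. Assumed starting list: extend it for your environment.
REMOTE_ACCESS_KEYWORDS = ["teamviewer", "anydesk", "connectwise", "screenconnect"]


def plist_strings(value: Any) -> List[str]:
    """Flatten every string in a parsed plist so keywords can be matched against
    the Label, the Program path and the ProgramArguments alike."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        return [s for v in value.values() for s in plist_strings(v)]
    if isinstance(value, list):
        return [s for v in value for s in plist_strings(v)]
    return []


def inspect_plist(path: str) -> Optional[Dict[str, Any]]:
    """Return a finding if this launchd plist references a remote-access tool."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # unreadable or not a plist: skip it, keep sweeping
        return None
    text = " ".join(plist_strings(data)).lower()
    hits = [k for k in REMOTE_ACCESS_KEYWORDS if k in text]
    if not hits:
        return None
    entry = data if isinstance(data, dict) else {}
    return {
        "path": path,
        "tools": hits,
        "label": entry.get("Label"),
        # These two keys are what make the tool come back without the user doing anything.
        "run_at_load": bool(entry.get("RunAtLoad", False)),
        "keep_alive": bool(entry.get("KeepAlive", False)),
    }


def sweep(dirs: Optional[List[str]] = None) -> List[Dict[str, Any]]:
    """Inspect every .plist in the given (or default) launchd directories."""
    findings = []
    for d in dirs or DEFAULT_DIRS:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                finding = inspect_plist(os.path.join(d, name))
                if finding:
                    findings.append(finding)
    return findings


def demo() -> List[Dict[str, Any]]:
    """Constructed sample: one benign agent and one hypothetical TeamViewer-style
    service, written to a temp directory and swept. Label and path are made up."""
    d = tempfile.mkdtemp()
    samples = {
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
            "RunAtLoad": True,
        },
        "com.teamviewer.service.plist": {
            "Label": "com.teamviewer.service",
            "ProgramArguments": ["/Library/Application Support/TeamViewer/TeamViewer_Service"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, payload in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(payload, fh)
    return sweep([d])


if __name__ == "__main__":
    for f in sweep():
        print(f"{f['path']}: {f['tools']} RunAtLoad={f['run_at_load']} KeepAlive={f['keep_alive']}")
```

Run it as the affected user so the per-user LaunchAgents folder is the right one. A hit is not automatically malicious: a tool the owner installed themselves will show up too, so the question to ask about each finding is whether the owner put it there and whether RunAtLoad or KeepAlive makes sense for how they use it.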

    So, who are these Stallion Geek Solutions people? Using the number that they called, I managed to hunt down their website. Now I won’t post the URL for the website, but I will show you what it looks like:

    It looks pretty. But to be totally honest, it’s one of the worst websites that I have ever seen. The text on it would make an English teacher cringe. It was clearly written by someone whose first language wasn’t English and the text that is there seems to be there to fill in space so that it makes this business look legitimate. Or put another way, they’re likely hoping that people won’t look at the details of the website and come to the conclusion that this business isn’t who they say that they are. To add to that, some of the links on the website go nowhere, which for a company who claims that they do web design among other things is pretty bad. For fun I checked their domain registration and found that the domain was registered in Europe. But all the administrative and technical contact info had been redacted for privacy. That isn’t unusual in isolation. But it combined with what else I am going to serve up makes this company look suspect.

    This company had a Canadian address, but when I looked at it on Apple Maps, it was in a home in suburban Toronto. Again, by itself that’s not unusual. But when I checked to see what “Printer Services” that they offered, this made it unusual:

    This was on the same page as their Canadian address. So are they in Canada or Australia? I’m guessing that they’re at neither place. Or maybe the Canadian address is some sort of front for the company as Apple Maps lists the company as operating out of the home that I spoke of earlier. And the company is elsewhere on the planet.

    Finally, the phone number that the couple phoned was implicated in a pop up scam back in 2022. I discovered that by running the number through a number of Scambaiter websites and getting a few hits. Such as this one:

    In case you’re not familiar with the term, scambaiters are basically people who go after scammers by pranking them and doing everything that they can to disrupt their operations as it’s difficult if not next to impossible to get scammers arrested. Thus they feel that vigilante justice is better than no justice.

    There’s enough evidence here that I think that I can conclude that this company was out to scam this couple, and that this company is likely some sort of scam operation. As part of this incident I passed the TeamViewer log files along to TeamViewer so that they can take action against these scammers. TeamViewer can use these logs to remotely disable the scammers’ copy of their software so that they can’t use it. That will put them out of business for a bit until they find some other remote access software to use.

    Now if you need tech support for some piece of tech, Google is not your friend. Like I said earlier, scammers will do things to ensure when the search results pop up, they appear ahead of legitimate companies. Thus my recommendation is to go directly to the official website of the product manufacturer and only use their official channels for tech support. And if they don’t have actual phone support, don’t go hunting for some sort of phone number. That will only end badly for you because there are no “secret” or “unpublished” phone numbers for tech support, despite what you might have heard.

    I’ll be updating this story with new information as warranted. But for now, consider this situation a cautionary tale of what can happen if you are not careful in terms of how you’re looking for tech support for the tech that you own.

    A New Bell Telephone #Scam Is Making The Rounds

    Posted in Commentary with tags , on May 9, 2024 by itnerd

    I’ll say right up front that I am still investigating this, thus details are a bit light. But having said that, I wanted to make sure that this new scam involving Bell Canada is out there so that you are aware and can protect yourself accordingly.

    Yesterday, my home number (as opposed to my business number) got a call which went to voice mail as nobody was home at the time. When I played the message back, it was a pre-recorded message that was claiming to be from Bell Canada. And that they were disconnecting my Internet and TV “line” temporarily. I was then prompted to press one to get to a representative or press two to get to technical support to “address the unusual activity on your line.” So what the scammers are hoping that you will do is freak out because your Internet is being disconnected or that you have “unusual” activity on your connection and engage with them. Then they can execute whatever their evil plan is, which at this point isn’t clear.

    Now while Bell Canada is our telco provider at the moment, I knew right away that this was clearly a scam. For starters, the audio quality was horrible. No telco would ever have an outbound message with audio that was that bad. That made me think that it might be the same threat actors that were behind this Bell Canada scam from a few weeks ago who clearly haven’t improved their approach to this scam. The second thing was the number that they were calling from. It was from an 847 area code which is in Illinois and not Canada. So clearly the number is spoofed, and the threat actors aren’t smart enough to use a Canadian area code. Though there were two other things that tipped me off that this was a scam. But I am not going to disclose those at this time as I don’t want to give the threat actors ideas in terms of improving the effectiveness of the scam.

    Now related to this, I did find on DSL Reports that there’s a slightly different version of this scam making the rounds as well, which I suspect is from the same threat actors. You can read about that here. Clearly there’s an active scam campaign out there that while it won’t get non-Bell Canada customers, some Bell Canada customers will fall for whatever version of this scam that hits their phone. I’ll be reaching out to Bell Canada later today to see if I can get some comment and some advice so that you can better protect yourself from this scam. But if you get a call from someone claiming to be Bell Canada, I feel safe in saying that you should immediately hang up and call 310-2355 and verify that the call that you received was real. Chances are, it wasn’t.

    A Rather Bad iCloud #Scam Email Is Making The Rounds… And It Has A Twist To It

    Posted in Commentary with tags on May 4, 2024 by itnerd

    Scammers are really not even trying anymore. I say that because for the second day in a row, I am writing about a scam where the scumbag scammer doesn’t seem to be putting in any effort into making the scam convincing enough that someone would fall for it. It starts with this email hitting your inbox:

    If these scumbag scammers are trying to copy Apple’s look and feel, they’ve failed miserably. Assuming that this email, which I am certain isn’t in the same star system as Apple’s in-house branding guidelines, doesn’t scream scam, this might:

    That’s not an apple.com email address. Total #Fail. Besides those two things, I’ll point out that Apple lets you have 5GB of storage for free. After that, iCloud storage costs you money as evidenced by this link. So what the people behind this scam are trying to do is leverage the fact that the next jump in terms of storage capacity is 50GB, and that is normally a paid tier of storage that, if you buy into the email, is now supposedly “free”. Plus the added incentive for you to click through is that bad things will happen to you if you don’t do so. As in your files will get deleted. Which is false, as running out of iCloud storage doesn’t delete what’s already there. What will happen is that you will not be able to save anything new into an iCloud account that is out of storage. But what’s already there will remain there.

    I’m pretty sure that 99% of people who get this email will simply delete it. But as I have said numerous times, scams don’t have to be successful in volume to be successful. Thus let’s see what the 1% who click through see:

    This fake iCloud website is only slightly more convincing than the email in terms of trying to copy Apple’s branding as well as their look and feel. And by the way, seeing as I haven’t logged into anything, how could this website know that my iCloud storage is full? It can’t which is further evidence that this is a scam. But let’s go down the rabbit hole. Clicking continue gets you this:

    There’s this questionnaire that they want me to fill out. Why? What relevance does the following have to my iCloud storage:

    • Where am I
    • Gender
    • Age

    Logically, Apple would already have this information if I logged into my iCloud account. Which I haven’t. Oh, by the way, this scam website makes reference to Apple’s “loyalty program”. News flash, Apple doesn’t have one. Then there’s the countdown clock to entice you to click through and do what the website wants you to do. Apple would never do that. Finally, if you look at the address bar, that’s not an Apple website: the hostname isn’t apple.com or a subdomain of it. Note that it’s the hostname that has to match, not the text of the address, as a scammer can put “apple.com” somewhere in a web address that actually goes somewhere else entirely. So yeah, this is still a scam. Anyway, the website, once you answer these dumb questions, will say you’ve qualified for the upgrade of your iCloud storage.

    Yee haw.

    Here’s what happens next:

    You can already guess where this is going. The scumbags want to swipe your credit card details along with possibility your iCloud username and password. Let’s see if I am right:

    So it appears that I am right about the fact that they want to swipe your iCloud credentials. Why, I don’t know. Other than faking that this is a legitimate site, which they didn’t even try to do earlier on in this scam when they perhaps should have to make the scam more convincing, there doesn’t seem to be any other reason that I can think of for this to exist. So I entered some bogus credentials into this site to get to this:

    And here’s the part where the unwitting type in their credit card details so that these scammers can go to town at your expense. And look at the top right corner. This transaction is Verified By Visa and MasterCard. Sure it is. Anyway, the page has logic in it to check the card number, so a made-up number won’t get you through. Thus I wasn’t able to go past this screen. But you get the point.

    In my opinion, this is a pretty unconvincing scam that maybe 1% of the population will fall for. But I guess that these guys are fine with a 1% success rate as that could be hundreds or thousands of dollars every time someone falls for it. I’ll be reporting this scam website to Google, Firefox and Microsoft which means that this website will have even less traffic.

    Before I go, there’s one more thing. If you go to this site using Google Chrome (I used Firefox for the screenshots above), you get this:

    Great, this is one of these scam websites that is going to be a pop up hell. And sure enough:

    It seems I am correct. Just because I have nothing better to do, I will click on the McAfee one and see what happens:

    It sent me to another website that pretended to scan my computer and it pretended to find all sorts of viruses. What’s hysterical about this is that it says that my phone is damaged by viruses. But I was running macOS inside a virtual machine when I did this. What losers. If I click “renew subscription” it kicks me to the real McAfee website via an affiliate link which would allow the scumbags behind this to make a few extra bucks. So in short, they are trying to get you in any way they can. Just to rain on their parade, I reported this website to Google and Microsoft as well so I can put an end to their fun. It’s the least that I can do to help keep the Internet safe from scumbag scammers.

    A Text Message #Scam Using Scotiabank’s Name That Is Run By Incompetent Scammers Is Making The Rounds

    Posted in Commentary with tags , on May 3, 2024 by itnerd

    Now that tax season is over in Canada, I guess the scumbag scammers of the world have moved on to text message based phishing scams. Take this one using the name of Scotiabank:

    Now this should stretch the boundaries of credibility right out of the gate because it references the first four digits of a Scotiabank debit card number. Why is that important? Every Scotiabank debit card starts with “4536”, which means that the scumbag scammers are hoping that you won’t pay attention to that rather than saying “if this were meant for me specifically, they would be using the last four digits of my debit card as that’s unique to me.” Another area where this text message loses credibility is the website that the scumbag scammers want you to go to. Scotiabank does not own a domain called “Https://auth-scotiabankcanada.com” nor would any communication coming from Scotiabank have a capital H in it. So who owns this domain? For giggles, let’s have a look:

    Hmmm…. This traces back to .ru which is Russia the last time I checked. Maybe that’s accurate. Maybe it isn’t. But it sure isn’t Scotiabank.

    So right there, we have more than enough evidence to say that this is a scam, and that you should delete this text message. But because that’s not how I roll, let’s see what happens when I click on the link, which by the way you should never ever do:

    Well, I see that it’s amateur hour with this particular scumbag scammer. I say that because whoever is behind this scam can’t set up a website that uses SSL encryption properly. That means that 99% of people will not get scammed because these clowns are too stupid to set the scam up properly so that a web browser can get to the scam website. More on how they screwed that up in a second.

    So after figuring out where they went wrong with their website, and passing by a CAPTCHA (which seems to be a thing with these phishing websites as of late) that even snagged my IP address:

    I got this:

    I wonder how that compares to the real login screen for the real Scotiabank website…..

    It’s a very, very good copy of the real Scotiabank website. Though the real site uses SSL encryption as evidenced by the padlock in the address bar at the top left. And the fake one doesn’t use SSL encryption at all. This is noteworthy because the text message that the scammers send you uses “HTTPS” in the link that is in the text message. That means that if you click on it, the web browser will request an SSL encrypted web page. And when it doesn’t get it, the browser throws an error message like the one that I took a screenshot of. Now this, combined with the fact that web browsers in 2024 only want to deal with SSL encrypted web pages, and warn you when they don’t get one as it’s a bit of a security risk, shows you that these scumbag scammers really didn’t do their homework. As a result they screwed up the execution of this scam.

    Regardless, I can see how someone might be fooled by this scam website. Not to mention the fact that if you look at the address bar, you’ll see “https://auth.scotiaonline.scotiabank.com”, which is very similar to the scammer’s website, which is “https://auth-scotiabankcanada.com”. This is an old trick that scammers use: they come up with a URL that, unless you’re paying attention, you might not notice is not the same as the website that you are used to going to. That highlights the fact that you need to look at the URL closely before you type your credentials into a website. Or better yet, bookmark the websites that you go to and only use your bookmarks so that you know that they can be trusted.

    Back to the scam. I entered some bogus credentials and got this:

    Based on the questions, it looks like the scumbag scammers are running an identity theft scam for starters. I am basing that on asking for your mother’s maiden name which is a common security question. I entered some bogus info and got this:

    So it’s not just your identity that they’re after. They want your card number right down to your ATM PIN number. That suggests to me that anyone who is unlucky enough to fall for this scam might be dealing with a group of scumbag scammers who are going to use this info to drain your bank account dry. Possibly by going to an ATM with a card that they create with this information. That implies that the scammers might be in Canada. And the Russian registration may be a ruse.

    So, given the incompetence of the scammers behind this, combined with the fact that I reported this scam website to Google via this link, and to Microsoft via this link, I suspect that this website will have few if any victims. But it illustrates that you really need to question the legitimacy of anything and everything, along with doing some detective work if required to stay safe online. I say that because even incompetent scumbag scammers like these ones can get lucky and get a great payday at your expense.