Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 8 April 2012

Liberty Reserve investment spam

I received an e-mail on Feb 6th (yes I know, that was two months ago, but bear with me), claiming to be from Liberty Reserve. As I have Outlook show all e-mail in plain text, I didn't see what was going on at first. I fired up Pocketknife Peek, which allows the showing of headers and such, and looked at the original HTML version, which showed exactly what was going on: Liberty Reserve's own affiliates have decided fraud just isn't enough, they want to go for good ole' affiliate spam too.

This particular one links to:

hxxps://sci.libertyreserve.com/?lr_acc=U1209005

The portion after lr_acc= is the affiliate's ID.

The e-mail originated from:

IP: 62.193.15.160
IP PTR: 62.193.15.160.dpi.ir
ASN: 5618 62.193.8.0/21 DPI DP IRAN

inetnum: 62.193.15.128 - 62.193.15.191
netname: DPI-Radcom
descr: DPI IDC: Radcom Co. Servers Zone
country: IR
admin-c: AA5428-RIPE
tech-c: AA5428-RIPE
status: ASSIGNED PA
mnt-by: DPI-MNT
source: RIPE # Filtered

person: Ali Amiri
address: DP Iran Co.
address: #216 , Nejatollahi Ave.
address: Tehran, 15987
address: IRAN
phone: +98 21 88903251
fax-no: +98 21 88901713
e-mail: amiri@dpi.ir
e-mail: amoghadam@dpimail.net
nic-hdl: AA5428-RIPE
mnt-by: AAM-MNT
source: RIPE # Filtered

% Information related to '62.193.8.0/21AS5618'

route: 62.193.8.0/21
descr: DP IRAN
origin: AS5618
mnt-by: DPI-MNT
source: RIPE # Filtered

% Information related to '62.193.15.0/24AS5618'

route: 62.193.15.0/24
descr: DP Iran
origin: AS5618
mnt-by: DPI-MNT
source: RIPE # Filtered


The headers:

Return-Path: <no_reply@libertyreserve.com>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 9.71
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.71 tagged_above=-9999 required=1.3
tests=[ACT_NOW_CAPS=2.211, BAYES_00=-1.9, FH_FROMEML_NOTLD=1.082,
FS_LARGE_PERCENT2=1.96, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001,
MPART_ALT_DIFF=0.79, ONE_TIME=0.714, RCVD_IN_BRBL_LASTEXT=1.449,
RDNS_NONE=0.793, RISK_FREE=0.001, SPF_FAIL=0.001,
SPF_HELO_PASS=-0.001, SUBJ_ALL_CAPS=1.506, TO_NO_BRKTS_PCNT=0.001]
autolearn=no
Received: from server144.dnslake.com (unknown [62.193.15.160])
by mail4.emailconfig.com (Postfix) with ESMTP id 1711739814F
for <[REMOVED]>; Mon, 6 Feb 2012 22:52:19 +0000 (GMT)
Received: (qmail 32531 invoked from network); 7 Feb 2012 02:20:43 +0330
Content-Type: multipart/alternative;
boundary="===============4901855315610602507=="
MIME-Version: 1.0
Subject: [SPAM] =?iso-8859-1?q?GUARANTEED_200=25_MONEY_IN_5_DAYS_!!!?=
From: =?iso-8859-1?q?no=5Freply=40libertyreserve=2Ecom?=
Message-Id: <20120206225221.1711739814F@mail4.emailconfig.com>
Date: Mon, 6 Feb 2012 22:52:19 +0000 (GMT)
To: undisclosed-recipients:;



The content of the e-mail itself:

============================================
Please note that in all e-mails from Liberty Reserve we will:
Always address you by your first name.
Never send you any links or attached files.
Never ask you to send us your password and/or login PIN.
============================================

Dear Members,

Liberty Reserve has made considerable progress and improvement, it has become the leading e-currency and its services are being improved continuously.

Recently we have estabilished a very important relation with leading Forex traders from Costa Rica and we decided to give a special offer to you:

GET 200% LR MONEY RETURN IN 5 DAYS !!!!

Example:

You deposit $100 we return $200

You deposit $1000 we return $2000

You deposit $5000 we return $10000

This opportunity will not last long, so you must react quickly.

Deposits are accepted until February 15.2012 00:00 (GMT).

One unit in this special program is worth 100 US dollars. The minimal deposit is 1 unit ($100), while the maximum deposit is 1000 units ($100000) per member.

You need to make a spend to: Liberty Reserve account U1209005 -https://sci.libertyreserve.com/?lr_acc=U1209005

The 200% payout will be made back to your LR account in 5 days.

The payout is AUTOMATICAL, GUARANTEED and there is NO RISK from losing your funds.

This is a TIME LIMITED ONE-TIME OFFER and you must ACT NOW!

Please DO NOT reply to this e mail.

For information and support please use our contact form in the help section of our web site.

Thank you.

2002 - 2011 Liberty Reserve S.A. All rights reserved.
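As an added example (not part of the original post, and not hpHosts code), here is a small Python triage script that pulls the same points out of a raw message that were read off by hand above: the Received hop stamped by the recipient's own mail server (which gives the real origin IP regardless of what the From header claims), the decoded RFC 2047 Subject and From, the SpamAssassin tests list, and any lr_acc= affiliate IDs in the body. The two sample messages are constructed from the February headers and link line quoted above and from the first hop of the March message quoted further down, trimmed, with the recipient left as [REMOVED]; the trusted MX name mail4.emailconfig.com is taken from those headers, and the function names are mine.

```python
import email
import re
from email.header import decode_header
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed samples built from the headers quoted in the post (trimmed,
# recipient left as [REMOVED]); folded header lines continue with a space.
FEB_RAW = """\
Return-Path: <no_reply@libertyreserve.com>
X-Spam-Score: 9.71
X-Spam-Status: Yes, score=9.71 tagged_above=-9999 required=1.3
 tests=[ACT_NOW_CAPS=2.211, BAYES_00=-1.9, FH_FROMEML_NOTLD=1.082,
 RDNS_NONE=0.793, SPF_FAIL=0.001, SPF_HELO_PASS=-0.001] autolearn=no
Received: from server144.dnslake.com (unknown [62.193.15.160])
 by mail4.emailconfig.com (Postfix) with ESMTP id 1711739814F
 for <[REMOVED]>; Mon, 6 Feb 2012 22:52:19 +0000 (GMT)
Received: (qmail 32531 invoked from network); 7 Feb 2012 02:20:43 +0330
Subject: [SPAM] =?iso-8859-1?q?GUARANTEED_200=25_MONEY_IN_5_DAYS_!!!?=
From: =?iso-8859-1?q?no=5Freply=40libertyreserve=2Ecom?=

You need to make a spend to: Liberty Reserve account U1209005 -https://sci.libertyreserve.com/?lr_acc=U1209005
"""

MAR_RAW = """\
Return-Path: <www@icp.yaton>
X-Spam-Score: 9.211
X-Spam-Status: Yes, score=9.211 tagged_above=-9999 required=1.3
 tests=[ACT_NOW_CAPS=2.211, DKIM_ADSP_DISCARD=1.8, NO_DNS_FOR_FROM=0.001,
 RDNS_NONE=0.793, SUBJ_ALL_CAPS=1.506] autolearn=no
Received: from icp.yaton (unknown [211.152.9.115])
 by mail4.emailconfig.com (Postfix) with ESMTP id E106D3981A2
 for <[REMOVED]>; Wed, 14 Mar 2012 08:17:43 +0000 (GMT)
Subject: [SPAM] GET 200% RETURN IN 5 DAYS
From: "no_reply@libertyreserve.com" <no_reply@libertyreserve.com>

Constructed body line: https://sci.libertyreserve.com/?lr_acc=U3399815
"""

# The recipient's own MX (from the post's headers). Only the Received line
# this host stamped is trustworthy; lower hops were written by the sender.
TRUSTED_MX = "mail4.emailconfig.com"

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")
LR_LINK_RE = re.compile(r"https?://sci\.libertyreserve\.com/\?[^\s\"'<>]*")


def decoded(msg, name):
    """Decode an RFC 2047 header (the Feb Subject/From are Q-encoded)."""
    out = []
    for chunk, charset in decode_header(msg.get(name, "")):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        out.append(chunk)
    return "".join(out)


def origin_hop(msg, our_mx=TRUSTED_MX):
    """HELO name, reverse DNS and IP of the host that handed the message to
    our MX, i.e. the real origin, whatever the From header claims."""
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_RE.search(rcvd)
        if m and m.group("by").lower().startswith(our_mx):
            return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}
    return None


def spam_tests(msg):
    """Parse the SpamAssassin tests=[NAME=score, ...] list into a dict."""
    status = re.sub(r"\s+", " ", msg.get("X-Spam-Status", ""))
    m = re.search(r"tests=\[(.*?)\]", status)
    if not m:
        return {}
    return {n.strip(): float(s) for n, s in
            (t.split("=", 1) for t in m.group(1).split(",") if "=" in t)}


def body_text(msg):
    """Concatenate the decoded text parts (single-part or multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def affiliate_ids(text):
    """Every lr_acc= affiliate ID found in Liberty Reserve SCI links."""
    ids = set()
    for url in LR_LINK_RE.findall(text):
        ids.update(parse_qs(urlparse(url).query).get("lr_acc", []))
    return sorted(ids)


def triage(raw):
    msg = email.message_from_string(raw)
    return {
        "subject": decoded(msg, "Subject"),
        "claimed_from": parseaddr(decoded(msg, "From"))[1].rsplit("@", 1)[-1].lower(),
        "origin": origin_hop(msg),
        "score": float(msg.get("X-Spam-Score", "0")),
        "spf_fail": "SPF_FAIL" in spam_tests(msg),
        "affiliate_ids": affiliate_ids(body_text(msg)),
    }


if __name__ == "__main__":
    for label, raw in (("Feb", FEB_RAW), ("Mar", MAR_RAW)):
        print(label, triage(raw))
```

Running it shows the mismatch the post is pointing at: both messages claim libertyreserve.com in From, yet the hop our own MX recorded came from server144.dnslake.com (Postfix logged the reverse DNS as "unknown", hence RDNS_NONE) and from icp.yaton respectively, with the February one also failing SPF. Treat anything below the trusted hop in the Received chain as sender-supplied text.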


So why am I mentioning this, given it is two months old and just bog-standard affiliate spam? Because of the content of the e-mail, strangely enough. Or more specifically, two lines of it that not enough people seem to keep in mind.

Phishing scams and bog-standard e-mail scams generally have one thing in common: they rarely include the details you'd expect in the legit versions. For banks etc., and the likes of eBay, PayPal etc., a legit e-mail will ALWAYS include your real name, for other sites.

This e-mail specifically states LR will always include your real name and will never include links, yet this one includes a link and doesn't include my real name (not surprising given it's spam, and I've never been a user of, or registered with, Liberty Reserve).

I know most will shrug this off and then not keep it in mind the next time spam/phishing e-mails come into their inbox. But one of the main reasons people fall for phishing scams, for example, is that they see the bank's name or the site's name and rarely read what the e-mail is actually saying before clicking; they never check where it is linking to before clicking; and, worse still, they never check the address bar in the browser once the phishing site itself has loaded. This needs to change.

If necessary, pop a sticky note on your monitor to remind you to:

1. Always fully read e-mails that come into your inbox
2. If an e-mail claims to be from your bank/eBay/PayPal etc., check it includes your FULL REAL NAME!
3. ALWAYS check where it is linking to before clicking it (hover your mouse over the link to do this)
4. ALWAYS check the URL in the address bar after it has loaded (assuming you've not done #3)
5. If an e-mail claims to be from your bank/eBay/PayPal etc. and asks you to open an attachment, DELETE IT - IT'S MALICIOUS!

Remind others of this too.

/edit

Forgot to mention, there have been 2 additional e-mails since the one in Feb, both in March and both with the same content.

Headers:

Return-Path: <www@icp.yaton>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 9.211
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.211 tagged_above=-9999 required=1.3
tests=[ACT_NOW_CAPS=2.211, BAYES_00=-1.9, DKIM_ADSP_DISCARD=1.8,
FS_LARGE_PERCENT2=1.96, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
NO_DNS_FOR_FROM=0.001, ONE_TIME=0.714, RDNS_NONE=0.793,
RISK_FREE=0.001, SUBJ_ALL_CAPS=1.506, TO_NO_BRKTS_HTML_ONLY=1.022,
TO_NO_BRKTS_NORDNS=0.001, TO_NO_BRKTS_NORDNS_HTML=0.001] autolearn=no
Received: from icp.yaton (unknown [211.152.9.115])
by mail4.emailconfig.com (Postfix) with ESMTP id E106D3981A2
for <[REMOVED]>; Wed, 14 Mar 2012 08:17:43 +0000 (GMT)
Received: from icp.yaton (icp.yaton [127.0.0.1])
by icp.yaton (8.12.8/8.12.8) with ESMTP id q2E6wpAW011996
for <[REMOVED]>; Wed, 14 Mar 2012 14:58:51 +0800
Received: (from www@localhost)
by icp.yaton (8.12.8/8.12.8/Submit) id q2E6wjoK011988;
Wed, 14 Mar 2012 14:58:45 +0800
Date: Wed, 14 Mar 2012 14:58:45 +0800
Message-Id: <201203140658.q2E6wjoK011988@icp.yaton>
To: [REMOVED]
Subject: [SPAM] GET 200% RETURN IN 5 DAYS
From: "no_reply@libertyreserve.com" <no_reply@libertyreserve.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-EsetId: B3625223B4977931E1270B



Both March e-mails came from the same origin IP, and the link in both led to:

hxxps://sci.libertyreserve.com/?lr_acc=U3399815
