Spam filters are pretty good these days. They filter out unwanted publicity, annoying mailing lists and emails that try to steal your money.

Typically it’s very easy to figure out whether an email is legit or not; however, they’re getting better, and unfortunately enough people fall for these schemes, which is why criminals keep sending them.

Today I received another great sample of a fraudulent email and I thought I’d share it, and show you how to avoid losing money and time.

Let’s have a look at the actual email I just received:

At first glance, this looks like a pretty reasonable invoice.

The links at the bottom of the message really do point to the Intuit domain. Intuit is a company that creates financial software (e.g. Quicken), so this looks like something that could be sent through one of their products – in this case “QuickBooks”. That’s the part of the email that is supposed to make it look more legit. It’s no coincidence.

However, when I right-click the “Print or save” button to copy the link (never click on links and buttons directly!!!) and paste it into a text document, it shows that it forwards to a strange link on an “app” subdomain of “chirodestiny dot com”, on a page with a PHP script. That’s weird.

Next, the top of the email says “Elite Guardian Solutions, LLC”. This has nothing to do with Chirodestiny, which seems to be a totally different company.

The full text of the email reads:

Dear <(this part contained my email, typically you would expect they at least use your name)>,

Your invoice is attached. Please remit payment at your earliest convenience.
Thank you for your business – we appreciate it very much.

Sincerely,
Elite Guardian Solutions, LLC

INVOICE 76986
DUE 06-10-2020
$665.06
Print or save
Powered by QuickBooks
Elite Guardian Solutions, LLC
19 Front Street Suite 203 Salem, MA 01970
(978)745-8080
If you receive an email that seems fraudulent, please check with the business owner before paying.
© Intuit, Inc. All rights reserved.
Privacy |Security |Terms of Service

The company Elite Guardian Solutions seems to be a real company and their address seems to check out. It may or may not be a real company. That’s actually not that important. It’s totally possible that the spammers just picked a random company to make the email seem more legit. Or they set up the website themselves. Who knows. (Their website was registered in 2007, as you can check when you search for the domain with a service like whois.com.)

What’s the first clue that this invoice is fake?

First, the obvious – I never had any business with Elite, so that’s an easy one.

Second, if you paid attention to the e-mail header, it states that the email was sent from “Great Lakes Power, Inc.”.

But that’s a totally different company! Weird, eh?

Funnily enough, Great Lakes Power is also an existing company; however, it has nothing to do with Elite Guardian, resides in a different state, has a different business model… it’s almost as if somebody took random company names and threw them into a database, which then sent out random emails.

The third clue appears when you actually dig into the details. When I check the sender name (right-clicking on the sender’s email address), I see this:

Aha! Very obviously the real email address that sent us the invoice has nothing to do with Great Lakes Power, nor Elite Guardian Solutions. If we do a quick check on whois, we see that the real domain was registered somewhere in France! Sacrebleu! We even find the first and last name of the person who registered it, including a phone number.

Did we just find our criminal mastermind?

Unlikely. Too easy. It’s more likely that somebody hacked into that person’s domain and used it to send out these kinds of messages. It’s very common.

The fourth clue obviously was the “Print or save” button, which linked to the chiropractor’s website (the third! company mentioned in this fake invoice email). Are they in on this? Are they just trying to get more views on their website? Unlikely. They could’ve just sent out normal spam, but I’d say their website was hacked and a subdomain was used as a server for the transactions of the true criminal.

Also, another clue: Did you notice how the invoice number in the subject and the message content are completely unrelated? Like, they didn’t even try to make them look similar.
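As an added example (not part of the original post), here is a small Python script that applies the same checks automatically to a constructed copy of this email: display name versus the real sender domain, where the “Print or save” button actually points, and the invoice number in the subject versus the body. The sender address and the link hosts are placeholders, not the real ones from the email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the mail in the post; every address and host is a placeholder.
SAMPLE = """\
From: "Great Lakes Power, Inc." <office@compromised-sender.example>
Subject: Invoice 40112 from Elite Guardian Solutions, LLC
Content-Type: text/html

<p>Dear victim@example.com,</p>
<p>INVOICE 76986<br>DUE 06-10-2020<br>$665.06</p>
<a href="https://app.hacked-site.example/pay.php?id=1">Print or save</a>
<a href="https://quickbooks.intuit.com/">Powered by QuickBooks</a>
"""
class LinkParser(HTMLParser):
    # Collects (anchor text, href) pairs: the scripted form of "right-click, copy link".
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href and data.strip():
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def check_invoice_mail(raw):
    """Return the red flags found; an empty list means none of the post's clues fired."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    display, addr = parseaddr(msg["From"])          # clues 2 and 3: display name vs real sender
    domain = addr.rsplit("@", 1)[-1].lower()
    words = [w.strip(",.").lower() for w in display.split()]
    if words and not any(len(w) > 3 and w in domain for w in words):
        flags.append(f"display name '{display}' does not match sender domain '{domain}'")
    parser = LinkParser()                           # clue 4: where the button really points
    parser.feed(body)
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if text.lower().startswith("print") and not host.endswith("intuit.com"):
            flags.append(f"'{text}' button points to {host}")
    subj_no = re.search(r"invoice\s*(\d+)", msg["Subject"] or "", re.I)  # extra clue: numbers
    body_no = re.search(r"invoice\s*(\d+)", body, re.I)
    if subj_no and body_no and subj_no.group(1) != body_no.group(1):
        flags.append(f"invoice number mismatch: subject {subj_no.group(1)} vs body {body_no.group(1)}")
    return flags
```

Running `check_invoice_mail(SAMPLE)` reports all three mismatches; a mail whose sender domain, button link and invoice numbers are consistent comes back with an empty list.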

So I could be wrong, but without doing any more digging into this, my gut feeling tells me that:

  • Somebody’s web server was hacked and a malicious script was installed on a subdomain
  • Some random company names and addresses were automatically scraped by a script and inserted into a database
  • An illegal list of emails (or publicly available emails that had been automatically scraped from random websites) was inserted into a database
  • Some software automatically constructed an invoice, based on a real Intuit QuickBooks template, linking to the malicious script
  • The email was automatically sent to everyone in the database from a hacked email account (hiding its original domain), unbeknownst to the person owning the domain name.

I don’t know if the link to the subdomain actually contains a harmful script. I see that the link points to a PHP file and I don’t dare to navigate to it. Maybe it’s a page asking you for the payment online. Maybe it attempts to download a file. Maybe it’s just a proof of concept. Who knows. People do a lot of stuff when they have a lot of free time and a computer in front of them.

So, that was my story. What can you learn from this?

Usually you can figure out, with just a few clicks and some common sense, that these emails, even though they start looking more and more convincing, are just a pile of b*****t.

This would be the moment that I should try to sell you some awesome product that promises to protect you from every threat and make you look better in the process.

I have nothing to sell. Just remember: Don’t click on links. Use common sense. Peace out.