another pfishing scam
Moderator: Wiz Feinberg
-
Bill Ford
- Posts: 3862
- Joined: 13 Dec 1999 1:01 am
- Location: Graniteville SC Aiken
another pfishing scam
Got this email this morning, don't recall making any such transaction..It included a pdf link, Google said it was a scam/pfishing thing...Bill
The Electronic Payments Association
Dear Customer,
We have to notify you, that Direct Deposit payment could not be completed, because of discontinued receipient account.
Directed Deposit request rejected
Bill Ford S12 CLR, S12 Lamar keyless, Misc amps&toys Sharp Covers
Steeling for Jesus now!!!
-
Richard Sinkler
- Posts: 17809
- Joined: 15 Aug 1998 12:01 am
- Location: aka: Rusty Strings -- Missoula, Montana
I get crap like that fairly often. I don't even open the email. I know that I have nothing that is direct deposit.
Carter D10 8p/7k, Dekley S10 3p/4k C6 setup, Regal RD40 Dobro, Recording King Professional Dobro, NV400, NV112, Ibanez Gio guitar, Epiphone SG Special (open G slide and regular G tuning guitar) .
Playing for 55 years and still counting.
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Guys; this is not a phishing scam. If only it were...
The links in these ACH, NACHA and FDIC failed bank transfer/deposit transaction scams lead to the Russian Blackhole malware exploit kit.
Bill;
Thank your lucky stars Google warned you not to go to that website. If you have any out-dated version of Java, Flash, or Adobe Reader installed on your computer, you would have been botted, plus the Zeus bank account stealing Trojan would be installed.
I have blogged many times about these scam emails in my weekly spam analysis reports. Read them regularly on Wiz's computer and website security blog.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
-
Bill Ford
- Posts: 3862
- Joined: 13 Dec 1999 1:01 am
- Location: Graniteville SC Aiken
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Bill Ford wrote:
> Wiz,
> There was a PDF file link, is that a form to give them your banking info (account #s etc) or can just opening the link do damage?
> As always, thank you for your help...Bill
Bill;
Listen up Pilgrim!
If you still have that email, open it again. Find the link to the file and hover over it with your mouse pointer. Read the details about the link in the bottom status bar of whatever program you are using to "do" email. Chances are high that the actual link will lead to a .htm, .html, or .php file, as shown in the status bar. The link you saw displayed in plain text was octopus ink to fool the unwary.
Let me show you how this works. The following link claims to go to a .pdf file on my website. Hover over it and read what the URL really is in your status bar.
http://www.wizcrafts.net/articles/details1.pdf
The actual link code goes to: http://www.wizcrafts.net/blogs/spam_issues/
Code:
[url=http://www.wizcrafts.net/blogs/spam_issues/]http://www.wizcrafts.net/articles/details1.pdf[/url]
Note: many spammers use URL shortener services to conceal the true destination of their links. There are only a few add-ons that will reveal the actual destination of these shortened links, so don't click on them automatically. If the message comes from a stranger, or a source with which you have had no previous contact, treat it as hostile unless proven otherwise.
Last edited by Wiz Feinberg on 2 Mar 2012 10:14 am, edited 1 time in total.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Here is a code example of how cybercriminals conceal the actual link destination, while showing their victims what they want to see:
The victim only sees a link claiming to go to "Transaction Report" ...
Transaction Report
If you hover over my link, you'll see where it actually leads in your browser's status bar (bottom-left).
Code:
<a href="http://www.wizcrafts.net/blogs/spam_issues/index.html">Transaction Report</a>
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
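The displayed-text versus real-target mismatch described in the two posts above can also be checked mechanically. This is an added example, not part of the original posts; the name audit_links is hypothetical and SAMPLE is constructed from the two links quoted above.

```python
import re
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urlparse

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Forum-style BBCode links: [url=REAL]SHOWN[/url]
BBCODE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S)
def _ext(url):
    return splitext(urlparse(url).path)[1].lower()

def audit_links(body):
    """Return (href, shown_text, reasons) for each HTML or BBCode link in body."""
    parser = _Anchors()
    parser.feed(body)
    pairs = parser.links + [(h.strip(), t.strip()) for h, t in BBCODE.findall(body)]
    report = []
    for href, shown in pairs:
        reasons, real = [], urlparse(href)
        if re.match(r"https?://", shown, re.I):  # the text itself claims to be a URL
            claimed = urlparse(shown)
            if claimed.hostname != real.hostname:
                reasons.append("host differs from displayed URL")
            elif claimed.path != real.path:
                reasons.append("path differs from displayed URL")
            if _ext(shown) and _ext(shown) != _ext(href):
                reasons.append(f"shown {_ext(shown)} but target is {_ext(href) or 'no extension'}")
        report.append((href, shown, reasons))
    return report

# Constructed sample: the two link forms quoted in the posts above.
SAMPLE = (
    '[url=http://www.wizcrafts.net/blogs/spam_issues/]http://www.wizcrafts.net/articles/details1.pdf[/url]\n'
    '<a href="http://www.wizcrafts.net/blogs/spam_issues/index.html">Transaction Report</a>'
)
print(audit_links(SAMPLE))
```

A link whose text is not itself a URL, such as "Transaction Report", gets no automatic flag; the report still lists its real target so it can be read before clicking.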
-
Bill Ford
- Posts: 3862
- Joined: 13 Dec 1999 1:01 am
- Location: Graniteville SC Aiken
This is on the form, leading you to fill out the proper info so they can "send you the money"...Yea right..
Thank you Wiz.
Please print out the transfer correction request below to submit the correct recipient information. The next box was Transfer Status, then a string of numbers, and letters that highlighted as a link.
Bill Ford S12 CLR, S12 Lamar keyless, Misc amps&toys Sharp Covers
Steeling for Jesus now!!!
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Bill Ford wrote:
> This is on the form, leading you to fill out the proper info so they can "send you the money"...Yea right..
> Thank you Wiz.
> Please print out the transfer correction request below to submit the correct recipient information. The next box was Transfer Status, then a string of numbers, and letters that highlighted as a link.
Why don't you forward it to me as an attachment? If you don't know how to do that, read my sticky article at the top of this forum. Send the attached original to me at wizardodelasteel at hotmail dot com
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog