Several days ago, I got an email from PayPal Support with the title: “We noticed unusual activity on your account”. The body of the email contained details of a suspicious transaction that allegedly occurred in my account and it invited me to click on the hyperlink “I Didn’t Authorize This Purchase” to dispute the transaction. At first blush, the email seemed well formatted and looked possibly legit.
I took a closer look at the embedded URL and noticed that it had the following shortened alias: http://bit.ly/1ml6nhf which resolved to: http://account-service-costumer.com/us/webapps/mpp/home. Taken together with the obvious Chinglish verbiage in the body of the email, it became apparent that this was not an actual PayPal address but rather a phishing site.
I must say, I was taken aback by the quality of the site. Whoever was responsible for setting it up invested a lot of time and effort into it. In a departure from typical phishing site design, where most of the bogus links either don’t work or are eliminated, this one had multiple layers of link functionality designed to make the site appear real. For example, when I clicked on the “Send Money” link, I was prompted to enter a transfer amount and my recipient’s e-mail address. Impressive functionality.
Structure and Functionality
In terms of navigational structure and content, the phishing site was almost an identical copy of the actual PayPal website. It had identical layout, images, and link names. It even had all of the streaming media. One note of interest is that even though the link names were verbatim, most of them just reloaded the phishing site landing page with the exception of “Investor Relations” and “Feedback Links” at the bottom which loaded external pages. This is a departure from the previous phishing practice of simply eliminating such links from the site altogether.
As far as the actual phishing exploit is concerned, the “Login” and “Sign Up” links are the core components. If you click on them they redirect to a fake PayPal login page where you are prompted to enter your user ID and password, after which you land on a form intended to “verify your identity” which collects all of your personal information, including DOB, Social Security number, phone number, and address. Double whammy!
Site Hosting and Publication
The site was registered in the US just two weeks ago via the Name.com web registrar and its IP is hosted on a dedicated server in the New Jersey/New York area.
This is somewhat unusual because most of the phishers tend to host from abroad on repurposed or hacked servers serving other legitimate content.
This was probably done in an effort to survive a cursory URL Whois check that would confirm that the hosting is in the US (which would be the case for the real PayPal servers).
Heads up! It appears that we are witnessing a revolution in phishing affairs through the escalation in quality and detail of these sites. Considering this, it may behoove payment industry providers such as PayPal to start utilizing image match search capability to detect and block the appearance of such sites in near real-time instead of passively waiting to receive fraud alert messages from their customers weeks after the phishing campaign has wrought its havoc.
© Copyright 2016 Yaacov Apelbaum, All Rights Reserved.
I recently received an email claiming to be from Microsoft Live. The email stated that due to some processing issues, they could not authorize my credit card and so I would need to log in to their website to update my credit card information by clicking on their link.
Over the years, I have seen a number of these types of messages, but this was the first one targeting me personally. After skimming through it, I realized that it was a blatant phishing attempt, nevertheless, I still marveled at the ingenuity of the scammers.
Billing and Account Management
Dear Windows Live Hotmail member,
During our regularly scheduled account maintenance and verification procedures, our billing department was unable to authorize your current payment method information.
This might be due to either of the following reasons:
- A recent change in your personal information (i.e. change of address, credit card)
- Submitting invalid information during the initial Sign Up or upgrade process.
- An inability to accurately verify your selected payment method information due to an internal error within our processors.
Please use the following link to update your payment method information:
The above link may have been blocked for your privacy. To activate the link please look for the Show content link that is usually located on top of this message.
NOTE! If your account information is not updated within 48 hours then your ability to use your Windows Live Hotmail account will become restricted.
Thank you for using Windows Live Hotmail!
Please do not reply to this e-mail, as this is an unmonitored alias.
© 2009 Microsoft Corporation. All rights reserved.
Anatomy of a Phish
For the uninitiated, phishing (pronounced “fishing”) is a fraudulent attempt to acquire sensitive information from a user. Such information can be: credit cards, user IDs, passwords, and/or account information. It is often accomplished via email or phone.
Phishing falls into the category of exploits known as “social engineering”. Even though they are mostly low tech (requiring neither sophisticated technology nor advanced programming), they can be successful (especially the well executed and new exploits) because most people tend instinctively to do what they are told and will not challenge the authority and authenticity of what seems to be an official correspondence.
In a typical phishing scenario, the perpetrators (usually located offshore) send a simple email—claiming to be from the customer service department of a recognizable organization (like a bank, on-line service, etc.)—the email will inform you of some problem with your account. You are then instructed to provide details of your bank, email, or credit card account in order to correct this problem.
Even though phishing exploits can have many variations, they can be grouped into the following five usage scenarios:
1. Forged identities — In this exploit, the attacker creates an email address that is related to a reputable organization like “Windows Live Customer Support”. Even though on the surface, their email address looks legitimate (as in: firstname.lastname@example.org), it is not. If you’re not paying attention, it can be easy to mistake a message like this for a genuine customer support request.
2. Compromised accounts — In this exploit, the attacker uses a compromised user account to send an email to everyone in the address book for that account. An email you receive from a known account dramatically increases the credibility of that message, and therefore the likelihood of a successful phishing attack.
3. Direct phone calls — In this exploit, the scammer may contact you directly by phone, telling you that they work for some financial institution (may offer to lower your interest rates) or the fraud investigation departments. They will inform you that your account has been breached and will directly ask you for your account details in order to verify it.
4. Bogus websites — In this exploit, the attacker will send you a link to what seems to be a functional website. The site will include official-looking logos, language, or other identifying information taken directly from a legitimate website. The address of the site will resemble the name of a reputable company but with some spelling variations. For example, the name “microsoft.live.com” could appear instead as “micorsoft.live.com”.
5. Social Network Harvesting — In this exploit, a communication from a scammer will ask you for personal information. You may mistake it for an email from a friend wanting to reconnect. The email will include convincing details about your personal life which were harvested from social networks such as LinkedIn, Facebook, etc.
In general, the objective of phishing is to recover your webmail credentials, since the resale value of a legitimate webmail account on the black market can be as high as $2-$3, twice the amount they could get for a stolen credit card number. So for a phisher, breaching several dozen accounts a day can be a lucrative business, making $100K-$500K over the life of the scam.
In the case of my phishing email, when I followed the link in it, I was taken to a credit card entry form (Image 1). As I expected, the form looked genuine, it had all the right corporate trimmings: a Microsoft logo, copyright notice, and even a link to a help page (which ironically offered the following advice “You should keep this number secret, protect it, and never write it on your card.”)
Image 1: Phishing Credit Card Entry Form
As with most phishing sites, I was expecting to find some bogus or misspelled Microsoft URL, but instead I was surprised to see that the web address of the webpage actually belonged to a company called Human & Technology H&T (Image 2); clearly, htech21.com doesn’t even sound like Microsoft. I checked the parent URL and it turns out that this company was at one point a legitimate Korean hardware manufacturer; then, two years ago, their CEO was arrested and the company became the target of one of the biggest class-action lawsuits in history.
So what is the connection between htech21.com and this phishing expedition? It appears that the perpetrators of this scam decided to cut some costs and, instead of purchasing and hosting their own domain, they chose to break into the H&T corporate web site and place their credit card collection pages on it. At some point, our scammers discovered that Human & Technology had gone out of business (this could also have been an inside job) and safely assumed that this orphaned website (which had not been updated for 3 years) was no longer being maintained or monitored, and as such was a perfect staging platform for a phishing operation.
It is also interesting to note that the site’s help file focuses on ATMs (Automated Teller Machines), which strongly suggests that at least some of the phishing website contents have also been used in other scams.
Image 2: Phishing Host Website
It is hard to distinguish legitimate customer service communications from phishing expeditions. This difficulty is further compounded by the fact that for many, using services such as Amazon, eBay, and e-banking has now become a way of life. For most users, the potential inconvenience of being locked out of their favorite on-line services outweighs the risk of disclosing their account information. Unfortunately, the on-line services are not helping this situation either, because most are either impossible to reach by phone or their offshore support centers are largely useless.
So how does one survive in the hostile jungle of email exploits? The following are my top 10 Do’s and Don’ts of email:
1. Do Not open emails that have a wrong or incorrect spelling of your name. Phishers often harvest email addresses in bulk and may not have your full name. Because of this, they will try to guess your name from your email address.
2. Do Not open emails that are not addressed to you by name. Phishers will almost never personalize correspondence; they will refer to you as “Dear Customer” or “Dear Valued Customer” because they send bulk solicitations to millions of email addresses.
3. Do Not respond to any account management email requests that come from your bank. If your bank needs to reach you, they will send you an official letter or leave you a voice mail with a valid callback telephone number.
4. Do Not open unsolicited emails. Nothing in life is free, this includes the invitation to view naked celebrities and the Prozac and Viagra offers in your inbox.
5. Do Not use email links to go to any financial websites. Type in the URL yourself and save it as a bookmark.
6. Do verify the website URL you are about to log into; check the spelling carefully before you provide your login details on any web page. Pay close attention to the domain name following the “http://” section of the address. Many phishers will intentionally create very long names to obfuscate the fake URL.
7. Do log in to your on-line accounts regularly and look for unrecognized transactions. Do the same with your monthly credit card statements.
8. Do Not send your account details via email to anyone. Email traffic is unencrypted, so anyone en route can intercept the message.
9. Do check that the Internet connection you are using is secure. Look for HTTPS in the address field of your browser. You may also want to click on the padlock to view the actual server certificate. This will help you verify that it was issued by a reputable authority and assigned to the company managing the website in question.
10. Do make sure that you have updated anti-virus software and that your firewall is turned on.
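Rules 5 and 6 above, and the “Bogus websites” scenario earlier, come down to one question: who actually owns the domain in the link? The following is an added example, not code from the original posts, showing how a mail filter or a careful reader could mechanize that check. It takes a URL, extracts the owner-controlled (registrable) part of the hostname, and flags three patterns that appear in the posts above: link shorteners such as bit.ly that hide the destination, brand names buried in a long subdomain, and near-miss spellings such as “micorsoft”. The protected-brand list, the shortener list and the public-suffix subset are constructed assumptions for the example; a real deployment would use the organization’s own allow-list and the full public suffix list.

```python
from urllib.parse import urlparse

# Constructed allow-list of brand domains the check protects (assumption).
PROTECTED_DOMAINS = {"paypal.com", "microsoft.com"}
BRAND_LABELS = {d.split(".")[0] for d in PROTECTED_DOMAINS}  # paypal, microsoft

# Link shorteners hide the real destination, so a shortened link is flagged on its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}

# Constructed subset of two-level public suffixes so "foo.co.uk" is handled;
# a real check would load the full public suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of a hostname its registrant controls, e.g.
    'paypal.com.account-service-costumer.com' -> 'account-service-costumer.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches dropped, added or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete a char of a
                           cur[j - 1] + 1,         # insert a char of b
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason). Verdicts: ok, shortened, suspicious, unknown."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown", "no hostname in link"
    owner = registrable_domain(host)

    if owner in SHORTENERS:
        return "shortened", f"{owner} hides the destination; expand it before trusting it"

    labels = host.split(".")
    # Near-miss spellings of a brand anywhere in the name ("micorsoft").
    for label in labels:
        if len(label) < 4:
            continue  # skip "www", "com" etc. to avoid noise
        for brand in BRAND_LABELS:
            if 1 <= edit_distance(label, brand) <= 2:
                return "suspicious", f"'{label}' resembles '{brand}' (owner is {owner})"

    if owner in PROTECTED_DOMAINS:
        return "ok", f"registered under {owner}"

    # Exact brand name used as a subdomain of someone else's domain: the long-name trick.
    for label in labels:
        if label in BRAND_LABELS:
            return "suspicious", f"'{label}' appears in the name but the owner is {owner}"

    return "unknown", f"{owner} is not on the list of known brand domains"


if __name__ == "__main__":
    # Sample links taken from the posts above plus one constructed long-name variant.
    for link in ["http://bit.ly/1ml6nhf",
                 "http://account-service-costumer.com/us/webapps/mpp/home",
                 "http://micorsoft.live.com/",
                 "http://paypal.com.account-service-costumer.com/login",
                 "https://www.paypal.com/signin"]:
        print(link, "->", classify_url(link))
```

Note what the check does and does not catch: the real phishing domain from the PayPal post, account-service-costumer.com, contains no brand name at all, so the best a name-based filter can say is “unknown”. That is exactly why rule 5 tells you to type the address yourself rather than trust any link, and why the certificate check in rule 9 matters.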
© Copyright 2009 Yaacov Apelbaum All Rights Reserved.
You are Getting Sleepier
In Mortgage Refinancing Shysters, Part I I wrote about some suspicious refinancing solicitation letters I got from the Intercontinental Capital Group (ICG). After writing about it, I got several interesting comments. One cryptic comment came from what appeared to be a former employee who wrote: “I agree with your assessment on ICG and know this for a fact…” Now my curiosity was piqued. What was it that this individual knew?
I performed another search on the term “Intercontinental Capital Group and Fraud” but this time, the search returned many more postings about unscrupulous dealings. There were many negative comments regarding ICG, but I noticed that there were also a few positive ones written by apparently satisfied customers.
The details of the pro-ICG postings were interesting. They appeared to have come from bona fide customers. On the one hand, the language seemed to be unbiased acknowledging some bad online press while on the other hand the writers claimed that they were very satisfied with the quality of service they received from ICG and that the company was entirely above board. One example read:
…I previously cancelled an appraisal appointment that I had scheduled with this company because I read something online that got me nervous especially being a single mom that just got back to work after being injured. I checked out these links and feel a lot better. I am going to give them a call and hopefully the rates are still low because I really would like to get rid of this adjustable rate mortgage and lower my monthly payments.
by educatedconsumer August 6, 2009 5:13
Then last week, I myself received a similar comment on my blog posting from a user who identified himself as “Joseph.” He wrote:
I received one of their letters and refinanced with them. They did a fine job and got me a good rate. I agree that maybe it wasn’t the best way of soliciting business, but it’s a tough market. Either way, they did the job they promised to do.
by Joseph October 28, 2009 13:33
Now, I don’t know about most people, but I certainly don’t spend my free time posting positive comments on blogs trying to sway other readers to believe that allegations of fraudulent or contentious services are unfounded.
I suspected that Joseph had some vested interest in ICG. From the crux of the comment left by him, it seemed that he was so moved by his mortgage refinancing experience that he became overwhelmed with the desire to spread the good news about ICG to the rest of the world.
When I examined the comment source, I noticed that the e-mail associated with it was email@example.com. Now it is possible that Jennifer, following the romantic style of George Sand, was using a nom de plume. But on the other hand it was also possible that Joseph was Jennifer’s darker side, I have heard of stranger things before. So I did some more research, then I slipped into my feminine persona and contacted her via e-mail asking for mortgage refinancing advice.
It did not take too long before I received the following ICG e-mail:
Intercontinental Capital Group can probably give you a good rate and fast service. Their website is:
You should contact Brad Allen over there, he can give you the information you’re looking for. His phone number is 212.485.9655. His direct e-mail is firstname.lastname@example.org.
I hope they are able to help you!
I am looking into refinancing my home mortgage and would like to get more information about your services and rates.
Can you please provide more information about your offerings?
The Internet search confirmed my suspicions that Joseph and Jennifer Margulis were indeed one and the same (see image below). It also turns out that Jennifer was in fact an ICG marketing employee on a company mission to remove the rotten apples from the barrel. Apparently, she found my posting about her notorious company and decided to sprinkle some fluffy propaganda comments. To make them look more credible, her comments were disguised as coming from little Joseph, your all-American, happy and satisfied mortgage customer.
Deceptive solicitation letters, whitewashing negative customer feedback and impersonating legitimate users in order to lure customers have no place in any business, even less so, in financial organizations that above all should uphold integrity and honesty.
© Copyright 2009 Yaacov Apelbaum All Rights Reserved.
Your Trusted Advisor
You can’t miss him. He’s the guy with the freshly pressed $500 suit, designer silk tie, and imported Italian shoes. His stylish attire is elegantly complemented by an expensive fountain pen, a standard issue Rolex, the latest cell phone, and a brand new luxury car. His physiognomy is unmistakable: styled hair, white teeth, and a nice tan; a modern day Cary Grant.
He’s a natural, standing out at every social gathering—in the fitness club, on the golf course, at church and synagogue. He is jovial and funny, the toast of the party, a real screamer. Always the first to introduce himself, reaching across the room with a friendly and firm handshake.
He loves sports and works out regularly. Which one is his favorite? Well, he loves them all. If you let him, he’ll talk to you for hours about the Super Bowl, the NBA, or the US Open.
If sports are not your thing, that’s ok, he’ll talk politics. But don’t get him started! He has an opinion on all matters domestic and foreign, and he’s not afraid to share them with you. He has strong convictions about capitalism, socialism, the government, the environment…you name it.
After just 10 minutes talking with him, you think “Wow, is this guy connected to the hilt!” He just got back from Washington D.C (important meetings with policy makers and various other movers and shakers). And then, there is his story about the White House—and check this out: a wallet sized group photo with the local congressman/senator/governor. And did I mention that he’s on texting terms with several high profile celebrities?
He’s not a loner; he frequently travels with the wolf pack. The lovely spouse is always nearby, ready to lend a hand. She will strategically join the conversation and make a joke or a teasing observation on his account (“Oh, my husband! He is such a Neanderthal. Ha, ha, ha!”), while your own wife whispers in your ear to check out his adorable son: “He’s only 7! Doesn’t he look mature in his tailored suit!” The kid, as if suddenly activated by some mysterious homing device, makes a beeline towards you for a handshake. “That’s my dad. He’s a financial advisor!” he says proudly.
By the time you’re done shaking hands with the kid, you realize that his dad has moved on. You watch him mingling with other guests, working the room like a cowboy in a rodeo, quickly branding the fattened calves for follow up. Then he’s back, telling you a joke (about a CEO who signs a contract with the devil). Next comes the debriefing. What do you do? Who do you work for? Where is your office? Before you can say “Pocahontas”, he’s punching your e-mail and cell number into his smartphone.
A few days later, as you are getting ready to grab a bite to eat, your cell phone rings. “Hey, how’s it going?” says the friendly voice “Who is this?” you answer confused. “It’s the CEO and the devil guy from last week,” he continues without skipping a beat. “Hey, I happened to be in your neighborhood and I’ve got something for you. Do you wanna do lunch? It’s on me.” “Sure,” you reply, wondering what he can possibly have for you.
During lunch, he goes over more of the same routine. You discover that he either knows some C-level executives in your company or knows someone else who does, and he hints that he can pull some strings for you. After lunch, as you are preparing to leave, he springs a few expensive tickets for some sporting event and tells you that he and his significant other would love to have you and your significant other over in their private booth to watch the game. “Come on, it’s going to be fun!” A few days later when you come home from work, you discover a few boxes of toys and a bunch of CDs and DVDs on your dining room table. “What’s this, Honey?” you inquire. “Mr. CEO/devil’s wife just dropped them off. She said that their kids just love them and she thought ours would too!”
This goes on for several months, with lunches, family get-togethers, tickets to see the Broadway show and offers to use his timeshare in Disneyland for free. You eventually let down your guard; clearly these are such nice people.
Then one lunch, your newfound buddy, with an intense look on his face, tells you about this amazing 3-month, double digit return investment opportunity. (But you have to act immediately!) “How much are we looking at?” you inquire. “Oh, not much,” he says, “just 100K.” You politely decline, telling him that you don’t have that kind of money to invest. He says, “can you borrow it from someone?” Sensing a high pressure sales tactic, you say that you don’t feel comfortable borrowing money from people. Your dining companion loosens up and assumes his collegial persona again and says “Hey, that’s not a problem, I’ll keep my eyes open for other opportunities for you, but I don’t know if they’ll be as good as this one.”
Then the conversation turns to your company and he starts debriefing you about acquisition plans, mergers, strategy, etc. His questions seem strangely reminiscent. Oh yeah, you just recently went over them in the corporate anti-trust and insider information certification course. Now you realize that he’s actually fishing for insider information.
In a moment of complete mental lucidity, you suddenly get it. This guy is a professional shyster and he’s been playing you like a violin. Now would probably be a good time to end lunch and this relationship. But it’s not as easy as that. By now, he has woven himself into your social fabric. Severing the relationship now would cause you and your family mental anguish and would probably require some form of unfortunate confrontation. And what about mutual friends; what do you say to them?
And then there is the doubt issue. Even though now you know he’s dishonest and deceitful, shouldn’t you give him a break? After all, he’s just another guy with a family and a mortgage trying to make a living, isn’t he? So, what do you do?
The moral of the story is that this is all a scam. Don’t let your emotions get the better of you. These individuals (and their accomplices) are cold blooded opportunists. They couldn’t care less about you, your family, or your financial well being. Their interest in you is purely financial and short term. As for what you perceived to be generosity (the free tickets, lunch, gifts, etc.), they’re just a device to make you feel indebted and emotionally dependent.
Unfortunately, as many have discovered, few of us are immune from this type of relationship and manipulation. If you think that being scammed financially only applies to the ship of fools, check out the Who’s Who on Bernie’s list.
The majority of independent financial advisors\planners operate as one man shows and are not dissimilar to the elixir and snake oil salesmen of the Old West. To compensate for the lack of substance (i.e. breadth and depth of financial knowledge and operational know how), they rent an office at a respectable address, contract with a financial service processor like Investors Capital, and purchase an off-the-shelf website that comes pre-loaded with content and functionality like whitepapers, newsletters, and financial calculators. The rest is pure social engineering.
Despite the aura of legitimacy the financial advisor\planners industry is trying to assume (through certification and NASD regulation), the fact is that it is riddled with dishonest, unscrupulous confidence artists. If you need financial or investment advice, go with a large non-contractor or commission based company like Fidelity. They won’t be able to guarantee double digit returns, but they won’t lose your investment overnight either. If you are new to investing, do yourself a big favor and carefully read the information on the FINRA site. You can also use some of their tools to check out your prospective broker buddy.
Good financial advice is hard to come by. Since most of us are not savvy enough to distinguish between the legitimate advisors and the Madoff wannabes, you should stay away from all independent financial advisors\planners, regardless of how smartly they dress or successful they appear. This especially applies to the ones you know through your social circles.
If you do happen to use an independent financial advisor\planner, you may want to scrub him against the following list of the 7 deadly sins of financial conduct. If he fits one or more of these descriptions, it’s probably time for you (and your investments) to move on.
- Promising you any return on your investment (especially ones in the double digit range)
- Telling you about sudden investment opportunities that require prompt action
- Soliciting you for insider information and references for other potential investors
- Paying you in cash or using proxy accounts (like personal checks from a spouse)
- Exhibiting dishonesty of any type (i.e. asking you to attend financial sales meetings masked as social events) or having any previous SEC or NASD history of complaints
- Showing willingness to spend money on you for no apparent reason (including free lunches, gifts for the kids, etc.)
- Having a history of contentious job loss with larger financial institutions and lawsuits or litigation involving trading irregularities
© Copyright 2009 Yaacov Apelbaum All Rights Reserved.
So you’re Looking to Refinance?
It may be true that David Hannum was the first to observe that suckers arrived in the delivery room at the rate of one per minute (ironically, he himself turned out to be a colossal sucker), but it took the marketing genius of P.T. Barnum (the man behind such novelties as the bearded lady) to turn gullibility into fortune. The world has changed significantly since the days of Barnum’s traveling freak shows where access to a new audience required lengthy cross country trips. Today, the Internet provides a virtual big top circus ripe with new ways to reel in and deceive, complete with unlimited seating for millions of new victims.
Eberhart and Kennedy in their excellent treatise "Swarm Intelligence" suggest that deception is quite common in social populations and they point out that all of us regularly practice it to one degree or another. In support of their argument, they discuss the well documented El Farol algorithm frequently used by individuals to effectively compete in social communities in order to gain material or social advantage.
I recently had occasion to consider this maxim and even try it on for size. A practical and logical individual, I am by no means naive, so I was surprised—even blindsided!—to discover that a certain financial advisor that I know personally is in fact a grade A shyster. This got me thinking about the varying shades of dishonesty and gullibility and the gray area that exists between telling "the truth and nothing but the truth" and outright lying, especially as it pertains to financial solicitations.
You may have noticed that over the last year, as the economy has spiraled out of control, the number of mail offers for mortgage refinancing has increased significantly. The banks—which in the past were the traditional providers of such services—are still hemorrhaging profusely from the blunt trauma inflicted on them by the collapse of subprime mortgages. (I certainly don’t get any more solicitations for HELOC.) In what is further proof of the principle of horror vacui, it seems that the legitimate banking mortgage industry has now given way to a new breed of entrepreneurial ventures. These con-corporations have smelled the blood in the water and are aggressively following Mr. Bigweld’s motto: "See a need, fill a need".
Realizing that many of these solicitations were probably rip-offs, I decided to test the waters to see if I could find out who was behind one of them. As it happens, I didn’t have to wait long before receiving another mortgage refinancing solicitation letter. This one was from the Intercontinental Capital Group (ICG) and instead of sending it directly to my circular bin, I opened and read it.
On the surface, the language and content of the letters (see both versions below) was drastically different from the one I’m accustomed to receiving from my bank. Whereas previous solicitations were factual and down to business, these were laced with crafty and deceptive language.
After examining the details I found the following noteworthy features:
- Disingenuous Claims of Previous Communication—In order to lower suspicions and fake familiarity, the letter claims to be a follow up on an already established relationship and ongoing communication.
- Design to Deceive—The letter contains what on the surface appears to be a legitimate application number, a "second notice" tag, a recognizable equal housing lender logo and acronyms of well known public and federal organizations. In fact none of these details has any significance and are there simply to create the semblance of legitimacy.
- Vague and Deliberately Confusing Language—The letter states that ICG is "unconditionally endorsed by the U.S Department of Housing and Urban Development". When I called the toll free number I heard: "Thank you for calling the FHA application processing center". ICG is certainly not a Federal Housing Administration (FHA) application processing center as the FHA neither issues loans directly nor has an application processing center.
- Skin Deep Corporate Internet Presence—On the surface the company web site appeared to be fully functional, but when I tried to use some of its key functionality (login, change password, etc.) I quickly discovered that none of it worked.
Being deceitful in marketing is not news (see Mortgage Refinancing Shysters II for more details), so accepting that any marketing campaign will always necessarily be laced with a certain amount of dishonesty (Seth Godin thinks that All Marketers Are Liars), I was ready to let this one go. Just before doing so, it occurred to me to Google "ICG" and lo and behold…it turns out that this shadowy and mysterious organization not only stretched their marketing collateral, they actually had some serious run-ins with at least one state banking regulatory agency (failure to submit financial statements and comply).
It appears that the vacuum created by the retreating lending banks is being filled in by old style confidence and run of the mill Internet scam companies. Be mindful of this and remember that "there’s no such thing as free lunch". If the mortgage refinancing offer you received looks too good to be true, it probably is.
© Copyright 2009 Yaacov Apelbaum All Rights Reserved.