Beware tech support emails

by David on Tuesday 13th October, 2009 at 14:10

It is disturbing when you receive an email that looks genuine and has a ring of truth to it, containing a link to an urgent update, and in the blink of an eye you click and suddenly you are infested with viruses and spyware.

Just one second is all it takes in this day of Gigabit Broadband: click, and before you know it the file is downloaded, installed and running spamming or hacking code, or even copying your entire file system out to a remote server for later use by some unscrupulous criminal.

Beware of these emails. Here is one I opened this morning thinking it was genuine and from a hosting company. But hold on: I am the host running the servers, so why is someone telling me when I will be carrying out server updates, and why would I have to run a patch for a server that is not even on my system?

Unfortunately, for someone who knows nothing about hosting and server issues it would be easy to click the patch, thinking they are being good and following correct procedures.

I urge anyone who receives emails regarding any updates, patches or links to other websites to please check with your host company before clicking any links.

Here is the email; I have removed the link so you do not accidentally click it.


Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

updates.xxxxxxx.xxx.secure. updata-1.net/core/id=1234567890-xxxxx @ xxxxxxx.xxx - patch123456.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator




The important piece of this link is updata-1.net as this is the actual web address that is being visited.

From here it asks you to load a patch file, which may give this website's owner details of where the click came from: you and your computer.

The giveaway is the end bit, .exe, which marks an executable file, the container for the nasty virus or spyware. You should never load these from the Internet unless you know the source is genuine and valid.

It is sometimes possible to find out who the owner of a domain is by checking with a domain registration company such as 123-reg; for the domain updata-1.net I found it was registered in Leningrad, Russia.

To be safe use the latest Norton Anti-Virus or Internet Security system.

Be aware and be careful.


UPDATE

A client has contacted me to say they received an email similar to the one I mention above. The email appears below, but I have replaced my client's details with my own.



Dear user of the xxxxxxx.xxx mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (xxxxx@ xxxxxxx.xxx) settings were changed. In order to apply the new set of settings click on the following link:

http://www.xxxxxxx.xxx/owa/service_directory/settings.php?email=xxxxx @ xxxxxxx.xxx&from= xxxxxxx.xxx&fromname=xxxxx

Best regards, xxxxxxx.xxx Technical Support.



As you can see, it looks like you are visiting a page within xxxxxxx.xxx (or your domain) to make some changes to your settings.


As this is an HTML email it can hide the link: the displayed text is slightly different from the link actually clicked. Looking at the link that is visited when clicked, you get http://www.xxxxxxx.xxx.nerrasssx.eu/owa/service_directory/settings.php?email=xxxxx @ xxxxxxx.xxx&from= xxxxxxx.xxx&fromname=xxxxx

The only difference between the displayed link and the hidden actual link is in the first bit:
Displayed link: xxxxxxx.xxx
Visited link: http://www.xxxxxxx.xxx.nerrasssx.eu

This is a big difference, as the displayed link looks like my domain but the hidden visited link goes to a totally different website.


Break this down as before into each of its parts:

http://www.xxxxxxx.xxx.nerrasssx.eu - The domain
/owa/service_directory/ - folder location within the website
settings.php - name of web page to load
?email=xxxxx @ xxxxxxx.xxx - passes the email address to the web page
&from= xxxxxxx.xxx - passes the domain to the webpage
&fromname=xxxxx - passes the name of the user to the webpage




The actual domain being visited here is nerrasssx.eu, but the inclusion of my (or your) domain at the front, http://www.xxxxxxx.xxx.nerrasssx.eu, makes it look like your domain and therefore more valid. The same technique is used in all phishing scams.
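As an added example (not code from the original post), here is a small Python script that does the breakdown above automatically for both emails quoted on this page: it pulls the href and the visible text out of each link in an HTML mail, splits the real link into domain, folder, page and query parameters, and flags a visible domain that differs from the one actually visited, as well as a .exe download. The sample mail and the example.com placeholder are constructed; nerrasssx.eu and updata-1.net are the domains quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def actual_domain(host):
    """Last two labels of the host: the site actually visited (ignores .co.uk-style suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse_link(href, displayed=""):
    """Split a link into the parts the post walks through; flag a lookalike host and .exe downloads."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = parts.hostname or ""
    folder, _, page = parts.path.rpartition("/")
    report = {"actual_domain": actual_domain(host), "folder": folder + "/", "page": page,
              "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
              "exe": page.lower().endswith(".exe"), "displayed_domain": None, "mismatch": False}
    if displayed:  # the text shown in the mail may name a different host from the real href
        shown = urlsplit(displayed if "://" in displayed else "http://" + displayed)
        report["displayed_domain"] = actual_domain(shown.hostname or "")
        report["mismatch"] = report["displayed_domain"] != report["actual_domain"]
    return report

def analyse_html_mail(body):
    """Run every anchor of an HTML body through analyse_link, using its visible text as the displayed link."""
    parser = AnchorExtractor()
    parser.feed(body)
    return [analyse_link(href, text) for href, text in parser.links]

# Constructed samples modelled on the post's two emails; example.com stands in for the customer's domain.
SAMPLE_MAIL = ('<a href="http://www.example.com.nerrasssx.eu/owa/service_directory/settings.php'
               '?email=user@example.com&amp;from=example.com&amp;fromname=user">'
               'http://www.example.com/owa/service_directory/settings.php</a>')
PATCH_LINK = "http://updates.example.com.secure.updata-1.net/core/patch123456.exe"
```

Running analyse_html_mail(SAMPLE_MAIL) reports displayed domain example.com against actual domain nerrasssx.eu with mismatch set, and analyse_link(PATCH_LINK) reports actual domain updata-1.net with the .exe flag set.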



FURTHER UPDATE

Another new email has been received by several clients today. Thanks to Barry for contacting me before opening.

Barry said that he thinks a distinct advantage of having direct contact with Dr Adept is that he can phone at any time, ask any question and get an immediate response, not having to rely on support tickets and an email system, as the email he received looked genuine.

Here is the email:

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, technical support.


This email looks genuine enough again: simple, easy and believable, and it comes with a zip attachment which, if opened, produces a file called utility.exe. This file will undoubtedly install spyware, scareware or a virus on your system, most likely to turn your computer into a spam zombie to send more of these infernal emails.

Stay safe and don't believe any emails of this kind; always check with your techies or support team directly before installing any attachment.

David Radisic is an Essex based web designer