08 December 2006

investigador.exe phish

we received another exquisite phishing email tonight, yet another one that managed to get around gmail's junk email filter. we're not sure but we have a strong suspicion that this is the work of the same crime gang that started out with the cartao.exe ecard email that we blogged about here. this is obviously a professional hi-tech crime gang and they have been doing this for a while now. we wonder why interpol hasn't come knocking at their door yet. these particular phishing emails arrive presenting themselves to be a regular ecard....
however, when we mouse over the red box where it says "Ver meu Cartao" (which we have no clue what this means btw), the first thing we notice down in the status bar -- bottom left in our picture -- is the true url: mimundo.americaonline.com.ar/atualizaorkut10/investigador.exe and notice that it ends in .exe -- a .exe file extension marks an executable file "whose contents are meant to be interpreted as a program by a computer." hackers can use .exe files to install and launch viruses, trojans, worms and what not to take over your computer. we think that the particular crime gang that's behind this is building a botnet.

this particular email does not contain any attachments. it's cleverly designed to trick you into thinking that it's an ecard. so you click the link in that box thinking you are going to fetch your ecard but instead you are taken to a website and that's where the .exe file is installed on your computer.
====
Reply-To: wesawthat@gmail.com
From: wesawthat@gmail.com
To: TosWeb@aol.com,reportphishing@antiphishing.org
Cc: spam@uce.gov
Subject: Você Recebeu um Cartão OCarteiro.com.br
Date: Fri, 8 Dec 2006 00:07:26 -0600

AOL.COM: this spam was sent to advertise a phishing website that you host that is tricking computer users into installing a .exe file. please would you terminate service to:

http://mimundo.americaonline.com.ar/atualizaorkut10/investigador.exe
====
3 comments:

    1. Enjoyed your post - thanks for your fight against phishers. I wanted to add a couple of things about this particular phishing attempt that jump out to me.

      As you correctly point out, the domain belongs to America Online but it is registered in Argentina. What makes this odd is that the email you received is NOT written in Spanish. It appears to be written in Portuguese. (I'm fluent in Spanish and can read some Portuguese because it is somewhat similar.)

      Anyhow, the email appears to say:

      I have a gift for you.
      Hi, look at the card I prepared for you.
      http://www.ocarteiro....
      See your card
      (in red block in middle)

      It's essentially a good faked copy of an email from a legitimate service. "Ocarteiro" means something like "card man" or "carder" (as in someone who makes cards). The ocarteiro.com domain is registered to:

      Cristina Costa Santini
      Cristina Santini
      Rua Fonte da Saudade, 71/802
      Rio de Janeiro, RJ 22471-210
      BR

      I know this is long. I just thought it was interesting that the phishing email is about a Portuguese card service registered in Brazil but references a file located on a website in Spanish registered in Argentina. This just goes to show it is a world wide problem.

      It is impossible to keep up with all the scammers, virus writers, phishers, etc out there. And the fact that we're connected to a WORLD WIDE web means there are a LOT of them trying to get into OUR computer. Thanks for being vigilant and reminding us to be vigilant as well.

      Sincerely,
      Nathan

    2. thanks for your comment and the translation. also -- sorry to learn about your friend rev donny granvel passing away.

    3. Thank you, wst. Donny was a unique individual. He worked hard to advance the community, and especially worked hard for seniors. In fact, he was working on the roof of one of the senior citizens in his church when he had the accident that ultimately led to his death. He called me that afternoon and asked me to preach for him the next morning because he wasn't feeling up to it. I was honored to get to preach in his pulpit, which I was privileged to do on several occasions. I'll always remember him with fondness and admiration.
