Monday, 6 January 2014

Tracking the fake profiles used by scammers

My interest was grabbed by this weirdly mistranslated email, which appears to have been badly written in English and then put through a translator program that has stumbled over the original email's bad punctuation.

From:     mark dave [markdave440@gmail.com]
Reply-To:     markpetersloanfirm@gmail.com
Date:     6 January 2014 00:37

أنا السيد مارك بيترز مشروعة والمقرض القرض السمعة. نحن
شركة ديناميكية بقروض من assistance.We المالية إلى الأفراد
في حاجة إلى المساعدة المالية، التي لديها سوء الائتمان أو في حاجة الى المال
لتسديد الفواتير، للاستثمار في بأعمال تجارية ترغب في استخدام هذه الوسيلة لأبلغكم
أننا تقديم المساعدة موثوقة والمستفيد كما نكون سعداء لتقديم لكم
وloan.contact بنا عبر عنوان البريد الإلكتروني: markpetersloanfirm@gmail.com
وتشمل الخدمات المقدمة؛ إعادة تمويل، تحسين المنزل، قرض الاستثمار، السيارات
القروض، وتوطيد الدين، خط الائتمان، والرهن العقاري الثانية، والأعمال التجارية
القروض، والقروض الشخصية، قروض السيارات، قروض السيارات.

يرجى الكتابة الى الوراء اذا كانت مهتمة.

الاسم الكامل:
البلد والدولة:
المدينة:
الجنسية:
مبلغ القرض المطلوب:
الجنس:
الإيجار الشهري:
الاتصال الهاتف:
الرمز البريدي:
مدة القرض:
هل تتكلم اللغة الإنجليزية:

This translates roughly as:

I Mr. Mark Peters legitimate and reputable loan lender. We
Dynamic company with loans from financial assistance.We to individuals
In need of financial assistance, that have a bad credit or in need of money
To pay bills, to invest in the business want to use this medium to inform you
We provide reliable and beneficiary assistance as be glad to offer you
And loan.contact us via e-mail address: Markpetersloanfirm@gmail.com
The services provided include; refinance, home improvement, investment loan, car
Loans, debt consolidation, credit line, and a second mortgage, and business
Loans, personal loans, car loans, car loans.

Please write back if interested.

Full name:
Country and State:
City:
Nationality:
The loan amount required:
Gender:
Monthly rent:
Contact Phone:
Zip Code:
Loan term:
Do you speak English:

We are waiting for your responds.

Obviously this is a scam, but it turns out that "Mark Dave" has a Google+ profile with the following photo:


So who is this a photo of? Well, if you haven't checked out Google Images you might not know just how good the reverse image search is. Clicking the camera icon allows you to upload an image or reverse search an image by URL:



The results for that photo are pretty revealing and lean heavily towards scams:

This thread on RomanceScam.com explains what is going on very well. The pictures belong to an innocent person called Stuart James who has had their online photo collection plundered by scammers in what adds up to a particularly cruel type of identity theft. It is perhaps an object lesson in not sharing too much online, and it seems to be a particular risk for anyone good looking and/or in the military.

ScamDigger also has a gallery of images commonly used by scammers, with the caveat that the people pictured are all innocent parties, which makes interesting (but depressing) viewing.

A reverse image search is certainly useful at times for uncovering fake profiles, and it's something that anyone with basic computer skills should be able to do. Note that you can also use TinEye to do a similar search with a slightly different set of results, and I guess there are other reverse image search engines available, but between Google and TinEye you should be able to uncover fake profiles with ease.

Thursday, 2 January 2014

Windows.old, and the Windows XP to Windows 8.1 gotcha

So I finally got around to the long-overdue task of migrating my main system off Windows XP 32-bit (because it is going out of support soon) to Windows 8.1 64-bit because.. well, it's cheaper to go the Windows 8.x route than Windows 7, and 8 does have some interesting features.

You can't really upgrade Windows XP to Windows 8.1 in the traditional sense; it is basically a completely new installation, but it does retain your original Windows XP data so you can get to it later. But there's a gotcha here.

Windows 8.1 is a free upgrade to Windows 8, and I already had a Windows 8 upgrade disk that I bought a few months back. Upgrading from Windows XP to Windows 8 does create a set of backup files in a folder called windows.old so you can recover your data, including what was in the C:\Documents and Settings folder. So, in theory you just copy the old data from that folder into your new Documents folder.

Here's the gotcha. If you're like me, you've probably been putting off the Windows 8 upgrade until you can have Windows 8.1 which brings back the Start button. So the obvious next step is to do that (although you need to install KB2871389 to show Windows 8.1 in the app store). You can then do the 3GB+ download to install Windows 8.1 over Windows 8 which runs pretty smoothly. But before you do that.. remember to take your data out of the windows.old folder!

The trap here is that when you upgrade from Windows 8 to Windows 8.1, the contents of the windows.old folder are deleted and overwritten, destroying the backup data from Windows XP.

Uh-oh. It's a good job that I'm paranoid about backups, so nothing was lost. But it's easy to see that people could lose data if they don't recover it from windows.old before they do the Windows 8.1 upgrade.

It really, really is worth investing in some offline storage or other backup medium before you do this. I took the opportunity to clone Windows XP to a new SSD drive before doing the upgrade and I disconnected the original hard disk, and I also made an offline backup to be on the safe side. But if I had just ploughed on and done the deed then I would have lost irreplaceable data.

Windows 8.1 is.. well, weird. But it does run very quickly on my four-year-old Dell Precision workstation with the SSD drive and a memory upgrade. Apart from the vanishing data it all went remarkably smoothly (if you are knowledgeable about Windows systems) and it didn't require any unpleasantness such as driver disks. The application troubleshooting is pretty awesome for apps that don't run properly under the new OS, and there are only a few really ancient 16-bit apps that I can't get to work that need recoding. Ah well, it should keep the computer up-to-date with security updates until 2023 which should easily be longer than the expected lifespan of the machine..


Friday, 27 December 2013

Odd "Wire transfer to your account" spam

Almost all spam tends to be some sort of scam or some sort of malware. I can't quite figure this one out though.

From:     Andrew Chukwu [andrewchukw@gmail.com]
Date:     27 December 2013 13:24
Subject:     Wire transfer to your account

Please review and follow the instruction to get your payment slip,
please get back to us as soon as you get it

Best of Luck

I know better than to open unsolicited .DOC files, so I put it through VirusTotal.. and it came out clean. Joe Sandbox, Malwr, and Malware Tracker all report it as clean too. In fact, the only thing it seems to contain is the following string:

file:///C:/DOCUME~1/AGV/LOCALS~1/Temp/New%20Invoice.htm

The metadata says:

Os: Windows
Version 5.1
Code page: 1252
Author: AGV
Template: Normal
Last Saved By: AGV
Revision Number: 1
Name of Creating Application: Microsoft Office Word
Total Editing Time: 01:00
Create Time/Date: Thu Dec 26 10:15:00 2013
Last Saved Time/Date: Thu Dec 26 10:16:00 2013
Number of Pages: 1
Number of Words: 8
Number of Characters: 48
Security: 0

The email originates from a Gmail IP address, and given the Nigerian-sounding name it could simply be a scam email gone wrong, but I would strongly advise you not to open it in any case, just in case it is something far more malicious.

Monday, 23 December 2013

"Hearing of your case in Court NR#6976" spam

I've had quite a few spams with a similar payload to this that I can't even unzip. Go figure. But this one is an interesting variation.

Date:      Mon, 23 Dec 2013 10:05:38 -0500 [10:05:38 EST]
From:      Notice to Appear [support.6@jonesday.com]
Subject:      Hearing of your case in Court NR#6976

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 9, 2014 at 10:00
   am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Alison Smith
   Clerk to the Court. 
There is an attachment Court_Notice_Jones_Day_Wa#8127.zip which in turn contains an executable Court_Notice_Jones_Day_Washington.exe which is presumably malicious, but I can't analyse it. The VirusTotal detection rate for the ZIP is 4/49.

Updated: a couple of other variants.. and the ISC have a report now too.

Date:      Mon, 23 Dec 2013 20:02:52 -0400 [19:02:52 EST]
From:      Notice to Appear [ticket_support.6@jonesday.com]
Subject:      Hearing of your case in Court NR#2682

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 15, 2014 at
   09:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Olivia Tailor
   Clerk to the Court.

--------------

Date:      Mon, 23 Dec 2013 11:21:46 -0700 [13:21:46 EST]
From:      Notice to Appear [ticket_support.8@jonesday.com]
Subject:      Notice of appearance in court NR#5365

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 19, 2014 at
   09:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Jennifer Tailor
   Clerk to the Court.
--------------

Date:      Mon, 23 Dec 2013 21:37:10 -0700 [12/23/13 23:37:10 EST]
From:      Notice to Appear [ticket_support.8@jonesday.com]
Subject:      Urgent court notice NR#31620

Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 11, 2014 at
   11:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Barbara Smith
   Clerk to the Court. 

Update 2 [31/12/2013]: in the past couple of days there has been a renewed spam run with some slightly different details. For some reason I cannot analyse the contents of the ZIP file, but you can be sure that it is malicious.

Sample emails:

Date:      Tue, 31 Dec 2013 06:45:59 -0700 [08:45:59 EST]
From:      Notice to Appear [support.7@lw.com]
Subject:      Urgent court notice No#14110

 Notice of appearance,
   Hereby you are informed that you are due in the court of New York
   on the 19 of January, 2014 at 10:00 am for the hearing of your case.
   You are kindly asked to prepare and bring the documents relating to
   the case to Court on the specified date.
   Please, download the copy of the court notice attached herewith to
   read the details.
   Note: The case may be heard by the judge in your absence if you do not
   come.
   Yours truly,
   Clark Murphy
   Clerk to the Court.

============================

Date:      Mon, 30 Dec 2013 17:03:29 -0400 [12/30/13 16:03:29 EST]
From:      Notice to Appear [aa.support933@jonesday.com]
Subject:      Notice of appearance in court NR#4723

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 17, 2014 at
   10:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Evie Mason
   Clerk to the Court.

============================

Date:      Mon, 30 Dec 2013 13:05:54 -0600 [12/30/13 14:05:54 EST]
From:      Notice to Appear [order.040@gibsondunn.com]
Subject:      Hearing of your case in Court No7712

 Notice to Appear in Court,
   This is to advise that you are required to attend
   the court of Los Angeles in January 11, 2014 for the hearing of your
   case.
   Please, kindly prepare and bring the documents related to this case to
   Court on the date mentioned above.
   Attendance is compulsory.
   The copy of the court notice is attached to this letter, please,
   download and read it thoroughly.
   ALLEN Walsh
   Clerk to the Court.

Sample attachments:
Court_Notice_Latham_and_Watkins__NY07550.zip
Court_Notice_Jones_Day_Wa#6152.zip
Court_Notice_Los_Angeles_No0216.zip

Update 3: [8/1/2014] another slight variation of this has gone out in the past day or so..

Date:      Mon, 06 Jan 2014 18:12:16 -0400 [01/06/14 17:12:16 EST]
From:      Court attendance notification [help151@perkinscoie.com]
Subject:      Court attendance notification #No597

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Louisiana in February 23, 2014 at 10:30 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Donna Tailor

============================

Date:      Tue, 07 Jan 2014 10:56:43 -0500 [01/07/14 10:56:43 EST]
From:      Pretrial Notice [notice_support.6@alston.com]
Subject:      Judicial summons No8365

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Atlanta in February 19, 2014 at 10:00 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Karen Mason

============================

Date:      Tue, 07 Jan 2014 A.D. 18:33:05 -0400 [01/07/14 17:33:05 EST]
From:      Pretrial Notice [support.3@alston.com]
Subject:      Judicial summons No3877

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Atlanta in February 20, 2014 at 10:00 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Mary Smith

============================

Date:      Wed, 08 Jan 2014 02:54:03 -0500 [02:54:03 EST]
From:      Pretrial Notice [notice_support.8@alston.com]
Subject:      Notice of appearance in court No96162

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Atlanta in February 12, 2014 at 09:00 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Alison Tailor

Sample attachment names:
Plaint_Note_Document_06_01#0478.zip
Plaint Note_06_01_2014_No2964.zip
Plaint_Note_Document_06_01#1619.zip
Plaint_Note_Document_06_01#6017.zip

This malware is detected by 28/48 scanners at VirusTotal, but the Malwr analysis of what it does seems pretty inconclusive.

QuickBooks spam / Invoice.zip

This fake QuickBooks spam has a malicious attachment:

Date:      Mon, 23 Dec 2013 07:54:35 -0800 [10:54:35 EST]
From:      QuickBooks Invoice [auto-invoice@quickbooks.com]
Subject:      Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 12/23/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Randal Owen

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 

Attached to the message is a file Invoice.zip which has a VirusTotal detection rate of 5/44, which in turn contains a malicious executable Invoice.exe with a detection rate of 5/49.

Automated analysis [1] [2] [3] shows an attempted connection to wifordgallery.com on 174.127.73.250 (Hosting Services Inc, US). It appears to be the only domain on that server, so blocking the IP or the domain itself may give you some protection against this current run of malware.
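The court-notice and QuickBooks runs above share the same shape: a forged sender domain, a subject with a case or invoice number, and a ZIP that wraps an executable. The following triage script is an added example written for this post (not the blog's own tooling); the sample messages and ZIPs are constructed in memory from the details quoted above, and the inner filename of the Plaint_Note ZIP is an assumption since the post could not open it.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Subject shapes seen in these runs: "Hearing of your case in Court NR#6976",
# "Urgent court notice No#14110", "Judicial summons No8365", "Court attendance notification #No597".
COURT_SUBJECT = re.compile(r"(court|hearing|summons|pretrial)\b.*\b(NR#?|No#?)\d{3,}", re.I)
# Attachment names seen: Court_Notice_*.zip, Plaint_Note_*.zip and "Plaint Note_*.zip".
COURT_ATTACH = re.compile(r"^(Court_Notice|Plaint[ _]Note).*\.zip$", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Domains forged in the From: line of these runs; a hit means "check SPF/DKIM", not "block the domain".
SPOOFED_IN_THESE_RUNS = {"jonesday.com", "lw.com", "gibsondunn.com", "perkinscoie.com",
                         "alston.com", "quickbooks.com"}


@dataclass
class Message:
    sender: str
    subject: str
    attachments: dict  # filename -> raw bytes


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def zipped_executables(blob):
    """List members with executable extensions from the ZIP directory; nothing is extracted or run."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def triage(msg, spoofed_domains):
    """Return the reasons a message matches these spam runs (empty list = no match)."""
    reasons = []
    if COURT_SUBJECT.search(msg.subject):
        reasons.append("court-notice subject pattern")
    if sender_domain(msg.sender) in spoofed_domains:
        reasons.append("sender domain spoofed in these runs")
    for name, blob in msg.attachments.items():
        if COURT_ATTACH.match(name):
            reasons.append(f"court-notice attachment name: {name}")
        inner = zipped_executables(blob)
        if inner:
            reasons.append(f"zip {name} contains executable: {', '.join(inner)}")
    return reasons


def make_zip(inner_name, payload=b"MZ placeholder, not a real program"):
    """Build a small in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed samples modelled on the posts; the inner name of the Plaint_Note ZIP is assumed.
SAMPLES = [
    Message("support.6@jonesday.com", "Hearing of your case in Court NR#6976",
            {"Court_Notice_Jones_Day_Wa#8127.zip": make_zip("Court_Notice_Jones_Day_Washington.exe")}),
    Message("notice_support.6@alston.com", "Judicial summons No8365",
            {"Plaint Note_06_01_2014_No2964.zip": make_zip("Plaint_Note_assumed.exe")}),
    Message("auto-invoice@quickbooks.com", "Important - Payment Overdue",
            {"Invoice.zip": make_zip("Invoice.exe")}),
    Message("colleague@example.com", "Minutes from Monday",
            {"minutes.zip": make_zip("minutes.txt")}),
]
```

Running triage(m, SPOOFED_IN_THESE_RUNS) over SAMPLES flags the first three messages and leaves the ordinary one alone; the ZIP check reads only the archive's directory, so it is safe to run on quarantined attachments.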

Thursday, 19 December 2013

"FSA needed - 1800 GBP/month" fake job offer

This job offer is a fake..

Date:     19 December 2013 14:43
Subject:      FSA needed - 1800 GBP/month

Having seen your CV that we gained from a staffing agency, we'd like to offer you a job.

We are a small independent company located in United Kingdom. The main field of our business is IT outsourcing services, including the search of clients for potential employees and matching the most ideal candidate for each company's request.

We are happy to extend this opportunity to you. This position does not require any special experience and agents are hired on part-time basis for 1 month probationary period. During which the applicants receive online training and support.

Salary during the training period will amount up to GBP 1,500 and you will be entitled to a commission of 8% on all of your operations. You will be eligible to participate in our benefit program.

Requirements: internet, phone and e-mail availability, ability to work 2-3 hours a day Monday through Friday, PC user skills.

Candidates should send their electronic application to newcareer93@gmail.com.

To expedite the communication process, please fill in the required information below:

=====FORM=====FORM=====
Forename: _____________________
Surname:________________________
Country of residence:______________________
Contact phone:________________________
Preferred call time:_____________________
=====FORM=====FORM=====

Thank You,

Emma Wilkinson

The email comes from an IP address in Arizona rather than the UK. It's unclear what the so-called job is, but it is likely to be money laundering or some other criminal activity. Avoid.

"New Voicemail Message" spam from "Elfin Cars Sports"

This fake voicemail message from "Elfin Cars Sports" has a malicious attachment:

Date:      Thu, 19 Dec 2013 08:36:56 -0600 [09:36:56 EST]
From:      Voice Mail [noreply@spamcop.net]
Subject:      New Voicemail Message

New Voicemail Message

You have been left a 1:02 long message (number 1) in mailbox from "Elfin Cars Sports"
07594434593, on Thursday, December 19, 2013 at 07:20:02 AM

The voicemail message has been attached to this email - which you can play on most
computers.


Please do not reply to this message. This is an automated message which comes from an
unattended mailbox. This information contained within this e-mail is confidential to, and
is for the exclusive use of the addressee(s). If you are not the addressee, then any
distribution, copying or use of this e-mail is prohibited. If received in error, please
advise the sender and delete/destroy it immediately. We accept no liability for any loss
or damage suffered by any person arising from use of this e-mail. 

The attachment is VoiceMail.zip with a VirusTotal detection rate of 9/49, which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file, and this also has a detection rate of 9/49 (but with slightly different detections).

Automated analysis tools [1] [2] show an attempted connection to plantautomation-technology.com on 216.151.164.211 (NJ Tech Solutions, US) and anuudyog.com on 66.7.149.156 (Web Werks, US).

Wednesday, 18 December 2013

"VISA - Recent Transactions Report" spam / payment-history-n434543-434328745231.zip

This fake VISA spam comes with a malicious attachment:

Date:      Wed, 18 Dec 2013 14:32:50 -0500 [14:32:50 EST]
From:      Visa [Eddie_Jackson@visa.com]
Subject:      VISA - Recent Transactions Report

Dear Visa card holder,

A recent review of your transaction history determined that your card was used in
possible fraudulent transactions. For security reasons the requested transactions were
refused. Please carefully review electronic report for your VISA card.

For more details please see the attached transaction report.

Virgie_Cruz
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom


CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (Visa Europe Limited.) that
is proprietary, privileged, confidential and/or protected from disclosure under
applicable law. If you are not the intended recipient, you are hereby notified that any
viewing, copying, disclosure or distributions of this electronic message are violations
of federal law. Please notify the sender, by email or telephone (+44 (0)20 7795 3492), of
any unintended recipients and delete the original message without making any copies.
Thank You 

Attached to the message is an archive file payment-history-n434543-434328745231.zip with a VirusTotal detection rate of 10/48, which in turn contains payment-history-n434543-434328745231.exe with a detection rate of 10/49. Automated analysis tools [1] [2] indicate a network connection to bestdatingsitesreview4u.com on 38.102.226.126 (PSInet, US). This appears to be the only site on that server, so temporarily blocking either the IP or the domain may help mitigate against infection.

Tuesday, 17 December 2013

Video: Parcel Reshipping Scams, Parcel Mules and Fake Job Offers

A brief presentation on how parcel reshipping scams work, and the role of parcel mules and fake job offers.