Thursday, March 26, 2009

The Crooks Are Getting Smarter

And no, I don't mean the ones that work for President Obama. Daily (hourly?) we all get emails that purport to be a security alert or a request for clarification, asking you to log in to a bank's web page. When you get to that web page, you are asked to enter account information. The goal is to get you to tell them credit card information or personal details that will let them either run up your credit card, or steal your identity.

Most of these frauds aren't very well done. There will be a web page link that says something like "http://www.bankofamerica.com" but if you move the mouse over the text, you will see that the link actually takes you to an IP address-based web page, such as http://18.242.20.30/index.html, not to one with a domain name. Unless you look very carefully at the browser's address line, you won't notice that the page, which may actually be a copy (in most respects) of the real institution's web page, isn't where you think it is.

Today's more-clever-than-usual fraud purports to be from the Kansas City Police Credit Union. Since I have no account with them, I knew that the email was fraudulent:

We recorded a payment request from HostGator - www.hostgator.com - Professional Web Hosting to enable the charge of $ 18.20/month on your account.

Because the order was made from an African internet address, we put an Exception Payment on transaction id #POS 718493-5 motivated by our Geographical Tracking System.

THE PAYMENT IS PENDING FOR THE MOMENT.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "HostGator Professional Web Hosting".

If you didn't make this payment and would like to decline the $ 18.20 billing to your card, please follow the link below to cancel the payment:

Cancel this payment (transaction id #POS-849035)

NOTE: Because email is not a secure form of communication, please do not reply to this email.

If you click on the "Cancel this payment" line, it takes you not to an IP address-based web page, but to one with a plausible domain name: http://www.kccpcuhb.com/. If you compare that page with the actual Kansas City Police Credit Union web site, it is similar enough that you might believe that it is the real thing. But the real institution's web site is kccpcuhb.org, not .com.

So I did a WHOIS to find out who owns the www.kccpcuhb.com domain name:

Domain Name.......... kccpcuhb.com
Creation Date........ 2009-03-26
Registration Date.... 2009-03-26
Expiry Date.......... 2010-03-26
Organisation Name.... Cally Nichols
Organisation Address. P O Box 99800
Organisation Address.
Organisation Address. EmeryVille
Organisation Address. 94662
Organisation Address. CA
Organisation Address. US

Admin Name........... PrivateRegContact Admin
Admin Address........ P O Box 99800
Admin Address........
Admin Address........ EmeryVille
Admin Address........ 94662
Admin Address........ CA
Admin Address........ US
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002
Admin Fax............

Tech Name............ PrivateRegContact TECH
Tech Address......... P O Box 99800
Tech Address.........
Tech Address......... EmeryVille
Tech Address......... 94662
Tech Address......... CA
Tech Address......... US
Tech Email........... contact@myprivateregistration.com
Tech Phone........... +1.5105952002
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

Interesting problems. The creation date: today? That's a clue that this is a fraud.

Whoever registered this domain obviously doesn't live in California, or they wouldn't have spelled EmeryVille with a capital V.

The phone number? Putting a period between the country code and the area code--but no periods between area code and phone number--tells me that this wasn't done by an American. And if you call that number, it goes directly to voice mail--and the mailbox is full!

But I do give them credit for having the wits to register this domain to an American address, although it's a bit odd that the registrar is "Current Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE".
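
Two of the clues above can be checked mechanically: the creation date matching the day the email arrived, and the .com look-alike of the real .org domain. The following Python sketch is an added example, not part of the original post; the function names, the 30-day age threshold and the simple one-label TLD split are assumptions made for illustration, and the WHOIS text is an excerpt of the record quoted above.

```python
import re
from datetime import date

# Excerpt of the WHOIS record quoted in this post (dotted "Key.... value" layout).
WHOIS_TEXT = """\
Domain Name.......... kccpcuhb.com
Creation Date........ 2009-03-26
Expiry Date.......... 2010-03-26
Admin Fax............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
"""

# Field name (letters and spaces), a run of filler dots, then the value.
LINE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\.+[ \t]*(?P<value>.*)$")

def parse_whois(text):
    """Return {field: [values]}; repeated fields (Name Server) keep every value."""
    record = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group("value"):  # skip empty fields such as "Admin Fax............"
            record.setdefault(m.group("key"), []).append(m.group("value").strip())
    return record

def split_domain(name):
    """Naive split into (label, tld); assumes a one-label TLD such as com or org."""
    label, _, tld = name.lower().rstrip(".").rpartition(".")
    return label.split(".")[-1], tld

def phishing_signals(record, received, legit_domain, max_age_days=30):
    """Flag a linked domain that is newly registered or a TLD swap of the real one."""
    signals = []
    created = date.fromisoformat(record["Creation Date"][0])
    age = (received - created).days
    if 0 <= age <= max_age_days:  # 30 days is an assumed threshold, tune as needed
        signals.append(f"registered {age} day(s) before the email arrived")
    l_label, l_tld = split_domain(record["Domain Name"][0])
    g_label, g_tld = split_domain(legit_domain)
    if l_label == g_label and l_tld != g_tld:
        signals.append(f"same name as {legit_domain} under .{l_tld} instead of .{g_tld}")
    return signals

if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    for s in phishing_signals(rec, date(2009, 3, 26), "kccpcuhb.org"):
        print("FLAG:", s)
```

Run against the record above with the email's arrival date, it raises both flags; the same record checked a year later raises only the TLD-swap flag.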
