Thursday, September 9, 2021

Spotting a Scam

I received an e-mail (actually, the second one to a different address triggered this, but I'm hitting the first one).  Obviously, it's a scam.  Let's take a look:

First, an e-mail address takes the form username@domain.  In this one, the "From" address doesn't match who they are pretending to be (they have pconfermations@gmail.com with a display name of "Produts Confermations").  The part after the @ (the domain) is "gmail.com".  No self-respecting business will send from a domain that the business does not own.  That means McAfee e-mails would come from @mcafee.com, not @gmail.com.  The username doesn't even spell things right.  We know from the start that this isn't from McAfee, and whoever it is can't spell to save their life.

Second, the "subject" of the e-mail has awkward characters in it.  Beware of crap that has emojis or other odd symbols in it - it is definitely unofficial.  Underscores in a subject are nearly unheard of with real businesses.

Next, into the body of the message, we find misspellings and bad grammar throughout.  More underscores in "Dear-Values-Customer"?  Yes, please.  "Antivirues"?  Okay, enough on that.  Let's just check and see if we can find the origin.  Open the message source (this will depend on your mail client; you might need to open a browser window and search the Internet for "view email source" and the name of your client to find out how).

At the top of an e-mail source are what are referred to as "headers".  There will be no empty lines in this area; the header block ends at the first empty line.  Each header is a key and a value separated by a colon, with the key on the left.  When a server receives an e-mail, it is supposed to prepend its own source information, such as a "Received" header, to the front of the headers.  This means that as we scroll down through the "Received" headers we are reading the message's history and going back in time.  We want to know the origin, so let's scroll to the bottom of the headers and then work our way back to the top.

You'll see all of the "Subject:" and "Bcc:" headers - these are what your mail client displays when you open a message.  Shortly above these is our first "Received:" header.

Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id j5sor2873717lfe.26.2021.08.29.18.18.32
        for <email@gmail.com>
        (Google Transport Security);
        Sun, 29 Aug 2021 18:18:33 -0700 (PDT)

What I am interested in is anything that is four numbers separated by dots (no spaces, and not more than four numbers).  Here, that is "209.85.220.41", and it's called an IP address.

When you are doing this, if the IP addresses start with 192.168., or 172.16., or 10.0, or 127., these are called "private networks" - though they can give us an idea of how the network is built, they won't help us find the sender, so if your first Received: header contains an address like that, simply move to the next one.

In our case, the IP address is not on an internal, or private, network.  So, open your web browser and do an Internet search for that address.  (If you have Linux, you can also simply run "whois 209.85.220.41" and get results.)
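The header walk described above (bottom Received: header first, skip private addresses, stop at the first public one) automated as an added example written for this post; it is not the author's code. The only real data in it is the post's own first Received: header; the older hop from 192.168.1.20, relay.example.net and its queue id are constructed.

```python
"""Walk an e-mail's Received: headers bottom-up and report the first public
IPv4 address. Example code written for this post, not from it."""
import email
import ipaddress
import re
from typing import List, Optional

# "Four numbers separated by dots", refusing a dot or digit on either side so
# the timestamp inside an SMTP id ("...26.2021.08.29.18.18.32") is not matched.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: the post's first Received: header on top, plus an invented
# older hop from a private address (relay.example.net and its id are made up).
RAW_MESSAGE = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id j5sor2873717lfe.26.2021.08.29.18.18.32
        for <email@gmail.com>
        (Google Transport Security);
        Sun, 29 Aug 2021 18:18:33 -0700 (PDT)
Received: from [192.168.1.20] (unknown [192.168.1.20])
        by relay.example.net (Postfix) with ESMTP id 4HXY01;
        Sun, 29 Aug 2021 18:18:31 -0700 (PDT)

"""

def received_hops(raw_message: str) -> List[str]:
    """Received: values in file order: newest hop first, oldest (origin) last."""
    msg = email.message_from_string(raw_message)
    return [str(value) for value in msg.get_all("Received", [])]

def public_ips(header_value: str) -> List[str]:
    """IPv4 addresses in one header that are not private, loopback or reserved."""
    found = []
    for candidate in IPV4_RE.findall(header_value):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:  # e.g. 999.1.1.1 is four numbers but not an address
            continue
        if addr.is_global:  # False for 10/8, 172.16/12, 192.168/16, 127/8, ...
            found.append(str(addr))
    return found

def find_origin(raw_message: str) -> Optional[str]:
    """Walk from the bottom Received: header upward until a public IP appears."""
    for hop in reversed(received_hops(raw_message)):
        ips = public_ips(hop)
        if ips:
            return ips[0]
    return None
```

On the sample the private hop at the bottom is skipped and the answer is 209.85.220.41, which is exactly the dead end the post runs into: the trail stops at a Google relay.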

Well, that sucks.  That address is a giggle address (spelling is intentional).  It's one of the gmail.com addresses.  I know, we could have looked at the domain name for it in the "Received" header, but I wanted to go through the exercise.  Google USED to show the source for the e-mail, even if it was done via gmail.com's website and not an e-mail client.  Just for kicks and giggles, scan all of them.

So, what CAN we do?  Actually, not much with this one.  Let's look at the second one.

Bugger.  It's also from a gmail account.  Still, the spelling of the name is atrocious, and the symbols and underscores in the subject are a fast red flag that this is not official.  In the body, we have the usual grammar errors and capitalization issues that alert us that the sender is not a fluent English speaker.  Remember, a big business will have additional people proof-reading their e-mails and templates.

Then, there is the killer.  They couldn't even spell the name of the company they were trying to spoof.  They had "MAcfee" instead of "McAfee".  Unfortunately, this one also had a gmail IP address:

Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])
        by mx.google.com with SMTPS id h7sor653174ljc.46.2021.09.09.03.18.39
        for <email@gmail.com>
        (Google Transport Security);
        Thu, 09 Sep 2021 03:18:39 -0700 (PDT)

So, like the detectives when all of the toilets were stolen from Scotland Yard, we have nothing to go on.

Still, on a positive note, they left two phone numbers.

1 (747) 600-1278
+1 640-900-2247

If you Internet-search those numbers, you'll see that they have a scam reputation.  Still, I am tempted to call them just to see.