Archive for the ‘Alert / SCAM / Hoax’ Category

Won 17,000?

Monday, August 4th, 2008

Suddenly this morning, as early as 6 a.m., my handphone rang; an SMS had come in. I read it, in case it was one of my friends texting to meet up or something. When I looked at the sender's number that came up, it was certainly not one of my friends who had sent it.

Sender info: +6281586205149

SMS info: Maklumat! Anda telah Memenangi dari SHELL MALAYSIA. Caj tunai RM17.000, Sila dial No, telipon Office: 00628161108627 Penghantar: Shell Malaysia (in English: "Information! You have Won from SHELL MALAYSIA. Cash charge RM17.000, Please dial the Office telephone No.: 00628161108627 Sender: Shell Malaysia")

The fraud is very obvious. Just from reading the SMS you can see that the phrasing is not that of a Malaysian, let alone of Shell Malaysia, because it does not reflect professionalism. So, just ignore it. All of this is actually an attempt to con people and steal their money. This kind of case has been around for a long time; I think it had gone quiet before, and now it may be starting to become active again. So be careful, everyone.

Phishing email to Google AdWords Customer

Wednesday, April 16th, 2008

Howdy All,

This morning when I checked my company’s email, I found an email showing as coming from the Google AdWords Team, asking for my immediate action to reactivate my account. What the heck! Sent to my company’s email. I don’t have any account for that. In fact, if I had one, I would not sign up using my company’s email, as this is personal, not company-related work. Let’s take a look at where the email came from and at its content. Below is the message header.

Return-path: <fmanatt@uark.edu>
Received: from [81.200.21.17] ([81.200.21.17])
 by my.company.com (my.company.com)
 (MDaemon.PRO.v7.2.3.R)
 with ESMTP id md50001221873.msg
 for <emailID@my.company.com>; Wed, 16 Apr 2008 06:07:20 +0800
Received: from [81.200.21.17] by mx5.uark.edu; Wed, 16 Apr 2008 01:07:17 +0300
To: <emailID@company.com>
Subject: Please Re-activate your account
Date: Wed, 16 Apr 2008 01:07:17 +0300
Message-ID: <01c89f5e$369f7060$1115c851@fmanatt>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=”—-=_NextPart_000_0CCC_01C89F5E.369F7060″
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcgJyXC2PCEIZSJ68676UV16I9LZSX==
Content-Language: us
From: “AdWords-NoReplay” <adwords-noreply@google.com>
X-Lookup-Warning: MAIL lookup on fmanatt@uark.edu does not match 81.200.21.17
X-MDRcpt-To: emailID@company.com
X-Rcpt-To: emailID@company.com
X-MDRemoteIP: 81.200.21.17
X-Return-Path: fmanatt@uark.edu
X-MDaemon-Deliver-To: emailID@my.company.com
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11)
X-Spam-Report:
 *  0.1 HTML_MESSAGE BODY: HTML included in message
 *  4.0 BAYES_70 BODY: Bayesian spam probability is 70 to 80%
 *      [score: 0.7933]
X-Spam-Status: No, hits=4.1 required=5.0 tests=BAYES_70,HTML_MESSAGE
 autolearn=no version=2.64
X-Spam-Level: ****
X-Spam-Processed: my.company.com, Wed, 16 Apr 2008 06:07:24 +0800
 

See the Return-Path that I bolded above: it shows that the email is not coming from Google. And below is the content of the email. Please do not click on the link provided. The site is either infected with a virus, or, if you follow the instructions on the web, they are just trying to steal your personal information.

———————————————————————————
Dear Google Adwords Customer, Your ads have stopped running because we were unable to process your billing information.
To activate your account and start running your ads, enter your billing information.

In order to activate your account and start running your ads, enter your billing information.
Pease sign into your account at http://adwords.google.com/select/login, and update
your billing information.

Once your account is reactivated and your billing information has been processed, any your ads and campaigns can begin running immediately on Google.

———————————————————————————-
This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message.

———————————————————————————-

Google Adwords Team 

If you simply look at the content and the link visually, yes, it looks like a valid email from Google. Unfortunately, the message header shows that it is not. So, it is good to make it a practice to check the message header when you receive any unusual email.

Phishing email to HSBC Bank Customers

Monday, March 24th, 2008

Howdy All,

This morning I received a phishing email claiming to be from HSBC, but I know it is not from them as I never use my company’s email for any personal matters. As usual, I just checked the actual URL behind the URL given by looking at its source. I share with you the content of the email that I received below. PLEASE DO NOT CLICK ON THE LINK GIVEN BELOW!!!

Dear HSBC bank customer,

We would like to inform you that we are currently carrying out scheduled maintenance.
In order to guarantee the high level of security to our business customers, we require you to complete “Business Internet Banking Form”.
Please complete BIB Form using the link below:

http://business.hsbc.com/system_directory/isa/file.aspx?session=49230617355387080224840852072630111989207537

Please do not respond to this e-mail.

Looking at the content, nothing seems wrong, but wait: please look at the actual message when you view the source. The source will show you the actual URL set for the link given.

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0 Transitional//EN”>
<HTML><HEAD>
<META http-equiv=Content-Type content=”text/html; charset=iso-8859-1″>
<META content=”MSHTML 6.00.2800.1141″ name=GENERATOR></HEAD>
<BODY>
<P><FONT face=”Geneva, Arial, Helvetica, san-serif”>Dear HSBC bank
customer,</FONT></P>
<P><FONT face=”Geneva, Arial, Helvetica, san-serif”>We would like to inform you
that we are currently carrying out scheduled maintenance.<BR>In order to
guarantee the high level of security to our business customers, we require you
to complete “Business Internet Banking Form”.<BR>Please complete BIB Form using
the link below: </FONT></P>
<P><FONT face=”Geneva, Arial, Helvetica, san-serif”><A
href=”http://business.hsbc.com.nuifjje.es/system_directory/isa/file.aspx?session=49230617355387080224840852072630111989207537″>http://business.hsbc.com/system_directory/isa/file.aspx?session=49230617355387080224840852072630111989207537</A></FONT></P>
<P><FONT face=”Geneva, Arial, Helvetica, san-serif”>Please do not respond to
this e-mail.<BR></FONT></P> 

Please look carefully at the full URL, beginning from the <A href=> tag. It shows that the actual domain is not hsbc.com but nuifjje.es and, of course, that is not a valid domain for HSBC. So it is definitely not a valid email from HSBC but just a phishing email trying to steal HSBC customers’ personal information. Sometimes, it is an attempt to get you infected with viruses, worms or trojans.

Phishing Email to Google Advertisers

Sunday, March 23rd, 2008

Howdy All,

In my previous posting, I informed everyone about the phishing email sent to people to steal their login info. This time, I received an email, sent to my company’s email, trying to steal the information. For me, I’m not worried about it since I do not have any account with Google, but it is good to remind others. I share with you the content of the email that I received below. PLEASE DO NOT CLICK ON THE LINK GIVEN BELOW!!!

————————

Dear Google AdWords Customer!

In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information. Your account will be reactivated as soon as you have entered your payment details. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,

The Google AdWords Team

————————

This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions after following the steps above, please visit the
Google AdWords Help Center at https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US to
find answers to frequently asked questions and a ‘contact us’ link near the bottom of the page.

————————

I know it is a phishing email because the link given does not point to the URL as we see it; it actually points to a sub-domain created to look like Google’s sub-domain, under a domain in China: fgreo3.cn

You can also verify the email by looking at the original message (its header part especially); it is not from Google. Please see below.

Return-path: <firewalker434@yahoo.com>
Received: from [92.112.35.159] ([92.112.35.159])
	by my.acctrak21.com (my.acctrak21.com)
	(MDaemon.PRO.v7.2.3.R)
	with ESMTP id md50001165699.msg
	for <abrahman@my.acctrak21.com>; Sat, 22 Mar 2008 21:01:39 +0800
Received: from [92.112.35.159] by e.mx.mail.yahoo.com; Sat, 22 Mar 2008 16:01:37 +0300
Date: Sat, 22 Mar 2008 16:01:37 +0300
From: “Google Adwords-noreply” <adwords-noreply@google.com>
X-Mailer: The Bat! (v3.62.03) Home
Reply-To: firewalker434@yahoo.com
X-Priority: 3 (Normal)
Message-ID: <048989728.86776683630043@yahoo.com>
To: abrahman@acctrak21.com
Subject: Please Update Your Billing Information
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary=”———-{nHEX}”
X-Lookup-Warning: MAIL lookup on firewalker434@yahoo.com does not match 92.112.35.159
X-MDRcpt-To: abrahman@acctrak21.com
X-Rcpt-To: abrahman@acctrak21.com
X-MDRemoteIP: 92.112.35.159
X-Return-Path: firewalker434@yahoo.com
X-MDaemon-Deliver-To: abrahman@my.acctrak21.com
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11)
X-Spam-Report:
	*  3.0 BAYES_60 BODY: Bayesian spam probability is 60 to 70%
	*      [score: 0.6079]
	*  0.1 HTML_MESSAGE BODY: HTML included in message
	*  0.1 HTML_TITLE_EMPTY BODY: HTML title contains no text
X-Spam-Status: No, hits=3.2 required=5.0 tests=BAYES_60,HTML_MESSAGE,
	HTML_TITLE_EMPTY autolearn=no version=2.64
X-Spam-Level: ***
X-Spam-Processed: my.acctrak21.com, Sat, 22 Mar 2008 21:01:44 +0800

————{nHEX}
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

————————

Dear Google AdWords Customer!

In order to update your billing information, please sign in
to your AdWords account at https://adwords.google.com, and update your
billing information. Your account will be reactivated as soon as you have
entered your payment details. Your ads will show immediately if you
decide to pay for clicks via credit or debit card. If you decide to pay
by direct debit, we may need to receive your signed debit authorization
before your ads start running, depending on your location. If you
choose bank transfer, your ads will show as soon as we receive your
first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with
the most effective advertising available.

Sincerely,

The Google AdWords Team

————————

This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions after following the steps above, please visit the
Google AdWords Help Center at
https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US to
find answers to frequently asked questions and a ‘contact us’ link near
the bottom of the page.

————————

————{nHEX}
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

<br>————————<br><br>Dear Google AdWords Customer!<br><br>In order to update your billing information, please sign in<br>to your AdWords account at <a href=”http://adwords.google.com.fgreo3.cn/select/Login/” target=”_blank”>https://adwords.google.com</a>, and update your<br>
billing information. Your account will be reactivated as soon as you have<br>entered your payment details. Your ads will show immediately if you<br>decide to pay for clicks via credit or debit card. If you decide to pay<br>
by direct debit, we may need to receive your signed debit authorization<br>before your ads start running, depending on your location. If you<br>choose bank transfer, your ads will show as soon as we receive your<br>first payment. (Payment options vary by location.)<br>
<br>Thank you for choosing AdWords. We look forward to providing you with<br>the most effective advertising available.<br><br>Sincerely,<br><br>The Google AdWords Team<br><br>————————<br><br>This message was sent from a notification-only email address that does<br>
not accept incoming email. Please do not reply to this message. If you<br>have any questions after following the steps above, please visit the<br>Google AdWords Help Center at<br><a href=”https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US” target=”_blank”>https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US</a> to<br>
find answers to frequently asked questions and a ‘contact us’ link near<br>the bottom of the page.<br><br>————————<br><br> <br></div><br>

</BODY></HTML>
————{nHEX}–

Can you see the email address in the return path? Google never practices such a thing, in fact. I think I should report to you about this phishing email for their further action. Also, see the actual URL that appears in the last part of my quote? It is not going to Google’s domain but somewhere else. So, the next time you receive such an email, do not immediately click on it but check first to verify the email, for safety reasons.

Phishing Email to Gmail Users

Friday, March 7th, 2008

Howdy All,

I would just like to let all of you know that there are attacks on Gmail users by way of a phishing email claiming to be sent by Google. I share with you the content of the email that I received below. PLEASE DO NOT CLICK ON THE LINK GIVEN BELOW!!!

Dear members

Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have acces and use of your Gmail and to ensure a safe Gmail experience. We require all flagged accounts to verify their information on file with us. This is the right link for update account page After you verify your information, your account shall be returned to good standing and you will continue to have full use of your account. Please note that if you don’t verify your ownership of account
in 2 x 24 hours we will block/ susspend your Gmail.

Thanks,

The Gmail Team

OK. How could I know it is not from Google? Very easy, actually. First, I did not immediately click on the link provided; in fact, I just pointed the cursor at it and checked what the actual URL for the link is. And it pointed to the domain us-gmail.com (as you can see, it is not the usual domain, gmail.com). Now, let’s see the original message (Gmail has a feature to view the original message; using it you can see the detail of every section: header, body and footer).

 

 

Delivered-To: baguznet.com@gmail.com
Received: by 10.114.134.3 with SMTP id h3cs46696wad;
Thu, 6 Mar 2008 11:11:20 -0800 (PST)
Received: by 10.78.201.8 with SMTP id y8mr527386huf.18.1204830677972;
Thu, 06 Mar 2008 11:11:17 -0800 (PST)
Return-Path: <zeus@saturn.nswebhost.com>
Received: from saturn.nswebhost.com (saturn.nswebhost.com [66.246.72.132])
by mx.google.com with ESMTP id g11si4460827gve.6.2008.03.06.11.11.16;
Thu, 06 Mar 2008 11:11:17 -0800 (PST)
Received-SPF: pass (google.com: domain of zeus@saturn.nswebhost.com designates 66.246.72.132 as permitted sender) client-ip=66.246.72.132;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of zeus@saturn.nswebhost.com designates 66.246.72.132 as permitted sender) smtp.mail=zeus@saturn.nswebhost.com
Received: from zeus by saturn.nswebhost.com with local (Exim 4.68)
(envelope-from <zeus@saturn.nswebhost.com>)
id 1JXLMU-00077n-94
for baguznet.com@gmail.com; Thu, 06 Mar 2008 13:02:38 -0600
To: baguznet.com@gmail.com
Subject: Gmail is different. Here’s Our New Security Protector Please Update.
X-PHP-Script: zeusbiz.com/ok.php for 202.152.243.162
From: Gmail Team <Gmail Team <mail-noreply@google.com>>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1JXLMU-00077n-94@saturn.nswebhost.com>
Date: Thu, 06 Mar 2008 13:02:38 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - saturn.nswebhost.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [33405 1906] / [47 12]
X-AntiAbuse: Sender Address Domain - saturn.nswebhost.com

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=iso-8859-1″ />
<title>Untitled Document</title>
</head>

<body>
<p>Dear members</p>
<p>Your account has been randomly flagged in our system as a part of our routine <br />
security measures. This is a must to ensure that only you have acces and use <br />
of your Gmail and to ensure a safe Gmail experience. We require all <br />
flagged accounts to verify their information on file with us. This is the right <br />
link for <a href=”http://secure.us-gmail.com/”><strong>update account </strong></a>page After you verify your information, your account <br />
shall be returned to good standing and you will continue to have full use of <br />
your account.Please note that if you don’t verify your ownership of account <br />
in 2 x 24 hours we will block/ susspend your Gmail. </p>
<p>Thanks,</p>
<p>The Gmail Team </p>
</body>
</html>

Please look at the part of the quote that I have bolded. It indicates that the email does not originate from Google or the Gmail team; instead it is a fake email from someone claiming to be from Gmail, or what we call a phishing email. The main purpose of this is to steal your login information and hijack your account.

So, please be careful whenever you receive an email claiming to be from Google. DO NOT simply click on the link provided; check first, verify the message and confirm it before you take any further action.
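The header check used in the posts on this page, written as a script: it compares the domain in From: with the domains in Return-Path and Reply-To, and with the domain that SPF actually validated. This is an added example, not part of the original posts; the function names are hypothetical, the sample headers are cut down from the ones quoted above, and the "same domain or parent/child" comparison is a simplification.

```python
import re
from email import message_from_string

ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w.-]+\w)")

def domain_of(value):
    """Domain of the last address found in a header value ('' if none)."""
    found = ADDR_DOMAIN.findall(value or "")
    return found[-1].lower() if found else ""

def related(a, b):
    """Same domain, or one is a subdomain of the other (simplified)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def sender_findings(raw_headers):
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg.get("From"))
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name))
        if dom and not related(dom, from_dom):
            findings.append((name, dom))
    # SPF validates the envelope sender (smtp.mail), not the From: header,
    # so "spf=pass" for an unrelated domain says nothing about From:.
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"\bspf=pass\b.*?\bsmtp\.mail=(\S+)", auth, re.S)
    if m:
        dom = domain_of(m.group(1))
        if dom and not related(dom, from_dom):
            findings.append(("spf-pass-for", dom))
    return from_dom, findings

# Cut down from the Gmail message quoted on this page.
GMAIL_HEADERS = """\
Return-Path: <zeus@saturn.nswebhost.com>
Authentication-Results: mx.google.com; spf=pass (google.com: domain of zeus@saturn.nswebhost.com designates 66.246.72.132 as permitted sender) smtp.mail=zeus@saturn.nswebhost.com
From: Gmail Team <Gmail Team <mail-noreply@google.com>>
Reply-To:
Subject: Gmail is different. Here's Our New Security Protector Please Update.

"""

# Cut down from the AdWords message of 22 Mar 2008 quoted on this page.
ADWORDS_HEADERS = """\
Return-path: <firewalker434@yahoo.com>
From: "Google Adwords-noreply" <adwords-noreply@google.com>
Reply-To: firewalker434@yahoo.com
Subject: Please Update Your Billing Information

"""
```

A Return-Path that differs from From: is also normal for mailing lists and bulk-mail providers, so a finding here is a reason to inspect the message, not proof on its own.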