Today, something
suspect slipped through the Gmail spam scanners, and made it into my
Inbox. That is highly unusual. I decided to take a closer look to try
and discover why. Along the way, I’ll point out the obvious clues
to these fake job offers.
Why does someone want to offer you a job?
Not just someone, a complete stranger.
They do not want to pay you any money. That much is certain.
They are more interested in what they can get from you. These emails are generally phishing attacks, and what they are phishing for is one or more of the following:
- Personal details – if you send them your resume they’ll generally gain a lot of useful information. This may lead to them having further communications with you and asking further questions, particularly if you have recently worked for an interesting employer.
- Professional knowledge – assuming that you recently worked for an interesting corporate or government client, the scammers might start asking questions about your time there, in a hope that you might be clumsy enough to disclose information that may allow them to attempt attacks against that organisation.
- Banking details – to start working they may ask you to make an initial payment for registration, or to pay for supplies, or they may ask for your bank details to be able to initiate payments. Never do this unless you have verified who they are, and that they are a legitimate employer.
- Time – they may offer you a trial period, but they likely have no intention of offering you permanent work. They just want to make the most of your efforts during the trial period, then you’ll never hear from them again. They just wanted you as a temporary digital slave.
- A combination of the above, and as much of it as they can possibly get.
You have mail!
Well, I have an odd
email. It appears to be from someone named “Virginia Wolf”.
Wasn’t she a famous author? Even if this was the author, there is
no reason for her to be contacting me. The use of this name is to
trick the unwary into thinking that possibly they may know the
sender, and hence open the email.
The second oddity
that sticks out is that the subject of the email is my name. I like
my name. A serious employer who is genuinely interested in a
professional arrangement with me would make sure that they get my name right,
including appropriate capitalisation.
So what is this?
As I am using a web
based email service to view my emails, I know that I can go a little
further in investigating these emails. If I was reading this through
Outlook on my desktop, or another desktop email client such as
Thunderbird, where the email and any potentially nasty payload has
downloaded to my computer already, I would simply delete the email at this point. Since I am
viewing the email as it is opened on a server somewhere else in the
world, I feel a bit more comfortable about reading further.
Immediately I see
the email address of this supposed “Virginia Wolf”.
‘torresczrsandragz’ is the first part of the email address. Let’s
stop and think, what serious business person is going to have an
email address like that? No one. It is too hard for people to
remember, too difficult to tell them quickly. This may be a real
email address, but it does not belong to anyone conducting a
legitimate business, unless they are brain dead. Furthermore, the domain part of the email is
“@outlook.com”. This tells me that they are not emailing me from
a business email account. They are using a randomly created email
account, or pretending to be using an Outlook webmail account.
Perhaps the first impressions were bad, but it can only get better, right? Wrong.
If you can do so
safely, reading through the email a little can provide further clues.
The whole text is
bogus, and poorly written. Let me pick some particularly good
examples:
We are one of the top international distributors of the variety of goods
At no point is any
identification of an organisation/employer made. If this was a
legitimate offer, the employer would disclose their corporate
identity, particularly if they were a big international company.
There is also no definition in the email of a group, set or category
of goods that this supposed employer markets – so “the variety of
goods” is both a lie and bad grammar.
If you are sure enough to try and become a member of one of the most prospective enterprises in Australia,
If you are sure
enough to what…? This sentence is very poorly worded. If they were
a large international employer serious about doing business in
Australia, they would pay one of their staff to get the wording
correct, or at least pay for an outsourced resource to do a quality
job.
Unfortunately, we are not able to invite the applicants outside Australia. Thus you have to be either a resident, or a legal permission to work for applying.
“we are not able
to invite the applicants outside Australia” could mean a number of
things. Might mean that there is not any international travel
involved in the job. “Thus you have to be either a resident”, of
Australia we assume. “or a legal permission to work for applying”,
this makes zero sense in so many ways. How can a person also be a
form of legal permission? And the sentence structure is defective at
best.
Your tasks will involve:
- communicating with customers from the USA, Asian and European countries, assisting to build the trading process as smooth as possible for them;
Again, very bad grammar.
- processing the information, mostly related to the sales;
Processing ‘the’ information… bad grammar.
- assisting the sales office with different problems;
- and, last but not least, offering the articles.
Offering articles?
We are ready to provide a monthly rate of 8000aud per month for a job on a permanent basis. If you prefer to be more flexible, you can choose the short hours type of a job, with the wage up to 4000aud per month. These figures do not involve various encouragements to be obtained for excellent results.
“type of a job” – bad grammar.
You must pass a test period before being employed permanently.
This line is the clincher.
What it should tell you immediately is that at best you will work
your butt off for the trial period, then you will not pass the test,
and they will never pay you.
Your skills should include:
Our chief demand is good access to the Internet from your PC or laptop.
Let’s read that
again, “our chief demand is good access to the Internet from your
PC or laptop”. This is the single most truthful statement in this
email. These scammers want to gain access to and control over my
computer. What for? Don’t know. But the next sentence might tell us
a bit about how they would do it.
You must have certain MS Excel skills as well as the software programs installed.
This reads as if to say: if
you don’t have Microsoft Excel installed, do not apply. Most likely
this email is the first stage of a campaign. The second stage is
that when someone applies for the job, the scammers are almost guaranteed that the
applicant has Microsoft Excel on their computer, and there is
the chance that the scammers could send an Excel spreadsheet, possibly a timesheet, which happens to have embedded malware.
We are waiting for receiving your reply...
Bad grammar again.
and we are eager to give your career a good start in a wonderful and creative team guided by a charismatic leader.
Is this an invitation for a job or to become a
member of a religious sect?
Not convinced it’s a scam? Check the finer details
Still think a
complete stranger from a mystery organisation, who has English
writing and comprehension skills less than that of your average
sixth-grader, is offering you full-time employment from the comforts
of home for $96,000 a year? Perhaps you should look into the
technical details of the email. Let’s explore the source of the
message.
Now we are looking
at the finer details. Let’s get some data about who this is coming
from. Looking at the source data of the email, we can see that there
is an IP address of the sender.
Let’s take that IP
address (40.92.12.18) and see who owns it, using the IP Lookup tools at
www.ip-address.org.
If we
type in the IP address and search, it comes back with what looks to
be the name of what might be a legitimate email server in Microsoft’s
Outlook.com infrastructure. However this does not match the
server/domain details given in the message ID of the email:
BY2PR12MB0292.namprd12.prod.outlook.com.
So, let’s look at
this problem the other way and do a Reverse IP Lookup. Initially the
full server name of "BY2PR12MB0292.namprd12.prod.outlook.com" does not
resolve to an IP address. Piece by piece we strip it down –
“namprd12.prod.outlook.com”, then “prod.outlook.com” – still
no resolution to an IP address. Finally “outlook.com” resolves to
Microsoft Azure in Des Moines, Iowa, with an IP address of
40.97.128.194. Given that Outlook.com is a well known webmail service provider, this is an expected result.
But this is odd. Our IP Lookup and our Reverse IP Lookup results give conflicting
information. Whilst there is an outside chance that it is all
legitimate, there is a greater chance that these scammers have
managed to successfully spoof the IP address from the Microsoft
infrastructure and apply it to their own server, or worse, they have
hacked the Outlook.com servers. Suffice to say, these results do not
give us a warm and fuzzy safe feeling.
If my assertions regarding the address spoofing are even close to being correct, this is likely why the Gmail spam scanners did not send this email straight to my spam folder.
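The header checks walked through above (free webmail sender domain, a random-looking local part, a subject with no capitalisation, and pulling the originating IP and Message-ID host out of the raw source so they can be looked up) can be automated as a first-pass triage. The script below is an added example, not part of the original post; the raw message it parses is constructed to mirror the clues described here (the Message-ID host and IP come from the post, the left-hand part of the Message-ID and the addresses are made up), and the vowel-ratio test for a random local part is a crude heuristic of mine, not a standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the scam email described in the post.
RAW_EMAIL = """\
Received: from BY2PR12MB0292.namprd12.prod.outlook.com (40.92.12.18) by
 mx.google.com with ESMTPS; Mon, 1 Jan 2018 10:00:00 +0000
From: "Virginia Wolf" <torresczrsandragz@outlook.com>
To: recipient@example.com
Subject: jane doe
Message-ID: <CONSTRUCTED0001@BY2PR12MB0292.namprd12.prod.outlook.com>
Content-Type: text/plain

We are one of the top international distributors of the variety of goods
"""

# Free webmail domains a corporate recruiter would not normally send from.
WEBMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage(raw):
    """Extract lookup targets from a raw message and list the red flags."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    # Message-ID host is whatever follows the '@' inside the angle brackets.
    mid_host = msg.get("Message-ID", "").strip("<>").rpartition("@")[2]
    # Each hop prepends a Received header, so the last one listed is the
    # earliest hop, i.e. the IP nearest the sender.
    ips = [ip for r in msg.get_all("Received", []) for ip in IPV4.findall(r)]
    subject = msg.get("Subject", "")
    findings = []
    if domain in WEBMAIL:
        findings.append("sender uses a free webmail domain, not a corporate one")
    vowels = sum(c in "aeiou" for c in local.lower())
    if len(local) >= 12 and vowels / len(local) < 0.3:  # crude heuristic
        findings.append("sender local part looks randomly generated")
    if subject and subject == subject.lower():
        findings.append("subject has no capitalisation")
    if not mid_host.endswith(domain):
        findings.append("Message-ID host does not belong to the From domain")
    return {"from_domain": domain, "message_id_host": mid_host,
            "originating_ip": ips[-1] if ips else None, "findings": findings}


if __name__ == "__main__":
    print(triage(RAW_EMAIL))
```

The returned `originating_ip` and `message_id_host` are the two values you would then feed into the IP and reverse lookups described above.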
What to do next?
The next thing to do
is to report this scam. At a bare minimum, this should be reported to
your ISP or webmail provider. This will enable your webmail/ISP provider to block such emails better in future. Gmail provides an easy way to do this.
I would however,
encourage you to go further and report such emails to your relevant national cyber crime authorities. In Australia that is
ScamWatch.gov.au. If you have already fallen victim to such an
email, gather what evidence you can and report it to ACORN.gov.au - the Australian Cyber-crime Online Reporting Network.