Scammers Are Getting Smart

(Updated)
Here’s an email I received this morning:

Dear xxxxxx,

Thank you for your subscription to
http: // polarstaryouth.org/scken1578.html  (link removed for my readers’ protection)

You have been billed as KRBILL LLC for the amount of:
3.95(USD) for 3 days (trial) then 34.95(USD) recurring every 30 days .
Your new subscription identification number is:xxxxxxx,
Your membership access information is:
Username for your subscription: xxxxxxx
Password for your subscription: xxxxxxx
E-mail: xxxxxxx
Membership website: http: // polarstaryouth.org/scken1578.html (link removed)
Thank you for choosing KRBill as the eMerchant for your subscription!
Customer Support/Cancel Your Subscription 28/08/2006 07:06

 

Obviously scammers are getting smart: reading you’ve just been billed, wouldn’t you instinctively click to clarify/cancel?  We’re all getting smarter about scams, but the sense of urgency can easily trigger a knee-jerk reaction, forgetting all precautions, and that’s exactly what the scammer counts on. However, there are two safety precautions I strongly recommend to everyone:

  • No card to charge: I only ever use throwaway, virtual credit card numbers on the Net, so scammers can bill all they want, they can’t charge my card
  • Protected Email address: I have specific email addresses for subscription lists and online orders, another one for financial activity (banks, brokers), yet another for the blog… etc.  I never use my “real” email addresses, the ones I want to protect, online. So when a scam arrives at the protected email, I can rest assured they don’t have any of my data, the email is harmless junk.

Any other good ideas?  Please leave them in a comment below.

Update (8/28):  Polar Youth appears to be a non-profit, not selling anything. However, the full URL (I did not click it, but retyped it) leads to a page where one can supposedly buy a software product, and the licence terms refer to Intuit.  Since it’s obviously a forgery, perhaps someone from Intuit will chime in here.

Update (9/1):  Wow… apparently this scam was at first insignificant enough that only I posted about it, thus getting the #1 position on Google for the search term “Krbill”… then it got widespread enough that a lot of people are searching for it… I am getting a lot of hits.  I also may have become the target of the scammers’ revenge: they appear to phish my email as sender.  I received emails asking for explanation, even one asking for a refund of any money charged to them.  Rest assured: the scammers could not get your money, unless you provided them with data.

As a commenter points out below, the websites the scam email leads to contain a hidden iframe that attempts to download malware on your computer.
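A static check for the hidden iframe mentioned in the update above, as an added example that is not part of the original post: it scans HTML that has already been saved as text, without fetching or rendering anything. The heuristics, the names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
import re

# Inline styles that hide an element from the reader (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
# Script idioms that build markup at load time, which a static scan cannot see through.
SCRIPT_WRITERS = re.compile(r"document\.write|unescape\s*\(|eval\s*\(|fromCharCode", re.I)


class HiddenFrameScanner(HTMLParser):
    """Walks HTML text only; nothing is fetched, rendered or executed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag not in ("iframe", "frame"):
            return
        # width/height of 0 or 1 (with or without "px") means the frame is invisible.
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height"))
        if tiny or HIDDEN_STYLE.search(a.get("style", "")):
            self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        hit = SCRIPT_WRITERS.search(data) if self._in_script else None
        if hit:
            self.findings.append(("script-writes-markup", hit.group(0)))


def scan_html(source):
    """Return a list of (finding, detail) tuples for the given HTML text."""
    scanner = HiddenFrameScanner()
    scanner.feed(source)
    scanner.close()
    return scanner.findings

# Constructed sample page; example.invalid is a placeholder host.
SAMPLE = """<html><body><h1>Order form</h1>
<iframe src="http://example.invalid/a.html" width="0" height="0"></iframe>
<iframe src="/help.html" width="600" height="400"></iframe>
<script>document.write(unescape("%3Cp%3Ehi%3C/p%3E"));</script></body></html>"""
```

A page that builds its markup in script, as one commenter describes below, shows up only under the second finding, so an empty result does not mean the page is safe.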

Comments

  1. quickly looking at that page it appears that it is using an iframe to exploit a vulnerability described in MS06-014

    http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx

    prolly will give you a dose of spyware if you are not patched and running IE 😉

  2. Suggestion: Live in a country where banks carry the liability for fraudulent transactions.

    In South Africa this is the situation, and, as a result, we have very, very good bank and transaction security. If the customer queries a transaction on their card, the bank has liability for the payment unless they can positively prove that the customer authorised the transaction.

    About six months ago one of the Big Banks locally had a problem where scammers stole a bunch of money using stolen credit card details. The bank had to carry all the costs because they were unable to show that the real clients had authorised the transactions. Cost them a bundle!

    Of course the banks are trying to weasel out of it by getting the laws changed, but that’s another story…

  3. Thanks for the info about the scam. My wife received the email on Aug 29th. She did not do the knee jerk reaction and click on the link. Thanks again for the info!

  4. I received almost the exact same e-mail, only it stated I had subscribed to http://carolvilla.org/scken1578.html (notice the last portion is the same as the one you were sent) and listed the same exact amounts for the bill. Carol Villa is apparently a homeowners association in Montgomery, Alabama, and are probably oblivious to this scam.

  5. I had the same thing, but as a full-time webmaster, I’m right on top of these sorts of scams. My solution was to run the link through one of those “examine your code for errors” scripts found on the various webmaster sites. It grabs the source code, and displays it on your screen (so that it can highlight non-compliant tags, etc.) without you ever having to actually go to the site.

  6. Thank you ALL for posting the info about this one. I received a similar one, and googled a portion of the text to confirm it as scam, finding this blog. The scammers aren’t the only ones getting smart.

    TM

  7. It uses JS/Wonka and tries to drop down1.dll and ipv6mons.dll in the Windows\System32 folder. This is a spyware monitor that attempts to grab all sorts of info from your PC.

  8. I just got the same email with a supposed subscription to a website … maneri6…. which i checked out and it is a bunch of pictures of 6 guys started by a guy named maneri… i did not click the actual link in the email, just investigated carefully… is there any chance that they will bill my card? what is the purpose of these emails? i am using OSX and have never had a virus before… Thanks

  9. The version I got pulls up a page on Intuit software, apparently at the actual site referred to (an Art Gallery in Utah); I typed it in. Have they been “zombied”?

    The Intuit page is generated by very simple Java Script that just seems to unscramble a long string. Can’t see any reference to down1.dll etc. It’s just messing with text.

    Can you say more about how it works?

  10. I have a web site TheStudioGallery.net and someone just emailed me referring to the same message and it was from my site. The web page was on my server. I have no idea how it got there and took it down right away and changed the password to my admin and ftp.

  11. you mentioned “I only ever use throwaway, virtual credit card numbers on the Net, so scammers can bill all they want, they can’t charge my card” – how does one gain access to these throw-away cc #’s? I’ve never heard of that before.

  12. your domain, TheStudioGallery.net, and the domain in the blog above, polarstaryouth.org, appear to be hosted at the same location startlogic.com/ipowerweb.com. They might have an issue with the security there on the servers.

  13. Citibank has been offering this for several years now, so I suppose several other banks should, too.

  14. Thanks for your reply. I have another site hosted by startlogic but it is on different servers and not affected. I notified startlogic about the situation this morning because I thought they might have a worm. Also, all the emails have been coming from Australia so I will probably be flooded by tomorrow.

  15. I got this email too, I clicked on the link :-O, will they be able to access my bank details? I didn’t give any info or anything and have run adaware straight away afterwards.

    Darn, I am normally so careful about this stuff!

  16. Could you please help to give an example website on how to test the grabbing of those source code ? Thanks a Lot !

  17. I also got this email and clicked the link =/ usually Im careful with things like this. >:|

    Thanks for the warning about it though it coulda been worse.

  18. I received a similar email yesterday morning. This one came from an apparently “real” person’s email in the Legal Faculty at Monash University in Melbourne, Australia, so it looks as if the university’s internet security may have been breached.

  19. I just received two versions of this same scam email (with a different subscription name given on each). I too found the Intuit software information when I went to the link. Any idea what kind of virus software one might need to protect against the spyware attached to this thing?

    Thanks for posting this blog…it has been very helpful.

  20. Me too.. same sort of email but telling me to go to genesis-tours which I investigated but not by clicking on the link through the email. Seems like a legit business. The ending of the link said scken3184.html. I called Bigpond technical advice and they were hopeless. They could not even tell me it was a scam. They just said not to worry as they will not bill my Bigpond account. I wanted to find out who KR Bill was so I can tell them off. But this website solves my problem. I’ll delete the email. THANK YOU SO MUCH

  21. Thank you very much for posting this on your blog. I received this tonight and it worried me a bit. The website I was given was spacebox.info/scken4184. html and I recently downloaded a piece of virtual astronomy software for teachers, so I wondered if it had come from there. I didn’t provide any banking details, but I wondered if the software had trojans or something in it.

    I googled it (yes, Google Australia) in case it was a scam and found your blog. So thanks again – really appreciate it!!!
