Don’t Fall for this Phishing Scam

Phishing refers to a technique by which someone or something pretends to be something trustworthy in an attempt to get you to voluntarily give up important information such as passwords. Here’s a story about a phishing scam that I’ve seen three times in two weeks. Don’t let it happen to you! But first:

Take this Phishing Quiz and see how the bad guys try to trick you. Use a desktop computer or an iPad for the best experience.

I received an email this weekend that appeared to be from my friend Pat. It definitely came from her email account, and it had her usual email signature at the bottom. The body of the email read:

“Hi,

Check out this Foreclosed properties good for investment, CLICK HERE and log in with your email.

Pat xxxx
xxxxxxxxx
xxx xxxxxxxx x
xxxxxx xxx xxx, xx
xxx-xxx-xxxx (office)
xxx-xxx-xxxx (fax)
www.xxxxx.com”

(Here, I’ve replaced Pat’s real info with a bunch of x’s to protect her identity.)

Because I’d seen that same email from someone else earlier this week, I was instantly suspicious. I checked out the link and found that it led to what looked something like the Remax real estate site, but as you can see from the picture below, there were clues that this wasn’t the Remax site at all. (Note: in this screenshot, I’ve already clicked the “Gmail” button near the bottom of the web page.)

The first clue is in the URL. Read the address backwards from the first “/”: the name sitting immediately to the left of “.com” is “matchellen”, not “remax”. That means this site is “matchellen.com”, and whoever owns matchellen.com controls everything to the left of it (any “www” or “remax” subdomain they care to add) and everything after the first “/” (the folder and file names). It doesn’t matter that the word “Remax” appears in the URL; anyone can put any word in a subdomain or a folder name. What matters is the name attached to the “.com”. So, that’s clue number 1.

Another clue is that the title of the page is “Remax – Secure Login”. A site that calls its login “secure” should at least be served over “https” rather than plain “http”, and this one isn’t, so the claim is false on its face. There are plenty of sites that ask you to sign in without being secure, but a site that claims to be secure when it obviously is not tells you there’s something funny going on here. (The reverse doesn’t hold, by the way: “https” only means the connection is encrypted. The bad guys can get a certificate for their own domain too, so a padlock never proves that a site is the one it claims to be. Clue number 1 is still the one that counts.) Another clue is the lousy English. Pat writes better than that.

There’s one more big clue: “Remax” is asking for my GMAIL PASSWORD. Why would Remax need that? The answer, of course, is that they don’t. Remax does have its own username and password for logging in, and it happens that the Remax username is your email address, but when the real Remax login screen asks for a password it is asking for the one you created when you signed up for a Remax account, not your email password. Those should be two different passwords, and no website other than your mail provider ever has a reason to ask for your email password.
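The first two clues can be checked mechanically rather than by eye. The following is an added example (my own illustration, not code from the original post or from Remax): it pulls the registrable domain out of a URL, the name “attached to the .com”, and reports the clues described above. The public-suffix table is a deliberately small stand-in for the real Public Suffix List, and the sample URLs are constructed for the demonstration; only the names “matchellen.com” and “remax.com” come from the post.

```python
"""Added example: check the two URL clues described above.

Not from the original post.  The public-suffix table below is a
deliberately small stand-in (assumption: a real check would load the
full Public Suffix List); the sample URLs are constructed, with only
the domain names "matchellen.com" and "remax.com" taken from the post.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Stub public-suffix table: suffixes that span two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au"}


def registrable_domain(hostname: str) -> str:
    """The name 'attached to the .com': the label just left of the public suffix.

    Everything further left is a subdomain the domain owner controls, so
    'www.remax.com.matchellen.com' belongs to matchellen.com, not remax.com.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phishing_clues(url: str, brand: str, legit_domains: set[str]) -> list[str]:
    """Return the clues that say this URL is not the brand's own site.

    An empty list means no clue fired, which is not proof of legitimacy.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    clues = []
    domain = registrable_domain(host)
    if domain not in legit_domains:
        clues.append(f"site is {domain!r}, not one of {sorted(legit_domains)}")
        # Brand name present somewhere in the URL but not as the real domain.
        if brand.lower() in host or brand.lower() in parts.path.lower():
            clues.append(f"{brand!r} appears in the URL only as decoration")
    # A page calling itself a 'secure login' should at least be https.
    if parts.scheme != "https":
        clues.append(f"login page served over {parts.scheme!r}, not https")
    return clues


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    samples = [
        "http://matchellen.com/remax/login.php",
        "http://www.remax.com.matchellen.com/login",
        "https://www.remax.com/login",
    ]
    for u in samples:
        print(u, "->", phishing_clues(u, "remax", {"remax.com"}) or ["no clues"])
```

Note what the check does not catch: a phishing page served over https on a look-alike domain trips only the domain clue, which is why the domain check is the one that matters and the https check is only a supporting hint.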

Unfortunately, Pat wasn’t as suspicious as I am and she “signed in” and gave the bad guys her email address and her email password. And then the bad guys sent out hundreds, maybe thousands of pieces of mail, using Pat’s account, telling us about the “foreclosures” asking us to “log in with your email.” Pat may as well have handed the bad guys the keys to her house. “Come on over and rob me! You won’t even have to break in. Just use the key.”

You might wonder why anyone would go to the trouble of trying to fool Pat this way– after all, what’s to be gained by reading her email? Turns out that reading her email gave the bad guys a pretty good idea of who Pat is, who her friends are, and who she banks with. The bad guys found a chain of correspondence that Pat had had with someone at the bank, and they sent him an email– from Pat’s account, with Pat’s email signature– to wire some money out of Pat’s account and into their own. Fortunately, the bank was suspicious and didn’t send the money.

The first thing to do in a case like this is to change your email password, and to do it quickly. If you’re slow about it the bad guys may change it to suit themselves and lock you out of your own account. They don’t usually do this, because a password change is something you’d notice: your Mac, your iPhone, and your iPad would stop getting mail and you’d probably figure out that something was up. The bad guys would rather you remained unaware. While you’re in the account settings, also check that the recovery email address and phone number are still yours and that nobody has added a rule forwarding copies of your mail somewhere else; those are the quiet ways of keeping a foot in the door after the password changes.

The second thing to do in a case like this is to contact me so we can go over what happened. Connecting the dots, I can figure out whether you were hacked surreptitiously or simply made a mistake and handed someone the keys to your email (as was the case here).

I checked with “whois.net” to find more info on “matchellen.com.” I found out where that site was hosted and contacted the people providing the service there, and they shut the site down quickly. Here’s what it looks like if you click the CLICK HERE link today:


(Click anywhere on the picture to go to Google’s explanation of phishing. Worth a read.) Note that while a warning has been placed on the “matchellen.com” site, the bad guys will simply move to a new server. And keep in mind that the warning doesn’t stop you from clicking “Ignore Warning” and going to the site, even now. Advice: if you see a warning like the one above, leave that site. If on a Mac I’d go as far as restarting it. If on a PC I’d shut down completely and then turn it back on. A restart won’t take back a password you already typed into the page, though; if you got that far, change that password right away. Take these warnings seriously!

If I Were You
I would not use my email password for anything but my email account. If I had two email accounts I would use different passwords for each. I know it’s a pain, but so is giving someone a master key to everything: email accounts, shopping sites, online banking, etc. Your email account is the master key because almost every other site will reset your password by sending a link to that address. It will take some work to change your passwords, but it’s for your own good and it’s definitely worth it. If your mail provider offers two-step verification, turn it on, so that a stolen password by itself isn’t enough to get in.

UPDATE: see my article about using OpenDNS to filter out phishing sites.

8 thoughts on “Don’t Fall for this Phishing Scam”

  1. Thanks for posting this for others' protection. RE/MAX is aware of this phishing attempt and looking for resolution. We believe someone is targeting various businesses with the same 'secured login' pointing to various hacked WordPress sites. I believe they have been scraping e-mails from agents and then further obtaining client contact information from those individuals who have provided their credentials unknowingly. I encourage others to post the received-from e-mail headers from phishing attempts you may receive, and report them to your mail provider as abuse.

    Here is an example:
    ———————————————–
    Received: from unknown [205.209.142.93] (HELO mx6.bizcn.com) with SMTP id(envelope-from
    );
    Return-Path:
    YmailServer-SMTP-Logined: sales@jxleiyuan.com
    ———————————————-

    Hello ,

    Check Out these properties,there are quite cheap

    (link to similar phishing site was here)

    Regards
    Mark Scuderi
    Remax.com

  2. A similar problem has happened to my mother-in-law. I received the email from her, so I told her to change her password immediately. The information from my problem is

    Hello Everyone,
    Im checking out houses in the real-estate and i'd like your opinions. Please click here to view them and let me know what you think by posting your comments on the website. You will be required to sign in so please go ahead.

    Thank

    xxxxxxSignaturexxxxx

    The link takes you to http://radioglsparty.com/remax/index.htm . I checked the whois and it is as follows:

    Domain: radioglsparty.com
    Nameserver: ns1.realhost.com.br
    Nameserver: ns2.realhost.com.br
    Created: 20110222
    Updated: 20110804

    Registrant:

    Name: Ivanildo Neres Santos
    Organization: Ivanildo Neres Santos
    E-mail: ivneres@uol.com.br
    Address: AVENIDA GUARAPIRANGA 586 BL19 AP34
    Address: 04911005
    Address: SAO PAULO – SP
    Phone: 55 11 41155175
    Country: BRASIL
    Created: 20110222
    Updated: 20110222

    Can you help me figure out what to do next?

  3. Changing the password was smart. You can contact "realhost.com.br" and tell them that someone is using their server to do scam emails– that would be of interest to the web hosting company.

    Be sure your mother-in-law avoids using her email address for anything confidential, at least for the time being. The trouble is, whoever the bad guys are, they have already had the chance to read all of your mother-in-law's email. Thus, they have a list of contacts that your mother-in-law has written to. Not good.

    Best thing: create a new email address for your mother-in-law and have her tell everyone NOT to use the old one anymore. A lot of work but that's the right thing to do.

  4. The answer to that is "no."

    There really is no "hacking" involved here. Just trickery. They are basically trying to trick you into handing over your email address (which of course is probably public knowledge) and your email password (which of course should be protected like crazy).

  5. This just happened to my mom – makes me so mad. She's changing her password immediately. Any other measures other than a new account?

  6. You have to be VERY careful here. When your mom changes her password, it will send an email to her "contact" email address saying something like this:

    "Hi Mom,

    The password for your Google Account – mom@gmail.com – was recently changed.
    If you made this change, you don't need to do anything more.

    If you didn't change your password, your account might have been hijacked. To get back into your account, you'll need to reset your password. "

    Then there will be a link to reset the password. So… IF the bad guys have gotten into the account and have changed the email address that such messages are sent to, they'll just change the password to something else. In fact they may have changed it already. This can go around in circles– Mom changes it, the bad guys reset it, Mom can't log in so she resets it, etc. Better to get a new account and start fresh.
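The headers that the first comment asks people to post can be triaged in a few lines. As an added example (mine, not the commenter’s or the blog’s), the following pulls each relay hop out of a raw message and compares the domain in the From: line with the account that actually authenticated to send it. The sample message is constructed: the IP address, HELO name and logged-in address are the ones quoted in comment 1, while the From:, Return-Path: and Subject: lines are invented for the example, and the “YmailServer-SMTP-Logined” header is treated as the provider-specific field comment 1 shows, not a standard one.

```python
"""Added example: triage the mail headers quoted in comment 1.

Not from the original post or its comments.  SAMPLE_MESSAGE is
constructed: the IP, HELO name and "SMTP-Logined" account are the ones
quoted in comment 1; the From:, Return-Path: and Subject: lines are
invented for the example.
"""
from __future__ import annotations

import email
import email.utils
import re
from email import policy

# Matches 'from <name> [<ip>] (HELO <helo>)' as written by many MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?",
    re.IGNORECASE,
)

SAMPLE_MESSAGE = """\
Received: from unknown [205.209.142.93] (HELO mx6.bizcn.com) with SMTP
Return-Path: <sales@jxleiyuan.com>
YmailServer-SMTP-Logined: sales@jxleiyuan.com
From: Remax Agent <agent@remax.com>
Subject: Check Out these properties

Check Out these properties,there are quite cheap
"""


def relay_chain(raw: str) -> list[dict[str, str | None]]:
    """One entry per Received: header, in header order (last hop first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({"name": m["name"], "ip": m["ip"], "helo": m["helo"]})
    return hops


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatch(raw: str) -> dict[str, object]:
    """Compare the visible From: domain with who really sent the mail.

    The authenticated account comes from the provider-specific
    'YmailServer-SMTP-Logined' header seen in comment 1, with the
    Return-Path as a fallback.  A mismatch is the usual shape of a
    spoofed brand mailing.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    auth_addr = str(msg["YmailServer-SMTP-Logined"] or "").strip()
    if not auth_addr:
        auth_addr = email.utils.parseaddr(str(msg["Return-Path"] or ""))[1]
    from_domain, auth_domain = _domain(from_addr), _domain(auth_addr)
    return {
        "from_domain": from_domain,
        "auth_domain": auth_domain,
        "mismatch": bool(from_domain and auth_domain and from_domain != auth_domain),
    }


if __name__ == "__main__":
    for hop in relay_chain(SAMPLE_MESSAGE):
        print("hop:", hop)
    print("sender:", sender_mismatch(SAMPLE_MESSAGE))
```

The relay IP and HELO name are what an abuse report to the hosting or mail provider needs; the From: line is what the victim sees and is freely forgeable, which is exactly why the two disagree here.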
