I recently received the following email, supposedly from MSN, is it
legitimate?
No, it’s not.
Let’s have a look at that email, and the various signs therein that tell us
that it’s not legitimate. Looking for those same kinds of things in other
emails can help you decide if something is safe, or a potential phishing
scam.
]]>
An Example of (Bad) Phishing
First, here’s the complete email:
To: *****@hotmail.com From: VIV0RB@billing.microsoft.com () Subject: Account updates!!!!! Below is the result of your feedback form. It was submitted by (VIV0RB@Billing.msn.com) on Tuesday, July 27, 2010 at 08:16:37 --------------------------------------------------------------------------- : Dear Member. We Here at MSN, are sorry to inform you that we are having problem's with the billing information on your account. We would appreciate it if you would go to our website and fill out the proper information that we need to keep you as an MSN member.Please Update your account information by visiting our updates web site below. (You may have to click on the Show content Link first). James Brady. Updates Center Account Team. msn Number.HCIDYW <br>http://msnhotmailive.tk/<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>RZAZHZ ---------------------------------------------------------------------------
An Email Chock Full of Bogus
There are many, many problems with this email. I’ll run them down from top to bottom:
-
Format: – that this message is in plain text is at least suspicious. Hotmail, MSN, Windows Live – these services, and most other, typically send email notifications in “rich text” or HTML formats. Basically, any deviation from what a service normally does should at least raise a little suspicion.
-
To: *****@hotmail.com – Most of us have display names associated with our accounts. If you do, you should expect to see that on email from the service. For example, in my case I would expect to see my name, either by itself or with the email address following in a format more like this: To: Leo Notenboom <*****@hotmail.com>.
-
From: VIV0RB@billing.microsoft.com () – this is in all likelihood a bogus address. “VIV0RB” makes no sense – normally this will either be someone’s name or a department name – something readable. Similarly I’m fairly certain that “billing.microsoft.com” doesn’t exist as a mailing address. Even if it does, the folks who run Hotmail/MSN/Windows Live don’t normally use “microsoft.com” email addresses for official notifications – they typically use addresses relating to the actual service itself. And there are never stray parenthesis “()” at the end of their email names.
-
Subject: Account updates!!!!! – The subject line is somewhat meaningless, but the biggest indicator here are the 5 exclamation points. Official business correspondence would never be that informal or use that as some way to get your attention.
-
“Below is the result of your feedback form.” – Bad grammar is always suspect in notifications like this. (If you’re not a native English speaker, ie should read something like “Below are the results of your feedback form submission.”)
-
What feedback form? – The fact that you never dealt with a feedback form should be a huge red flag.
-
“It was submitted by (VIV0RB@Billing.msn.com) on Tuesday, July 27, 2010 at 08:16:37” – this is kinda funny: this email was received before the form was supposedly submitted. Naturally, another sign of a potentially bogus email.
-
“: Dear Member.” – no idea what the “:” is doing there, it would not appear in an actual notification. If the email is supposedly for you about a specific issue with your account, then the email should name you by name, not as “Member”. Hotmail has never referred to it’s users as “Member” either. Subscribers, users, account holders … but never member.
-
“We Here at MSN …” – Microsoft has rebranded MSN as Windows Live. You should never see official email from “MSN” relating to your account. For all practical purposes, MSN doesn’t exist any more.
-
“We Here at MSN …” – multiple grammar errors, odd capitalization, odd line breaks are all great signs that this is a completely bogus email.
-
“…visiting our updates web site below.” – Asking you to click a link is a sign to be wary. The proper way to do this is to not provide a URL, but rather just instruct you to go log in to your account for more information.
-
“(You may have to click on the Show content Link first).” – instruction explicitly suggesting that you bypass your email’s anti-malware protections are suspect.
-
“msn Number.HCIDYW” – If MSN still existed it would be capitalized in any official email. MSN never had numbers. “HCIDYW” is not a number.
-
“<br><br><br>…” – A random string of HTML would never show in an official email, plain text or otherwise.
The Big Clue
http://msnhotmailive.tk/
That URL should be an immediate clue that this is a very, very bogus email.
Anyone can throw the words “msn” “hotmail” and “live” into a domain name and register it if it’s not been registered already – that doesn’t make them Microsoft, or MSN or Hotmail or Windows Live for that matter.
Also, since MSN Hotmail has been rebranded Windows Live Hotmail, MSN and Live would not appear together in a legitimate domain related to the service.
Only go to domain names that you recognize: live.com, hotmail.com, microsoft.com, msn.com. If it’s not one of those, (for something MSN, Hotmail or Windows Live related) it’s probably bogus. Know the domains that your service uses, and view all others with great skepticism.
The Biggest Clue
.tk
That domain ends in “.tk”.
From Wikipedia: “.tk is the Internet country code top-level domain (ccTLD) for Tokelau, a territory of New Zealand located in the South Pacific.”
Microsoft, MSN, Windows Live, Hotmail – or for that matter Yahoo or Gmail or whatever service you’re probably using – does not send their customers to “.tk” domains. Tokelau? I don’t think so. (No offense to the fine people of Tokelau. It’s likely that the phisher isn’t even in your territory.)
Someone registered the domain, set up a phishing site, and sent some really bad phishing emails in the hopes that you would fall for it, visit that site and then proceed to give away your real Windows Live Hotmail login information.
Don’t go there.
Not All Are This Bad
This particular example is really, really bad. Full of grammatical errors, obvious misrepresentations, clear inconsistencies with current product names, and more. It’s easy to see that this is phishing.
While many are this laughably awful, many are not.
In addition, while many of the “clues” I list above are mostly true, they are not hard and fast rules. Perhaps an legitimate official message has a typo, perhaps a service does send you to another domain that they actually do own, perhaps they really do use obscure email names like “VIV0RB”. All of those clues, and others, should be just that: clues. Clues that cause you to be suspicious. Clues that cause you to scan carefully for other clues.
Clues that, when they all add up, point to phishing.
In which case: press Delete, and get on with your life.
In fact .. Mail providers never actually send people important messages for any reason really .. you must be expecting an e-mail from your service provider to examine the message at all i think :)
I’ve gotten some very professional phishing emails. One for example was purporting to be from PayPal. It was flawless and when I clicked on the link, it sent me to a great replica of the real PayPal website. I filled in some fake log on data, and when I clicked log-in I immediately was sent to the real PayPal log-in page. This would have raised very few suspicions as the person trying to log in would most likely thing they just got their password wrong and try again. Bottom line: assume all “Official” e-mails are suspect and NEVER EVER click on a link in an “Official” e-mail.
Bank of America sends me a monthly e-mail telling me to click on a link to download my monthly statement. This is legit but stupid. I’ve e-mailed them about this warning them that they are sending a bad signal to their customers, but they, being a know-it-all multinational, ignored me. Anyway, even though I know it’s legit I still log in through a bookmark I’ve saved so as not to get into a bad habit. Let’s just hope the phishermen don’t figure out how to spoof bookmarks on your browser.
29-Jul-2010
I, being the owner of numerous domain names, get literally dozens of these e-mails, supposedly from “support@my.domain”. That makes it immediately obvious (hopefully) to anyone who owns their own domain.
You forgot to mention that many of these scams include a Windows executable, or a link to download one which, hopefully, would never be done by any legitimate provider.
Mark Jacobs… Does the bank at least give you some “personally identifiable” information in the e-mail? For example, e-mails from my bank include my full name, and e-mails from my credit card companies include my name as it appears on the card and the last 4 digits of the account number.
I recently wrote some similar articles on my blog. (I don’t think including this link is disallowed here, as it’s a single link to a related article.)
http://blog.runonfriday.com/2010/07/do-people-really-fall-for-this-part-2/
Interestingly, the first clue I spotted was “problem’s”, possessive instead of plural. I guess I am just a grammar geek.
As the first comment suggests, I make a point of filling in rubbish information when I recieve such emails. When I say rubbish, i mean something that looks credible but completely fictional.
As a trained software engineer, I was taught that there is only one thing worse than loosing data and that’s ‘Bad Data’ i.e. not knowing if your data is good. If everyone who received such emails took it upon themselves to fill in a single entry of rubbish it might make the task of spotting hacking attempts by the likes of GMail easier.
I am STILL amazed that people fall for this stuff. Simply put, if you don’t recognize the sender, you should just delete the thing. Any “real” email program will send it to the spam folder anyway. And on THAT matter, why are people STILL writing to Leo about their stupid Hotmail/Yahoo/Gmail accounts??? They’re free (you get what you pay for, so don’t use them for important email, use the email that your ISP provided you for important email (which ISP doesn’t provide at least 7 email addresses nowadays)). There is NO customer support with free services, so why should Leo continue to waste his time answering the SAME questions week after week??? How do some people make it through the day??? lol.
What Leo didnt mention -is if you get an email like this that is suspicious, you should call your bank -or use your own link for your bank -or whatever company the msg. is supposed to be from. They will set you straight as to whether the email msg. is a fraud -or not.
LOL!!!!!
Forgive me the laughter. But I literally laughed out loud, because I could tell — just from the title — that this E-Mail was totally bogus. LOL!!!!!
It’s the exclamation marks what give it away, dude.
Nobody, and I do mean nobody, sending a serious business E-Mail, is going to send a subject line with five exclamation marks in it… like, LOL!!!!! :)
Your response to this rather clumsy phishing expedition is amusing, but it does not address my concern: If I receive an e-mail request from an organization that I really do business with, and it appears to have no grammatical or formatting errors, should I respond to it? These phishers will, eventually learn how to write well. Should I simply ignore e-mail messages form my financial institutions?
In summary: never click a link in or reply to email unless you’re positive it’s legit.
09-Aug-2010
It’s amazing how many people STILL do not understand Rule One.
For the uninitiated, it’s simple:
Rule One: NEVER, ever, click on the ‘link’ in an email supposedly from your bank, credit union, building society, ISP, email provider or ANYONE who is asking for your details, passwords or any other security information to be confirmed.
If you think there may be a chance that it’s real, go to the company’s website by typing in the URL, by hand, yourself – the one you always use, not by copying the one in the email (some people ARE that dumb) – then if you want to change your information you can do so. When you get there, look up how to report a spoof or phishing email, then do it.
Remember, legitimate organisation will NEVER ask you to supply security information, and will NEVER ask you to follow a link to do so; they may advise you to login to their site and update your information, but never by following a link.