Another in the Scams and Spam series.
This one showed up in the moderation queue. That happens when a new name or IP or name / IP combo shows up. (Why some of you who are ‘white listed’ can find a comment in moderation… something changed your IP#, like going on vacation with your router shut off, then the DHCP times out and on return you get a new number…)
So I can’t just “toss them”…
This one I’d put in the category of “suspicious address construction” along with “mindless comment”. There are many that are “mindless comments”, but most of them end up in the SPAM bucket as enough folks tagged it that the WordPress SPAM filters are already killing them. So, for example, on a posting about “cars” you get a comment about the benefits of cold cream for your complexion, or the more generic (often with poor grammar and diction) gratuitous compliment (or inquiry) about something generic. Clearly made to almost sort of fit all sorts of topics, but not referencing any.
So first up, we look at the name. “Candida Pfeffer” Really? A yeast and German Pepper? Then the email return address has “James”(and some crap). OK, maybe “James” is using a “cute” net handle… but the warning flag goes up:
Sorry to say, but gmail addresses are their own minor flag. Yes, many fine folks use them (including some in my family) but they are a bit of a yellow flag. So we look a little. Searching on “Candida Pfeffer” (with the quotes so as to remove all the references to yeast infections) doesn’t find anything. It’s an odd person that has NO tracks left in the world’s search engines. Moving on to the email address also returned no hits on duckduckgo. Even Google, who ought to know, didn’t find “him”:
Did you mean: james firstname.lastname@example.org
Your search – email@example.com – did not match any documents.
Gee, fake name, fake email address, and wants me to click a link… Where’s that IP located?
[me@ARCH_pi_64]# nslookup 18.104.22.168
22.214.171.124.in-addr.arpa name = dsl.126.96.36.199.pldt.net.
So a DSL user. Older telco somewhere?
Then search on pldt.net. and what do you get?
Philippine Long Distance Telephone Company
The Official Website of PLDT™ – The Philippine Long Distance Telephone Company is the leading telecommunications provider in the Philippines.
So someone in the Philippines is using a fake name and probably bogus email address to get me to “click a link”…
Now lets look at the body of the message (I’ve broken the http link):
Nice commentary ! For what it’s worth if people require a OH STEC B , my colleagues edited a blank form here
Now this was in “tips”, so right off the top we know it is clueless about the context. The very overly generic “nice commentary” falls into that “gratuitous compliment spam flag” and another flag goes up. Then a cryptic reference to an OH STEC B. A search on that gives:
Ohio Blanket Exemption Certificate – SalesTaxHandbook
Printable Ohio Blanket Exemption Certificate (Form STEC-B), for making sales tax free purchases in Ohio.
Gee, an Ohio Sales Tax form. So a very narrow pitch, but this spam / scam is broadcast widely and indiscriminately. OK… I ‘accidentally’ hovered over the link and the browser popped a popup window (it does that, against my will, and Yet Another Crap Feature I’ve not learned how to turn off… yet…) That mini-window showed something like a dialog box with PDF and “prove you are a human” prompt. Likely where the phishing begins. IFF you click anything, that can set off all kinds of malware attacks on your box. Or maybe they just start asking you things like your name and address. Who knows. (I’m not going to find out unless I boot a “disposable system image” to explore it, as ANY touch of that page will mean a scrub of the box doing the touching. (Why I like multiple systems and the ability to ‘reset’ a system image in BerryBoot ;-)
For a forensics effort, you would do exactly that. From a secure sandbox (preferably on an isolated network – I’d boot up my WiFi Hotspot and use it so at most they get the generic IP of a telco) boot a disposo system and click the link. Gather intel, and when done, ERASE EVERYTHING ON THAT SYSTEM IMAGE.
But I don’t care enough to do that. This isn’t a forensics run, just a SPAM preening. I already had enough to toss it at the address issues…
Oh, and that goo.gl address? .gl is Greenland. It is being made to look sort of like Google, but is missing an ‘e’ at the end. From a simple search on “.gl domain”:
.gl – Wikipedia, the free encyclopedia
.gl is the country code top-level domain (ccTLD) in the Domain Name System of the Internet for Greenland. The domain is available for Internet services worldwide and …
Domain hack – Wikipedia, the free encyclopedia
A domain hack is a domain name that suggests a word, … 2009 Google launched its own URL shortener under the domain goo.gl using the country code top-level domain …
So it is a legitimate URL shortener, being “cutesy”, but hiding where the link really goes. Again, if I cared enough I could fish out the real URL, but that would require I boot my sandbox…
And folks wonder what I’m doing when I don’t approve their comments fast enough or answer the email in minutes ;-)
With this one done, I’m back to cleaning out the Moderation, Spam, and Deleted queues…
(Yes, when you delete things they go to the deleted queue where you get to really really delete them… Ah, WordPress…)