
BMW phishing

Rolfe

Just found the following in my inbox. This is one I haven't heard about before. The domains seem to be right - both bmw.co.uk and bmw.com are genuine domains belonging to the Bayerische Motoren Werke. So, assuming that I haven't just won a fortune in a competition I have no recollection of entering, how does the real geek spot that it's a scam? (Well, apart from the fact that they can't spell "lottery".) And given that they haven't asked me for either money or bank details, what's in it for the scammers?

Rolfe.

THE INTERNATIONAL AWARENESS
Ellesfield Avenue Bracknell RG12 8TA,
United Kingdom. Phone:, +44 7024079542
Fax:, +44-7024-079542.
Reference Number: BMW:2551256003/23
!!!CONGRATULATION YOU ARE A WINNER!!!.
The Board of Directors, members of staff and the International Awareness
Promotion Department of the BMW Automobile Company, wishes to congratulate
you on your success as the STAR PRIZE WINNER in this years'BMW Automobile
International Awareness Promotion (IAP) held in may/june 2007,in United
kingdom.
This makes you the proud owner of a brand new BMW 5 Series, M Sport Saloon
car and a prize of Five Hundred and Fifty Thousand (550,000) pounds.
The car comes with a special BMW Insurance Cover for one whole year
warranty,that is, till the next promotion in may/june 2008. It also comes
with a one year warranty and FREE repairs at any BMW AUTOMOBILE depot or
service station worldwide. As a winner you are responsible for the legal
charges for the notarization such as documentation Shipment Fees.
DESCRIPTION OF PRIZE VEHICLE.
YEAR: 2006, MODEL: 530i M Sport Saloon The selection process was carried
out through random selection in our Computerized Email Selection System
(C.E.S.S.) from a database of over a
millione mail addresses from the world wide web. Each email address was
attached to a ticket number and your email address with ticket number:
5647600545188 and serial number: BMWP/556543450906was randomly selected as
the star prize winner amongst other consolation prize winners.
For you to collect your prizes, kindly fill the verification form below
and send it to the Claims Manager, Mr.Eddy Van Bakker of our claims
department through email,stating your receipt of this notification. He has
been mandated to offer you assistance and facilitate the urgent delivery
of your prizes,Kindly reply to the e-mail below.
Claims Manager:
Mr. Eddy Van Bakker.
BMW Claims Department
EMAIL:bmw.automobilesclaims@yahoo.co.uk
TEL: +44 7024079542
VERIFICATION FORM:
1.) NAME
2.) SEX:
3.) PRESENT ADDRESS:
4.) PRESENT ZIP/POSTAL CODE:
5.) PRESENT STATE/PROVINCE:
6.) PRESENT COUNTRY:
7.) PRESENT PHONE:
8.) OCCUPATION/POSITION:
9.) COMPANY:
10.) EMAIL ADDRESS:
11) AGE:
Congratulations once more,and keep trusting BMW Automobile for top quality
automobiles.
Engr.Peter M. Reed
DIRECTOR OF PROMOTIONS,
INTERNATIONAL AWARENESS PROMOTIONS,
BMW AUTOMOBILE.
THE BMW INTERNATIONAL AWARENESS PROMOTION
COPYRIGHT ©2007. ALL RIGHTS RESERVED
www.bmw.co.uk


----------------------- Internet Header --------------------------------
Sender: bmw.automobile.lottory@bmw.com
Received: from host.m7tango.net ([65.254.48.10])
etc....
 
well, you are to reply to bmw.automobilesclaims@yahoo.co.uk, which is the major giveaway.

As for what is in it for them, I'd guess "As a winner you are responsible for the legal charges for the notarization such as documentation Shipment Fees."

And then the rest of the grammar and typos reflect the usual Nigerian scam.
 
A couple of clues, one the return e-mail address is bmw.automobilesclaims@**yahoo.co.uk**
(my bold), the second is that they only offer you one congratulation, BMW would have offered you at least 2 congratulations ;)

There are several things the scammers could get, some may just be looking for personal information to sell on to other scammers/spammers, including confirmation that your e-mail address is real. The other possibility is that if you responded to this e-mail they may start asking you for "prize claimant fees" or "upfront taxes".
 
As a winner you are responsible for the legal
charges for the notarization such as documentation Shipment Fees.


Leaving aside the fact that documentation and shipment fees are not notarization and that documentation shipment fees are more commonly known as a postage stamp, you don't expect to get your BMW before you pay these fees, do you?
 
I find it odd/neat that the email header includes a real address, while the message itself has the yahoo address. That right there though is a tipoff, because obviously if you replied to the header, they wouldn't get the mail.

Of course, it is a trivial exercise to spoof the email header*, but still, I haven't come across that often.

*: I had to write an email spoofing application a couple of years ago at university. I then used it to spoof the registrar so that I could mail myself a fake schedule to prove I had dropped a class so I could return a book. I had purchased the book the day before, and it was still wrapped in plastic, but they wouldn't let me return it without proof. :D It was the most useful thing I had ever written.
 
well, you are to reply to bmw.automobilesclaims@yahoo.co.uk, which is the major giveaway.

As for what is in it for them, I'd guess "As a winner you are responsible for the legal charges for the notarization such as documentation Shipment Fees."

And then the rest of the grammar and typos reflect the usual Nigerian scam.
The fact that the contact number (+44 7024079542) is for a mobile phone is another giveaway.


Now I hadn't actually noticed either the yahoo email address or the mobile phone number. I just saw the legit address in the email header, and the www.bmw.co.uk at the bottom of the letter. (I was looking in the email header for the sender's address, but obviously they managed to spoof that). The fact that they've used the international dialling code is quite a cute way of obscuring that it's a mobile number though. In fact I didn't look that closely, and just assumed they'd used BMW's real postal address and phone number. I wonder what you'd get if you called that number!!

Yes, I'd realised about the "shipping charges", I guess that's the scam. That and getting details I suppose. I thought actually that the grammar and spelling of this one were streets ahead of the usual examples though, so I wonder if they'll fool some people.

The sheer size of the prize on offer, for a competition one doesn't actually have to enter, surely should be enough to alert people though. And the fact that they actually ask you for your name! And why shouldn't they pay the shipping costs if they're going to pay the insurance and give you half a million cash on top of it!

I wonder if BMW knows about this?

Rolfe.
 
One other blatant give away.

Would BMW give away last year's models? Not as a special customer appreciation promotion, they wouldn't.

Obviously it's been circulating for a year or more and the scammers are too lazy to update it.
 
Similar to this one, which I got the other day. This one is a bit more blatant, as it specifies MONEY! w00t!

I've bolded the "Hmmmm..." points that I could find:

UK INTERNATIONAL LOTTERY
PO BOX 1011
LIVERPOOL, L70 1NL
UNITED KINGDOM.
FROM: THE DESK OF THE PROMOTIONS MANAGER,
INTERNATIONAL PROMOTIONS/PRIZE AWARD DEPARTMENT,
REF: EKS255125600304 AND BATCH NO: 54/1017/I
AWARD NOTIFICATION
We are pleased to inform you of the announcement today, 8th of July,
2007 of winners of THE UK INTERNATIONAL LOTTERY PROGRAMS held on 7th of
July 2007 as part of our second quarter of the year bonanza.
You have won the UK International lottery; your ticket number
034-1416-4612 750, with serial number 6521-11 drew the lucky numbers
31-51-22-24-39-43, and
Consequently won the lottery in category C.
You have therefore been approved for a lump sum pay out of US$1.2Million
in cash credited to file REF: EKS255125600304. This is from total prize
money of
US$16,800,000.00 shared among 14 winners
in this category. All participants were selected through a computer
balloting system drawn from 25,000 names from Middle East, Asia, Africa,
Canada, Europe and North America and Oceania as part our International
Promotions Program, which is conducted annually.
CONGRATULATIONS!
Your fund is now deposited with EQUITY INVESTMENT LIMITED, a finance company,
insured in your name. Due to the mix up of some numbers and names, we ask
that you keep this award strictly from public notice until your claim has
been processed and your money remitted to your account. This is part of
our security protocol to avoid double claiming or unscrupulous acts by
participants of this program.
We hope with a part of your prize, you will participate in our end of year
high
Stakes US$1.3 billion International Lottery.
To begin your claim, please contact your claims agent;
MR. PAUL CHARLES
EQUITY INVESTMENT LIMITED,
132 BLACKBURN ROAD,
BOLTON BL7 9RP ENGLAND,
UK.
TEL:447031901944
EMAIL: equitylondon@hotmail.com
for due processing and remittance of your prize money to a designated
account of your choice.
Remember, you must contact your claim agent immediately, if you do not
contact then, all funds will be returned as unclaimed. All correspondences
to MR. PAUL CHARLES, should be sent by email, and must have this EMAIL
sent along with it and also, your FULL ADDRESS, YOUR COUNTRY OF RESIDENCE
and your EMAIL ADDRESS to which this email is sent, should be clearly and
BOLDLY WRITTEN IN YOUR RESPONSE with your claims agent.
NOTE: In order to avoid unnecessary delays and complications, please
remember to
quote your reference and batch numbers in every correspondences with your
agent. Furthermore, should there be any change of your address, do inform
your claims agent as soon as possible.
Congratulations again from all our staff and thank you for being part of our
Promotions program.
Sincerely,
SHIRLEY JENSEN.
THE PROMOTIONS MANAGER,
THE INTERNATIONAL LOTTO UK
N.B. Any breach of confidentiality on the part of the winners will result to
Disqualification. Please Contact your claim agent at: equitylondon@hotmail.com

And one other thing: Why would a UK lottery pay out in dollars?
 
If you look up the details of the SMTP protocol, you'll see just how easy it is for anyone to send a mail which appears to come "from" anyone@anywhere.org. The entire system is built on trust. This was probably valid back in 1969, but since then you no longer need Top Secret clearance to use the Internet. :)
 
You can get some idea of where a message actually originated by looking at the raw headers. Here's an example from an actual spam I received today:
Code:
Received: from mycompany.com ([3.0.0.195]) by dinobot.mycompany.com with Microsoft SMTPSVC(6.0.3790.0);
	 Sun, 15 Jul 2007 01:24:34 -0400
Received: from powerpipe.mycompany.com (powerpipe.mycompany.com [3.0.0.4])
	by mycompany.com (8.12.11/8.12.11) with SMTP id l6F5MMWJ021530
	for <grmcdorman@mycompany.com>; Sun, 15 Jul 2007 01:22:23 -0400 (EDT)
Received: from dandi.mycompany.com ([1.1.1.1])
 by powerpipe.mycompany.com (SAVSMTP 3.1.3.37) with SMTP id M2007071501241415895
 for <grmcdorman@mycompany.com>; Sun, 15 Jul 2007 01:24:14 -0400
Received: from olnrnpbe (d3-87.rb2.jax.centurytel.net [69.29.154.87] (may be forged))
	by dandi.mycompany.com (8.13.8/8.13.8) with SMTP id l6F5Muiu023781
	for <grmcdorman@mycompany.com>; Sun, 15 Jul 2007 01:22:56 -0400 (EDT)
Message-ID: <000701c7c69f$d771af00$0100007f@lkbtb>
Date: Sat, 14 Jul 2007 22:22:23 -0900
From: "Henry Morris" <so-able.com@paybyescrow.com>
To: <grmcdorman@mycompany.com>
Subject: Buy OEM Software
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.2600
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.0000
X-Greylist: Delayed for 00:11:54 by milter-greylist-3.0 (dandi.mycompany.com [204.92.193.26]); Sun, 15 Jul 2007 01:22:57 -0400 (EDT)
Return-Path: barcoding.com@nightillusions.com
X-OriginalArrivalTime: 15 Jul 2007 05:24:35.0062 (UTC) FILETIME=[6E47E160:01C7C6A0]
(names and IP addresses of my company changed to protect the innocent).

What's of interest in the message is the Received: lines. When an e-mail is sent through the internet, it's forwarded through a series of computers ("relays") from the originator until it reaches the computer you get your mail from (not your computer, by the way, unless you're a networking geek).

Each of these computers adds a 'Received' line giving its name and address. So you can peel these lines off one by one to trace the message backwards until you reach the first one - or until you reach an impossibility, because spammers often create the message with a few, initial, faked 'Received' lines.

In this case, the first 'Received' line is:
Code:
Received: from mycompany.com ([3.0.0.195]) by dinobot.mycompany.com with Microsoft SMTPSVC(6.0.3790.0);
	 Sun, 15 Jul 2007 01:24:34 -0400
dinobot.mycompany.com is an internal mail server in my company, and the machine my mail program connects to to get my mail. Its internal address (on our network) is 3.0.0.195. It says it got the message from mycompany.com, which has an address of 3.0.0.195. That's also an internal server address.

The second line is:
Code:
Received: from powerpipe.mycompany.com (powerpipe.mycompany.com [3.0.0.4])
	by mycompany.com (8.12.11/8.12.11) with SMTP id l6F5MMWJ021530
	for <grmcdorman@mycompany.com>; Sun, 15 Jul 2007 01:22:23 -0400 (EDT)
This is the internal server, mycompany.com, receiving the message from powerpipe.mycompany.com - which is, again, a server in my company. Its internal address is 3.0.0.4.

The third line is still my company servers:
Code:
Received: from dandi.mycompany.com ([1.1.1.1])
 by powerpipe.mycompany.com (SAVSMTP 3.1.3.37) with SMTP id M2007071501241415895
 for <grmcdorman@mycompany.com>; Sun, 15 Jul 2007 01:24:14 -0400
Here, powerpipe.mycompany.com is saying it received the message from dandi.mycompany.com (which, again, belongs to my company). (I'm not sure what the SAVSMTP is, by the way).

Finally, the last line is paydirt:
Code:
Received: from olnrnpbe (d3-87.rb2.jax.centurytel.net [69.29.154.87] (may be forged))
	by dandi.mycompany.com (8.13.8/8.13.8) with SMTP id l6F5Muiu023781
	for <grmcdorman@mycompany.com>; Sun, 15 Jul 2007 01:22:56 -0400
This is the machine in my company which actually connects to the Internet. It's saying it got the message from a machine which called itself olnrnpbe, and this machine had an address of 62.29.154.87. If we look up what 69.29.154.87 actually corresponds to - using ip-lookup.net, for example, we get d3-87.rb2.jax.centurytel.net. (This was actually done by the dandi.mycompany.com server, by the way, hence the '(may be forged)' - which is exactly the case.)

d3-87.rb2.jax.centurytel.net, by the way, according to ip-lookup.net, is: CenturyTel Internet Holdings, Inc.
100 CenturyTel Drive
Monroe, LA
71201
USA

So presumably they've got a compromised machine there.

If you can do a view source or view full headers or something similar with your mail program, you can do the same thing. Virtually all spam will start showing inconsistencies in the Received: line; either the name given won't match the real name at all, or won't match the address of the sender (here, paybyescrow.com - which turns out not to be real at all, according to ip-lookup.net).

It's also interesting in this message that the supplied 'From:' ("Henry Morris" <so-able.com@paybyescrow.com>) doesn't match the 'Return-Path:' (barcoding.com@nightillusions.com). The latter is where your e-mail program is supposed to send replies to the message. nightillusions.com, by the way, does exist.
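The hop-by-hop tracing described in the post above, as an added example (not the poster's code): it unfolds the raw headers, peels the Received: lines top-down until a hop's "by" no longer matches the previous hop's "from", and reports the apparent origin together with the giveaways the post lists (the "(may be forged)" flag, a HELO name that differs from the reverse DNS, and a From: domain that differs from the Return-Path:). SAMPLE is a constructed abridgement of the headers quoted above; the chain-consistency rule is a heuristic, not an RFC requirement.

```python
# Added example (not the poster's code). SAMPLE is a constructed abridgement of
# the headers quoted in the post; the "by must equal previous from" rule is a heuristic.
import re

SAMPLE = """\
Received: from powerpipe.mycompany.com (powerpipe.mycompany.com [3.0.0.4])
\tby mycompany.com (8.12.11/8.12.11) with SMTP id l6F5MMWJ021530
Received: from dandi.mycompany.com ([1.1.1.1]) by powerpipe.mycompany.com (SAVSMTP 3.1.3.37) with SMTP id M2007071501241415895
Received: from olnrnpbe (d3-87.rb2.jax.centurytel.net [69.29.154.87] (may be forged))
\tby dandi.mycompany.com (8.13.8/8.13.8) with SMTP id l6F5Muiu023781
From: "Henry Morris" <so-able.com@paybyescrow.com>
Return-Path: barcoding.com@nightillusions.com
"""

# One hop: "from <helo> (<rdns> [<ip>] (may be forged)) by <server>"; rdns and the forged flag are optional.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)\s+by\s+(?P<by>\S+)")

def unfold(raw):
    """Join folded continuation lines; return (name, value) pairs in header order."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:   # continuation of the previous header
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [tuple(l.split(":", 1)) for l in lines if ":" in l]

def hops(raw):
    """Received: hops, newest first (the order they appear in the message)."""
    found = (HOP.search(v) for n, v in unfold(raw) if n.lower() == "received")
    return [dict(m.groupdict(), forged=bool(m.group("forged"))) for m in found if m]

def domain(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def analyze(raw):
    """Peel hops top-down; stop where a hop's 'by' is not the previous hop's 'from'."""
    chain, origin, consistent = hops(raw), None, True
    for i, h in enumerate(chain):
        if i and h["by"].lower() != chain[i - 1]["helo"].lower():
            consistent = False      # a faked Received: line usually shows up here
            break
        origin = h
    if origin is None:
        raise ValueError("no parsable Received: header")
    hdr = {n.lower(): v for n, v in unfold(raw)}
    fd, rp = domain(hdr.get("from", "")), domain(hdr.get("return-path", ""))
    return {"origin_ip": origin["ip"], "origin_helo": origin["helo"],
            "origin_rdns": origin["rdns"], "may_be_forged": origin["forged"],
            "helo_mismatch": origin["rdns"] not in (None, origin["helo"]),
            "chain_consistent": consistent, "from_domain": fd,
            "return_path_domain": rp, "envelope_mismatch": fd != rp}
```

Running `analyze(SAMPLE)` stops at the centurytel.net hop, the same place the post does by hand; a faked hop appended below it would show up as `chain_consistent: False` with the origin unchanged.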
 
d3-87.rb2.jax.centurytel.net, by the way, according to ip-lookup.net, is: CenturyTel Internet Holdings, Inc.
100 CenturyTel Drive
Monroe, LA
71201
USA

So presumably they've got a compromised machine there.

CenturyTel is an Internet service provider. My guess is that the machine which sent the spam is a compromised PC sitting in the study of a home in the Jacksonville area, where the owner gets his or her Internet access from CenturyTel.
 
One other blatant give away.

Would BMW give away last year's models? Not as a special customer appreciation promotion, they wouldn't.

Obviously it's been circulating for a year or more and the scammers are too lazy to update it.


Well, in that case I won't bother to forward it to BMW - they probably already know all about it and don't care.

I get the full internet headers at the end of every message. I imagine careful scrutiny of the lot would be instructive. Yawn! But I still think this was one of the better efforts I've seen. I wonder how many they fooled?

Rolfe.
 
International Awareness Promotion Department A ridiculously awkward name for a department in a major corporation.

BMW Automobile Company How hard would it have been to use the company's correct name?
 
Does your actual name appear anywhere in the body? If not, it's likely a phish.

I'll bet a donut the message starts with "Dear rolfe@youremail.com..." instead of your actual name.

I send to the dumpster anything whose message body starts with, "Dear BPSCG@myemail.net..." or "Dear Valued Customer..." You don't know my name, but you want me to validate my account/claim a car? Yeah, right.
 