How to check out fraud emails
Posted by The Technocrat | Filed under Geeky
So I got an email today from “JPMorgan Chase”. Thunderbird marked it as a possible scam. Let’s check it out:
Dear JPMorganChase Customer,
Due to recent fraudulent activities on some of our online accounts we are launching a new security system to make Chase online accounts more safe and secure. In order to protect your information against unauthorized access, identity theft and account fraud we earnestly ask you to renew your account.
To renew your account go to Customer Center.
Please note that you will not be asked for sensitive information like routing numbers and/or PIN numbers. Beware those sites that ask you for this particullary informations.
Also note that your account was suspended for security reasons until you renew it by proving that you are the rightful owner.
Regards,
Account Renewal Team.
ABOUT THIS MESSAGE
This message was delivered to you as a Chase credit card customer to provide you account updates and information about your card benefits. Chase values your privacy and your preferences. Your personal information is protected by state-of-the-art technology. For more detailed security information, view our Online Privacy Policy. To request in writing: Chase Privacy Operations, 451 Florida Street, Fourth Floor, LA2-9376 Baton Rouge, LA 70801.
If you wish to unsubscribe from e-mail promotional messages from Chase, click here.
Please note that you will continue to receive service related e-mail messages that directly concern your existing Chase products and services. Please allow up to ten business days for us to process your request.
Please do not reply to this message as the “reply” function is not equipped to handle customer service inquiries.
This email was sent to: @gmail.com
© 2006 JPMorgan Chase & Co.
The first thing I’m going to look at is the links:
‘Customer Center’ is linking to:
http://38.113.128.24/0/JPMorganChase/sso_form.php?cmd=login&fromLoc=ALL&LOB=COLLogon
‘click here’ (unsubscribe) is linking to:
http://email.chase.com/W1GH054F863E5C29D5C3632ED04110
The email link is pointing to my own email address, apparently so I can email myself if I wish.
So let’s take a look at the first link. I’ll try to surf to 38.113.128.24. No go, that’s not a good sign. So we’ll look up who owns that IP address with ARIN. They come back with ‘Performance Systems International, Inc.’:
OrgName: Performance Systems International Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
I can also see that they control the IP address range from 38.112.0.0 to 38.119.255.255. That’s over 500,000 public IP addresses, which makes it seem like they’re an ISP, since no normal business would have that many addresses, save for someone like Google.
Alright, so it’s looking like this email came from someone’s machine on an ISP’s network. It’s possible that Chase is using this ISP, although unlikely. Let’s look up Chase’s info:
NetRange: 159.53.0.0 – 159.53.255.255
CIDR: 159.53.0.0/16
NetName: BANKONE-159-53
NetHandle: NET-159-53-0-0-1
Parent: NET-159-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.JPMORGANCHASE.COM
NameServer: NS2.JPMORGANCHASE.COM
NameServer: NS05.JPMORGANCHASE.COM
NameServer: NS06.JPMORGANCHASE.COM
Alright, so now I know something is up. If the email had come from Chase, it would have links in the body to jpmorganchase.com, chase.com, or an IP address in their own range, which is in Columbus, Ohio, not the IP that was listed, which is assigned to an ISP in Washington, DC.
So where did the email come from? In Thunderbird, I open up the email and select view > headers > all. Then I get all of the information on how this email got to me. Here are a few interesting lines:
Return Path: bill@kahless-ro.org
Received: from kahless-ro.org (wsip-24-234-125-84.lv.lv.cox.net [24.234.125.84])
X-Mailer: PHP v4.4.6
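The two checks walked through above by hand (where the body links really point, and which client IP the Received header records) can be scripted. The following is an added example, not code from the original post, that runs them over a constructed copy of this email using only Python’s standard library; the From address is an assumption, since the post does not show it.

```python
import email
import re
from email import policy, utils
from urllib.parse import urlparse

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

# Constructed sample using the headers and links quoted in the post; the From
# address is an assumption (the post does not show it).
RAW = b"""Return-Path: <bill@kahless-ro.org>
Received: from kahless-ro.org (wsip-24-234-125-84.lv.lv.cox.net [24.234.125.84])
From: "JPMorgan Chase" <alerts@chase.com>
X-Mailer: PHP v4.4.6
Content-Type: text/html

<p>To renew your account go to <a href="http://38.113.128.24/0/JPMorganChase/sso_form.php?cmd=login&fromLoc=ALL&LOB=COLLogon">Customer Center</a>.</p>
<p><a href="http://email.chase.com/W1GH054F863E5C29D5C3632ED04110">click here</a> to unsubscribe.</p>
"""

def suspicious_links(msg, brand_domains):
    """Flag hrefs whose host is a bare IP literal or lies outside the brand's domains."""
    part = msg.get_body(preferencelist=("html",))
    flagged = []
    for url in HREF_RE.findall(part.get_content() if part else ""):
        host = (urlparse(url).hostname or "").lower()
        if re.fullmatch(IPV4, host):
            flagged.append((url, "bare IP address instead of a hostname"))
        elif not any(host == d or host.endswith("." + d) for d in brand_domains):
            flagged.append((url, "host outside brand domains"))
    return flagged

def origin_ip(msg):
    """Client IP from the earliest Received header (MTAs prepend, so it is the last one)."""
    received = msg.get_all("Received", [])
    m = re.search(r"\[(" + IPV4 + r")\]", str(received[-1])) if received else None
    return m.group(1) if m else None

def sender_mismatch(msg):
    """Return (Return-Path domain, From domain) when envelope and header sender differ."""
    rp = utils.parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    fr = utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return (rp, fr) if rp != fr else None

def triage(raw=RAW, brand_domains=("chase.com", "jpmorganchase.com")):
    """Run the checks the post does by hand and collect the findings in one dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"links": suspicious_links(msg, brand_domains), "origin_ip": origin_ip(msg),
            "sender_mismatch": sender_mismatch(msg), "mailer": str(msg.get("X-Mailer", ""))}
```

On a real message, feed the raw source (Thunderbird’s “View Source”) to `triage()`; the origin IP it returns is the one to look up in ARIN, as the post does next.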
Mmkay. That’s not Chase. kahless-ro.org is a web site about some Star Trek Klingon fan club in Las Vegas. The maintainer of the site is seq’dogh, er, I mean Daniel Davidson, but that’s not really important. Cox.net is an ISP, so this guy probably just has a machine in his house and is using it as a web server for his club. Opening up a command prompt and giving it a tracert 24.234.125.84 shows that the route between me and the, er, Klingons goes from my local router, to my ISP’s router, to a connection in downtown Chicago, to Los Angeles, to Las Vegas, then back down through local routers to the web server. I can even scan the web server to get an idea of what it’s set up to do with a port scanner. I get the following ports that the server is actively listening on:
TCP: 24.234.125.84 [21-ftp]
TCP: 24.234.125.84 [25-smtp]
TCP: 24.234.125.84 [22-ssh]
TCP: 24.234.125.84 [23-telnet]
TCP: 24.234.125.84 [53-domain]
TCP: 24.234.125.84 [110-pop3]
TCP: 24.234.125.84 [80-www-http]
TCP: 24.234.125.84 [111-sunrpc]
TCP: 24.234.125.84 [143-imap]
TCP: 24.234.125.84 [587-submission]
Port 25 tells me this machine can send email. Port 111 tells me this is a Sun-based Linux or UNIX system that is advertising its ports and services (security problem!). Port 587 is open to accept email submission.
Basically, what this seems to be is what’s called a ‘mail relay’. The Klingons probably don’t know it, but someone most likely has access to their web server (Port 111), and the server is set up to accept scam emails on port 587, and send them out through the normal SMTP port.
Taking a wild guess here, but the website is in HTML, and the email was sent via PHP. If the web server owner doesn’t have PHP installed, they might want to check again… It’s possible that someone broke into this older UNIX-based machine and installed PHP. If I were a scam-email-sender, I would have the server set up to receive a list of email addresses and bogus email content, then have the server send out the emails for me. This would require some scripting, hence the PHP.
In any case, I think we’ve found the problem. This machine (or more likely, the machine’s router/firewall) is not locked down properly, and someone is using that vulnerability to send scam emails. The idea would be that I would go to the fake web page listed in the email, it would look just like a normal Chase web site, I would enter in my Chase username and password, and they would then have it to do with as they wished…
On the other hand, there might be someone with the address bill@kahless-ro.org with some malware on his machine. In this case, it’s a legitimate user that’s “sending” these emails. Definitely a possibility these days, as spyware is on pretty much every machine… Only way to fix this is to make sure the machine is clean. Have you scanned yours lately?
So let’s let our Klingon friends know that they are an open relay. There’s not much we can do about someone’s machine being infected; they just need to clean it:
To: seqdogh@kahless-ro.org
Subject: Hello!
Body: I wanted to let you know that I received a JPMorgan Chase scam email from your web server. You might want to look into it. Maybe we can get it fixed? I’ve posted my findings in a tutorial here. Thanks, Dan
Well, that’s boring. I’ll send this instead:
To: seqdogh@kahless-ro.org
Subject: Transmission error
Body: Attention Klingon of sector ‘Las Vegas’. This is Captain Dan of the Federation Starship Technocrat. We have received a transmission from your coordinates which we believe to have originated from the Borg alliance. We are sending a report from Engineering as to this infestation. We request your assistance in dealing with this matter by stardate -317215.75. Captain Dan out.
I hope they don’t think I’m a nerd…
March 17, 2006 at 1:34 pm
A few hours later, and port 587 is closed! See people, this is how you do it.
You don’t need spamcop, you don’t need legislation. Just learn what to look for, and contact the people yourself.
In most cases, the people don’t even know they’re being used. Sometimes they’ll thank you for taking the time to write them, and not just reporting them as a spammer. Sometimes they’ll give you an attitude because they’re embarrassed. Sometimes you won’t hear back from them at all. Either way, if they fix the problem, that’s one less machine on the internet that is enabling spammers and con artists.
March 21, 2006 at 6:13 pm
Hi
I’m interested to see you’re moving over to blogger. I’ve just moved away to an open source .NET platform called presstopia (i don’t work for them). http://www.presstopia.com
While I can see some of the reasons why, I can also see many reasons why not. e.g. your delicious tags are getting bigger and have started moving your homepage around.
I had problems like this on blogger, plus no real trackback functionality and no RSS on the free platform. What extra features do you feel blogger gives that have prompted the move?
March 24, 2006 at 12:11 pm
Hi Chris! Thanks for commenting. Sorry it’s taken me a bit to get back to you. As you can see, the tags are fixed, it was a layout problem on my part. You can limit the tag sizes very easily, as I have done, so it shouldn’t be a problem in the future – I just set them to all be 15px.
As far as other reasons, I’ve been swamped lately, but will definitely be posting very comprehensively on the move back to blogger. Stay tuned!
May 12, 2009 at 3:28 pm
I saved this page to my favourites
March 11, 2010 at 1:30 pm
Just landed on this place via Google search. I love it. This post switched my perceptual experience and I am fixing the RSS feeds. Cheers up.