A couple of students have recently been targeted in what I’m assuming is a ‘make lots of money working only a few hours a week’ scam. The students who passed the info along to me were contacted individually (though not by name) by a person claiming to have part-time work available that can be done from home or college. It’s a pretty vague message, but it is not an obvious mass mailing, which can make it seem more legit.
One helpful student, on applying for further information, found out a bit more about the job: ordering mailing supplies ‘like envelopes and files’ for ‘agents in the UK’ who will email you and let you know when to order materials for them (see below).
My suspicion is that you would be told only to order from a specific ‘supplier’ – a web site that is either owned by the scammer or that has been hacked to get your credit card details. I suspect it’s a long-term scam in that you would be told that your salary and the sum of your own money spent ordering these supplies will be refunded to you… and then, the next month, ‘Oh, sorry, we’re having trouble with the HR office. Don’t worry, it’ll all be refunded next month!’, etc., etc. Either that or they’ll cut and run the moment you place your first £300 order.
So… How do we know this is a scam? Let’s have a look at the message:
Return-Path: <firstname.lastname@example.org>
Received: from <cambridge server> (<cambridge server> [<ip address>]) by <cambridge server> (Cyrus v2.3.14) with LMTPA; <date and time>
X-Sieve: CMU Sieve 2.3
X-Cam-AntiVirus: no malware found
X-Cam-SpamScore: sssss
<snipped SpamAssassin info>
Received: from [188.8.131.52] (port=38546 helo=bestgallery.co.kr) by <cambridge server> (<cambridge server> [<ip address>]:25) with smtp (csa=unknown) id 1OZj6P-0008CQ-2l (Exim 4.72) for email@example.com (return-path <firstname.lastname@example.org>); Fri, 16 Jul 2010 12:29:21 +0100
Received: (qmail 7707 invoked by uid 99); 16 Jul 2010 20:28:34 +0900(KST)
Date: 16 Jul 2010 20:28:34 +0900(KST)
Message-ID: <email@example.com>
To: <email address>
Subject: Work From Home/School Part Time Job Offer
From: Kelly Price <firstname.lastname@example.org>
Reply-To: email@example.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

Hello,

Please permit us to write you. We would be interested in offering you a part time work from home or school job that can be done between the hour of 7pm and 10pm. You don’t need any professional skill in doing the the job. Kindly get back to us for more details if you have interest in knowing more about our company and the job.

Best regards,
Kelly Price
The very first thing that sticks out to me is the first line:
The email address in the return path is not only not the same as the ‘reply to:’ address (Reply-To: firstname.lastname@example.org, which we’ll talk about in a minute), it is from a whole different country and appears to be from the administrative user on a Linux or UNIX-based server. The admin (or root) user on a Linux server is never (for a given value of never) used to send email. Especially emails offering jobs. This, and a couple of other things, makes me suspect that someone has managed to hack into a mail server.
Let’s look at the Reply-to line:
A few things wrong here… A) It’s using a free email address and B) it has nothing to do with where the message originates, which is a server in Korea. There’s also C) the company name is incorrect (but you don’t know that yet! ;) ) and D) interesting that her name is capitalised correctly.
Lastly, there’s the wording and phrasing, though this might be the first thing that a non-IT geek would notice. The spelling is mostly correct, but the syntax and phrasing are unlike that of a native English speaker (even American or Canadian variations!). I can’t pinpoint most of the reasons why, except that it seems more like what you might read in a phrase book or a school book. Also, ‘You don’t need any professional skill in doing the the job.’ feels awkward. It just makes me suspicious!
So… we’ll move on to the second message:
Return-Path: <email@example.com>
<snip non-useful stuff>
References: <firstname.lastname@example.org>
<snip non-useful stuff>
Message-ID: <AANLkTinyojhYcXXkBSRckq2U_a5OmxKHK7XkHS4de34E@mail.gmail.com>
Subject: Re: Work From Home/School Part Time Job Offer
From: kelly price <email@example.com>
To: <person>

Hello <person>,

Thanks for getting back to us in regards the job. We are Canada based company that offer incorporation service to our clients all over the globe, read more about us on our website /www.corporationcentre.ca We have 16 Agents in UK that are working for the company, they will be needing materials like envelopes and files to do the jobs. Your job is order/acquire materials for them from the stationary supplier to do their job weekly, the agents will email you whenever they need materials, it is now your duty to contact the supplier through email to make order for the materials and also state the quantity that should be posted to the agent address through the post.. we are employing you just to reduce the workload for us and for our clients. The job is done online and it is between Mondays to Fridays. Salary/wages term: you shall be paid 180pounds weekly. We will always email you guidelines and instructions to follow in getting your job done perfectly when you start working. If you still care to proceed with the job, get back to us with your information listed below then we can proceed from there.

1, NAME:
2, CONTACT ADDRESS:
3, MOBILE:
4, AGE:
5, SEX:

Best regards,
Kelly Price
The second message makes this more obviously a scam. The English syntax and phrasing have deteriorated slightly and alarm bells are ringing a bit more insistently after seeing the web site address and the proper return email address. The return path is now more legitimate: Return-Path: except for the fact that it’s still a free email account and it’s obvious that the company has their own domain. Also, oddly, even though it’s supposedly from the same account, ‘kelly price’ is in all lower-case. That’s just a little thing, but it does suggest that the initial message was sent in a dissimilar manner to the second. So, why would someone who wants to hire you not use their work account to do it? Also, why would a company that has its own web domain (corporationcentre.ca) not have email addresses to go with it? Even my hosting account has ten free email addresses… Why isn’t there a ‘firstname.lastname@example.org’ address instead?
Secondly, looking at the email address and the web domain – which appears to be a legitimate company (though, I suspect, wholly unaware of what was being done in their name) – I can see that they’re different. It’s subtle enough to the glancing eye, but if you take a second to look properly, it’s obvious: corporationcentre.ca is the legitimate web address and corporation.ca is the email address. Even if a company *did* have to use a free email service, I would have expected a user name that matches the web address.
The slightly off English speaks for itself, but do note the list at the bottom. The first thing that seems off is the use of commas instead of full stops after the numbers. The second thing that struck me was that they used the outdated term ‘SEX:’ instead of the now almost universally used ‘Gender’.
I may not have noticed some of these things if I didn’t suspect it was a scam, but much of it is pretty easy to spot once you start looking. :)
Be suspicious about these things. Think about what seems off and also why you might think it’s legitimate. If it sounds too good to be true, it probably is.
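The header checks walked through above (a system account in the Return-Path, a Reply-To that doesn’t match the Return-Path, a free webmail contact address, a sending host unrelated to the From address) can be automated. This is an added example, not part of the original post; the sample messages, the `.example` domains and the two lookup lists are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, illustrative lists; freemail.example stands in for a free webmail provider.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "freemail.example"}
SYSTEM_USERS = {"root", "admin", "administrator", "postmaster", "nobody"}

def split_addr(value):
    """Return (local_part, domain) of the address in a header value, lower-cased."""
    local, _, domain = parseaddr(value or "")[1].lower().rpartition("@")
    return local, domain

def header_flags(raw):
    """List the header inconsistencies discussed in the post for one raw message."""
    msg = message_from_string(raw)
    rp_local, rp_dom = split_addr(msg["Return-Path"])
    _, from_dom = split_addr(msg["From"])
    _, reply_dom = split_addr(msg["Reply-To"])
    flags = []
    if rp_local in SYSTEM_USERS:
        flags.append("return-path-is-system-account")
    if reply_dom and reply_dom != rp_dom:
        flags.append("reply-to-domain-differs-from-return-path")
    if FREEMAIL & {from_dom, reply_dom}:
        flags.append("free-webmail-contact-address")
    # HELO name recorded by the receiving server in its Received header.
    helo = re.search(r"helo=([\w.-]+)", " ".join(msg.get_all("Received", [])))
    if helo and from_dom:
        name = helo.group(1).lower()
        if name != from_dom and not name.endswith("." + from_dom):
            flags.append("sending-host-differs-from-from-domain")
    return flags

# Constructed samples modelled on the two kinds of message in the post.
SUSPICIOUS = """\
Return-Path: <root@gallery.example.kr>
Received: from [192.0.2.10] (port=38546 helo=gallery.example.kr) by mx.uni.example with smtp
From: Kelly Price <kelly@freemail.example>
Reply-To: kelly@freemail.example
"""
CONSISTENT = """\
Return-Path: <julia@recruit.hosting.example>
Received: from [192.0.2.20] (port=58021 helo=recruit.hosting.example) by mx.uni.example with smtp
From: Julia Preston <julia@recruit.hosting.example>
"""
```

An empty result only means the headers agree with each other; it says nothing about whether the offer itself is worth taking.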
On the other side of things, here’s an unsolicited job email that is probably legitimate – but only technically.
---------- Forwarded message ----------
Return-Path: <email@example.com>
Received: from <cambridge server> (<cambridge server> [<IP Address>]) by <cambridge server> (Cyrus v2.3.14) with LMTPA; Tue, 27 Jul 2010 15:08:46 +0100
X-Sieve: CMU Sieve 2.3
X-Cam-AntiVirus: no malware found
X-Cam-SpamScore: sss
X-Cam-SpamDetails: score 3.9 from SpamAssassin-3.3.1-960172
* 1.0 RCVD_IN_MAPS_DUL RBL: Relay in DUL,
* http://www.mail-abuse.com/enduserinfo_dul.html
* [<ip address> listed in rbl-plus.mail-abuse.ja.net]
* 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
* [<ip address> listed in bb.barracudacentral.org]
* 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from [<ip address>] (port=58021 helo=fst-recruitment.bphosting.us) by <cambridge server> (<cambridge server> [<ip address>]:25) with smtp (csa=unknown) id 1Odkpk-0001eX-fs (Exim 4.72) for <email address> (return-path <firstname.lastname@example.org>); Tue, 27 Jul 2010 15:08:46 +0100
Received: (qmail 14174 invoked by uid 0); 27 Jul 2010 13:58:56 -0000
Date: 27 Jul 2010 13:58:56 -0000
Message-ID: <email@example.com>
To: <email address>
From: Julia Preston <firstname.lastname@example.org>
Subject: Great Summer Job Opportunity

Dear Student,

I would like to invite you personally to become a part of our team. In the time of crisis more companies are downsizing, moving overseas and outsourcing many of their positions. Because of this, a brand new opportunity has come about. We are looking for people to work as professional distance-based typists. If you’re eager to use your skills to make some additional cash, then you might want to consider a home typing position. No experience is needed. Our requirements for distance-based typists are:
-Computer with Internet access.
-Good Typing Skills.
-Basic Internet knowledge.
-Basic Computer and Typing Skills.
You will not have to devote full time hours. These assignments can be done on your time. They may be done in Internet cafes or where ever you can get Internet access. All data entry operators work from home and are independent contractors. You typically set your own hours and work from home on projects that are enjoyable! Average monthly earnings start from $1000 to $3000 or more. If you are interested just reply to my email!

Best Regards,
Julia Preston
Regional Recruitment Manager
—————————–
According to Electronic Commerce Law I would like to inform you that this email message might not be requested by you. If you prefer not to receive any e-mail from me in the future, please reply with “UNSUBSCRIBE” in the subject line.
So, we’ll look at this in two ways: first, why it might be legit and second, why it’s still not a good idea to get involved.
The legitimacy of the message stems mainly from the fact that it wasn’t sent using illegal methods. It doesn’t appear that any servers were hacked and it isn’t an obvious forgery. The ‘return-path’, ‘reply-to’ and ‘received from’ domains all match up, the message appears to have been written by a native English speaker – there’s no slightly off syntax or spelling and the mistakes that ARE there are common, and the sender appears to have done at least some research about whether the recipients are students. My gut instinct tells me that there probably IS a job waiting for someone – data entry jobs are often done as ‘work from home in your spare time’ sorts of things.
So, if it’s legit, why not get involved? Well, as I said, there’s probably a job, but the only way you’ll make £1000 a month is if you never leave your computer or you’re a legendary typist! From a technical standpoint, let’s look at the message headers again; specifically the SpamAssassin headers that UCS attaches to messages:
* [000.000.000.000 listed in rbl-plus.mail-abuse.ja.net]
* 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
* [000.000.000.000 listed in bb.barracudacentral.org]
The four numbers separated by full stops are, collectively, the IP address of the mail server that sent the message (I have obfuscated the IP addresses here as zeroes, but these would normally be non-zero numbers!). IP addresses are unique in the world and usually the first 3 sets of numbers identify the organisation that owns the machine. The fact that the IP address is listed in two blacklists (blacklists are lists of naughty IP addresses that good, wholesome computers shouldn’t be playing with) suggests that the company who owns the computer isn’t very careful about things like not allowing spammers to use their servers. A little internet research shows me that bphosting is listed in all sorts of spam blacklists, including the two that UCS uses, and that BP *may* stand for ‘Bullet Proof’ (meaning, ‘We don’t care if you block our IP address, or the hostnames of people who use our services, we’ll just make more tomorrow!’). This isn’t looking good for our message sender, I have to say.
So… I attempt to look for FST Recruitment hosted by bphosting. No luck. They have email, but no web site. This suggests to me that fst-recruitment isn’t really one of the top-end recruitment agencies in the world and probably doesn’t want to reveal too much about its business practices to anyone. I dunno about you, but I wouldn’t trust them.
In the same vein, they have a notice at the bottom of the message that pretty much says, ‘Look, we’re spammers, but we’re giving you an out, here! Just email us and tell us not to send you anything else and we will just pass your details on to the next spammer that wants our list! But we promise to stop emailing you.’
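To see how much of that 3.9 spam score comes from the blacklist hits, the SpamAssassin report can be parsed rule by rule. This is an added example, not part of the original post; the multi-line layout of the sample is an assumption, and 192.0.2.20 is a documentation address standing in for the redacted relay IP.

```python
import re

# Constructed sample using the rule names and scores from the header quoted in the
# post; the folded layout is assumed and 192.0.2.20 replaces the redacted relay IP.
SPAM_DETAILS = """score 3.9 from SpamAssassin-3.3.1-960172
 * 1.0 RCVD_IN_MAPS_DUL RBL: Relay in DUL,
 *      http://www.mail-abuse.com/enduserinfo_dul.html
 *      [192.0.2.20 listed in rbl-plus.mail-abuse.ja.net]
 * 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
 *      [192.0.2.20 listed in bb.barracudacentral.org]
 * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS"""

# A rule line is "* <score> <RULE_NAME> <description>"; continuation lines have no score.
RULE = re.compile(r"^\s*\*\s*(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s", re.M)
LISTED = re.compile(r"\[(\S+) listed in (\S+)\]")

def parse_spam_details(text):
    """Return (total_score, {rule: score}, [(ip, blocklist_zone), ...])."""
    total = float(re.search(r"score\s+(-?\d+(?:\.\d+)?)", text).group(1))
    rules = {name: float(score) for score, name in RULE.findall(text)}
    return total, rules, LISTED.findall(text)

def blocklist_share(text):
    """Fraction of the total score contributed by RCVD_IN_* (relay blocklist) rules."""
    total, rules, _ = parse_spam_details(text)
    rbl = sum(s for name, s in rules.items() if name.startswith("RCVD_IN_"))
    return round(rbl / total, 2) if total else 0.0

if __name__ == "__main__":
    total, rules, listings = parse_spam_details(SPAM_DETAILS)
    print(total, rules, listings, blocklist_share(SPAM_DETAILS))
```

On this sample the three rule scores add up to the reported total, and the two blacklist rules account for about two thirds of it.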
Again, just delete these sorts of messages. They’ll only break your heart! :(