
email spam scam may take in the unaware

Editorial Staff

The email below came to our attention today. Using a landing page at mybluemix[dot]com and a (perhaps spoofed) sender address at the domain masew.ml, the scam has characteristics that instantly give it away to the alert reader but will trap the unwary.

*Important Notification: [email address redacted] Mailbox Termination on Progress*

[domain redacted] Account Maintenance Report!

Deαr [same email address]

Your E-mαil αccount is currently not uρdαted on our new server, we recommend you
to uρdαte your mαilbox record to releαse αnd retrieve your Nineteen (19)
incoming emαils on hold on our server.

If not uρdαted, we shαll shut-down your αccount αfter 48hrs. Click on the button
below to verify your emαil αddress:

Click Here to Αctivate Αccount
support-service-center.mybluemixdot_net/?login=[email address redacted]

*_Note_*: Fαilure to uρdαte your αccount αfter 48hrs, will leαd to de-αctivαtion
of Mαilbox.

Thαnk you.

[domain redacted] Admin Support Teαm.

This message was specifically sent to [same email address]

Why would the alert spot this was a scam?

First, the over-use of the email address. It reads as if someone has been to one of those ridiculous classes that teach that the more you repeat someone's name, the more they will bond with you. Sensible people run a mile when this idiotic tactic is applied, because it almost always prefaces a sales push from a pushy salesman using it to stop you walking away.

Secondly, if the email address isn't working, how can it be that this message arrived at all?

Third, the pretend, pseudo-official habit of placing digits after a number that has already been spelled out ("Nineteen (19)"), which is intended to make the mail look important and authoritative.

Fourth, note the interchangeable terminology: does the account have to be updated or activated?

Fifth, even in the subject line, the grammar is wrong.
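The spotting rules above can be turned into a filter, and the quoted message carries one more tell the rules do not name: many of its letters are Greek look-alikes (α for a, ρ for p, Α for A), a trick aimed at keyword filters rather than at the reader. The script below is an added example, not code from the page or from any product it mentions; the message body it scans is a constructed copy of the one quoted above with the recipient address replaced by a placeholder and the landing URL replaced by a documentation domain, and the homoglyph table is a small hand-picked subset of the Unicode confusables list.

```python
import re
import unicodedata

# Constructed sample body, modelled on the phishing message quoted above: the
# recipient address is a placeholder and the landing URL is a documentation
# domain, but the Greek-letter substitutions are reproduced as they appeared.
SAMPLE_BODY = """Deαr victim@example.com

Your E-mαil αccount is currently not uρdαted on our new server, we recommend you
to uρdαte your mαilbox record to releαse αnd retrieve your Nineteen (19)
incoming emαils on hold on our server.

If not uρdαted, we shαll shut-down your αccount αfter 48hrs. Click on the button
below to verify your emαil αddress:

Click Here to Αctivate Αccount
support-service-center.example.net/?login=victim@example.com

Note: Fαilure to uρdαte your αccount αfter 48hrs, will leαd to de-αctivαtion
of Mαilbox.

Thαnk you.

example.com Admin Support Teαm.

This message was specifically sent to victim@example.com
"""

# Hand-picked subset of the Unicode confusables table: Greek letters that render
# almost identically to Latin ones (those used in the message, plus a few more).
CONFUSABLES = {
    "\u03b1": "a", "\u0391": "A",   # alpha
    "\u03c1": "p", "\u03a1": "P",   # rho
    "\u03bf": "o", "\u039f": "O",   # omicron
    "\u03b5": "e", "\u0395": "E",   # epsilon
    "\u03c4": "t", "\u03a4": "T",   # tau
    "\u03ba": "k", "\u039a": "K",   # kappa
}


def script_of(ch):
    """Script family of a letter, taken from its Unicode name ('LATIN', 'GREEK', ...)."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0]


def mixed_script_words(text):
    """Words whose letters come from more than one script, e.g. 'uρdαted' (Latin + Greek).

    Text in a single language almost never mixes scripts inside one word, so this
    is a strong signal of homoglyph substitution aimed at keyword filters.
    """
    hits = []
    for word in re.findall(r"\S+", text):
        scripts = {script_of(c) for c in word if c.isalpha()}
        if len(scripts) > 1:
            hits.append(word)
    return hits


def fold_confusables(text):
    """Map known look-alike letters back to ASCII so keyword rules see the real words."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def analyze(body, recipient):
    """Apply the spotting rules from the page plus the script check; return the evidence."""
    folded = fold_confusables(body)
    return {
        # rule 1: how often the recipient's own address is repeated in the body
        "recipient_mentions": body.count(recipient),
        # rule 3: a spelled-out number followed by the same number in digits, e.g. 'Nineteen (19)'
        "spelled_number_with_digits": re.findall(r"\b[A-Za-z]+ \(\d+\)", folded),
        # deadline pressure such as '48hrs'
        "deadlines": re.findall(r"\b\d+\s*hrs?\b", folded),
        # rule 4: both 'update' and 'activate' vocabulary, visible once homoglyphs are folded
        "mixed_terminology": sorted(w for w in ("update", "activate") if w in folded.lower()),
        "mixed_script_words": mixed_script_words(body),
    }


def is_suspicious(findings):
    """Two or more independent signals is enough to route the message to quarantine."""
    signals = [
        findings["recipient_mentions"] >= 3,
        bool(findings["spelled_number_with_digits"]),
        bool(findings["deadlines"]),
        len(findings["mixed_terminology"]) == 2,
        bool(findings["mixed_script_words"]),
    ]
    return sum(signals) >= 2


if __name__ == "__main__":
    result = analyze(SAMPLE_BODY, "victim@example.com")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```

Folding the confusables before running keyword rules matters: without it, "uρdαte" contains neither "update" nor anything a word list would match, which is exactly why the sender used those letters.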

WARNING: this spam comes from an apparently legitimate account. That does not mean that the account has been legitimately used. The tracing information in the headers says "domain of masew.ml designates as permitted sender" (the sending address passed the SPF check for that domain). However, the next check failed: "Reverse DNS lookup failed for".

However, thanks to domaintools.com, we were able to locate the following:

IP Location: France, Paris, Aruba Cloud
ASN: AS199653 ARUBAFR-AS, FR (registered Oct 24, 2012)
Resolve Host: host114-238-177-94.static.arubacloud.fr
Whois Server: whois.ripe.net
IP Address:
% Abuse contact for ' -' is ''

inetnum: -
geoloc: 48.86832824998001 2.362060546875
language: FR
descr: Aruba Cloud
country: FR
admin-c: SANS-RIPE
tech-c: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2016-08-22T13:44:54Z
last-modified: 2016-08-22T13:44:54Z
source: RIPE

address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE

person: Eric Sansonny
address: Aruba SAS
address: 92-98 boulevard Victor Hugo
address: 92110 Clichy
phone: +330141065225
fax-no: +330146079808
nic-hdl: SANS-RIPE
created: 2012-09-20T06:28:55Z
last-modified: 2016-04-07T14:15:10Z
source: RIPE

descr: Aruba.FR Network
origin: AS199653
created: 2016-08-22T13:39:19Z
last-modified: 2016-08-22T13:39:19Z
source: RIPE
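The two header checks quoted in the warning above (an SPF pass for masew.ml, then a failed reverse DNS lookup) can be read out of the message headers mechanically. The script below is an added example, not code from the page or from domaintools; the headers it parses are constructed in the style a receiving mail server writes (a Postfix-style Received line and a Gmail-style Received-SPF line), with the documentation address 192.0.2.10 standing in for the real sending IP, which the page does not give.

```python
import re
import socket

# Constructed header fragment: Postfix writes "(unknown [ip])" in the Received line
# when the sending IP has no PTR record; the Received-SPF comment is the form the
# page quotes. 192.0.2.10 is a documentation address, not the real sender.
SAMPLE_HEADERS = """Received: from mail.masew.ml (unknown [192.0.2.10])
        by mx.example.com (Postfix) with ESMTP
        for <victim@example.com>
Received-SPF: pass (mx.example.com: domain of masew.ml designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Subject: Important Notification: Mailbox Termination on Progress
"""


def unfold_headers(raw):
    """Join continuation lines (RFC 5322 folding) so each header is one string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received_spf(header):
    """Extract result, checked domain and client IP from a Received-SPF header."""
    m = re.match(r"Received-SPF:\s*(?P<result>\w+)\s*\((?P<comment>[^)]*)\)", header)
    if not m:
        return None
    info = {"result": m.group("result").lower(), "domain": None, "ip": None}
    d = re.search(r"domain of (\S+) designates (\S+) as permitted sender", m.group("comment"))
    if d:
        info["domain"], info["ip"] = d.group(1), d.group(2)
    ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", header)
    if ip:
        info["ip"] = ip.group(1)
    return info


def parse_received(header):
    """Pull the claimed (HELO) name, the reverse-DNS name and the IP from a Received line."""
    m = re.match(r"Received:\s*from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)", header)
    if not m:
        return None
    rdns = m.group("rdns")
    return {"helo": m.group("helo"), "ip": m.group("ip"),
            "ptr_hostname": None if rdns == "unknown" else rdns}


def assess(raw_headers):
    """Combine the two checks the way the page reads them.

    SPF says whether the domain owner authorised the sending IP; reverse DNS says
    whether that IP is set up like an established mail server. A pass on the first
    with a failure on the second is the pattern the warning describes.
    """
    spf = rcvd = None
    for h in unfold_headers(raw_headers):
        if h.startswith("Received-SPF:") and spf is None:
            spf = parse_received_spf(h)
        elif h.startswith("Received:") and rcvd is None:   # topmost = nearest receiver
            rcvd = parse_received(h)
    spf_ok = bool(spf and spf["result"] == "pass")
    has_ptr = bool(rcvd and rcvd["ptr_hostname"])
    if spf_ok and not has_ptr:
        note = "SPF pass only means the domain owner authorised this IP; with no reverse DNS it is not an established mail server"
    elif spf_ok:
        note = "SPF pass and reverse DNS present: infrastructure looks ordinary (content still decides)"
    else:
        note = "SPF did not pass: the sender domain does not vouch for the sending IP"
    return {
        "spf_result": spf["result"] if spf else None,
        "spf_domain": spf["domain"] if spf else None,
        "sending_ip": (rcvd or spf or {}).get("ip"),
        "ptr_hostname": rcvd["ptr_hostname"] if rcvd else None,
        "spf_pass_without_ptr": spf_ok and not has_ptr,
        "note": note,
    }


def lookup_ptr(ip):
    """Live reverse-DNS lookup for use on real headers (not called on the offline sample)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The point the verdict encodes is the one the warning makes: an SPF pass is a statement by whoever controls the sending domain's DNS, so anyone who registers a throwaway domain can arrange one, and it says nothing about whether the message is honest. The missing PTR record is the more telling sign, because a mail server that is expected to stay in business normally has one.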

Why would it trap the unwary?

First, the final line is a clever way of reinforcing the connection. It is like those adverts that say "exclusively for you" and then try to sell you an expensive bottle of something that is actually available to everyone, should they feel like spending their money that way.

Secondly, while we have posted this as plain text, the original was sent in "rich text" or html. It looked pretty and pretty sells.

Third, it seems to come from someone who knows the victim (rinse and repeat the earlier comments: what is a giveaway to some is a welcome to others).