Home Archive Fake Membership Confirmation Emails

Fake Membership Confirmation Emails

by Brett M. Christensen

Outline:
Links in emails supposedly confirming membership of a website or online service actually lead to a trojan


Example:

Dear Member,

Thank You for Joining Resume Hunters.

Account Number: 99484233616
Temp Login ID: user2726
Temorary Password: ty408

Please keep your account secure by logging in and changing your login info.

Follow this link, or paste it in your browser: [Link to malicious website removed]

Thank You,
Technical Services
Resume Hunters

 

Greetings,

Here is your membership info for Ringtone Heaven.

Confirmation Number: 868414332499
Your Temp. Login ID: user3355
Your Temp. Password ID: ve415

Please keep your account secure by logging in and changing your login info.

This link will allow you to securely change your login info: [Link to malicious website removed]

Enjoy,
Technical Services
Ringtone Heaven


Detailed Analysis:
Since June 2007, a series of fake eCard notification emails have been hitting inboxes around the world. Links in the emails lead to malicious websites that can install a trojan on the user’s computer. In August 2007, the criminals responsible for the fake eCard messages changed tactics a little and began distributing bogus membership confirmation emails like those included above.

The emails supposedly contain temporary login details for a website providing a service such as resume listings or ringtone downloads. The recipient is urged to secure their account by logging on and changing their login details. However, the login link in the email actually points to a website that attempts to use a Windows vulnerability to install a trojan. It may also attempt to trick the visitor into manually installing malware components. The bogus web page may contain a message similar to the following:

If you do not see the Secure Login Window please install our Secure Login Applet.

If the visitor clicks on the “Secure Login Applet” link, a trojan will be installed on his or her computer. Once installed, the trojan may then download other malware components from the Internet.

Like similar malware emails, the message tries to make the recipient curious enough to click on the link without due caution. Recipients may be concerned that they have been signed up for an unwanted service without their knowledge or permission and therefore click the included link in the hope of rectifying the issue. Or they may believe that they have been given a free membership as a gift or by mistake and click on the link to access their new “service”.

As well as the two shown above, the trojan emails offer a variety of other bogus memberships as bait including access to MP3 websites and online dating services. The bogus links in the messages are usually shown as IP addresses rather than normal website addresses. They have a range of subject lines, including the following:

  • Membership Support
  • Dated Confirmation
  • New Member confirmation
  • Member Details
  • Poker World

The perpetrators of this ongoing malware attack may well change tactics again at any time. Internet users should be very cautious of, not only supposed eCard notification emails and the fake membership messages discussed here, but also any other unsolicited emails that ask them to click an included link. It is also vitally important that all Windows users ensure that they have the latest security updates installed and use a firewall along with anti-virus and anti-spyware scanners.


Last updated: 22nd August 2007
First published: 22nd August 2007
By Brett M. Christensen
About Hoax-Slayer

References
Postcard From a Family Member Malware Email
Zhelatin/Storm changes yet again
Morphing ECards
Malicious eCard Emails Continue

Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,
Hoax-Slayer