Didn’t get the interview. Was it a real opportunity?

Am I really a target? Are the scammers just getting really good? Or am I just too suspicious?

Always nice to be solicited for a role you’d like. That hasn’t happened to me often but recently I got a call about a position. That was followed up with an email. Then another call. Then a few emails and calls with the first caller’s senior recruiter. All in the space of three hours or so. Everything was rolling along and… crickets after my last email. Was it me?

I don’t think so, but you be the judge.

The position I was solicited for was IT Manager. One requirement that I didn’t have was SCRUM Master certification. But, so long as the certificate was earned within six months of start date that would be acceptable. It’s not common, but I have seen positions that require a certification and will accept it being earned within a certain period after starting.

I tell the people I’m speaking with on the phone I need a little time to investigate the certification and see if it seems like something I can achieve in six months. They say fine, they’ll call back in an hour or so and see if I’m still interested.

At this point I’ve gotten the consulting company’s name, the organization they’re recruiting for, and time frame when the position is to be filled.

After a bit of web searching I find a number of training organizations offering online SCRUM Master Certification training at a range of prices. It’s affordable from my point of view so I’m thinking… commit. I really am looking for a new opportunity.

I also check out the recruiter’s domain to find out how long its been around. Surprise, surprise, it’s only a few months old. Red Flag #1. Then I check website of the customer they’re recruiting for to search for the position. The position isn’t listed. Red Flag #2.

Finally they call back and we talk about the position. I tell them I’ve found a trainer that looks like they have a good online training program set up and the course is affordable. As soon as I tell them the trainer I’m told, “no, that’s not such a good trainer.” Red Flag #3. I’m given another training company’s name and told I should register right away so we can provide proof to the employer I’m taking steps to have the certification by the deadline. “Right away”, Red Flag #4.

I tell them to give me a few moments to check out that trainer’s website. Wouldn’t you know, the trainer’s website is even newer than the recruiters. Red Flag #5.

At this point I really don’t believe this is legit and ask for a contact at the company they’re recruiting for to confirm with them the position is open and the certification requirement.

End of conversation. Sigh. It was nice to be recruited for a position I am well qualified for and points to the sophistication of the scam. It was tailored to my skills. Disappointing that it was only a scam to get my money for a certification training course that likely wouldn’t have provided any training.

This all happened several months ago. At this point the “recruiter’s” website is still up. Doesn’t look changed much. All boiler plate stuff. The training company’s website isn’t accessible. Clearly, be suspicious, ask questions and investigate the answers to keep yourself from being taken.

Anatomy of a Stealthy Phish

Targeting me or just a step up in the scammer’s tool quality?

Got an email from AUROBINDO PHARMA LIMITED asking to schedule an interview with me. Great!! I’m looking for work.

The email is from a GMail account though. So I ask to be contacted from the business email account.

Surprise, I get a follow up email that appears to be from Aurobindo Pharma Limited. Notice though I’m being solicited based on my resume but the “jobs” cover a wide range of positions.

And WHOIS, which can look up information about domain names, never heard of aurobindopharmaltd.com.

$ whois aurobindopharmaltd.com
No match for domain "AUROBINDOPHARMALTD.COM".
>>> Last update of whois database: 2021-12-22T08:15:49Z <<<

And there is no aurobindopharmaltd.com website as of this writing.

I’ve already found that the domain doesn’t exist. Getting email from that domain is therefore not possible. What’s going on? Time to examine the email header. This is what I found…

Guess what? The Return-Path/smtp.mailfrom domain is real. It is an actual business site related to sports. There’s some contact information on it and absolutely nothing to do with pharma.

As I understand it, Return-Path and smtp.mailfrom are the actual source of the email. The email originated from that domain. And that means the domain has been compromised. So I sent email to a site contact advising them what I’ve found and included the email header of the original phishing message.

What I wonder about though is the phisher’s follow up. Whoever was sending those messages seemed to want to convince me they were legitimate. Was it ME they were trying to convince? Or did they just have a better phishing tool and bots on compromised servers that enabled easily sending a message with a forged sender from a compromised server so the message isn’t from a GMail account?

I don’t know. This is the first time this ever happened to me. Actual attention to my initial response, replying and changing the message properties to be a more persuasive fake. Am I being spear phished? Don’t know, but what happened is intriguing.

Attractive deal? Check how long that website’s been around.

Was that vendor set up yesterday to try and take money from you today?

One thing that happens as advertisers get their algorithms into you is much more targeted advertising. Often times with a web link.

Ever wonder how long that website’s been around? Setting up shop, scamming money, and disappearing are tactics that have been around since scams. Long before the Internet. Checking how long a domain name has been around can help detect a scam.

One thing I do when I check advertising is check how old the domain name is. The domain name is the .com, .org, .gov, .net, etc., plus the word before it starting from the preceding / or ., whichever is closest before the .com. Examples like www.disney.com breakdown to domain name disney.com.

How old is the domain name disney.com?

The whois command reveals that information and more with 156 lines of output. The dates are among the first lines and are scrolled off the top of the screen. So scroll up to them to see them.

Substitute a function, called by the same name, that uses whois and grep to produce less output, and focused on dates and attributes like URLs. The substitute command returns 23 lines. These are the lines.

$ whois disney.com
   Updated Date: 2021-01-21T15:04:59Z
   Creation Date: 1990-03-21T05:00:00Z
   Registry Expiry Date: 2023-03-22T04:00:00Z
NOTICE: The expiration date displayed in this record is the date the
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
view the registrar's reported date of expiration for this registration.
Updated Date: 2021-01-15T16:22:12Z
Creation Date: 1990-03-21T00:00:00Z
Registrar Registration Expiration Date: 2023-03-22T04:00:00Z
Registry Registrant ID: 
Registrant Name: Disney Enterprises, Inc.; Domain Administrator
Registrant Organization: Disney Enterprises, Inc.
Registrant Street: 500 South Buena Vista Street, Mail Code 8029
Registrant City: Burbank
Registrant State/Province: CA
Registrant Postal Code: 91521-8029
Registrant Country: US
Registrant Phone: +1.8182384694
Registrant Phone Ext: 
Registrant Fax: +1.8182384694
Registrant Fax Ext: 
Registrant Email: Corp.DNS.Domains@disney.com

Easier to see only the dates and some other relevant info by customizing my own whois. I am sure it can be improved on, but for the time being this listing is the substitute whois in my .bash_aliases.

function whois {

        if [ $# -ne 1 ]; then
                printf "Usage: whois <domain.tld>\nTo use native whois precede command with \\ \n "
                return 1

# implemented code calls installation whois by full path 
        /usr/bin/whois $1 | grep -wi "date\|registrant\|contact 
## haven't tried outside Ubuntu
## a possibility to make this somewhat portable
## $(which whois) $1 | grep -wi "date\|registrant\|contact 

Now, for an advertisement that’s been showing up in my Facebook feed lately, there’s listncnew.com. Sells NEW laptops and Macbooks for $75 – $95!! I figured it must be scam but, for that price, worth the risk because could cancel the credit card transaction. Before I made the order I ran the domain name through my substitute whois to see when the domain was registered. It was created October, 2021, very new. I didn’t expect to get my order and didn’t. At least I wasn’t out the money and now have a way to look at whois data that limits the output to show only information relevant to me.

whois listncnew.com
   Updated Date: 2021-10-26T09:14:16Z
   Creation Date: 2021-10-26T09:10:35Z
   Registry Expiry Date: 2022-10-26T09:10:35Z
NOTICE: The expiration date displayed in this record is the date the
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
view the registrar's reported date of expiration for this registration.
 Updated Date: 2021-10-26T09:13:25Z 
 Creation Date: 2021-10-26T09:10:35Z 
 Registrar Registration Expiration Date: 2022-10-26T09:10:35Z 
 Registry Registrant ID: 5372808-ER 
 Registrant Name: Privacy Protection 
 Registrant Organization: Privacy Protection 
 Registrant Street: 2229 S Michigan Ave Suite 411 
 Registrant City: Chicago 
 Registrant State/Province: Illinois 
 Registrant Country: United States 
 Registrant Postal Code: 60616 
 Registrant Email: Select Contact Domain Holder link 
 Admin Email: Select Contact Domain Holder link 
 Tech Email: Select Contact Domain Holder link 
 Billing Email: Select Contact Domain Holder link

This is my first post in a while. Haven’t been routine releasing posts this year. There’s another five that have been hovering in edit for a while. Maybe I can get them out before the end of this year.

More phishing warning

Yeah, always talking about it because always getting examples to share.

Another picture to help avoid possibly painful mistakes.

This is my Inbox with only one message displayed.

See the mouse (the pointing index finger) is floating over the first column, the Sender. And beneath the finger is a black rectangular window with white text.

When the finger floats over the Sender that black window pops open and shows the email address the message is supposedly from. It is very obviously NOT the Apple App Store. Mark this message as SPAM and delete without opening!

Don’t even open it

Don’t get phished – take a test

How many times will you be fooled? Take the test and learn not to be.

Phishing is very common. I’ve written a number of posts cautioning readers and providing examples.

Today I came across something even better! An online phishing test hosted by Google. It presents you with messages and asks whether they are “real” or phishing.

It’s a test… so no messages are really real. But the messages do give you the opportunity to learn if you’d fall victim to phishing. And to learn how to avoid being a victim. Whether the message is phishing or not is explained and illustrated after you judge the message’s authenticity.

Fun. Try it.

Jigsaw | Phishing Quiz

Phishing, don’t get hooked!

Give yourself a Merry Christmas, don’t get phished.

I have posted about phishing before. Hopefully some of what I’ve posted or others have posted has been useful to you. I’m posting again because I got another phishing email just recently that, when I saw it in my Inbox, made me worry for a few moments. That’s because my Inbox shows the subject and the first words of the body of the email. So, what I saw in my Inbox was, “Update on Your Yahoo Account the password for your Yahoo account was recently changed”!

Immediate concern. I did not recently change my Yahoo password. And the sender column of my Inbox does not show the email address. It shows the sender name, in this case “Yahoo”. Have I been hacked? Fortunately, no. If I was in a rush and not paying attention though I might have given up my Yahoo credentials out of panic. So I’m posting again to remind myself, and anyone reading this, DON’T rush when you get an email about your accounts. Take the time to look them over and be certain of what you’ve gotten.

In this case the Inbox view said the email was from Yahoo. As soon as I opened the message it was clearly NOT from Yahoo.

From there, it’s all the usual stuff to know it’s fake. Hover over the link to go fix the “problem” and see the link doesn’t go to a Yahoo.com website.

Then last, I clicked on the link so you could see the webpage it goes to. And you see even though it tries to look like a Yahoo page it clearly is not a Yahoo site.

Please, don’t get hooked. There’s not enough info in the Inbox view to know whether this is something to worry about or not. Once the email is opened there’s two different opportunities to see it isn’t a Yahoo! message.

  • The “From:” is not a Yahoo! account.
  • Hover over the link and it clearly is not a Yahoo! URL.
  • And finally, if the link is clicked… the URL for the webpage definitely is not a Yahoo! URL.

Stay web safe and have a Merry Christmas.

PayPal scam

Illustrations to help you avoid the scam.

Another example of a scam email. It copies PayPal’s look to a T. The apparent email address service@intl.paypal.com is not the email address! The actual email address begins after the “<“. It is an indecipherable address and once you spot the “@” sign you see it isn’t @paypal.com. This isn’t a PayPal email.

Don’t click the button in the email that says “Log in Now”. It will go to a website that looks like PayPal but it’s not. If you enter your PayPal credentials to login then your PayPal account has just been compromised. Don’t do it.

We be scamming. Seems yes, but… maybe no?

Never seen this before.

I am unemployed due to COVID-19. Probably something that’s happened to many of you. I’ve also been searching for work continuously, continuously, since loosing my director of IT role. I have not gotten an offer on anything equivalent and have had periods of unemployment where I didn’t get responses for anything I applied to. The low point was when I was so desperate I applied for an hourly position at Dunkin Donuts and they didn’t call me back! I have gotten help desk roles and that position is what recently ended due to coronavirus.

Since I have been continuously searching for employment for years I’ve got accounts on all the major job boards, CareerBuilder, Monster, Beyond, Indeed, and many minor and regional ones too. And of course I use LinkedIn. My profile is here, Alan Boba. Message me if you need someone to manage your technology.

Recently I was very disappointed by the response I got back from an application, “Thank you but we’re not interested in you”. The position was very local to me which would have been great. And the IT Manager job description was one I would have written if asked to write one that was an exact match for my skills. I was really hopeful when I sent the application and very very disappointed when the rejection came. Not even a phone screen.

Next position I applied for on CareerBuilder I was presented with a message as soon as I completed the application, “would you like to instantly apply to these 26 matching jobs?” Typically I review job title and description, check the location and do some other review before applying for a position. This time I just hit “apply”. Right away CareerBuilder came back with a similar “instant apply” message and again I clicked “apply”. This kept happening. I kept clicking. I figured to be clicking until “matching jobs” ran out. They never did. I stopped clicking after instant applying to about 500 or so “matching jobs”.

Wouldn’t you know… next day I was getting invitations to online interviews. I was skeptical and cautious. The biggest and most immediate red flag was that all the “interviews” were with people using @aol.com and @gmail.com email addresses. No business emails. But hey, I didn’t have any real offers to reply to and who knows, maybe I’m just too suspicious and one of these was real.

One of them even said they were part of an agribusiness that was started in Australia and expanding in USA. The business is real and it even has two locations in the western US that were correctly identified in the chats.

I received a check by FedEx, almost $4,000! Ostensibly to buy equipment I would need for my office. A cashiers check though, not a check drawn from a business account. The letter that came with it is on plain paper, not office stationery. It doesn’t say what I should buy and doesn’t have a business name or address. Plus I am again directed to communicate with a non-business email account, @aol.com.

I’ve tried to validate the check’s bank routing number and two of the three routing number websites I’ve found recognize the routing number. I’ve also scanned the check front and back. No watermarks show up in either scan. And the check doesn’t have a stamp on it’s face with “valid for xxx days”. A stamp I’ve seen on every cashier’s and corporate check I ever recall handling.

For now I’m still thinking this is a scam. But I’ll play along because I’ve got the time and I’m unemployed. And who knows, maybe I am just too suspicious.

In case you’re curious and want to see what I’ve received so far, take a look at the letter and check that came in the FedEx package. It does cost money to send via FedEx. So unless a business’ FedEx account has been hijacked the scammers have spent some money to send me the check.

More phishing…

There’s more than one way to hook a fish.

Lets say you’ve become comfortable in your ability to recognize phishing email. You’re able to spot the strange “From” address hidden behind the reassuring “Billing Department” or “Customer Service” label that’s been applied. And even if that looks like it might be legit you know how to hover over links in the email and recognize something that says it came from Amazon should have amazon.com/ as the last part of the web address that comes before that very first single forward slash, “/”.

A business web address should always be https://businessname.com/maybemore or https://www.businessname.com/maybemore or https://businessname.org/maybemore and so on. The critical part of the address that tells you where the link will take you is between the paired // and the very first single /.

What do you do when everything looks legit? The “From:” doesn’t look strange, the subject isn’t alarming.

The message itself doesn’t try and make you panic. You can see the full email address and it looks legit. There’s no business website listed in the message but the part of the email address after the @ looks legit. And if you put the part after the @ into your web browser it does go to a legit website, in this case “equitybrands.com”.

Stop right now! There’s no contact info provided in the message. No corporate website identified. No contact phone or email provided. And there’s no info what this is about. Did you buy something and there’s a payment issue, forget to return something, detail about a pending refund…? There’s just nothing except a big blue “View File” button.

In case you can’t resist taking a peek at the “Payment doc.excel” file I did it for you.

It isn’t a regular Excel file because the last part of the file name would be .xls or .xlsx. Sorry but you do need to know that. Ignoring all this I clicked the “View File” button. It got me to the screen below.

If you haven’t got suspicious yet you should turn and run now.

There’s no identifying information for the company.

Why are you being asked for your email? It came to your email. Why is it asking for that now?

What password do you need to enter? Since your email is asked for it seems like a reasonable password would be your email password. Don’t!! Your email password is to get into YOUR email. Nobody else needs that.

Then there’s a conflicting statement at the bottom of this web page. See just below the “Submit” button? It says “Never submit passwords through Google Forms.” That’s because this phishing message is bringing you to a Google Form to collect your email and password. The criminal can’t prevent Google from showing you that warning on a Google Form but they’re hoping you won’t see it or will ignore it.

In summary, even if everything looks legit, if you’re asked to enter your email and password somewhere and you got there by clicking a link in an email DON’T DO IT!

Email and password are for you to get into your accounts. Don’t give them up at a website you got to by an email link.

Always go to the website your usual way and login. Then check your account to see if anything is needed.

If it isn’t a website you remember having an account at do not, do not, do not provide credentials to login. Call the business and ask what’s up!

Phishing, some examples

A guide to spotting email that is meant to deceive you.

Recently I received a number of phishing emails and shared some with family and friends so they could see examples and hopefully avoid any they might get.

After doing that I decided it would be good to share here too. And I went a bit further and made some (admittedly crude) videos to spotlight some of the indicators that an email is phishing.

The videos are posted on YouTube and I’ve embedded them here.

These were my first attempts at creating videos with effects and titles. Please try not to be critical of the production quality and instead focus on the information provided. You’ll find it useful if you do.

For those of you who might look and say, “They’re too tiny. I can’t see anything.”, after starting the video click in the lower right hand corner of the video window. It will enlarge the video.

This one was meant to get the victim to open an attachment. I may make a post and video of what happens if the attachment is opened. For the time being know that the video has tips to help identify it as phishing so we know better than to try and open the attachment.

This one claims there’s a problem with your Apple ID and has links that connect with a counterfeit Apple website. If you were to click the links and complete the forms you’d be giving away your Apple ID login information. Again there’s titles and effects to help identify the tells that make it apparent this isn’t from Apple.