Is that e-mail message legit? How a computer nerd analyzes it

Is that e-mail message legit? Common sense and technology both come into play.

My clients often ask my opinion on whether an e-mail message is legitimate or not. The message below, asking for credit card information and claiming to come from Register.com, was a doozy, and a lot can be learned from analyzing it.

First, it addressed my client, who is a Register.com customer, by name and was sent to an e-mail address associated with a domain registered there. Both my client's name and e-mail address are publicly available. The message did not contain anything private such as an account number at Register.com.

[ LOGO HERE ]

We wanted to remind you that the credit card listed in your account is due to expire soon. Please take a moment to update your account information to prevent any lapse in your domain name registration or services.

Updating your credit card information is easy. Simply call 1.877.731.4442* today and our Web Consultants will be happy to help you.

We can assure you that your credit card information is safe with us. We're PCI compliant and maintain the highest security standards in the industry. Please call us today so that we can help you secure your services with Register.com.

As always, we thank you for your continued business.

Sincerely,
Sandy Ross
Director, Customer Service
* If calling outside the U.S. and Canada, please dial +1 902.749.5919

I left out the Register.com logo because I'm not sure of the copyright issues involved.
The logo looked legit, more on that later.

My gut reaction was that the message is a scam because:

  1. The domain name registration referred to in the message does not expire for two years
  2. The credit card on file does not expire for six months
  3. There is only a phone number

A company that registers domains for a living certainly can handle a simple thing like updating a credit card number on its Web site. I would expect a legitimate message to also include instructions for logging in to your account to update the credit card and a link, perhaps to this page, for doing so.

Voice phishing

Plus, this message fits a known pattern of scams that started appearing last year. In April 2006, Joris Evers of CNET News.com wrote:

"In a new twist on phishing, fraudsters are sending out e-mails that attempt to trick people into sharing personal information over the phone...the spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it...As a precaution, people should not dial phone numbers received in an e-mail message..."

The bad guys are hoping that a phone number won't raise the mental red flags that a link such as http://1.2.3.4 does. And, thanks to the latest versions of Internet Explorer and Firefox, even nontechnical computer users now have some measure of antiphishing protection.

This scheme goes by the names voice phishing, VoIP phishing and vishing. Voice over IP (VoIP) is included because the phone numbers use this technology rather than normal landlines. In part this is because VoIP is cheaper; it may also be harder to track down the real owner of a VoIP phone number.

In his Security Fix column at WashingtonPost.com, Brian Krebs wrote in March of this year about an instance of voice phishing and warned "Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number..."

From who?

Many people make judgments about an e-mail message based on the from address. This is a big mistake. You can not trust the from address of an e-mail message. It is a trivial thing to forge. That's why I didn't bother to include it in the example.

I wrote about this before, but when even the aforementioned Brian Krebs gets this wrong, it needs to be stressed. A couple of days ago, an otherwise excellent posting of his about fake FTC e-mail messages included this:

"If a message comes from someone you don't know, delete it. If it appears to have been sent from a friend or family member, reply to the message and ask for confirmation that the sender indeed meant for you to view that e-mail attachment."

You should treat all e-mail messages as if you don't know the true sender. Because, without evaluating the hidden headers, you don't. Repeat after me:

You can not trust the FROM address of an e-mail message.
You can not trust the FROM address of an e-mail message.
You can not trust the FROM address of an e-mail message.

Verifying the phone number

Checking the legitimacy of the phone numbers proved inconclusive.

At the home page of Register.com, clicking on Customer Support leads to the link for the Contact Us page, which lists eight different phone numbers. The e-mail message had two phone numbers, a toll-free 877 number and one in area code 902. Neither of these numbers appears on the Contact Us page.

A reasonable person would stop here and conclude the message is fake. But I continue.

A Web search on the toll-free number turned up some references to it in discussions about Register.com. On the other hand, the references were as far from official as can be; they were just made in passing by individuals griping about the company.

The search also turned up a link to this page at the Register.com Web site that does list the phone number.

So, it's legit? Maybe not. There is no date on this Web page, so it may be old. Register.com may have changed its phone number. And, if it is legit, why is it not on the main Contact Us page?

Techie stuff

These mixed signals led me to look under the covers, to examine the underlying header and source code of the e-mail message. Thunderbird, my preferred e-mail program, shows the source code with View -> Message Source.

The source code shows the true destination of the links in the message. Below is the source code for a link in the fine print at the bottom of the message.

To unsubscribe from Register.com marketing emails, please click
<a href="http://link.register.com/us/DWX065/8Z/ISNCO/QF7J4T/
YW5uZUBkZXByZXNzaW9uZmFsbG91dC5vcmc=/">
<font color="#000000">here</font></a>.

This link does go to Register.com. But that means nothing. It is not at all unusual for a scam e-mail message to include legitimate links. The only one that matters however, is the one the victim is directed to click on. In this particular case, all the links are irrelevant to determining the legitimacy of the message.

E-mail messages don't travel directly from the sender to the recipient. The header provides a bread crumb trail of the path taken by the message. It also offers clues to the real origin. Below is an excerpt from the header of this message.

Received: from [127.0.0.1] ([local])
  by bm1-11.ed10.com (envelope-from <DWX065-ISNCO-QF7J4T-H@register.bounce.ed10.net>)
    ...
Message-Id:

In one place it seems that the message was from e-dialog.com, in another it seems to have originated from a computer named register.bounce.ed10.net and passed through an e-mail server at bm1-11.ed10.com. Three different domains, and none of them Register.com.

Then too, there's that legitimate-looking logo mentioned earlier. The source code shows that it came from ed4.net. You can see it for yourself here.

Four different domains have their fingers in this message. Ugh.
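The header and source inspection described above can be automated. The script below is an added example, not code from the original post: it parses a constructed message modelled on the excerpts quoted here (the From, Reply-To, Received and Message-Id values and the logo URL are invented stand-ins) and lists every domain that touched the message other than the brand it claims to come from.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the excerpts in the post; the exact
# header values are stand-ins, not the real message.
SAMPLE = """\
Received: from [127.0.0.1] ([local])
  by bm1-11.ed10.com (envelope-from <DWX065-ISNCO-QF7J4T-H@register.bounce.ed10.net>)
  with ESMTP id 12345; Thu, 8 Nov 2007 10:00:00 -0500
From: "Register.com" <customerservice@register.com>
Reply-To: support@custhelp.com
Message-Id: <20071108100000.12345@e-dialog.com>
Subject: Your credit card is about to expire
Content-Type: text/html

<p><img src="http://www.ed4.net/images/register_logo.gif"></p>
<p>Please call 1.877.731.4442 today.</p>
<p>To unsubscribe click <a href="http://link.register.com/us/DWX065/">here</a>.</p>
"""

# Matches hostnames (a dotted name ending in an alphabetic TLD); bare IPs are skipped.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def registrable(host):
    """Collapse a hostname to its last two labels, e.g. bm1-11.ed10.com -> ed10.com."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def domains_in(raw):
    """Collect the domains found in each place a sender identity can hide."""
    msg = message_from_string(raw)
    found = {"from": set(), "reply-to": set(), "received": set(),
             "message-id": set(), "images": set(), "links": set()}
    for field, key in (("From", "from"), ("Reply-To", "reply-to")):
        addr = parseaddr(msg.get(field, ""))[1]
        if "@" in addr:
            found[key].add(registrable(addr.split("@")[1]))
    for hop in msg.get_all("Received", []):          # every relay in the trail
        found["received"].update(registrable(h) for h in HOST_RE.findall(hop))
    mid = msg.get("Message-Id", "")
    if "@" in mid:
        found["message-id"].add(registrable(mid.split("@")[1].strip("<> ")))
    body = msg.get_payload()                         # single-part HTML body
    for src in re.findall(r'<img[^>]+src="https?://([^/"]+)', body, re.I):
        found["images"].add(registrable(src))
    for href in re.findall(r'href="https?://([^/"]+)', body, re.I):
        found["links"].add(registrable(href))
    return found

def foreign_domains(raw, brand):
    """Categories whose domains are not the brand the message claims to be from."""
    brand = registrable(brand)
    return {cat: sorted(d for d in doms if d != brand)
            for cat, doms in domains_in(raw).items() if any(d != brand for d in doms)}
```

On the sample this flags the Reply-To, relay, Message-Id and logo domains while the From address and the unsubscribe link, which both point at register.com, prove nothing on their own.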

Since the logo definitely came from ed4.net, I decided to focus on that. Its Web site belongs to e-Dialog. Public information about domain names is available from a system called WHOIS. A check of the WHOIS information for ed4.net at Network Solutions shows that the domain belongs to:
  e-Dialog
  131 Hartwell Ave.
  Lexington, MA 02421

This lends some credibility because it's neither hidden nor a post office box. I didn't bother checking if there really is such a company at that address. The domain ed4.net was first registered in 2000, which also lends it some credibility. Often the domain names used in scams are newly registered.

The underlying IP address for a Web site can be determined with a simple Ping command. In Windows, open a command prompt window and type "Ping www.ed4.net". Ping showed that the Web site resides at a computer whose IP address is 64.28.75.199.

Then, I plug this into www.ip-adress.com, which shows the physical location of an IP address. The Ed4.net Web site is in Waltham, Mass., and is registered to e-Dialog. Very legit looking.

But who or what is e-Dialog? Its site says it does e-mail marketing and its list of clients includes Register.com.

Finally, I check the return e-mail address, which is at custhelp.com. Who is custhelp.com? Names like this are often used in fraudulent e-mail messages. If the message legitimately came from e-Dialog, then why don't they handle the replies?

Needless to say, I go to www.custhelp.com to see if it's on the level. But there is no Web site with that name. Instead, I get redirected to www.rightnow.com. So, who is RightNow? They do "Customer Experience Software & Management: IVR, CRM, Sales Lead & Incident Management".

I give up.

Beats me if this message is legit. If it is, however, Register.com is making a big mistake by not displaying either of the two phone numbers in the message on its Contact Us page. Could they be that clueless? Either way, I wouldn't call the phone number. No need to take the risk.


Update November 13, 2007: According to Register.com this message is legit. Quoting them: "This email you received is in fact legitimate. This email is generated and sent to you when your credit card information on your account is near or has passed expiring."


About the author

    Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

    He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.
