Time for another Spam Showcase, this time a short one. Apparently, according to an email titled “Re: Congratulations” I’ve won what I can only guess is a large sum of money! Hooray, I no longer have to do the “used game store” rat race!
Well, that’s what I would think if this wasn’t obviously a piss-poor spam email attempt! Time to take a look. Like I said, this is a super short one, but it might be fun to tear apart.
You are to receive 2,852,000.00 in the Chevron Texaco Oil Promotion, Contact officialhelpdesk@outlook.de with your name and number to claim prize
Yep. Told you it was a short one. Super short.
Now, obviously, “Chevron Texaco Oil Promotion” makes no damned sense. What the hell is that even supposed to be? A contest? Are they giving me money in an attempt to like their product? Would they be giving it away as a publicity stunt? Who knows… It doesn’t matter, so long as I give them a name and a phone number that they can sell to someone else, I’d imagine.
Another thing to consider is that there is no denomination for this currency — it’s just a number. That’s all! It’s almost as if they aren’t even trying.
As for the sender info, this one is kind of interesting — while the email’s “Reply-To” is officialhelpdesk@outlook.de, the actual address the email was sent from was “Maritza Ruvalcaba – maruvalcaba@kern.org”.
Kern.org actually redirects to a real school district, that of Kern County in California. More critically, it’s the website for the superintendent of schools. At a quick glance, I see no one by this name on the website, and a very quick general online search can’t seem to find anyone of note by this name who is associated with Kern County. I’d imagine it’s a valid address for a current or former employee, so I can only imagine it’s been properly hijacked through phishing or some form of general Trojan malware.
I verified the source, just to make sure, and it indeed looks to have come from one of their mail servers:
Received: from mxin06.kern.org ([206.227.0.19]:36714)
by gator4131.hostgator.com with esmtp (Exim 4.92)
(envelope-from <maruvalcaba@kern.org>)
id 1iP24p-000Onu-2W
for chris@xadara.com; Mon, 28 Oct 2019 05:16:43 -0500
Received: from mxin06.kern.org (localhost.localdomain [127.0.0.1])
by mxin06.kern.org (Proxmox) with ESMTP id 0AFB6C2A73;
Mon, 28 Oct 2019 03:07:51 -0700 (PDT)
Received: from mxout01.kern.org (mxout01.kern.org [206.227.0.25])
by mxin06.kern.org (Proxmox) with ESMTP id 38955C2A69;
Mon, 28 Oct 2019 03:07:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by mxout01.kern.org (Postfix) with ESMTP id 2EBA4201A2;
Mon, 28 Oct 2019 03:07:49 -0700 (PDT)
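To make that header walk repeatable, here is an added Python example (mine, not from the post) that parses the Received chain quoted above, picks out the hops that are real public-IP handoffs rather than loopback passes, checks that the hop timestamps run in order, and compares the four places a sender identity shows up: From, Reply-To, envelope-from and the host that handed the message to the recipient’s server. The Received headers, envelope sender and Reply-To in the constructed message are the ones quoted in the post; the From display name, To and Subject lines are filled in from the post’s description, and every function name is my own.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message. The Received chain, envelope sender and Reply-To
# address are the ones quoted in the post; From display name, To and Subject
# are filled in from the post's description of the email.
RAW_MESSAGE = """\
Received: from mxin06.kern.org ([206.227.0.19]:36714)
    by gator4131.hostgator.com with esmtp (Exim 4.92)
    (envelope-from <maruvalcaba@kern.org>)
    id 1iP24p-000Onu-2W
    for chris@xadara.com; Mon, 28 Oct 2019 05:16:43 -0500
Received: from mxin06.kern.org (localhost.localdomain [127.0.0.1])
    by mxin06.kern.org (Proxmox) with ESMTP id 0AFB6C2A73;
    Mon, 28 Oct 2019 03:07:51 -0700 (PDT)
Received: from mxout01.kern.org (mxout01.kern.org [206.227.0.25])
    by mxin06.kern.org (Proxmox) with ESMTP id 38955C2A69;
    Mon, 28 Oct 2019 03:07:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
    by mxout01.kern.org (Postfix) with ESMTP id 2EBA4201A2;
    Mon, 28 Oct 2019 03:07:49 -0700 (PDT)
From: Maritza Ruvalcaba <maruvalcaba@kern.org>
Reply-To: officialhelpdesk@outlook.de
To: chris@xadara.com
Subject: Re: Congratulations

You are to receive 2,852,000.00 in the Chevron Texaco Oil Promotion
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_RE = re.compile(r"envelope-from\s+<([^>]+)>")


def org_domain(host_or_addr):
    """Crude 'organisation' domain: the last two labels of a host or address.
    Good enough for kern.org / outlook.de; not a public-suffix-aware lookup."""
    host = host_or_addr.rsplit("@", 1)[-1].rstrip(".")
    return ".".join(host.split(".")[-2:]).lower()


def parse_received(value):
    """Turn one (possibly folded) Received header into a hop record."""
    text = " ".join(value.split())  # unfold and collapse whitespace
    m = HOP_RE.search(text)
    if not m:
        return None
    helo, comment, by_host = m.groups()
    ip_m = IP_RE.search(comment or "")
    env_m = ENVELOPE_RE.search(text)
    when = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {
        "from": helo,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_host,
        "envelope_from": env_m.group(1) if env_m else None,
        "time": parsedate_to_datetime(when) if when else None,
    }


def received_chain(raw):
    """Hops oldest-first: the bottom Received header was the first one added."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def external_hops(raw):
    """Hops whose relaying IP is globally routable, i.e. genuine server-to-server
    handoffs rather than loopback passes inside a single host."""
    chain = received_chain(raw)
    return [h for h in chain if h["ip"] and ipaddress.ip_address(h["ip"]).is_global]


def chronological(raw):
    """True when every hop's timestamp is >= the previous one (compared in UTC).
    Forged Received chains frequently fail this check."""
    times = [h["time"] for h in received_chain(raw) if h["time"]]
    return all(a <= b for a, b in zip(times, times[1:]))


def sender_consistency(raw):
    """Compare From, Reply-To, envelope-from and the final handoff host."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    last = received_chain(raw)[-1]  # the hop into the recipient's mail server
    env = last["envelope_from"]
    return {
        "from_domain": org_domain(from_addr),
        "reply_to_domain": org_domain(reply_to) if reply_to else None,
        "envelope_domain": org_domain(env) if env else None,
        "handoff_domain": org_domain(last["from"]),
        "handoff_ip": last["ip"],
        "reply_to_mismatch": bool(reply_to) and org_domain(reply_to) != org_domain(from_addr),
        "from_matches_handoff": org_domain(from_addr) == org_domain(last["from"]),
        "chronological": chronological(raw),
    }


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(f"{hop['from']:<20} [{hop['ip']}] -> {hop['by']}  @ {hop['time']}")
    for key, val in sender_consistency(RAW_MESSAGE).items():
        print(f"{key:>20}: {val}")
```

Run against the message above, the chain comes out as mxout01.kern.org → mxin06.kern.org → gator4131.hostgator.com, both public hops sit in kern.org’s address space, the timestamps are in order, and the only inconsistency is the Reply-To pointing at outlook.de. That combination (a legitimate sending path with a foreign Reply-To) is the signature of a hijacked mailbox rather than a spoofed From, which is exactly why alerting the domain owner is the right move.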
Whatever the case, I decided I wouldn’t be a good citizen of the internet if I didn’t take the time to alert them via a method that would be fitting and separate from the possibly compromised system: Twitter!
If I get a follow up, I’ll let you know. Otherwise, I feel I’ve done my part.