I received a mail from one of my clients tonight about a notice she received, supposedly from her “email service provider”. The subject of the mail read, “The settings for the firstname.lastname@example.org mailbox were changed”. Being that I am the only one that can change settings on my client’s email server, I knew there was something wrong.
Turns out that this is a scam that has been going around since at least October of 2009. A quick Google search turned up an article on the Symantec site that gives all the details. Basically, the details are as follows:
Subjects: (one of the following)
- The settings for the [TARGET EMAIL ADDRESS] mailbox were changed
- A new settings file for the [TARGET EMAIL ADDRESS] has just been released
- For the owner of the [TARGET EMAIL ADDRESS] e-mail account
- A new settings file for the [TARGET EMAIL ADDRESS]
Dear user of the [TARGET DOMAIN] mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox ([TARGET EMAIL ADDRESS]) settings were changed.
In order to apply the new set of settings click on the following link:
http://[TARGET DOMAIN]/owa/service_directory/settings.php?email=[TARGET EMAIL ADDRESS]&from=[TARGET DOMAIN]&fromname=tslreplenish
Best regards, [TARGET DOMAIN] Technical Support.
The one thing that isn’t visible in the example above is that the link in the email points to a different address than what is visible in the email. This is a classic low-tech trick used by spammers to hide the true location.
Domains observed in this campaign include the following:
okqwah.com.pl – this is the domain encountered last night, I’m sure there will be a wide variety of them to follow.
What to do if you get an email like this
- First and foremost, do NOT click the link in the email.
- Notify your web host and/or site manager (My clients should always let me know when they’ve received this kind of email.) I also request that they let me know if they have clicked the link. In the event that it’s not something that’s been identified before, we need to make sure it’s not being generated from an infected file on the server.
- Change your email password, regardless of your prior actions… it was probably time to change it anyway.
- Delete the email from your email client and/or mail server.
When in doubt, ask! I would never send such a mail to a client without my personal contact information. I normally conduct such changes while on the phone with my clients, so an email like this should automatically raise red flags.
Thankfully, my client knew better than to click a link in an email like this, and automatically forwarded the email to me to research. If you don’t have someone like me helping to manage your business on the web, you may want to consider contacting me. This is exactly the kind of information that is easily obtained through any one of my telephone consulting lines.