Ever get a notification that your e-mail account is about to be de-activated? Is it for real or a scam?
The Scam
You receive an e-mail saying your e-mail account is about to be de-activated. Click the link below if you wish to keep your account active.

The scam is amplified by the fact that it is most commonly presented on a user’s cell phone. Cell phones are not designed to present information as extensively as a desktop PC. To get around this, you are best off using a PC with your e-mail program. An e-mail program, such as Thunderbird, will present an extensive range of information regarding source data. Another option is to use your provider’s web mail service. The objective is to “View Source”, or to expose the “header” of the e-mail message, which will indicate the route it traveled to reach your e-mail account.
Analysis
Bring up the message on your PC.
Hovering over the link displays its URL in the lower-left corner of your browser window. In this case, it presents the following:

This is not easily done on your phone. “Hovering” is a bit of a trick on a smartphone screen, but is simple to do on your PC by moving your mouse-pointer over the link without clicking on it.
How can you verify if a URL is bogus or not?
The URL is a play on “words”: search results readily present links to a musician by the name of Howard Jones. It is doubtful you will find anything about howrad6jones. Looking up the domain in WHOIS, the registrant is masked (private or incomplete). The registration information is not clear about the nature of the masking, and the registrant did not provide contact information.
- First simple test — does the URL have anything to do with your email provider?
- Second, who owns the URL? You can verify a URL by looking it up in WHOIS. In this case, the registrant is masked (private or incomplete).
- Third, note that the URL is a play on “words.” howrad6jones is strangely similar to “Howard Jones”, a well-followed musician.
- Another red flag is that the domain was recently registered, last May.
Interestingly, the URL was non-responsive.
ping howrad6jones.com
ping: howrad6jones.com: Name or service not known
Most likely, as of the time of this writing, the URL has already been disabled. That’s good news. But most scam artists will only have an active URL for a very short period of time before creating a new one. They either got caught or used the link just long enough to get some payback from the scam.
Now, moving to the message itself, the e-mail “header” produces an interesting result. A “header” is the part of the email message that you typically do not see. It contains all the routing information, recording from where it was sent and through whom it was directed. One thing you can see is that the “Reply To” address is t.gr@fulcrumvp.com [1]. Once again, it is another indicator that the message had nothing to do with the email provider. It is important to note that the reply-to address may mean nothing because the purpose of the message is to get the user to click the link, not reply to the message. The reply may simply go to the ether or to some poor soul who has no idea their e-mail is being used for fraud.
But what about fulcrumvp.com? WHOIS indicates that it is registered through Perfect Privacy LLC in Jacksonville, FL. This is another red-flag – a proxy registration. Good luck reporting the abuse. I seriously doubt that t.gr exists. But the domain registration has been around since 2006. There is a website for FulcrumVP and it focuses on defense issues. They also have a LinkedIn account. At this juncture, it looks like the Reply-To address is a ruse, using a legitimate business operation as a cover. But it does not say a lot about a company that has to hide its registration data.
[Note — in the few days in which this incident was identified, researched, and written, the FulcrumVP domain does not appear in the search results, is not present in LinkedIn and Network Solutions indicates the site is temporarily not available.]
The routing shows that the message was transmitted through the Google Cloud (35… IP address series).
Received: from [10.88.0.4] ([35.229.200.231])
The 10.88 series address is inconclusive because it is “private”, but such addresses are usually allocated to large operations like major corporations, government or cloud centers for internal operations only. More than likely, this is an e-mail handler for Google.
In essence, this is a well done scam message. It appears that they have button-hooked FulcrumVP’s e-mail credentials to enable an “authenticated” trace, a digital signature that can effectively by-pass Spam filters. Digital certificates are used to verify that e-mail messages originate from verifiable sources, so in this case FulcrumVP is presumably a legit operation that utilizes Google mail services, whose credentials are used to validate the message that is dropped into your Inbox, by-passing spam filters.
The name servers for FulcrumVP belong to RACKSPACE.COM. Rackspace appears to be a legitimate operation. They at least have a phone number and their domain contacts are openly provided. And their website is quite extensive, advertising a wide range of cloud services. So, as a last resort, we can go back to Rackspace if we wish to issue a complaint.
So back to Perfect Privacy LLC. The Jacksonville Chamber of Commerce does not present very flattering information about the company. A very poor rating and two comments specifically mention hacking. But the comments stem from 2018 to 2020. Another information site notes the LLC has been operating since 2004. There are two different addresses listed for the company, both showing a modern corporate office building: 12808 Gran Bay Parkway and 5335 Gate Parkway.
Fulcrumvp is still pingable:
ping fulcrumvp.com
PING fulcrumvp.com (205.178.145.65) 56(84) bytes of data.
64 bytes from vux.bos.netsolhost.com (205.178.145.65): icmp_seq=2 ttl=242 time=36.4 ms
Here we get another clue. The responding DNS server is netsolhost.com. The IP address is owned by Network Solutions. AND – their address is listed as 5335 Gate Parkway. So Network Solutions and Perfect Privacy are the same thing?
Solving This Problem
- Write your state and US representatives and request that proxy registrations become illegal. Since many domains are registered by individuals, masking contact information is understandable. But hiding the owner of the domain masks accountability.
- Don’t use your phone to follow links in messages. Phone screens are quite small and do not present the information you need to readily see if a message is a scam or not. Reserve all link-associated inquiries to your PC. If you receive a link in a text message and it involves your bank or another important site, go directly to that site from your PC and see if the notification appears.
- If you do not have a PC and must use your phone, simply do not respond to the message as a rule. Otherwise, you can always go to your e-mail provider using your browser, access your account, and see if a corresponding message is in your notifications (they would usually tell you if you are about to be deactivated).
- If you have not done so already, register a domain for yourself or your own family. With it you should have the privilege of creating dozens of e-mail accounts and you can use these e-mail accounts to more effectively identify rogue messages. You can read more on this subject.
- Associate one of those accounts with your provider, so that all the e-mail you receive at that account should only come from that provider. You can fine-tune the account so that it will only accept messages from the provider’s domain. This does not guarantee you will not get spam, but it will dramatically reduce the probability.
Another Vote for Scoring
In my other postings I have mentioned “scoring” [2] as one means of improving e-mail and messaging security. As you can see from this case, a message got into an Inbox that would have received a very bad score. Yet the e-mail filter seems to lean heavily on whether a message is “authenticated” through the digital certificate in the header. Scoring would have exposed the message as a fraud.
- Domain registration is masked
- URL pointer did not match e-mail provider’s domain
- Reply-to utilized a different, unrelated domain
- URL name was a play on words (possibly a good application for AI to determine this)
- Message itself used bad grammar
Suggestions to email software developers: a simple score, added to the Smartphone screen, can assist the user in determining if a message is a risk or not. It does not mean it is censored, trashed or sent to the Spam folder. But it can at least inform the reader.
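The indicators listed above can be combined into a simple additive score. The following Python is an added example, not code from the author or from any e-mail product. The sample message, the provider domain example-mail.com, the hand-entered WHOIS results and the list of known names are assumptions made for illustration; the grammar indicator is left out because it needs human or language-model judgment.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the article's case. The From address, the
# provider domain and the body text are assumptions, not the real message.
SAMPLE = '''From: Mail Support <support@example-mail.com>
Reply-To: t.gr@fulcrumvp.com
Subject: Account de-activation

Click to keep your account active: http://howrad6jones.com/keep
'''
PROVIDER = "example-mail.com"                    # assumed e-mail provider domain
MASKED = {"howrad6jones.com", "fulcrumvp.com"}   # WHOIS results, entered by hand
KNOWN_NAMES = ["howardjones"]                    # names a look-alike might imitate

def lookalike(host):
    """True if the first label, digits removed, nearly spells a known name."""
    label = re.sub(r"[^a-z]", "", host.split(".")[0])
    return any(label != n and SequenceMatcher(None, label, n).ratio() >= 0.85
               for n in KNOWN_NAMES)

def score_message(raw, provider=PROVIDER, masked=MASKED):
    """Return (score, reasons): one point per red flag found in the message."""
    msg = message_from_string(raw)
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    link_hosts = {urlsplit(u).hostname for u in urls}
    link_hosts.discard(None)
    reasons = []
    if any(h in masked for h in link_hosts | {reply_dom}):
        reasons.append("domain registration is masked")
    if any(h != provider and not h.endswith("." + provider) for h in link_hosts):
        reasons.append("link does not point to the provider's domain")
    if reply_dom and reply_dom != provider:
        reasons.append("Reply-To uses a different, unrelated domain")
    if any(lookalike(h) for h in link_hosts):
        reasons.append("link domain is a play on a known name")
    return len(reasons), reasons

if __name__ == "__main__":
    total, why = score_message(SAMPLE)
    print(f"risk score {total}/4")
    for reason in why:
        print(" -", reason)
```

A mail client could show the score and the reasons next to the message without moving it to the Spam folder, which is the behaviour suggested above.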
© Copyright 2024 to Eric Niewoehner
[1] Actual name has been changed to guard confidentiality.
[2] I utilize scoring in determining legitimate websites.