
Spam money lenders: data theft, Trojans and other special features of ‘cheap’ loans


Nowadays banks and other credit institutions make big money from offering cheap loans. Millions of people worldwide prefer to buy goods and services on credit, agreeing to pay considerable sums in interest to various money lenders.

But it is not always easy to get a loan - potential borrowers must confirm their ability to meet the established monthly payment. Other terms and conditions may vary by country or the specific requirements of a financial institution. As a rule, the toughest conditions are imposed by the big banks. Small organizations and private money lenders often have fewer restrictions, and use higher interest rates to compensate for accepting higher-risk clients. However, since they struggle to compete with the scale of marketing campaigns available to big multi-national banks, they resort to electronic mailings. Quite often, these messages serve as a cloak for unscrupulous organizations whose services turn out to be far more expensive than advertised, as well as for typical Internet scams.

 

The dangers of loans offered in spam mailings

Any attempt to take advantage of a credit offer contained in a spam mailing may prove costly – and the problems can start as soon as you read the initial offer. Let’s have a closer look at the threats that unsolicited credit-related emails may pose.

  1. Phishing is an attempt to steal a user’s financial data with the help of fake web pages imitating official application forms from well-known banks. Whenever a user enters personal information on a phishing site, that data ends up in the hands of the fraudsters. The latter, in turn, use it to take out a loan in the name of the victim. The fraud is only uncovered much later, when the lender starts legal proceedings over the default in loan repayments.
  2. Voluntary provision of personal data to third parties. In this case, in order to collect information about the victim, the scammers use various plausible excuses (for example, offer their assistance in obtaining a loan) rather than fake pages. As a result, they may wangle important data – including financial information – out of the user. Even without a password to the online banking system or a three-digit card verification value (CVV), the user’s passport or contact details can be enough for fraudulent use such as drawing up false documents.
  3. Malware attachments. Quite often the scammers spread malware which imitates credit application forms or approved credit agreements. Typically, malicious programs are zipped and disguised as harmless files, for example, using a double extension. Any attempt to open the "contract" may lead to system infection and the loss of data stored on the hard drive.
  4. Spamming the email box. A response to a spam email, even made without any intention to use the services offered in the advertisement, tells the spammers that the email address really exists and is actively used (some spammers send messages to randomly generated address lists). As a result, the number of advertising messages sent to the ‘exposed’ email box will increase significantly.

In this article we will describe typical spam messages containing credit offers and analyze their main components.

 

Main characteristics of the emails

Credit spam is distributed worldwide. Regardless of the language, messages of this type are very similar. Of course, there are some variations from country to country, but these are mostly related to the economic situation and credit legislation in these places.

The subject of the email

The heading of the email containing a credit offer is usually a clear indication of its content. In fact, it is a business proposition so the subject of the message gives a brief account of the key information.

The most common English-language headings contain the phrases urgent loan, get a loan and the loan offer, very often featuring the interest rate. German-language headings have even fewer words; everything is clear and concrete without any unnecessary details: Darlehen / Kredit / Finanzierung Angebot.

 

The From field

Credit spam mainly arrives from addresses registered on free email services. Spammers can hack users’ mailboxes and put the hacked addresses in the From field, or generate addresses automatically in large quantities, without worrying about disclosing their identity or about the addresses being blocked by anti-spam filters.

The From field may contain an individual name - which most likely is unknown to the recipient (Paul) - or a name and a surname (Jerry Brown, Kim James) or the name of the financial organization which allegedly sent the email. Quite often the sender's name is substituted by the word "credit" or a phrase containing this word (LOAN SERVICE, KREDIT). Sometimes the From field contains a random selection of letters and numbers generated automatically which is one of the common features of all spam.

 

The content of the email

The text of a credit message can be informative and detailed, or very short, simply asking the recipient to reply to the indicated address if interested in the offer.

 

All the emails have common features that are typical both for this type of unsolicited correspondence and spam in general.

The form of address

Credit spam almost never addresses itself to an individual reader. Instead spammers use brief impersonal greetings such as “Good day”, “Guten Tag”, “Hallo”, “Ich grüße euch”. Another common trick is to address the recipient as a potential client: “Dear Client”, “Dear Valued Client”, “Sehr geehrter Kunde”. The use of the recipient’s real name is highly unlikely.

The promises

Credit spammers want to attract potential clients by promising them large sums of money (sometimes up to several million in cash) which can be granted in a short period of time (from several hours to a couple of days) without any pledge or guarantors, or any certificate of income and a minimum number of documents. Some creditors even claim that there is no problem if previous attempts to get a loan from a well-known bank ended in failure.

Spammers like to use aggressive advertising. They often highlight important phrases visually (in a different font or color) for heightened psychological impact: for example, to make recipients believe that they badly need a loan and have to get one immediately. Previous unsuccessful applications are explained away as unfair errors, whereas now everyone is happy to help.

 

The authors of spam messages do not always give out money themselves. Sometimes they act as intermediaries. They promise to forward the user’s application to several banks, suggesting strong competition will lead to highly favorable terms even if the sum of money is merely enough to buy a new sofa.

Spammers offer not only cash loans but also credit cards with generous credit limits, backed up by well-known banks. However, such offers often conceal a phishing attack.

 

Sometimes the user receives a message like this: "Your loan has been approved, the assigned number is ***, you may pick up the money by sending us the details of your bank account to which the sum will be transferred." The authors’ idea is simple: recipients will be interested in a loan (even though they probably never applied for a loan in the first place) which is offered without going through the standard paperwork, and will send their bank account information to the fraudsters.  

 

Geographical peculiarities

German-language credit spam has a very specific feature. Germany has a specialized financial institution called SCHUFA. It is one of the world’s largest credit bureaus, and it accumulates information about every bank account in the country as well as loans and other debts. SCHUFA uses this data to assess the reliability of any individual, and it is here that German institutions seek advice before deciding whether to grant a loan. Therefore, if a person already has a large unpaid loan, he stands little chance of getting a new one.

 

Officially, all decisions on loans, all inquiries and inspections must pass through this organization. However, the German-language credit spam offers the borrower any sum without a SCHUFA certificate, i.e. bypassing the reliability test. It means that any person can get a loan, even someone who was earlier turned down by the bank. These offers usually come from foreign companies and rely on the fact that the loan will be drawn up outside of Germany in compliance with different, less rigorous laws.

 

Spammers often try to hide offers made without the SCHUFA certificate. For example, the email may be designed to look like a newsletter in which one piece of news describes the consequences of obtaining credits without the SCHUFA certificate. The message contains a link to a story which resembles a small analytical article. However, below it on the same page is a link leading to credit offers without SCHUFA approval.

 

Links

These messages often contain short links to pages where the recipient can fill in a credit application form. The email promises that soon afterwards a manager will call the potential client on the number submitted via the application form, and the process will continue in person. Typically, these links vary from email to email and redirect the user to sites specifically created for promotional purposes.

 

The links may also lead to popular online services visited by many users. Sites like YouTube contain huge numbers of adverts like this. When ordering spam mass mailings, companies often make commercials to promote their services and upload them onto YouTube. Then they send emails containing the link to the video to a large number of users. This example (see below) introduces a loan company and provides the details of its favorable credit terms.

 

Feedback

To get in touch with the lenders and find out more about the services the recipient is usually invited to choose between the following options:

  • to reply to the message;
  • to reply to a different address (supposedly personal and with a free email service such as Yahoo Mail, Hotmail, Gmail, etc.);
  • to fill in an online application form with a contact phone number (and sometimes passport data);
  • to call a number (often mobile) specified in the email.

The second point on the list does not inspire great confidence in the email address, while the last suggests that the lender does not have an office which casts doubt on the quality of its services.

Attachments

Credit emails often include additional attachments. This can be an Adobe PDF or Microsoft Word file containing an advert about the credit organization on behalf of which the email was sent, a detailed description of the offer and the terms of the loan as well as contact information. Sometimes these attachments just contain a credit application form where recipients are asked to enter their personal information such as their phone number, their email address and even their passport details.

 

Please remember that opening text documents from an unfamiliar sender is risky because they may contain a virus that is launched with the help of macros (so-called macro viruses). Therefore, we strongly recommend users perform an antivirus scan of any unknown file before opening it, even if it is a text document.

An attached ZIP archive is even less trustworthy as it often contains malicious software imitating a text or a graphic document. Especially suspicious are the emails which do not contain anything at all (not even advertising text) but an attached archive. Here the only thing that identifies the credit offer is the heading of the email. The authors of such messages just hope the recipient will open the attachment for more information.

 

The above example shows an email with an attached archive containing a malicious program detected by Kaspersky Lab as Trojan-PSW.Win32.Tepfer.pate. It is designed to steal confidential information, specifically the data for managing bank accounts. During startup of the computer this malicious program searches for the necessary information in the system files and the registry and, if successful, sends the harvested data to its "owner."
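The indicators described in the sections above (loan phrases in the subject, a free-mail sender, a reply address that differs from the sender, an impersonal greeting, and an archive-only message hiding a double-extension file) can be checked mechanically. The sketch below is an added example, not Kaspersky Lab's detection logic; the phrase lists, the free-mail domain set, the extension lists and the addresses in the constructed sample message are assumptions chosen for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed lists, taken from the phrases and services quoted in the article.
SUBJECT_PHRASES = ("urgent loan", "get a loan", "loan offer", "darlehen", "kredit")
GREETINGS = ("good day", "guten tag", "hallo", "dear client", "sehr geehrter kunde")
FREE_MAIL = {"yahoo.com", "hotmail.com", "gmail.com", "live.com"}
# A document-like extension followed by an executable one, e.g. "contract.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|rtf|txt|jpe?g)\s*\.(exe|scr|com|pif|bat|js|vbs)$", re.I)

def address(header):  # bare lower-cased address from a From/Reply-To header value
    return parseaddr(str(header or ""))[1].lower()

def credit_spam_indicators(raw):
    """Return the list of indicator names found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if any(p in str(msg["Subject"] or "").lower() for p in SUBJECT_PHRASES):
        hits.append("loan-subject")
    sender, reply_to = address(msg["From"]), address(msg["Reply-To"])
    if sender.rpartition("@")[2] in FREE_MAIL:
        hits.append("free-mail-sender")
    if reply_to and reply_to != sender:
        hits.append("reply-to-differs")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part else ""
    if body.lower().startswith(GREETINGS):
        hits.append("impersonal-greeting")
    for att in msg.iter_attachments():
        names = [att.get_filename() or ""]
        if names[0].lower().endswith(".zip"):
            if not body:
                hits.append("archive-only-message")
            try:  # read member names only; nothing is extracted or executed
                with zipfile.ZipFile(io.BytesIO(att.get_content())) as zf:
                    names += zf.namelist()
            except zipfile.BadZipFile:
                hits.append("unreadable-archive")
        if any(DOUBLE_EXT.search(n) for n in names):
            hits.append("double-extension")
    return hits

def build_sample():
    """Constructed message: the ZIP member is inert text with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("loan_contract.pdf.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "LOAN SERVICE <sender@yahoo.com>"
    msg["Reply-To"] = "other@live.com"
    msg["Subject"] = "Urgent loan offer"
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="contract.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(credit_spam_indicators(build_sample()))
```

Each indicator on its own is weak (plenty of legitimate mail comes from free services), so the returned list is best used as input to a score or a quarantine rule rather than as a verdict.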

Who offers the credit?

Credit spam is sent on behalf of several categories of lenders:

  1. An allegedly official credit institution

These messages contain eye-catching adverts with a company logo. The lenders provide their contact details - a registered address, phone numbers, an e-mail address (often registered on a hosting from a fly-by-night domain). The email often has an attached brochure duplicating the company’s contact information and offering more details about the services on offer. The recipient can apply for a loan by calling the indicated phone number or sending an email to the specified address (which may not be the same as the address of the sender of the initial email).

 

  2. Credit brokers

The senders of unsolicited emails often introduce themselves as mediators who can help the recipient secure a loan. These organizations undertake all the paperwork and usually have a working relationship with certain creditors. They are actively looking for potential clients for their partners and work for a commission which is typically included in the credit rates. In this case the client risks being lured into a disadvantageous deal and overpaying for the loan.

 

  3. Individuals

As a rule, a credit offer from a private person begins with the introduction of the sender and looks something like this: "I am Mr. So-and-So, a private investor. I give out loans at a low interest rate. If you are interested in my offer, contact me via email, provide your personal information and specify the sum of the loan and the interest rate". This is one of the most common types of credit spam, but regardless of the language in which it is written, the creators of the emails adhere to the above template.

 

Private lenders send their offers around the world, duplicating the text of the email in different languages. The text of the email is usually translated from English using Google Translate or similar services. As a result, the words and sentences in the text do not agree grammatically and stylistically, but the meaning can be understood from phrases like "the loan to anyone who needs it". The means of contacting the potential lender is also clear from the context: "Send your request to ххххх@live.com" or "Please send back the information if you're interested in the offer".

 

  4. Charitable organizations

Some senders introduce themselves as charity or Christian organizations that help the needy. Such messages may contain quotes from the Bible to look more convincing.  

 

  5. Anonymous senders

Completely impersonal messages with the text like "giving out money" or "We offer credit" are also very common. Apparently, the recipient will learn who "we" are and what the terms of the loan are when taking the risk of replying to this dubious offer.

 

  6. Well-known banks

An email allegedly written by a representative of one of the famous banks should put a recipient on guard: respected banks would not damage their reputation by advertising services via spam, nor send credit offers to people who have never been their clients. As a rule, these are phishing messages. The fraudsters include a credit application form or a link to it in the email. If recipients swallow the bait and fill in the form, their personal information will go directly to the fraudsters. The phishing page may well contain the logo of the bank on behalf of which the email has been written and look like a section of the official website of the bank. However, the recipient should pay attention to the sender’s address and the link in the address bar of the browser on the page with the application form - most likely they will have nothing to do with the official details of the bank.

 
An example of a phishing page

  7. Lenders from social networks

Spam distributed via popular social networking sites such as Facebook, LinkedIn, etc. is worthy of special mention. In this case the unsolicited advertisement is sent to the user in the form of a personal message from an unknown contact and the users receive a new message notification on the email address associated with their social network accounts. The content of these personal messages is nothing but spam, featuring everything discussed elsewhere in this article.

 

Protective measures

It is not difficult to avoid the dangers posed by credit spam.

First of all, don’t leave your personal information on dubious sites or fill in HTML forms delivered from unknown senders, especially if your computer is not protected by an antivirus program which can promptly identify a fraudulent link and block it. Do not offer your personal data to third parties when entering into correspondence with an unknown person, especially if you are asked to send a reply to some different address from the sender’s address. Ignore any excuses about confidentiality or similar claims that your correspondent makes by way of explanation.

Secondly, do not run executable files or open attachments, especially archives and office documents (in extreme cases, only do this after getting a safety verdict from the antivirus program). Spam does not offer anything of genuine use to most people, but it does provide a valuable cover for malicious programs imitating Office documents in the hope of forcing its way onto your computer.

Finally, it is never a good idea to enter into correspondence on financial issues with unknown companies and private lenders. Anybody circulating an offer on the off-chance and hoping that someone might respond is unlikely to be a legitimate, reputable financial service provider. There is no profit in organizations with legitimate income offering loans at “extra low interest” if they can invest the money at a genuine financial institution with higher rates and far greater security. The low interest on offer is, most likely, a misleading figure; once they are signed up, borrowers will discover significant extra costs in the small print – if they ever see the money at all. 

