Warning: Correspondence from “Harcourt Management LLP”

If you have received any faxed correspondence from “Harcourt Management LLP” in relation to a supposedly unclaimed inheritance, bin it. It is a scam.

I see loads of people online asking questions about the legitimacy of this fax. It is a fake. Keywords to check:

  • Edward Baach JD
  • Harcourt Management LLP
  • Harclaw
  • HarclawLLP
  • Gilmoora house
  • Fax +44 207 806 8315
  • Edward@harclawllp.com
  • Ph +44 742 403 1888
  • edbaach2020@gmail.com
  • www.harclawllp.com
  • info@harclawllp.com
  • charituiti@mail.com
  • Mark Dewing of 89 Nile Road, Bunbury, Western Australia as the registrant of www.harclawllp.com

Don’t communicate as directed on the fax. They will ask you to fly over to London to sign paperwork and from there, who knows, but it will end badly.

Scams are getting more and more sophisticated. They are getting trickier to detect and look more convincing.

I have personally received such a scam this week and, after research online, I can see that this scam is just starting to occur and is more widespread than I thought.
It is for this reason that I am bringing this to your attention and am going to tell you how I confirmed it is a scam.

Always remember,

If it is too good to be true, it’s likely not true!

That should be your first test. Is what you have received bordering on the unlikely, unbelievable and unfathomable?

At our office, we have received a fax (not an email, a fax). It is directed at me and refers to very real family heritage in the UK.
It promises big rewards and no risk (first test failed!).

It is a targeted attack. They have the correct name, correct fax number and correct family lineage.
They have done some research.

Please refer to this image (a copy of the fax). See if it fails your first test.

I am on a number of historical websites, my name is on our business website and so is the business fax number. This could still be a real fax offer.
So why do I suspect it is not real? Here are lessons you can use on any scam that comes your way!

I will mark the items on this list that need an IT person to check (“IT Help required”). Not all of this will be easy for a non-IT person to review.

Firstly, why did I get this fax? Why not my father, cousins or uncles? Surely someone other than me would be in line to receive any money before me?

  • Locating the website on the paperwork (harclawllp.com) and emailing the addresses listed on it, many of the emails bounce (mailbox unknown). A real company would not let its info@ address bounce.
  • Looking at the registration for the website, it was registered 28 days ago, yet the website carries date stamps from 2011. (IT Help required)
  • Looking at the HTML source of their website, I can clearly see that the site has been ripped from someone else’s website and had the text changed. (IT Help required) (From the source code, it seems the design was a template taken from www.18carltoncrescent.co.uk/areas_of_work)
  • The Lady Justice logo on the fax looks grainy, not at all professional.
  • The fax switches between several fonts. Not professional.
  • No mention of where the deceased person concerned actually worked or which “top insurance agency” was involved.
  • The fax claims to come from the UK and the stamp on it agrees; however, the fax report printed at our machine showed an Australian sending number.
  • The website was registered by someone in Western Australia. (IT Help required)
  • The Western Australian registrant comes up in Google as hosting other scam sites.
  • Looking up the Law Society in the UK (via Google), Harcourt Management LLP does not exist. ( https://www.hg.org/firms-united-kingdom.html )
  • Googling Edward Baach JD, he does not exist (at least not as a barrister or solicitor).
  • Reputable businesses rarely communicate via a Gmail account, especially when they have business addresses @harclawllp.com.
  • Mixing Gmail and harclawllp.com email addresses on the same fax looks bad.
  • A Gmail account with “2020” in the address looks wrong for a business.
  • Overuse of exciting logos, barcodes, rubber stamps and watermarks.
  • There are two different contact phone numbers on the fax. Googling brings up neither. Law firms would advertise their numbers.
  • The website is very sparse and was very recently registered: https://domain-status.com/archives/2018-4-10/com/registered/108 and https://www.whois.com/whois/harclawllp.com (IT Help required)
  • There is no online mention or obituary for Arthur Jenkin. Being such a wealthy person, surely there would be something in a newspaper.
  • There is no reference (in Google) to a person of this name in London or working for any energy company.
  • My family name in the fax is in bold and has an unusual number of spaces after it (it looks like a mail merge).
  • LinkedIn found the company name ( https://www.linkedin.com/company/harcourt-management-limited/?originalSubdomain=au ); they are in real estate, not law.
  • Searching further for the company ( https://beta.companieshouse.gov.uk/search?q=harcourt+management+LLP , https://beta.companieshouse.gov.uk/company/06682592 ), the address that comes up does not match.
  • Emailed Gilmoora House (the address on the fax); they say there is no tenant of that name.
  • Googled and found others online trying to establish if this guy was a scammer.
  • I emailed the staff listed on the website’s staff page (using secondary contact information I found via Google). Each one said they did not work there and that their images and credentials were being used fraudulently.
  • Clicking Edward Baach JD on the website goes to a William Baach?
  • This fax was “highly confidential”, yet it was faxed to a business where 12 people could read it before it got to my desk … how could he expect a fax to be secret?
  • The servers for the website are in Russia. https://db.aa419.org/fakebanksview.php?key=129289 (IT Help required)

Harclawllp.com is a 28-day-old domain, situated in the Russian Federation. The domain is linked to the IP address 77.222.62.67.
Registration details show that it was registered on 10 Apr 2018 through PDR Ltd. d/b/a publicdomainregistry.com and will expire on 10 Apr 2019.
The site returns a status code of 404. The site is being served through nginx/1.9.12.

So, without a doubt, this is a scam. I played along. I emailed the harclawllp.com address, only to be told “please use Gmail”.
I reviewed the email header (IT Help required) and noted that they are using an email platform called Zoho; it is hosted email in the UK. It is often used for spam attacks.

I then made contact via Gmail. I reviewed the email header (IT Help required) and noted that Google lists the email as coming from a Russian address and that webmail was used to send it.
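One way to make the header review above repeatable, as an added example that is not part of the original post: a small Python script that checks a message the way the post does by hand, comparing the From and Reply-To domains, flagging free webmail and year-suffixed addresses, spotting a browser (webmail) sending hop, and pulling the earliest IP out of the Received chain. The sample message, its relay names, timestamps and IP addresses are constructed for illustration (documentation ranges); only the two sender addresses are the ones printed on the fax.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers a law firm would not normally use for client correspondence.
FREEMAIL = {"gmail.com", "mail.com", "yahoo.com", "hotmail.com", "outlook.com"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: relay names, IPs (documentation ranges) and times are made up;
# only the two sender addresses are the ones printed on the fax.
SAMPLE = """\
Received: from relay.example.org (relay.example.org [198.51.100.5])
    by mx.example.net with ESMTPS id k7si; Tue, 10 Apr 2018 09:00:03 -0700
Received: by relay.example.org with HTTP; Tue, 10 Apr 2018 09:00:02 -0700
Received: from [203.0.113.77] by relay.example.org with ESMTPSA; Tue, 10 Apr 2018 09:00:01 -0700
From: "Edward Baach JD" <edward@harclawllp.com>
Reply-To: edbaach2020@gmail.com
Subject: Re: Unclaimed inheritance

Please use gmail.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_headers(raw_message):
    """Apply the sender-consistency checks from the post to one message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    received = msg.get_all("Received") or []
    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-domain-mismatch")  # firm address, but replies go to Gmail
    if from_domain in FREEMAIL or reply_domain in FREEMAIL:
        flags.append("freemail-address")
    if re.search(r"(?:19|20)\d{2}@", parseaddr(msg.get("Reply-To") or "")[1]):
        flags.append("year-suffixed-address")  # e.g. ...2020@gmail.com
    if any(" with HTTP" in hop for hop in received):
        flags.append("sent-via-webmail")  # hop added by a browser-based mail client
    # Each hop prepends its own Received header, so the last one is the earliest hop;
    # the first bracketed IPv4 found walking backwards is the origin candidate.
    origin_ip = None
    for hop in reversed(received):
        match = IP_RE.search(hop)
        if match:
            origin_ip = match.group(1)
            break
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "origin_ip": origin_ip, "flags": flags}
```

Run `analyse_headers(SAMPLE)` to see all four flags raised for the constructed message; the origin IP is a starting point for a geolocation or blocklist lookup, not proof of where the sender sits.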

This just further adds evidence to this being a huge scam.

The person replying was doing so in broken English. I would suspect that this is not how a lawyer would respond.
In the communication with the remote person, they tried to put pressure on me to allow them to sign documents in my name, documents unseen.
They also wanted my banking details. They then wanted me to fly to the UK next week to meet with him. (All designed to put pressure on me and stop me thinking clearly.)

I asked the person if family living in London could meet with him as my proxy; he said no, although the fax stated he only came to me due to my last name. Weird. Surely a local “Jenkin” would be better.
He has now tried to convince me to set up my own Gmail account as it is “more confidential”.

I am still in communication and gathering as much detail as I can for a police case.

I have taken this a lot further than the average person would; however, this has become a classic example of what to look out for.

Hopefully this will help you all be careful with scams and be able to detect them early, or else, after further research, determine that they are a scam.

Always remember,

If it is too good to be true, it’s likely not true!

HP laptop with random beeps

We have a laptop which randomly beeps. Three beeps. We have solved the problem, but in case others have it, here is the description.

It is an HP EliteBook 9480m running Windows 7 (but that is not relevant).

We had HP change the battery, keyboard, mainboard and more. Still beeps. Booted into Safe Mode: beeps.
Ran all kinds of HP diagnostics; nothing appears to be wrong. Imaged the contents to another EliteBook 9480m laptop: it does not beep.

Back to the beeping laptop: uninstalled all HP software (it was a fresh Windows install). Still beeps.

Tested the beep character at the command line; it sounds different. Tested a beep through the sound card; it sounds different. The mystery beep sounds like a BIOS default beep.

Disabled the Beep device and the sound card. Still beeps.

Started to listen for where it was coming from; there are no speakers near there.

It was the hard disk. If you listen very carefully you can hear a short mechanical sound and then the beep. The beep sounds so much like a BIOS beep that we were totally on the wrong track. Does the hard disk have a tiny speaker? Doubt it. I suspect the arm in the hard drive is making a noise that sounds like a beep.

How weird.

Now that I look online knowing this, I find many others pointing to the hard disk.

I guess after the fact it is always easier to Google and find answers, knowing the final fault 🙂

Exchange 2010 EMC not opening “The WinRM client cannot complete the operation within the time specified”

When I open the Microsoft Exchange EMC on a server, the following error message is displayed.

Initialization failed

The following error occurred when getting management role assignment for ‘domainname.local/MyBusiness/Users/SBSusers/Administrator’:

Processing data for a remote command failed with the following error message: The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled. For more information, see the about_Remote_Troubleshooting Help topic.

Click here to retry

There are no additional errors in the event logs. The server is running Exchange 2010 SP2. No proxy is configured. Windows Update is up to date. Windows Firewall is off.

Exchange is still functioning, but there is no management of the service.
The first lead I found, here, suggested antivirus:

https://social.technet.microsoft.com/Forums/exchange/en-US/a675a48e-75a3-43c7-b99b-ec86527adb1d/emc-initialization-failed-with-winrm-error-exchange-2010-sp2?forum=exchange2010

As the site is using Trend Micro Worry-Free Business Security Advanced, I opened the TMWF console, created a new Server container, dragged the server into it from the old container, refreshed the client on the server, and can now access the EMC.

Now that I know what caused it, looking over the Trend knowledge base reveals the cause: http://esupport.trendmicro.com/Pages/Unable-to-access-Exchange-2010-Management-Console-.aspx

The issue of not being able to open the Exchange Management Console can occur when there is no Internet connection after a server restart.
This can affect any server coming up without an Internet connection, as the default configuration of the antivirus software on the server is to check with the Internet before allowing the connection to the EMC.
You can change this behaviour by following the steps in the Trend KB article.

The issue occurs because the proxy hooks the Exchange 2010 management console query URL, and the query fails to get a Web Reputation score from the Internet because there is no connection.

To resolve the issue:

  1. Ensure that the Exchange Server has an Internet connection.
  2. Log on to the Worry-Free Business Security (WFBS) web console.
  3. Go to Security Settings > Add group.
  4. Under Group type, select Servers.
  5. Specify a name for the group.
  6. Click Save.

Note: The created group will have the default settings if the Import settings from group check box is unticked.

  7. Disable the Web Reputation and URL Filtering features for the newly created group:
  8. Go to Security Settings, then select the new group.
  9. Click Configure.
  10. Select the Web Reputation tab and untick Enable Web Reputation for In-Office and Out-of-Office.
  11. Click Save.
  12. Select URL Filtering and untick Enable URL Filtering.
  13. Click Save.
  14. Move the Security Agent of the Exchange 2010 Server into the group you just edited:
  15. Go to Security Settings and select the server group where the Exchange Server 2010 is currently listed.

Note: This step refers to the Exchange Server Client/Server Security Agent and not the Messaging Security Agent.

  16. Drag and drop the selected Exchange Server to the group you created.

Should I tell someone about eCrime??? YES!!!!

I know that I am in Australia and my experience might not reflect other countries, but I say yes. If you have had an eCrime committed against you (not your general virus or malware), then REPORT IT!!!

The more you report, the more the problem is taken notice of, the more investigation happens.

My post today to Facebook:

A win for the good guys.

We had a business client scammed out of a large amount of money through an email.
We pursued it. We recommended and assisted in filling in the eCrime report.
We pushed it along. The police told the client nothing would come of this. The client also felt that they were banging their head against a wall.
Well, today they received notification that the money is about to be transferred back.
We helped chase the criminal through the Czech Republic and into Spain.
Now the person is cornered and my client has been offered a chance to be there in court and be a part of the process.

Reporting eCrime is the smart choice! Things can happen!!!

Microsoft Access Runtime 2007 error 2950 yet database location is trusted???

An error 2950 normally means that your database is in an untrusted location on your hard drive (not always … but normally).

Refer to https://support.microsoft.com/en-us/kb/931407

You can normally fix this with a registry edit, e.g.

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location0]
AllowSubFolders (REG_DWORD) = 1
Path (REG_EXPAND_SZ) = "C:\Your Path\Your Program\"

(Location0 can be any key name you like).

What do you do if this does not work and the dreaded 2950 error continues?

a) Look for an error in the macro/VBA code in your Access file. There is loads of information online on how to sort this out.

b) Look for other resources you need. (What ???)

I know it sounds fairly obscure; however, here’s an example from my own troubles with “2950”.

I copied the database into C:\Windows as that is trusted.

I double-clicked the file and it went looking for Excel.exe, could not find it, and then gave the 2950 error. I never saw the Excel.exe error when the Access file was in its original location.

I downloaded the MS Excel Viewer and renamed the viewer executable to Excel.exe, then ran my Access file. Not only does my database now open, but all the macros run. I put the file back into the original trusted location and there is still no error 2950.

All this time my Access database was looking for Excel. Now it works.

Never underestimate what your Access file is looking for. 2950 does not always mean your program is in an untrusted location!

New Encryption Virus: Ransomware : CryptoWall v 4.0

WARNING: New, very dangerous virus that can cripple your business
Summary of things to do:

  • Don’t open attachments in emails you are not expecting (at work and at home).
  • Pass this warning on to others; teach them the same practices you follow.
  • Do not visit websites you do not know or trust.
  • Do not trust Word (DOC), Adobe (PDF) and other email attachment files.
  • Do not forward unusual emails on to other staff members.
  • Do not ignore weird pop-ups, or things that are running slowly or behaving a little “strange”.
  • If you start finding files on your system coming up as “corrupt”, call your IT!
  • If you start seeing files on your own machine having their names changed or no longer opening, unplug your machine from the network immediately and call your IT.
  • Make sure you have a backup that is removed from your network daily. It must be powered down and not plugged in. (Dropbox, SkyDrive and the like do not count.)
  • Ask your IT to block .JS, .CHM, .EXE and other known attack file types from coming in via email (if you have this feature available).

A new ransomware dubbed “CryptoWall 4.0” has been found.
This new virus circumvents current antivirus and has new features such as encrypted file names.
CryptoWall continues to use the same e-mail and website distribution methods as previous versions. The samples we analysed were pretending to be a resume inside a zipped e-mail attachment.
These resumes, though, were actually JavaScript (.JS) files that, when executed, would download an executable, save it to a temporary folder, and then execute it.
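The zipped .JS “resume” is exactly what the attachment blocking suggested in the summary above is meant to catch. As an added example (not code from the original post), here is a Python check of the kind a mail gateway could run: it opens a constructed sample message, looks one level inside zip attachments, and reports any member whose final extension is on a block list. The block list extends the post’s .JS/.CHM/.EXE with other script types that also run on double-click; that extension of the list is my assumption.

```python
import io
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The post asks IT to block .JS, .CHM and .EXE; the remaining script/installer
# extensions here are my own additions, chosen because they run on double-click too.
BLOCKED = (".js", ".jse", ".chm", ".exe", ".scr", ".vbs", ".wsf", ".hta", ".bat", ".cmd")
ARCHIVES = (".zip",)  # the sample resume arrived zipped, so zip members are inspected


def risky_extension(name):
    """Return the blocked extension a file name ends with (so 'resume.doc.js'
    is caught by its final suffix), or None if the name is not on the list."""
    lowered = name.lower()
    return next((ext for ext in BLOCKED if lowered.endswith(ext)), None)


def inspect_message(raw_bytes):
    """Return (attachment, zip member or None, reason) for every part to block."""
    findings = []
    for part in message_from_bytes(raw_bytes).walk():
        filename = part.get_filename()
        if not filename:
            continue  # message bodies and multipart containers have no file name
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for member in archive.namelist():
                        ext = risky_extension(member)
                        if ext:
                            findings.append((filename, member, ext))
            except zipfile.BadZipFile:
                findings.append((filename, None, "corrupt-archive"))
        else:
            ext = risky_extension(filename)
            if ext:
                findings.append((filename, None, ext))
    return findings


def build_sample(member_name="my_resume.doc.js"):
    """Construct a test 'resume' message whose zip holds one file (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, "// constructed placeholder content\n")
    msg = MIMEMultipart()
    msg.attach(MIMEText("Please find my resume attached."))
    attachment = MIMEApplication(buf.getvalue(), Name="resume.zip")
    attachment.add_header("Content-Disposition", "attachment", filename="resume.zip")
    msg.attach(attachment)
    return msg.as_bytes()
```

`inspect_message(build_sample())` reports the .js hidden inside resume.zip, while the same message with a plain resume.pdf inside passes; nested archives deeper than one level are deliberately not opened here.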

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions.  From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

We have passed along a sample of this virus to Antivirus companies and they are working towards a solution.

This virus was first reported on the Bleeping Computer forums.
For those who want more technical detail:
When installed, CryptoWall 4.0 will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Startup Repair.
It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.
Once it has completed encrypting your files, it will launch the ransom notes that explain what happened and how to purchase the decrypter.

The more people you pass this blog on to, the more you can help stamp out these types of threats. Reducing the likelihood of this virus being triggered reduces the virus writers’ payday.

SAVE THE DAY, REDUCE THEIR PAY DAY!