Let’s Play… Scam Or Not?

Spammers and scammers are flooding the mail system with fake messages that are, for instance, “from DHL”. Just by sending out an enormous amount of messages, they will inevitably hit somebody who’s actually waiting for a DHL package and possibly get the scam rolling.

Some people leap to the conclusion that there must be a data breach somewhere, because it seems so unlikely that a scammer would target them just while they’re waiting for a package — but it’s just a numbers game. Nobody is really targeted. And you can usually tell that it’s a scam mail, since DHL has SPF, DKIM and DMARC set up, so the From address is usually something nonsensical and definitely non-DHL-ey.

But yesterday I got this email:

And, yes, I’ve ordered a new laptop from Lenovo, and it is a Thinkpad X1 Carbon Gen 10, and it is currently being shipped by UPS. So surely this can’t be a scam, can it?

But message is from notifications@lenovo-eu.narvar.com. Which is… er… not Lenovo, or UPS. The MAIL FROM is @spmailtechno.com. Which is something else again. And the Reply-To header says noreply@lenovoeu.be:

Which… doesn’t seem to exist?

The link to track the package does not point to UPS, either, but to:

etc. And clicking on that link and opening it in Firefox gives me:

So this is totally a scam, right? Somehow? No matter how unlikely? Or has there been an actual data breach at Lenovo or UPS or somewhere?

But nope — the order number is actually my order number, and following the link eventually takes me to https://tracking.narvar.com/lenovo-eu/. Which Lenovo wants me to look at instead of the actual UPS tracking page, for some… strange reason:

OK, the reason isn’t so strange after all: Lenovo just wants to push more ads at me while I’m reloading the tracking page, and they can’t do that on the UPS tracking page.

Nice going, Lenovo — you’ve chosen a system to communicate with your customers that makes it virtually impossible to say whether the customers are being scammed or not.

*slow clap*

3 thoughts on “Let’s Play… Scam Or Not?”

  1. This is unbelievable! When it comes to spam and phishing we’re doomed – it seems everyone is teaching their users to get phished now. Why would Lenovo do this? Why is everybody doing ads now? Why do they even need to do this, you already bought an actual, physical product from them, didn’t they make enough money on that already?

  2. A popular thing in larger companies these days is to pay for another company to send fake phishing emails to the employees, to teach us to report real phishing emails.

    If I was to try and phish somebody today, I would definitely pretend to be a anti-phishing training company tasked with training users, and then making them jump in my ruse.

    Coming up with the original business plan and executing it is not bad either – the more phishing, the more training needed, so let’s throw money at the company providing the training, they definitely have no incentive to keep phishing going…

  3. Same experience here! Thanks for the post. I want to add that Lenovo has to get rid of UPS delivery!! the service is a headache!!

Leave a Reply