Aker Kvaerner Fraud Attack
Jump to: DANGERS and SOLUTIONS
Article: Can a big company, Aker Kvaerner, be fraud-attacked by scammers?
Short Answer: Yes, it can. But there are ways to fight back. And Oil Offshore Marine is always on alert.
Long Answer: What follows is a case-study on how internet scammers try to fraud a company (name, trademarks, copyright, brand, credibility) by using, well... the same company's internet domain name. Continued below...
!!! This information is Oil Offshore Marine's Research Work and it is protected by exclusive copyright; you can of course read it but you cannot copy it without our written authorization. If you wish to take any information and use it for online websites or printed materials, all you need to do is send us an email and we'll authorize you, free of charge, to use it; we will issue a written authorization - lacking a written authorization from Oil Offshore Marine, you are simply breaking the copyright laws and you shall be liable to us for copyright infringement and any damages.
[Note: Oil Offshore Marine is a Leading Oil & Gas Recruitment Center. One of our divisions is constantly performing extensive research in internet-related areas: job scams, frauds, phishing, identity-theft, so that we detect all possible illegal activities regarding international companies and jobseekers. One of the pages where we inform the public about our research results is this: Beware Job Scams]
If you pay a visit to www.akerkvaerner.com (and if you don't already know who Aker Kvaerner is) you will see a nicely designed website, good layout, lots of content and information, and thus credibility.
Let's say you get an email from email@example.com [or from firstname.lastname@example.org]. You have every reason to trust the email (from email@example.com) was indeed sent by someone at Aker Kvaerner, right? You also have every reason to trust the email (from firstname.lastname@example.org) comes from someone having access to this email address, thus it must be a person employed by Aker Kvaerner, right?
Internet scammers have found a way to attack Aker Kvaerner. How, you ask? By using Aker Kvaerner's own domain name, that is, by using akerkvaerner.com. IMPOSSIBLE! you say. Well, Oil Offshore Marine shows you it is not impossible.
Job Scammers have put Aker Kvaerner under attack by illegaly using its domain name, akerkvaerner.com. How did they do it?
Let's analyze a situation (all supporting documentation - snapshots, can be found at the bottom of the page). Analyze each step below:
1. Someone (note, we don't say "an Aker Kvaerner employee") sends you an email from email@example.com.
2. In your Inbox, the email appears as coming from Aker Kvaerner, and the sender's email address is firstname.lastname@example.org
3. You open the email. Here's what you see:
""Subject: AK JOB OPENNING!!! From: "Aker kvaerner oil and Gas Company" email@example.com Date: Sat, August 11, 2007 6:37 pm To: undisclosed-recipients:;""
4. Now you may have some doubts if Aker Kvaerner sent you this email. How come did they sent the email to you. You scroll down and read the full email, such as this one:
""Aker kvaerner oil and Gas Company Human Resource Department
1 East End Square Warrington, SW1Y 4PD
Could you be the right person for this job offer? What if our
judgement was wrong? You might want to try your hands on it but
are only looking for professionals with exceptional expertise, highly spirited
individuals who are ready to take up a rewarding challenges in the
oil and gas industry.
Aker kvaerner,a well established and reputable oil/gas company with
rapidly growing wide network of outlets around the world, seeks to attract
resourceful individuals craving for a refreshing opportunity yet
characteristically possesses the skill and uprightness to excellently
METHOD OF APPLICATION
- All interested candidates should reply via mail with updated
- Interested applicants must specify job location.
- Only applicants who possess the required qualifications will be
short-listed whence consequently contacted.
All Resumes should be fowarded to:
Recruitment section Aker Kvaerner Company.""
8. It seems this email was sent from the Aker Kvaerner UK Office (Warrington, SW1Y 4PD) and there's a UK telephone number indicated. You then read the full email, and you notice that the sender requests CVs to be sent to firstname.lastname@example.org which is an email address from consultant.com domain, and not from akerkvaerner.com official domain, but since you look up and see that the email originates ""From: email@example.com"" you have no reason to doubt.
9. Think twice. Never ever will you see a good faith company, such as Aker Kvaerner or thousands of other ones, soliciting job applications to be sent at email addresses other than those held on its official domain name, such as firstname.lastname@example.org or email@example.com. Since the sender of the above email invites you to send your CV to and email address (firstname.lastname@example.org) held on a different domain name (that is, consultant.com) than Aker Kvaerner's official domain akerkvaerner.com, it means the sender of the above email is a job scammer.
10. But wait, you exclaim, have you - Oil Offshore Marine, forgotten that the email I got was sent from email@example.com and in my Inbox the very same email is shown to come from """Aker kvaerner oil and Gas Company" firstname.lastname@example.org""
No. We haven't. That's exactly the point. We are an Oil & Gas Career Portal, and on Beware Job Scams we have taught you how to recognize job scams, how to prevent identity theft, and how to keep yourself secure. Now it's time we taught you some IT-related stuff, too.
11. OK. Here we go. The email you got was sent from email@example.com and, in your Inbox the very same email is shown to come from """Aker kvaerner oil and Gas Company" firstname.lastname@example.org"". We just told you this is a job scam (even though the email originates from email@example.com), now were showing you a trick.
12. Open your Inbox, go to this particular email from firstname.lastname@example.org. Open the email. Now, on the top, look for a link/button that says "View Full Headers". Click on it. What do you see? Well you see some data that you might not properly understand at first sight, but we definitely guarantee you that this information is crucial. Why? Because it solves our case and proves that Aker Kvaerner is under fraud attack by job scammers.
13. Here is what you see: X-Originating-IP: [188.8.131.52]; Authentication-Results: mta132.mail.in.yahoo.com from=akerkvaerner.com; domainkeys=neutral (no sig); Received: from 184.108.40.206 (EHLO s87.loopia.se) (220.127.116.11); Received: from s27.loopia.se ([18.104.22.168]) (envelope-sender email@example.com); X-Authentication-Warning: s27.loopia.se: www set sender to firstname.lastname@example.org; From: Aker kvaerner oil and Gas Company email@example.com; Reply-to: firstname.lastname@example.org
14. Let's translate all these:
a) X-Originating-IP: [22.214.171.124] = this is the sender's IP address, which identifies the sender. 126.96.36.199 is a Swedish IP from Vastmanlands Lan, Västerås, the ISP (Internet Service Provider) being a Swedish company, Loopia AB. So the first claim, the one according to which the email was sent from Aker Kvaerner UK Office (Warrington, SW1Y 4PD) [look at no. 8 above], is dissolved.
b) Received: from s27.loopia.se ([188.8.131.52]) (envelope-sender email@example.com) = this means that the email came throught loopia.se, and envelope-sender firstname.lastname@example.org means that the email is "ordered" to show as if it was coming from email@example.com, though it was in fact not [coming from firstname.lastname@example.org]. That is why in your Inbox the email is shown to originate from email@example.com; this is not true.
c) Reply-to: firstname.lastname@example.org = this means that if you reply to the email you got, which, as we have shown, does not come from Aker Kvaerner, the reply action will send your email not to email@example.com, but to, you guessed, firstname.lastname@example.org. People behind email@example.com are most probably the same behind firstname.lastname@example.org => scammers.
15. So, to put all the pieces together: the email was not sent from Aker Kvaerner's email email@example.com, but from a fake email designed to fool you. If you reply with your CV, your reply will not be sent to Aker Kvaerner, but to a job scammer: firstname.lastname@example.org. What might happen next, check on Job Scams.
Why did all this happen? Because Aker Kvaerner de-activated or deleted the SPF record (see below for more explanations).
16. So what are the DANGERS for Aker Kvaerner or for a company experiencing the same (or a similar) situation? What are the SOLUTIONS?
a) Aker Kvaerner is under fraud attack
involving its domain name which can cause loss of credibility due to the fact the scammers can create email@example.com or firstname.lastname@example.org, etc.
b) Aker Kvaerner's business partners or other companies may get emails from Aker Kvaerner "employees" or "senior managment staff" [from emails such as email@example.com or firstname.lastname@example.org] can be sent completely false information regarding current or future projects, design or management data, sales, partnerships, updates, news or ... spam.
c) Aker Kvaerner's business partners or other companies may get emails from Aker Kvaerner "employees" or "senior managment staff" [from emails such as email@example.com or firstname.lastname@example.org] and be offered "business opportunities".
d) The scammers can also issue and send to media companies / newspapers / internet news portals false press releases which can hurt Aker Kvaerner not only by the news itself, but also by decreasing share price values.
e) The scammers might send false information regarding stock, share price, and so forth.
f) The scammers can also use
akerkvaerner.com to send spam, which will result in having the domain name akerkvaerner.com put on a gray list, and REAL emails coming from REAL Aker Kvaerner employees may be STOPPED from inbox delivery and put in spam/bulk folders, or simply deleted by spam filters and never get to the persons they needed to get to.
g) Jobseekers (knowing Aker Kvaerner or not knowing who Aker Kvaerner is) may be fooled into believing they are undergoing a recruitment process with Aker Kvaerner, and getting a job with Aker Kvaerner; subsequently they'll be put to pay "work permit fees" or "immigration fees" [ see the Job Scams information]. With their money lost and their identity lost, they may bring legal action against Aker Kvaerner.
We know it sounds scary. The fact is IT IS SCARY indeed. Allowing an outsider to have access to your domain.com (or .net, .us, .eu, etc) is just like allowing an outsider to use, without any restriction whatsoever, your name, address, brand and reputation. You wouldn't want to allow that, would you?
a) Make sure your company has a SPF (Sender Policy Framework) record up and running. See Open SPF for more details. ATTENTION! Make sure you test and re-test, check and re-check your SPF, in order to make sure that the SPF does not erroneously cause your outbound emails to fail.
b) Have your IT Department constantly monitor your online activities and train them to detect any illegal use of your online presence.
c) Have someone from your IT Department get in touch with Oil Offshore Marine for a full check on your online presence (including domain name, possible web-related problems, job scams where your company is mentioned without your knowledge, companies illegally claiming to recruit on your behalf, etc) regarding you, as an employer.
d) Always update yourself with the latest information from Oil Offshore Marine. In all cases, we need to destroy any illegal activities from early beginning and do not let them evolve to any similar case to Shell Fake Website or even worse.
Supporting documentation [click on numbers]: 1, 2, and 3
To read more information about Job Scams, please click here.