GFI does NOT require clients to verify their account details

The information in this article applies to:

  • GFI DownloadSecurity for ISA Server 6
  • GFI EventsManager 2010
  • GFI EventsManager 2011
  • GFI EventsManager 7
  • GFI EventsManager 8
  • GFI FaxMaker 2011 for Exchange/SMTP
  • GFI FAXmaker for Exchange/SMTP 12
  • GFI FaxMaker for Exchange/SMTP 14
  • GFI LanGuard 9
  • GFI LANguard Network Security Scanner 6
  • GFI LANguard Network Security Scanner 7
  • GFI LANguard Network Security Scanner 8
  • GFI LANguard Portable Storage Control 2
  • GFI LANguard Security Event Log Monitor 5
  • GFI LANguard System Integrity Monitor 3
  • GFI MailArchiver 2011 for Exchange
  • GFI MailArchiver for Exchange 2
  • GFI MailArchiver for Exchange 3
  • GFI MailArchiver for Exchange 4
  • GFI MailArchiver for Exchange 5
  • GFI MailArchiver for Exchange 6
  • GFI MailEssentials for Exchange/SMTP 10
  • GFI MailEssentials for Exchange/SMTP 11
  • GFI MailEssentials for Exchange/SMTP 12
  • GFI MailEssentials for Exchange/SMTP 14
  • GFI MailSecurity 2011 for Exchange/SMTP
  • GFI MailSecurity for Exchange/SMTP 10
  • GFI MailSecurity for Exchange/SMTP 8
  • GFI MailSecurity for Exchange/SMTP 9
  • GFI Network Server Monitor 6
  • GFI Network Server Monitor 7
  • GFI WebMonitor 2009 (Standalone Proxy Version)
  • GFI WebMonitor 2009 for ISA/TMG
  • GFI WebMonitor 2011 (Standalone Proxy Version)
  • GFI WebMonitor 2011 for ISA/TMG
  • GFI WebMonitor for ISA Server 3
  • GFI WebMonitor for ISA Server 4

Article ID: KBID002392

Query keywords: account details, phishing, scam

A variety of scam emails claiming to be from GFI and asking for verification of your account details have been sent to GFI clients. These spoofed messages, which deceptively appear to be sent from GFI, state that failure to comply with the instructions of the message will result in the suspension of the GFI user account.

These mass mailings are fake and do NOT originate from GFI. Most of these emails originate from emails infected with a W32/Mytob variant. Do NOT click on the link in such emails; it is best to simply delete the message and advise network users to do likewise.

The fraudulent website to which users are directed once they click the link has been closed down.

A sample email is shown below:
-------------------------------------------------------------------------------------
From: support@gfi.com
To: user@domain.com
Sent: Wednesday, June 08, 2005 5:21 PM
Subject: *IMPORTANT* Please Confirm Your Account

Dear Valued Member,

According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.

www.gfi.com/confirm.php?email=user@domain.com

Thank you for your attention to this question. We apologize for any inconvenience.

Sincerely,Gfi Security Department Assistant.
-------------------------------------------------------------------------------------

The URL that is launched when a user clicks on the link in the message does not link to a GFI website. The fraudulent URL is hidden behind the gfi.com URL shown in the message body, using the A HREF HTML tag as follows:

<A HREF="xxx.xxx.xxx.xxx/confirm.php?email=user@domain.com">www.gfi.co.uk/confirm.php?email=user@domain.com</A>

Here xxx.xxx.xxx.xxx would be the IP address of the fraudulent website.
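
The mismatch between the displayed URL and the real link target can be checked mechanically in an HTML message body. The Python below is an added example, not GFI code; the function names, the reason labels and the address 192.0.2.10 (a documentation address standing in for xxx.xxx.xxx.xxx) are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):  # lowercase host of a URL; a missing scheme is tolerated
    url = url.strip()
    try:
        return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

class AnchorCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Flag anchors whose target is a bare IP or differs from the host shown as text."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if " " not in text and "." in text.split("/")[0] else ""
        reasons = [r for r, hit in (("target-is-ip-address", is_ip(target)),
                                    ("displayed-host-differs", shown not in ("", target))) if hit]
        if reasons:
            findings.append({"href": href, "shown": text, "reasons": reasons})
    return findings

# Constructed sample modelled on the tag above; 192.0.2.10 is a placeholder address.
SAMPLE = ('<A HREF="http://192.0.2.10/confirm.php?email=user@domain.com">'
          'www.gfi.co.uk/confirm.php?email=user@domain.com</A>')
```

Hosts are compared exactly, so a legitimate link whose text omits "www." while the target includes it would also be reported and needs manual review.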

IMPORTANT: GFI clients are never requested to confirm their account details. If you have any doubts on the legitimacy of an email, please contact us at info@gfi.com.

For more information on phishing scams, and to report phishing attempts, one can visit www.antiphishing.org/.
