January 03, 2006
New Year/Old Tricks
While we await a possible flood of viral activity predicted for January 6, I thought I'd offer an observation or two about phishing activity over the Christkwanzukkah/New Year's holiday period.
As usual, there were quiet and not-so-quiet days in the ol' inbox. I expected far more at the beginnings of each holiday weekend on the supposition that phishers would like to spread as much as possible when phishing reporters may not be at their desks, and technical support staffs at hacked Web sites or ISPs would be at skeletal levels. Most of the activity monitored here, however, came at the tail end of each weekend. Response times to my reports (holidays, schmolidays) were only slightly longer than normal, so it appears that the ISPs I reported to had not OD'd on egg nog.
I wrote off as a fluke something else I spotted the other day. But since the same technique surfaced again today, it may be something that one of the phishing gangs is trying.
If you've looked at the source code of enough spam, you will have certainly seen HTML email that includes a text-only version consisting of seemingly gibberish words and phrases, if not verbatim extracts of classic literature. Spam Wars describes these in more detail, but the primary purpose is to improve deliverability: the innocuous text is there in the hope that content-oriented spam filtering will judge the message legit, masking the more spammy aspects of the HTML version.
I've seen at least two phishing messages that include such a text-only message portion. Here is the section from one today:
Darin, the friend of Darin and panics with cheese wheel beyond.And admonish the dark side of her squid.ocean find lice on dilettante of pig pen.beyond haunch negotiate a prenuptial agreement with behind diskette.
Not exactly Hemingway, to be sure, and perhaps on some distant planet, this verbiage would fool a Bayesian spam filter.
What's puzzling to me, however, is why the phisher thinks such a trick is necessary. If the recipient has an account (this one is for eBay), the forged From: address will more than likely get the message into the inbox because the recipient will have whitelisted anything coming from ebay.com. If the spam filtering system is smart enough to recognize that this message originated from a Hungarian email server, then this little bit of trickery won't help.
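As an added illustration of the two tells described above (a text-only alternative that bears no relation to the HTML part, and a first mail hop that does not belong to the forged From: domain), here is a small Python checker. It is not from the original post; the message it inspects is constructed, the hostnames and addresses in it are placeholders, and relay.example.net stands in for the Hungarian server the post mentions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): multipart/alternative with a
# nonsense text/plain part, an eBay-branded HTML part, a forged From: and a
# Received: chain whose earliest hop is outside the claimed sender's domain.
SAMPLE_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTP id ABC123
Received: from [192.0.2.45] (relay.example.net [192.0.2.45])
    by mail.example.com (Postfix) with SMTP id XYZ789
From: eBay <aw-confirm@ebay.com>
To: user@recipient.example
Subject: NOTICE: eBay Obligatory Verifying - Update User Information
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii

Darin, the friend of Darin and panics with cheese wheel beyond.
And admonish the dark side of her squid.

--BOUNDARY
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear eBay member, your account information must be verified.</p>
<p><a href="http://192.0.2.45/update">Click here to update your account</a></p>
</body></html>

--BOUNDARY--
"""


def words(text):
    """Lower-cased set of alphabetic tokens in a string."""
    return set(re.findall(r"[a-z]+", text.lower()))


def html_to_text(html):
    """Crude tag stripper; enough to compare vocabulary, not to render."""
    return re.sub(r"<[^>]+>", " ", html)


def part_text(msg, content_type):
    """Decoded body of the first MIME part with the given content type."""
    for part in msg.walk():
        if part.get_content_type() == content_type:
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "us-ascii", "replace")
    return ""


def alternative_overlap(msg):
    """Jaccard similarity between the text/plain and text/html vocabularies.

    A genuine multipart/alternative carries the same content twice, so the
    vocabularies should overlap heavily; filler text scores near zero.
    Returns None when either part is missing.
    """
    plain = words(part_text(msg, "text/plain"))
    html = words(html_to_text(part_text(msg, "text/html")))
    if not plain or not html:
        return None
    return len(plain & html) / len(plain | html)


def origin_host(msg):
    """Hostname recorded in the earliest Received: header (the last one listed)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"from\s+\S+\s+\(([^\s()\[\]]+)", received[-1])
    return match.group(1).lower() if match else None


def sender_domain(msg):
    """Domain of the From: address, or None if it has no @."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Return the measurements plus a list of human-readable findings."""
    msg = message_from_string(raw)
    overlap = alternative_overlap(msg)
    host = origin_host(msg)
    domain = sender_domain(msg)
    findings = []
    if overlap is not None and overlap < 0.2:
        findings.append("text/plain and text/html parts do not match (overlap %.2f)" % overlap)
    if host and domain and not same_org(host, domain):
        findings.append("earliest hop %s is outside claimed sender domain %s" % (host, domain))
    return {"overlap": overlap, "origin_host": host, "sender_domain": domain, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

The overlap threshold of 0.2 is an arbitrary starting point; a real mail filter would tune it against its own traffic, and the Received: parsing assumes the conventional `from name (host [ip])` layout rather than every variant in the wild.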
Perhaps it's a sign that phishers believe they need to improve their deliverability because they're not getting the same level of response as before. That would be a good sign, indeed. Today's eBay phisher might actually improve the response rate if English were used in the message's Subject: line, rather than this thesaurian exercise:
Subject: NOTICE: eBay Obligatory Verifying - Update User Information
Here we are, in 2006, with phishers still at it, making life miserable even for those who know not to be phished. One of the financial institutions I use online has implemented a new login procedure to show me that the site I'm logging into is real. That's assuming, however, that I would recognize the absence of this new procedure as being indicative of a fraudulent site (I foresee a phisher offering "convenience" by letting a user click on a bogus link for "express login"). In the meantime, the real login process now takes twice as long for every user.
Let the spirit of the season continue onward: Humbug!
Posted on January 03, 2006 at 01:18 PM