August 13, 2006
Don't Phishers Do the Math?
How smart is it to blast out phishing spam nationwide (if not worldwide) when the only possible customers of the financial institution being targeted are in the Texas Gulf Coast region?
I got a typical "error in your billing information" phishing message purporting to come from the Texas Dow Employees Credit Union. I checked out their real Web site, and they claim to have 93,000 customers in the Gulf Coast region (in and around Houston).
The chance of one of these messages reaching the inbox of a TDECU customer has got to be less than minuscule (if, as a California resident, I'm on the target list). Subtract from that the number of recipient customers who (I hope) smell a rat and won't respond. Better still, as I was composing this blog entry, the owner of the hacked site with the phony page shut it down (within minutes of reporting!).
What I like, in a way, about this kind of phoolish attempt (like the ones that get sent through email systems that tag the Subject: line as SPAM or PHISHING before the recipient sees them) is that somewhere along the line, the individual who caused the message to be sent had to exchange something of value to get the message out—usually through botnets these days. It may not be a high expense, but these guys are working on low margins and very low response rates. If a phishing run yields no account names and passwords, the "investment" was a failure.
My biggest wish in the spam world is that spamming, phishing, and other criminal activity no longer pays for itself and the word spreads among the crooks (and wannabe crooks). When the crooks contribute to their own failure through stupidity, who could ask for anything more?
Posted on August 13, 2006 at 03:21 PM