Web log archive.
Dispatches Archive


April 22, 2008

A Degree From Botnet University

Over the last 36 hours, I've been pummeled by diploma spam. Except for differences in line spacing and presentation format of the response phone number, they've all had the same message body:

BA BSc MA MSc MBA PhD
Within 4-6 weeks!
No Study Required!
100% Verifiable!
These are real, genuine degrees that include Bachelors, Masters, MBA and Doctorate Degrees. They are fully verifiable and certified transcripts are also available.
Just call the number below.
+1-206-3090-336
Regards

Subject: lines are from a range that includes the following:

  • Achieve Masters very fast
  • Get your Bachelors
  • Get your PhD
  • Eradicates classrooms and traveling call now

The phone number, like those used in hundreds of similar schemes over the last few years, is to a Seattle-based voicemail service. You leave your phone number; the crooks contact you; you give up money and/or credit card data in return for nothing (less than nothing, actually, when you consider the loss of your credit card).

Lest you believe that because the phone number is in the U.S. and because the spam messages are not CAN-SPAM compliant that law enforcement should have an easy time pursuing this scam, you'd be sorely mistaken. Look at the different formats used for the phone number:

  • +1-206-3090-336
  • +1 206 309033 - 6
  • +1(206)309-0336
  • +1 206 30 - 90 - 33 - 6
  • +1/206/3090/336

This job, my friends, originated from outside the United States. Americans targeting Americans simply don't write long-distance phone numbers with the +1 prefix—sometimes 1- but never +1. Additionally, only the third number in the above list is in a number grouping that would be familiar to North American phone users. Outside North America, anything goes, where not all numbers within a given country necessarily have the same number of digits.
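The five spellings above are the same eleven digits with different separators, so a filter or a campaign tracker can collapse them to one key. The following is an added example, not code from this site; the function names and the sample message ids are assumptions made for illustration.

```python
import re
from collections import defaultdict

# A '+' and a country-code digit, then 7-14 more digits, each optionally
# preceded by the separators seen in the samples: space, '-', '/', '(' and ')'.
PHONE_RE = re.compile(r"\+\d(?:[ \-/()]*\d){7,14}")


def canonical_numbers(text):
    """Return every '+'-prefixed phone number in text, reduced to '+<digits>'."""
    return {"+" + re.sub(r"\D", "", m.group()) for m in PHONE_RE.finditer(text)}


def cluster_by_number(messages):
    """Map each canonical number to the ids of the messages that carry it."""
    clusters = defaultdict(list)
    for msg_id, body in messages.items():
        for number in sorted(canonical_numbers(body)):
            clusters[number].append(msg_id)
    return dict(clusters)


# Constructed sample bodies: the five number formats listed above, plus one
# message with digits and hyphens but no phone number.
SAMPLES = {
    "msg1": "Just call the number below.\n+1-206-3090-336\nRegards",
    "msg2": "Just call the number below.\n+1 206 309033 - 6\nRegards",
    "msg3": "Just call the number below.\n+1(206)309-0336\nRegards",
    "msg4": "Just call the number below.\n+1 206 30 - 90 - 33 - 6\nRegards",
    "msg5": "Just call the number below.\n+1/206/3090/336\nRegards",
    "msg6": "Within 4-6 weeks!\nNo Study Required!",
}

if __name__ == "__main__":
    for number, ids in cluster_by_number(SAMPLES).items():
        print(number, ids)
```

Matching on the canonical form rather than the literal string means a sixth separator scheme built from the same characters lands in the same cluster without a new rule.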

Each of the messages I've seen originated from a different IP address scattered around the world. They have all the hallmarks of spam being sent through bots running on infected PCs, much like the medz and porn spam that pour out of botnets with the unrelenting torrent of a Niagara Falls.

Even if you were to receive a diploma from this offer, I don't think that listing an MBA from Botnet U. (the fighting Command-And-Controllers!) would look so good on your resumé. Nor is your potential employer's HR department going to dial up Minsk for your transcript.

Posted on April 22, 2008 at 12:10 PM

April 19, 2008

More Oprah Abuse?

Ever since the 1950s, the phrase "As seen on TV" has been the pitchman's mantra. For some reason, having appeared or been mentioned on television is supposed to bestow magical authentication and nearly mythical properties.

In decades past, I was seen on TV...a lot. A bit on PBS ("The New Tech Times") and co-host of a weekly San Francisco Bay area live call-in computer show on an independent San Jose station. I can tell you from firsthand experience that appearing on TV does not guarantee stardom, fame, wealth, or, sadly, groupies clamoring for your bod.

Some TV personalities have had all the right angles, the "It" factor, perseverance, chutzpah, or whatever to make it big on TV. Anything they say they like while on the air gets the green light to the Big Time. Oprah Winfrey is a goddess in this realm. Ya gotta hand it to her.

As such an influential person, whether she's handing out cars or tears, her name on an endorsement is Solid Gold. And for actual paid endorsements, I'll bet she charges Solid Platinum.

Spammers know the value of Oprah's name. They have abused her name for years and years. I've written about this before (here and here). But today I saw a spam message that upped the ante on Oprah abuse.

I am not a daily Oprah watcher, so I don't know whether she actually endorsed drinking green tea as a healthy or weight-reduction-inducing beverage. Even if she did, I doubt very strongly that she referred specifically to the potion described in the spam I received.

I also have strong doubts that the large photograph of the sunglass-wearing woman in the spam's self-enclosed image is Oprah (product name partially obscured):

[Image: Fake Oprah advertisement]

There is a real picture of Oprah, although quite small, at the bottom of the ad (it's a cover of her magazine, along with additional suggestive broadcasting logos). I believe that smaller picture was inserted to suggest subliminally that the bigger picture is also Oprah—when it could be the marketing manager's momma for all I know. There's no way that a genuine endorsement would use a photo of Oprah covering so much of her face that she could hide her tells at a poker tournament. If someone can point me to a genuine source of the larger image attributing it to the real Oprah, I'll gladly retract my statements.

In the meantime, if I were the spammer sending out this message, I'd keep an eye out for a letter from Oprah's people. Unlike most spam that relies on unsubstantiated assertions (aka misleading suggestions), this one appears to be CAN-SPAM compliant, complete with the identity of the sender in the same state as Oprah's operations. You can't possibly want to mess with Oprah.

I continue to dream that Oprah will use the platform of her TV show to educate her audience—I believe among the ones most susceptible to the tricks of spammers and scammers—how to recognize a scam when they see one. I could help her muster quite an army of scam-fighting computer users who typically don't visit the security-related web sites that we spam-watchers do. There is a huge audience out there that needs to get the message now.

Notice that I intentionally obscured part of the spammed product's name and logo. I don't want the spammer to start a new campaign blaring: "As seen on spamwars.com!"

Posted on April 19, 2008 at 01:55 PM

April 10, 2008

419 Phunnies

Daniel Koko contacted me today to let me know I can collect some funds by contacting his secretary, Nelson Mbongo. I don't think it will be worth my time, because the amount isn't very enticing:

I WANT YOU TO CONTACT MY SECRETARY ON THE INFORMATION BELOW AND RECEIVE YOUR COMPENSATION OF $1.5 US DOLLARS FROM HIM

In case I didn't read that right the first time, he reiterates it later in the message:

ASK HIM TO SEND YOU THE TOTAL SUM OF$1.5 US DOLLARS CASHIER'S CHEQUE,WHICH I KEPT FOR YOU.

Hey, dudes, a buck-and-a-half won't buy me enough gas to get to the filling station.

Another 419 missive today continued with the "M-whatever" theme. The sender called herself Mrs. Wilf Mbang. I know what a milf is, and "bang" has something to do with it. Maybe the "W" stands for "wife." But anyone responding to her offer to assist with exporting six million of her incarcerated hubby's dollars will be the one who gets screwed.

Posted on April 10, 2008 at 04:03 PM

April 08, 2008

Storm Doesn't Need No Stinkin' Holiday

Recently synchronized with events such as Thanksgiving, New Year's, St. Valentine's Day, and even April Fool's Day, a newly released email lure to malware-loading sites started arriving today under the guise of mash notes for the lovelorn. The email messages looked like the following:

[Image: Non-holiday Storm email message]

A number of variants to the Subject and body have been reported, but all along the same lines. This time, however, the links are to domain names, rather than numeric IP addresses.

If you click on the link, you are delivered to a page that looks like the following:

[Image: Non-holiday Storm web page]

Those who would be fooled into clicking on the big image or the link probably wouldn't get the joke being played on them—that the image is essentially transmitting its Storminess in neon lights. Instead, the potential victim might truly believe that the image is, rather, a video player, like the kind you see at YouTube.

The entire image is a link to one executable file (i.e., clicking on the "Play" button art is no different than clicking anywhere else on the image), while the text link is to a similar file with a slightly different name. Loading either file on an unpatched Windows machine is the same as enlisting your PC into the botnet army.

It's hard to convince recipients that they really don't have a secret admirer. If I had my way, anyone about to click on the email link would have a gigantic Monty Pythonesque claw hammer come crashing down on their heads.

Fake love hurts for real.

Posted on April 08, 2008 at 08:02 PM

April 05, 2008

It Didn't Work For Nixon, Either.

Today's episode of "The Life and Times of a Dead Nonexistent Multimillionaire" (aka 419 spam) is an incredibly detailed (aka wordy) fantasy, complete with intrigue of the inner workings of the private banking world. The tale refers to brand names you may have heard of (Bank of England, where the author claims to work) and names you haven't heard of, but sound believable (Mayfair Securities Co.).

This is a private matter, of course, so our friendly bank employee doesn't want you trying to contact him through official phone lines or email:

My official lines are not secure lines as they are periodically monitored to assess our level of customer care in line with our Total Quality Management Policy.

Use his Gmail account instead, he tells us.

Unlike some other appeals I've seen recently, this one even explains why the message I received was also sent to others exposed in plain view in the To: field.

We have scanned every continent and used our private investigation affiliate companies to get to the root of the problem. It is this investigation that resulted in my being furnished with your details as a possible relative of the deceased. ... What this means, you being the last batch of names we have considered, is that our dear late fellow died with no known or identifiable family member.

The batch that included my address had exactly 1000 addresses in it, alphabetized by email account name from ctwq to daroth. His investigation must have been very thorough, because my batch included 127 email accounts named customerservice, very fine individuals, indeed.

Our tale's author, however, probably wasn't even born yet when Richard Nixon, jowls aflappin', famously told the world in a televised speech that he wasn't a crook. Our storyteller repeats a bit of history with this tidbit (emphasis mine):

You may not know this but people like myself who have made tidy sums out of comparable situations run the whole private banking sector. I am not a criminal and what I do, I do not find against good conscience, this may be hard for you to understand, but the dynamics of my industry dictates that I make this move.

Just as when an unsolicited email message declares that it's not spam, anyone offering you a shady deal while professing that he's not a criminal...well, you get the picture.

There is one exceptionally true statement within the whole of this tall etale: He definitely does not find what he's doing to be "against good conscience."

It's easy when he has none to start with.

Posted on April 05, 2008 at 09:21 AM