May 29, 2008
Phone Phishing
I've heard of this before, but I don't like to report stuff unless I see it for real on my email server. Here's the entire message (last four phone number digits blocked by me):
From: Synergy Bank
To: dannyg@dannyg.com
Subject: Alert
Reach us urgently, call (800) 507-xxxx .
Aside from the awkward English, there are plenty of clues inside the message source that this is bogus. Most notably, I doubt that a New Jersey bank would send "personalized" email from a computer on a San Diego Cox.net connection. Second, the body of the otherwise simple message is base64 encoded, a technique generally used to confuse spam-sniffing content filters.
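The two clues called out above (a bank "alert" handed over by a consumer cable connection, and a trivial ASCII body wrapped in base64) are both visible in the raw message source and can be checked mechanically. The following is an added example, not code from the original post: it parses one raw message with the Python standard library and reports those indicators plus the toll-free call-back pattern. The sample message is constructed to mirror the one described above; every host name, address and phone number in it is invented, and the toll-free prefix list is an assumption drawn from the current NANP assignments.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the "Synergy Bank" alert described above.
# Every address, host name and number here is invented (documentation IP
# ranges and .example domains); only the shape of the message is real.
BODY = b"Reach us urgently, call (800) 507-0000 .\r\n"
RAW_ALERT = (
    "Received: from [203.0.113.45] "
    "(ip203-0-113-45.sd.sd.cable-isp.example [203.0.113.45])\n"
    "\tby mail.dannyg.example (Postfix) with SMTP id 4F2A1\n"
    "\tfor <dannyg@dannyg.example>; Thu, 29 May 2008 08:51:02 -0700\n"
    "From: Synergy Bank <alerts@synergybank.example>\n"
    "To: dannyg@dannyg.example\n"
    "Subject: Alert\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(BODY).decode("ascii") + "\n"
)

# North American toll-free prefixes (assumption: current NANP list).
TOLL_FREE = {"800", "888", "877", "866", "855", "844", "833"}
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Reverse-DNS names that embed the IP address are typical of consumer
# connections, not of a bank's outbound mail gateway.
CONSUMER_HOST_RE = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")


def origin_host(msg):
    """Reverse-DNS name of the host that handed the message to our server.

    Received headers are prepended at each hop, so the last one in the
    list is the earliest hop our own server recorded.
    """
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"\(([\w.-]+)\s+\[", received[-1])
    return m.group(1).lower() if m else ""


def registrable(domain):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(domain.lower().split(".")[-2:])


def analyze(raw):
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    cte = (part["Content-Transfer-Encoding"] or "").lower() if part is not None else ""
    if cte == "base64" and body.isascii():
        findings.append("base64 transfer encoding on plain ASCII text")

    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    host = origin_host(msg)
    if host and from_domain and registrable(host) != registrable(from_domain):
        findings.append(f"originating host {host} is outside claimed domain {from_domain}")
    if host and CONSUMER_HOST_RE.search(host):
        findings.append(f"originating host {host} looks like a consumer connection")

    phones = [re.sub(r"\D", "", m) for m in PHONE_RE.findall(body)]
    toll_free = [p for p in phones if p[:3] in TOLL_FREE]
    if toll_free and "http" not in body.lower():
        findings.append("call-back to toll-free number(s) with no web link: " + ", ".join(toll_free))

    return {"from_domain": from_domain, "origin_host": host,
            "phone_numbers": phones, "findings": findings}


if __name__ == "__main__":
    for f in analyze(RAW_ALERT)["findings"]:
        print("-", f)
```

Run against the constructed alert it reports all four indicators; a plain note from a colleague with no Received line and no phone number produces none. The registrable-domain comparison is deliberately crude (two labels), which is enough to separate a consumer ISP's reverse name from a bank's domain but would need a public-suffix list for country-code domains.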
I'm not going to call the phone number, even though it appears to be a U.S. toll-free number. None of the toll-free phone number reverse lookup services I checked could tie the number to a known business. Although the practice has been banned by the FCC, crooks can still cause calls to toll-free numbers to be rerouted to international or other fee-based calling systems—creating charges that get put on the caller's bill. Recovering the bogus charges from the phone company is a nightmare, so I don't even want to get started.
But even if calling this number doesn't add fees to my phone bill, I suspect that the voice or recording on the other end of the line will demand personal identity information from me. It's simply another way to phish...without a web site.
If you were to receive a message like this, and by chance you had an account with the "sender," don't trust the emailed phone number any more than you would trust a clickable link in a phishing message. If you're a customer of that bank, use contact phone numbers on statements or listed at the bookmarked web site where you do your online banking to confirm the contact request. They'll tell you that they didn't send you the message, and you can get on with your life.
You might think that a toll-free number would be easy for law enforcement to trace and raid the miscreant's home Eliot Ness-style. But unless this turns into a widely spread scam, the target is probably too small potatoes to start investigating and building a case. Keep an eye out for more of this—what does one call it?—phphishing.
UPDATE (30 May 2008): As Kevin reminded me, the above is a variation of voice phishing, or vishing. The term originated from phishing schemes that use the telephone for all parts of the scam, including initial contact. Crooks could invade inexpensively (or freely with a hack or two) from outside the target's country with the help of Voice Over Internet Protocol (VOIP) services.
Posted on May 29, 2008 at 09:05 AM
May 19, 2008
Love Hurts
Just received a new installment of a Storm (or Storm-like) spam, supposedly from someone who is fond of me:
Subject: Thinking Of You All Day
With Love http://[numeric].[ip].[address].[removed]/
The destination is a page that automatically downloads iloveyou.exe. The file should be named ilove2pwnyou.exe.
Our planet has many ways of reminding us how small-minded we humans can be while we pay undue attention to ideologies and arbitrary dotted lines on maps. A shifting fault line or a swooshing patch of atmosphere demonstrates to those immediately affected by the disaster what is really important to a citizen of Earth. Thanks to today's instant media, others around the world get to see what's happening, even from remote locations.
The natural desire to help those in need remains strong. Every major disaster triggers an outpouring of humanitarian aid from individuals who feel they should "do something" to help, even if just to send some money for relief work.
Waving that money in the air is like waving a raw steak in the middle of a tiger preserve. The aroma will attract any creature with a "nose" for the scent. In the case of dangling donation money, scammers are ready to pounce on potential donors. And spam is an easy way for scammers to reach potential targets in high volume, in record time, and at a cost approaching zero.
Anyone who responds to a solicitation for disaster relief donations from an unknown organization is just begging to be scammed. It's not uncommon for scammers to set up bogus organizations or "funds" with names that reference a specific in-the-news disaster by name. Each disaster yields hundreds of web site domain name registrations—with names referencing the disaster. It all sounds very grass-rootsy ad hoc and kosher, but I wouldn't trust a single one of them that solicits by spam.
If you have donated in the past to a legitimate charity, you may receive an email from that charity tied to a specific recent disaster. Scammers can hide behind these types of appeals, as well, forging the From: field of a message to make it look as though the message comes from a well-known and trusted charity. If the message contains a link or URL, don't believe it, or click it. To make a donation, visit the site preferably by a previous bookmark; or use your favorite search engine to locate the legitimate site.
For major disasters, you can check with the web sites of your local radio and TV stations, as well as cnn.com (the Impact section), where approved charities are listed. If you want to check the credentials of a particular U.S. charity, you can look it up in the Better Business Bureau National Charity Report Index, a handy resource to bookmark for future reference.
Taking advantage of people with good hearts who want to help those in desperation is pretty damned low. It compounds the disaster by not only scamming good people out of hard-earned money, but also preventing that money from helping the primary victims. What really aggravates me is that it's the scammers who sleep soundly at night. Sheesh!
Posted on May 19, 2008 at 03:10 PM
May 16, 2008
It Must Be Phriday
I don't need a calendar to tell me it's Friday. Phishers let me know by their increased volume on that day (for me anyway). The Friday ones link to hijacked web sites, usually European ones whose owners are just closing up shop for the weekend. It will be Monday before the owners even know they've been hosting criminal activity—by which time the damage will have been done.
Posted on May 16, 2008 at 08:55 AM
May 13, 2008
Sometimes I Simply Don't "Get" Spammers
I'm sure that big-time spammers ("mainsleaze" in the anti-spam trade) believe they are outstanding marketers. That's hard to reconcile with a piece of spam I saw this morning.
It claimed to come from Dilun. At first I thought it was a poor attempt to replicate the name Dillon, but upon further investigation, it is apparently a name found in Asian countries.
Using the Subject: line as a grabber, this spammer went for the jugular:
Subject: You have been caught spamming
This is one of those "impending doom" openers that is intended to get the recipient to open the message immediately—to really put him or her on the defensive.
The message body, however, is pure spam material:
Jessica Alba caught in embarassing situations on camera http://www.[Removed].com/
It's unclear to me how the spammer expects the recipient to react to the mind bend that occurs between seeing the Subject: line in the inbox and what appears to be a porn type of solicitation. Is the recipient supposed to be assuaged by the discovery that the spamming accusation was false? It's a real head-scratcher to me.
Okay, so let's say the recipient wasn't put off by the overt lie that tricked him into opening the message, but he's interested in seeing the purported "embarassing [sic] situations."
Whenever I see links to porn or pop culture photos, I usually suspect a malware installer at the destination. The spamvertised domain is so fresh that it doesn't even show up in whois yet, generally indicating that it's just temporarily parked, and will go away in a few days when the registrar discovers that it hasn't really been paid for.
I used one of my software tools to visit the site without a browser to see if the page's source code revealed any malware downloading going on. I'm able to make the server believe I'm doing this with Internet Explorer 6 for Windows to make sure I get the royal (as in "royally hosed") malware treatment.
It turns out that the spamvertised web site is only for an herbal penis enhancement med. That's the third time this spammer has screwed with the target's head. How receptive will someone be by the time he reaches this site?
BTW, I'm really glad I saw the page only in HTML source code form. There are apparently some testimonials on the page with Before and After photos. Excuse my clinical response: ew, Ew, EW!
Posted on May 13, 2008 at 09:04 AM
May 12, 2008
Why "Home Business" Spam Sticks in My Craw
I know that I preach consent over content when it comes to identifying spam. Automated email of any kind sent to my inbox without my prior consent is spam. Period. So why am I singling out the content of a particular class of spam? Unfortunately, some spam gets through server filters, and enough recipients keep reading and responding to the crap that it keeps spammers in business. For less-spam-sensitive email users out there who haven't received a dose of Email Safety 101, content matters because they read the junk that hits their inboxes.
And that's where the "home business" spam category comes into play. For decades before email ubiquity, the "home business" ploy was advertised heavily in magazine classified ads and even on street light poles. It wasn't too many months ago that I saw an envelope stuffing business proposition duct-taped to a left turn lane traffic light pole near my home (bound to be seen by at least the driver of the first car waiting for the interminably slow green arrow). Email simply allows notices to be duct-taped to millions of computer screens around the world in an instant.
What irks me most about propositions in this category is that they prey on the recipient's belief in the American Dream. Although the precise definition of "American Dream" is hard to pinpoint, in its widest sense, it represents an opportunity to improve one's prosperity, even if it means some hard work in the process. Someone who earns a fixed salary, is under-employed, or is unemployed is an easy target for hucksters who dangle before his or her eyes visions of extra income or freedom from the shackles of the current job rut.
With such a huge target market for the Dream—who doesn't want to get ahead?—it's up to the advertiser to get the recipient's attention. In the email inbox, the main attention-grabber is the Subject: line. The success of the Subject: line's appeal is measured by how many recipients open the message. Pre-email, a printed advertising piece's headline was the "grabber." Direct mail consultants and professionals exerted enormous energy on perfecting just the right headlines that did the best job of engaging recipients.
I was reminded of this the other day when I happened upon a message in my server "spam suspects" folder whose subject line was:
Subject: Danny: IS THE LIFE OF A CHILD WORTH $1 TO YOU?
My first thought was that Sally Struthers had begun spamming for her charity. But, as I'll show you in a moment, the message had nothing to do with children or the poor. The disconnect between subject and message content was so enormous, I was curious to see if the Subject: line had been used much elsewhere, especially in charity appeals. What turned up in the Google search instead were dozens of links to collections of the most effective advertising headlines, where this exact headline appears as a way to tug at the recipient's heartstrings.
Now to the message content associated with "the life of a child." Because my "spam suspects" are gathered together only in their source code form, I make it easy on myself to scan the message body's contents (and headers, for that matter). This message was presented in HTML format only, and consisted of a single image, surrounded by a link. There was no identifiable text, but the domain of the link ended in the letters "mlm."
MLM is the acronym for "multilevel marketing." You can read the Wikipedia entry for an overview on the subject. MLM is not inherently a bad thing. Some well-known brand name MLM companies have passed Federal Trade Commission scrutiny in the United States. But less-scrupulous MLM outfits out there have given the FTC plenty of enforcement work over the years. My sense of the matter is that as long as end users receive a product or service commensurate with the money paid and if individuals in the selling chain are treated fairly and honestly, then there isn't much to worry about.
The problem, however, is that, as history has proven, those promoting MLMs aren't always the most forthright. There are tons of weblogs on the subject, and plenty of public comments from victims who tried to become part of a network (or "downstream") only to find that it was either way too much work or even impossible to make a meaningful stab at working as promoted by those selling the Dream. Massive flame wars then ensue between those who sell MLM systems and those who believe it's all a load of crap.
Getting back to the spam message in my "suspects" folder, the spamvertised domain name is registered to an individual whose stated address is a Chicago hi-rise residential building (I used to live not far away in another building). The email address of the supposed registrant referred to a domain registered in the British Virgin Islands.
I was looking at this message about a week after it had been sent. After seeing that retrieval of the lone image was not coded with any identifiers, I viewed only the image to see what this sender was up to. I expected the worst, and was amply rewarded:
Look familiar? Here's the prototype from the originator of the look and cartoon character (currently John Wiley & Sons, one of my publishers [noted for disclosure purposes]):
Draw your own conclusions about the originality of the advertisement. Irrespective of the look-and-feel, the content fails CAN-SPAM requirements for identification and opt-out provision.
The ad, itself, promotes something by "Mister X." Oooh, mysterious. Sounds to me like yet another advertisement for somebody's "system" that promises you riches. Whenever somebody attempts to sell you a system for making money, rather than selfishly using the system to clean up for himself, it means that there is more money in selling the system than in using it. It reminds me of the outfit that uses cable television news programs hourly to advertise owning precious metals. The "sure thing" is acting as the broker for the gold coins, not holding them during the ups and downs of the market.
Too many of the internet-based "home business" opportunities sell information that instructs buyers to sell information that instructs the next generation of buyers to sell information that instructs buyers.... If not necessarily pyramidal in shape, the scheme is certainly reminiscent of the legendary keester bird: an avian species that flies in ever smaller circles until it flies up its own butt and disappears from the planet.
Along with your money. And Dream.
Posted on May 12, 2008 at 05:17 PM
May 11, 2008
What Happened to Inga?
My email address has been used fairly heavily today in the From: field of various medz, watches, and porn spam because I've been getting a fair amount of automated backscatter berating me for sending spam. Idiot mail server admins!
One of the backscatter messages, however, was a vacation notice from the mailbox of a woman named Inga at a Latvian computer company. In other words, the spam message (From: Most Trusted Replica <dannyg@dannyg.com>; Subject: Watch in the mail today) got through whatever (if any) filters at her company, and was delivered to her mailbox. That insertion triggered the vacation response.
Her notice advises that she'll be on vacation from Monday, October 8 through Friday, November 2. Looking back in the calendar, I see that those days and dates align with 2007.
Oh, dear.
So many questions come to mind:
- Did Inga never return from vacation?
- Was Inga fired while she was on vacation?
- Has Inga failed to turn off her vacation notification?
- If so, hasn't anyone in her company gotten one of these bouncebacks?
- If she's no longer at this computer company, why hasn't her account been deactivated?
And, most importantly:
- How does someone working at a six-year-old company—not one of its executives listed at the web site, mind you—score four weeks of vacation?
(Written begrudgingly by someone who has taken less than five weeks of vacation since 1981.)
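The vacation notice above fails twice: it answers a spam message whose From: line was forged, and it is still answering months after the stated end date. As an added example that is not part of the original post, here is the decision logic an out-of-office responder should apply before replying, following the RFC 3834 rules for automatic responses (do not answer bounces, list mail or anything marked automatic), plus an expiry date and a one-reply-per-correspondent rule. The mailbox names, dates and header values in the samples are constructed; the X-Spam-Flag header is the one SpamAssassin sets, assumed here to be present when the site's filter has already judged the message.

```python
from datetime import date
from email.utils import getaddresses, parseaddr

# Header values that mark mail as automatic or bulk. RFC 3834 says an
# auto-reply must never answer them; X-Auto-Response-Suppress is a
# de-facto Microsoft header with the same meaning.
AUTOMATIC_MARKERS = {
    "auto-submitted": lambda v: v.lower() != "no",
    "precedence": lambda v: v.lower() in ("bulk", "list", "junk"),
    "list-id": lambda v: True,
    "x-auto-response-suppress": lambda v: True,
}


class VacationNotice:
    """Decide whether an out-of-office reply may go out for one message."""

    def __init__(self, mailbox, start, end):
        self.mailbox = mailbox.lower()
        self.start = start
        self.end = end
        self.replied = set()  # correspondents already told, for this absence

    def should_reply(self, headers, today):
        """headers: dict of header name -> value (names case-insensitive)."""
        h = {k.lower(): v for k, v in headers.items()}
        # 1. The notice must still be in force. Replying after `end` means
        #    nobody turned it off, which is exactly the Inga situation.
        if not (self.start <= today <= self.end):
            return False
        # 2. Never answer what the spam filter has already rejected.
        if h.get("x-spam-flag", "").strip().upper() == "YES":
            return False
        # 3. Never answer bounces (null return path), list mail, or anything
        #    marked as automatically generated.
        if h.get("return-path", "x").strip() in ("", "<>"):
            return False
        for name, is_auto in AUTOMATIC_MARKERS.items():
            if name in h and is_auto(h[name]):
                return False
        # 4. Reply only to a real, non-robot sender.
        sender = parseaddr(h.get("from", ""))[1].lower()
        local = sender.partition("@")[0]
        if not sender or local in ("mailer-daemon", "postmaster") \
                or "noreply" in local or "no-reply" in local:
            return False
        # 5. Only if the message was actually addressed to this mailbox.
        #    Bulk spam is usually Bcc'd, so the mailbox is absent from To/Cc.
        fields = [v for v in (h.get("to", ""), h.get("cc", "")) if v]
        recipients = {addr.lower() for _, addr in getaddresses(fields)}
        if self.mailbox not in recipients:
            return False
        # 6. One reply per correspondent for the whole absence.
        if sender in self.replied:
            return False
        self.replied.add(sender)
        return True


# Constructed samples; all names and addresses are invented.
SPAM = {
    "From": "Most Trusted Replica <dannyg@dannyg.example>",
    "To": "undisclosed-recipients:;",
    "Subject": "Watch in the mail today",
    "X-Spam-Flag": "YES",
}
COLLEAGUE = {
    "From": "Janis <janis@latvian-pc.example>",
    "To": "Inga <inga@latvian-pc.example>",
    "Subject": "Quarterly figures",
}

if __name__ == "__main__":
    notice = VacationNotice("inga@latvian-pc.example", date(2007, 10, 8), date(2007, 11, 2))
    print("spam during absence:", notice.should_reply(SPAM, date(2007, 10, 9)))
    print("colleague during absence:", notice.should_reply(COLLEAGUE, date(2007, 10, 9)))
    print("colleague in May 2008:", notice.should_reply(COLLEAGUE, date(2008, 5, 11)))
```

The expiry check is the one most responders skip and the one that costs nothing: a notice with a built-in end date cannot turn into a permanent backscatter source, whatever happens to the account owner.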
Posted on May 11, 2008 at 11:14 AM
May 07, 2008
The "Fedex" 419er
I hate it when crooks exploit unsuspecting computer users' trust in things like well-perceived brand names to siphon off money and personal information. Imagine such a user seeing the following Subject: line in his or her inbox listing:
CONTACT_FEDEX_FOR_THE_DELIVERY_OF_YOUR_FAMILY_VALUABLES.
That lure immediately plants FedEx in the recipient's mind. It's also certainly enough to get most recipients to open the message. The message reads (some numbers obscured by "#"):
Dear Friend,
I did not hear from you since for your Confirmable check of $1.2m USD,
which i kept for I went and
deposited it with FEDEX EXPRESS,
so contact them.
P.R.O: Dr.MARK WHITE
Email: fedexcouriercompany##@yahoo.co.uk
FAX: +229 99782-####
I paid for the delivering Charges except their Security Keeping
Fee of $185 USD which they said no because they don't know
when you will contact them in case of demurrage.so you
are to pay the $185 as soon as you contact them.
Regards,
Mr John Mike
Old hands at 419 scams, of course, will instantly recognize the dozens of signals and mistakes that shout this offer's scamminess (if, in fact, they even had to get this far).
Depending on the "freshness" of the email addresses receiving the above missive, it wouldn't surprise me if a comparative email newbie would be taken in by the "fedexcouriercompany" part of the email address—not recognizing a British yahoo email account on its face.
Incidentally, the phone number country code points to Benin (in western Africa for the geographically-impaired). Not coincidentally, FedEx is known there as FedEx Express, so the reference in the message is not a mistake, per se.
Anyone responding to this scam, and willing to wire $185 to the scammer will have taken the bait (cue sound of deep sea fishing line whirring out of the reel as a marlin tries to flee for its life). An endless sequence of demands for wired payments to settle additional fees, taxes, and bribes will ensue.
The sad part is that even if just one recipient wires $185 to this guy and not a penny more, the scammer will have made more than enough to profit from the mailing.
Posted on May 07, 2008 at 04:30 PM
May 05, 2008
Botnet Vigilantes
An opinion piece over at eweek.com correctly advises against using bot infestation techniques to plant bot-cleaning software on PCs without their owner's knowledge. A given PC's assemblage of good and bad software is so unpredictable that even a well-intentioned bot zapper could irrevocably screw up someone's computer and data. Cue the Lawyers.
It reminded me of my most recent visit to the dentist, a young woman who took over the practice from the original owner. She knows I, um, dabble in computers, and asked a question or two about what she should do to upgrade her office systems. After I dashed her first, stylish hopes—no, you shouldn't run a dental office on a MacBook Air—she tried to compare my consulting rates against her current IT consultant. I think she was looking for a possible tradeout situation: dental care for computer care. But two things immediately came to mind:
- Things can go horribly wrong with computers and data used by office staff when the IT guy isn't there full-time.
- She uses very sharp steel instruments on my body.
In the end, we decided to keep it as a purely doctor-patient relationship. There is a broader lesson there.
Posted on May 05, 2008 at 10:28 AM
May 02, 2008
A Spammer By Any Other Name...
My email client suspected something was fishy (not necessarily phishy) about a message from a marketing communications company, and sidelined it into the Junk folder. If my email client were a guard dog, I'd pat it on its head and give it a Milk-Bone.
The Subject: line was as follows:
Subject: Intel aims to serve SMBs with new portal
In case you're not familiar with the acronym, SMB stands for small and medium-sized business. The From: field in my Junk folder listing showed an email address that implied it had something to do with IT and was a newsletter of some sort. The combination of "Intel" in the Subject: line and an IT newsletter in the From: line added up to a credible combo.
But I've seen plenty of bogus listings in my in-box from unknown senders...you know the kind I mean where the Subject: line content happens to be spot-on to something of technical interest to you, and when you open the message you're greeted with the latest erectile dysfunction product promotion. My spam radar's sensitivity was set to 11.
Imagine my surprise, then, when (after checking the message's source code for any nasties) I found that the message was, in fact, a kind of IT-related newsletter. The source code revealed that the download of one of the images in the HTML-formatted message was a tracking image. Although the URL for the image was not tied to my email address, it did reference this particular daily (sigh) issue of the newsletter. That can serve as a hit count to let the sender know how many recipients got as far as opening and viewing the entirety of the message. Fortunately, my email client has image retrieval turned off, so my view won't count.
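Three posts on this page come down to reading HTML source rather than rendering it: the "Love Hurts" landing page that pushes iloveyou.exe at the visitor, the MLM ad consisting of one image wrapped in a link, and this newsletter's per-issue tracking image. The following is an added example, not code from the original post, showing the checks that inspection performs on saved source: it parses the HTML with the standard-library parser and reports meta-refresh or frame fetches of executables, hidden frames, external scripts, images carrying an identifier or sized 1x1, and the link targets. Fetching the page (with whatever User-Agent the server is meant to see) is left out; the block works on source already on disk. The two sample pages are constructed and every URL in them is invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# File types a page should never hand a visitor without being asked.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi")


class SourceInspector(HTMLParser):
    """Collect auto-download and tracking indicators from HTML source."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.images = []
        self.links = []

    def _flag_fetch(self, url, where):
        path = urlparse(url).path.lower()
        if path.endswith(EXECUTABLE_EXT):
            self.findings.append(f"auto-download of executable via {where}: {url}")

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # <meta http-equiv="refresh" content="0; url=..."> sends the
            # browser somewhere without a click.
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self._flag_fetch(m.group(1), "meta refresh")
        elif tag in ("iframe", "frame") and a.get("src"):
            self._flag_fetch(a["src"], tag)
            if tiny:
                self.findings.append(f"hidden {tag}: {a['src']}")
        elif tag == "script" and a.get("src"):
            self.findings.append(f"external script: {a['src']}")
        elif tag == "img" and a.get("src"):
            src = a["src"]
            self.images.append(src)
            # A 1x1 image, or one whose URL carries an issue/recipient
            # identifier, exists to record that the message was opened.
            if tiny or parse_qs(urlparse(src).query):
                what = "tracking image" if tiny else "image with identifier in URL"
                self.findings.append(f"{what}: {src}")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def inspect_html(source):
    """Parse saved HTML source and return the indicators it contains."""
    p = SourceInspector()
    p.feed(source)
    p.close()
    return {"findings": p.findings, "images": p.images, "links": p.links}


# Constructed samples (all URLs invented) mirroring the cases above: a
# landing page that pushes an executable, and a newsletter with a
# per-issue tracking image beside an ordinary logo.
LANDING_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://203.0.113.9/iloveyou.exe">
</head><body>
<iframe src="http://203.0.113.9/loader.html" width="1" height="1"></iframe>
With Love
</body></html>"""

NEWSLETTER = """<html><body>
<p>Intel aims to serve SMBs with new portal ...</p>
<a href="http://news.example/story/1">Read more</a>
<img src="http://news.example/t.gif?issue=2008-05-02" width="1" height="1">
<img src="http://news.example/logo.png">
</body></html>"""

if __name__ == "__main__":
    for name, page in (("landing page", LANDING_PAGE), ("newsletter", NEWSLETTER)):
        print(name)
        for f in inspect_html(page)["findings"]:
            print("  -", f)
```

The parser never resolves a URL, so it is safe to point at whatever source a fetch tool saved; the "images" and "links" lists are what let you spot the single-image-in-a-link layout of the MLM ad and read off the spamvertised domain without loading anything.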
This newsletter was fairly typical of a traffic-generator. Five one-paragraph summaries (of incredibly dull and bland stories) ended with links to the company's web site for the full stories.
Not that it makes any difference to my regarding this message as spam, but it was CAN-SPAM compliant. It was sent through the company's email server and had full identity and opt-out facilities at the end of the message (the company is located outside the U.S.). I normally wouldn't have given this message a second thought but for what I saw as disingenuous statements in the identity section:
[Removed] USA is an email publication devoted to bringing you the latest news from the US small and midsize business community. It is published free of charge by [Removed].com and distributed to subscribed readers. If you are not a subscribed reader, please use the link below to be removed from our mailing list.
So, let me get this straight, oh newsletter sender: You claim to distribute this thing to subscribed readers. But if I received it, I may not be a subscribed reader and need to remove myself from your list of subscribed readers?
I just heard a small "pop" inside my head...I think part of my brain exploded.
My choice is clear here. I won't opt-out from this list. I'll just have my email server quietly delete future messages from this sender as my small way of helping dilute the effectiveness of the "list of subscribers" that he'll eventually try to rent to others.
Now where's that aspirin?
Posted on May 02, 2008 at 09:06 AM