Dispatches Archive


February 27, 2009

419er Lacking Basic Training

There certainly isn't any money in trying to teach potentially gullible email users how to protect themselves. Maybe I should switch to the Dark Side, and teach crooks (for big buck$, of course) how to present themselves credibly in their pitches to the unwary. I could have saved the stupido 419er described here from wasting his time and money on a campaign doomed to failure for want of two simple fixes.

The goals of a 419 email message include enticing the recipient into opening and reading the message first of all. From there, the message needs to draw the recipient into a believable scenario with a huge potential payout in the end. Once the sucker is on the hook, the 419 machine takes over with a time-tested and well-orchestrated plan that causes the gullible (often very well educated people at that) to wire thousands upon thousands of dollars to a Western Union office in some other country.

Mistake #1 from today's crook (using the name Tom Nelson) is to use a very spammy Subject: line that does not connect with the feigned seriousness of the body:

Subject: Thought you might be interested

The body goes on to imply that this is the second notice (uh huh) that I am a beneficiary of $25.3 million from some dead guy. There is no connection between the chummy Subject: line and the urgency to get megadough headed my way. Nelson is withholding the name of the "Deceased," but I supposedly have the same surname.

And that's where this jerk goes haywire again.

If this message is intended for my personal attention (as indicated at the start of the body), why is it addressed to 999 email addresses in plain view in the To: field of the message? This prestigious group of 999 have email account names between damito2772 and Dean, conveniently arranged in alphabetical order. Since many of the account names consist of both first and last names that aren't mine, not all 999 of us share the same surname.

This guy is following the wrong directions:


  1. Load gun.

  2. Aim at foot.

  3. Fire.
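The contradiction above (one-to-one wording on a message with hundreds of visible recipients in alphabetical order) is cheap to check by machine. The following is an added example, not code from this post: it parses a constructed message whose Subject: line is the one quoted above but whose 28 addresses are invented, counts the visible To:/Cc: recipients, tests whether their local parts arrive in harvested (sorted) order, and flags the mismatch. The "personal" phrase list and the 20-recipient threshold are assumptions.

```python
"""Header sanity check for a 419 pitch that claims personal attention while
being visibly mass-mailed.  Added example, not code from the original post."""
import email
from email.utils import getaddresses

# Constructed sample.  The Subject: line is the one quoted above; the real
# message carried 999 visible addresses, this one carries 28 invented ones,
# in alphabetical order like the harvested list described in the post.
SAMPLE_LOCALS = (["damito2772"]
                 + [f"daniel.{chr(ord('a') + i)}" for i in range(26)]
                 + ["Dean"])
RAW_MESSAGE = (
    "From: Tom Nelson <tom.nelson@example.invalid>\r\n"
    "To: " + ", ".join(f"{lp}@example.invalid" for lp in SAMPLE_LOCALS) + "\r\n"
    "Subject: Thought you might be interested\r\n"
    "\r\n"
    "This is the second notice for your personal attention regarding\r\n"
    "the estate of a deceased who shares your surname.\r\n"
)

# Wording used to make a bulk message feel one-to-one (assumed list).
PERSONAL_PHRASES = ("personal attention", "strictly confidential",
                    "for your eyes only")
# Assumption: more visible recipients than this is a mailing, not a letter.
MASS_MAIL_THRESHOLD = 20


def visible_recipients(raw):
    """Every address a recipient can see, i.e. everything in To: and Cc:."""
    msg = email.message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def looks_harvested(addrs):
    """Local parts in alphabetical order are the signature of a harvested
    address list being pushed through the To: line in chunks."""
    local_parts = [a.split("@", 1)[0].lower() for a in addrs]
    return len(local_parts) >= 3 and local_parts == sorted(local_parts)


def claims_personal(raw):
    body = email.message_from_string(raw).get_payload(decode=True)
    return any(p in body.decode("utf-8", "replace").lower()
               for p in PERSONAL_PHRASES)


def assess(raw, threshold=MASS_MAIL_THRESHOLD):
    addrs = visible_recipients(raw)
    report = {
        "recipients": len(addrs),
        "harvested_order": looks_harvested(addrs),
        "claims_personal": claims_personal(raw),
    }
    # The contradiction is the tell: one-to-one wording on a bulk-addressed message.
    report["verdict"] = ("mass-mailed 419"
                         if report["claims_personal"] and len(addrs) > threshold
                         else "no contradiction")
    return report


if __name__ == "__main__":
    print(assess(RAW_MESSAGE))
```

Note that the check only works when the sender leaves the list in To: or Cc:; a Bcc: mailing hides the count, and then the sorted-order test has nothing to look at.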


Posted on February 27, 2009 at 05:16 PM

February 22, 2009

Spammers and Obama

It was obvious during the height of election-time Obamania that malware distributors would invoke Obama as a way to trick email recipients into opening infectious attachments or clicking through links whose destinations were just as dangerous. That medz spammers would also use Obama is not unexpected.

It just feels rather creepy.

I saw medz spams with the following bait:

Subject: Support Obama, buying from us
Subject: Barak [sic] caught nude

These were just two of a series that had a wide variety of Subject: lines. Nearly every one I saw had a different spamvertised domain name, all registered and hosted through Chinese companies (I'm still not convinced there isn't an American behind the whole thing). As in earlier campaigns reported here, the domain names are composed of two English words that have no relation to each other.

The format for the messages that arrived overnight included three lines of text and a URL. The three lines of text were pulled from a laundry list of interchangeable, generic marketing messages. Here is a sampling from ten messages (items repeated have the number of times they appeared in parentheses):

  • Always quick response and quick shipment for you. (5)
  • Amazing quality and speed of service whenever you want 24 hours a day, 7 days per week. (2)
  • Choose our huge company with absolute superb service.
  • Most of our customers become regular ones thanks to our service and price level. (2)
  • Online company with the rich history and unstained reputation. (3)
  • Our delivery is always made within short timelines to the joy of our clients.
  • Our main function and main advantage is to save your money on our products.
  • Our support team will surprise you with the quickness and competence.
  • Private, secure, convenient - these are the words of our customers!
  • Really fast and prompt delivery in combination with the best online prices. (5)
  • We guarantee total confidentiality and a good service to our clients.
  • We have a wide range of the popular brands, come and check it yourself!
  • We have no hidden fees and we welcome you make profitable purchases!
  • We have top-quality products for surprisingly low cost. (2)
  • We will ship faster than anybody else to the point you indicate.
  • Well-being of our clients is extremely important for us. (2)

As each email message is composed, the sending (botnetted) computer plugs in the three statements at random. Occasionally, of course, random means that the same statement gets repeated more than once in the same message.

Yawn.
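A fixed phrase list plugged in at random is a fingerprint as much as a disguise: normalize each line and look it up, and the template identifies itself even when the Subject: line and domain change every time. The block below is an added example, not code from this post. The phrase list is the one quoted above; the four messages (three spam, one ordinary mail) and their two-word domain names are constructed, not captured.

```python
"""Template fingerprinting for the three-lines-plus-URL medz spam described
above.  Added example, not from the original post: the phrase list is the one
quoted there, the messages below are constructed, not captured."""
import re
from collections import Counter

TEMPLATE_PHRASES = [
    "Always quick response and quick shipment for you.",
    "Amazing quality and speed of service whenever you want 24 hours a day, 7 days per week.",
    "Choose our huge company with absolute superb service.",
    "Most of our customers become regular ones thanks to our service and price level.",
    "Online company with the rich history and unstained reputation.",
    "Our delivery is always made within short timelines to the joy of our clients.",
    "Our main function and main advantage is to save your money on our products.",
    "Our support team will surprise you with the quickness and competence.",
    "Private, secure, convenient - these are the words of our customers!",
    "Really fast and prompt delivery in combination with the best online prices.",
    "We guarantee total confidentiality and a good service to our clients.",
    "We have a wide range of the popular brands, come and check it yourself!",
    "We have no hidden fees and we welcome you make profitable purchases!",
    "We have top-quality products for surprisingly low cost.",
    "We will ship faster than anybody else to the point you indicate.",
    "Well-being of our clients is extremely important for us.",
]

URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def normalize(line):
    """Lower-case, strip punctuation and collapse whitespace so trivial
    mutations (caps, extra '!', odd spacing) still hit the same phrase."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9\s]", "", line.lower())).strip()


NORMALIZED = {normalize(p): p for p in TEMPLATE_PHRASES}


def fingerprint(body):
    """Which template phrases the message is built from, plus its URLs."""
    matched = [NORMALIZED[k] for k in map(normalize, body.splitlines()) if k in NORMALIZED]
    return matched, URL_RE.findall(body)


def is_template_spam(body, min_matches=2):
    """Two or more template lines plus a link is the whole message format."""
    matched, urls = fingerprint(body)
    return len(matched) >= min_matches and bool(urls)


def phrase_frequency(bodies):
    """Tally like the post's '(5)' counts, across a batch of messages."""
    counts = Counter()
    for body in bodies:
        counts.update(fingerprint(body)[0])
    return counts


SAMPLE_MESSAGES = [
    # Three random picks from the list plus a two-word domain, as described.
    "Really fast and prompt delivery in combination with the best online prices.\n"
    "Always quick response and quick shipment for you.\n"
    "Online company with the rich history and unstained reputation.\n"
    "http://velvetcanyon.example/\n",
    # The random draw can repeat a line within one message.
    "Really fast and prompt delivery in combination with the best online prices.\n"
    "Really fast and prompt delivery in combination with the best online prices.\n"
    "We have top-quality products for surprisingly low cost.\n"
    "http://marblepenguin.example/\n",
    # Cosmetic mutations should not defeat the match.
    "ALWAYS quick response and quick shipment for you!!\n"
    "Well-being  of our clients is extremely important for us.\n"
    "Private, secure, convenient - these are the words of our customers!\n"
    "http://copperlantern.example/\n",
    # Ordinary mail with a link: one URL, no template lines.
    "Hi, the meeting moved to 3pm.\nAgenda: http://intranet.example/agenda\n",
]


if __name__ == "__main__":
    for body in SAMPLE_MESSAGES:
        print(is_template_spam(body), fingerprint(body))
    print(phrase_frequency(SAMPLE_MESSAGES).most_common(3))
```

Exact-line matching after normalization is deliberately narrow: it will miss the day the spammer rotates to a new phrase list, but it produces no false positives on ordinary mail, which is the trade-off you want for a rule that feeds an automatic reject.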

Posted on February 22, 2009 at 06:24 PM

February 19, 2009

419ing Within One's Means

When President Obama announced his mortgage rescue plan yesterday, he urged American consumers to start living within their means. That generally means lowered expectations. Seemingly in response, today's 419 scammer has knocked more than an order of magnitude off the free money promised to come your way if you just contact Barrister George Emmanuel at his Hotmail or Gmail account. Instead of lofty tens of millions of dollars, the "within your means" payout is $600,000:

DEAR FRIEND
CONGRATULATIONS.
I'M HAPPY TO INFORM YOU ABOUT MY SUCCESS IN GETTING THOSE FUNDS TRANSFERRED UNDER THE CO-OPERATION OF A NEW PARTNER FROM PARAGUAY. PRESENTLY I'M IN PARAGUAY BUT BY NEXT WEEK I WILL BE IN CHINA FOR INVESTMENT PROJECTS WITH MY OWN SHARE OF THE TOTAL SUM.
MEANWHILE,I DIDN'T FORGET YOUR PAST EFFORTS AND ATTEMPTS TO ASSIST ME IN TRANSFERRING THOSE FUNDS DESPITE THAT IT FAILED US SOME HOW.
NOW CONTACT MY LAWYER, HIS NAME IS GEORGE EMMANUEL ON HIS E-MAIL ADDRESSS: [removed]@hotmail.com ASK HIM TO SEND YOU THE TOTAL SUM OF $600.000.00 WHICH I KEPT FOR YOUR COMPENSATION FOR ALL THE PAST EFFORTS AND ATTEMPTS TO ASSIST ME IN THIS MATTER. I APPRECIATED YOUR EFFORTS AT THAT TIME VERY MUCH. SO FEEL FREE AND GET IN TOUCH WITH MY LAWYER AND INSTRUCT HIM WHERE TO SEND THE AMOUNT TO YOU.
PLEASE DO LET ME KNOW IMMEDIATELY YOU RECEIVE IT SO THAT WE CAN SHARE THE JOY AFTER ALL THE SUFFERNESS AT THAT TIME. IN THE MOMENT, I AM VERY BUSY HERE BECAUSE OF THE INVESTMENT PROJECTS WHICH ME AND THE NEW PARTNER ARE HAVING AT HAND.
FINALLY, REMEMBER THAT I HAD FORWARDED INSTRUCTION TO THE LAWYER ON YOUR BEHALF TO SEND YOU THE MONEY AS SOON AS YOU REQUEST FOR IT.
SO FEEL FREE TO GET IN TOUCH WITH GEORGE EMMANUEL HE WILL SEND THE AMOUNT TO YOU WITHOUT ANY DELAY,BEAR IN MIND THAT THE $600,000.00 WAS IN CONFIRMABLE BANK DRAFT
REGARDS,
MR KELLY TROTTER.
GEORGE EMMANUEL EMAIL; [removed]@hotmail.com or [removed]@gmail.com

With this payout being much lower than in the typical 419 tall tale, it means that our scammer has also set his sights lower. He can't expect to suck more than a low five-figure sum out of even the most gullible. In truth, I'd bet he'd be thrilled to get even just a couple grand out of anybody. Anybody? Bueller?

Posted on February 19, 2009 at 12:24 PM

February 16, 2009

Dear Spammer: Thanks for the Tip

In what I presume to be a medz spam ("relief" and "substance" are some of the very few words in the message), there is a long gap of carriage returns, followed by hash-busting text that is clearly labeled by the spammer:

-- Ignore all Below This Line Random Gibberish :) --

"Unless we're willing to rethink today's Internet," says Nick McKeown, a Stanford engineer involved in building a new Internet, "we're just waiting for a series of public catastrophes."

What a new Internet might look like is still widely debated, but one alternative would, in effect, create a "gated community" where users would give up their anonymity and certain freedoms in return for safety. Today that is already the case for many corporate and government Internet users. As a new and more secure network becomes widely adopted, the current Internet might end up as the bad neighborhood of cyberspace. You would enter at your own risk and keep an eye over your shoulder while you were there.

Nothing says "respectability" like "random gibberish."

Posted on February 16, 2009 at 10:28 AM

February 12, 2009

419er Dishing Out "ATM Cards"

Maybe today's 419er is trying to make a connection with a gullible recipient by coming up with more and more complicated schemes. With the following one, there is supposedly a just-shy-of-one-million-dollar ATM card with my name on it. But there is a restriction: I'll be able to withdraw only $1,500 per day, which at $985,000 works out to nearly two years of daily ATM visits, 7 days a week.

From: "Ms.Martina Basil.Foreign Payment Office."<[removed]@finance.org>
Subject: Your funds are now in atm card, contact the payment center director.

Dear Beneficiary,

we are hereby directed to pay you ,your "compensation funds" of
$985,000.00usd., through ATM master card payment and also through our
swift card payment center, this atm payment card center will
process,issue and send you a global ATM master card which you will use to withdraw your money in any atm machine worldwild, but the maximum is one thousand, five hundred united states dollars per day. so, you are now directed to contact our (ATM card) payment department officer ( Dr. James Udo,) the Director who is in position and incharge to release your ATM master card, and also forward the below information to them for processing.

1. Your full name
2. Address where you will like it to be sent.
3. Private phone and fax number
4. Your age.
5. Occupation / postion.
6. Attached / scanned copy of any identification of yours.

Contact person ; Dr. James udo
department ; ATM master card payment
email: [removed]@msn.com

Director, ATM master card payment department,OCEANIC BANK International
Plc Meanwhile, you hereby advised to put a STOP to any further
communication with any other person(s) or office(s) to avoid any hitches in processing and receiving your payment.

Also note that because of fraud and impostors, we hereby issue you our
code of conduct, which is (ATM-867) so you have to indicate this code when contacting the ATM master card payment center.

Sincerely,
Ms.Martina Basil.Foreign Payment Office.
(Directress Ministry Of Finance.)

So, is this get-rich-slowly gimmick supposed to make it appear more legitimate to those wary of get-rich-quick scams? One thing is for sure: with the (non-existent) funds locked up in an ATM card (also non-existent), the sucker who bites for this one can't beg to get the inevitable processing, handling, taxing, and bribery fees deducted from a big stash.

I'm sure our crook would be thrilled to get the equivalent of one day's withdrawal wired to him via Western Union.

Posted on February 12, 2009 at 10:05 PM

February 06, 2009

From the Federal Reserve. Uh huh.

I've seen a few of the following fly by:

From: "FEDERAL BANK" <administration@fedreservesystem.us>
Subject: Attention: Important
    FEDERAL RESERVE BANK

Important:
You're getting this letter in connection with new directions issued by U.S. Treasury Department. The directions concern U.S. Federal Wire online payments.

On January 26, 2009 a large-scaled phishing attack started and has been still lasting. A great number of banks and credit unions is affected by this attack and quantity of illegal wire transfers has reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC) in common worked out a complex of immediate actions for the highest possible reduction of fraudulent operations. We regret to inform you that definite restrictions will be applied to all Federal Wire transfers from February 6 till February 13.

Here you can get more detailed information regarding the affected banks and U.S. Treasury Department restrictions:

http://ustreasury.[removed].us/37119815/secur~12724/wire/


    Federal Reserve Bank System Administration

I'll bet you thought that the Federal Reserve would send out emails in, um, English.

Although this might appear to be a phishing scam intended to get you to input some of your tasty identity info, it is, in truth, a lure to an adult site. Having safely checked the source code of the URL in the message, I can tell you that it uses HTML and a bit of JavaScript to begin displaying a stylized U.S. flag, but then shifts to a portal image identifying adult content in the offing. A link from there takes you to another site, whose GoDaddy-registered domain is hidden behind a Domains by Proxy veil.

It's perhaps interesting that this message is supposed to appeal to those who customarily do wire transfers. Is that how one must pay for the porn site? I'm not about to visit to find out.

I did get a chuckle out of the bogus From: address in the message. A U.S. Government agency using a .us top-level domain (the real ones live under .gov). That's rich. Oh, and by the way, that domain, which was originally registered to a Russian address, has been suspended.
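The safe way to find out where a lure like this one sends its visitors is to read the page source without rendering it or running its script, and pull out every destination it can steer a browser to: meta refreshes, plain location assignments in script, links, frames and form targets. The block below is an added example of that kind of static check, not the author's tooling or the real lure page; the HTML is constructed to mimic the flag-then-portal behaviour described above, and the lure.example, portal.example and other-site.example hostnames are invented.

```python
"""Static look at where a lure page sends its visitors, taken from the HTML
alone without rendering it or running its script.  Added example; the page
below is constructed to mimic the flag-then-portal behaviour described in
the post, it is not the real lure page, and the hostnames are invented."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_BASE = "http://lure.example/wire/"
SAMPLE_HTML = """<html><head><title>FEDERAL RESERVE BANK</title>
<meta http-equiv="refresh" content="3; url=http://portal.example/enter">
<script>
var flag = new Image(); flag.src = "/img/flag.gif";
setTimeout(function () { window.location.href = "http://portal.example/adult/"; }, 1500);
</script></head>
<body><img src="/img/flag.gif" alt="flag">
<a href="http://other-site.example/join">Continue</a>
<form action="http://other-site.example/pay" method="post"><input name="wire"></form>
</body></html>"""

META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
# Plain assignment/replace/assign redirects only; obfuscated script needs a
# sandboxed browser, not a regex.
SCRIPT_REDIRECT_RES = [
    re.compile(r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"),
    re.compile(r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]"),
]


class LureScanner(HTMLParser):
    """Collects every URL the page can send a visitor to, resolved against base_url."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.meta_refresh, self.script_redirects = [], []
        self.links, self.forms = [], []
        self._in_script, self._script = False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.meta_refresh.append(urljoin(self.base, m.group(1)))
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.links.append(urljoin(self.base, a["src"]))
        elif tag == "form":
            self.forms.append(urljoin(self.base, a.get("action", "")))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)  # buffer: script text may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script)
            self._script = []
            for rx in SCRIPT_REDIRECT_RES:
                self.script_redirects += [urljoin(self.base, u) for u in rx.findall(text)]


def scan(html, base_url):
    s = LureScanner(base_url)
    s.feed(html)
    s.close()
    base_host = urlsplit(base_url).hostname
    everything = s.meta_refresh + s.script_redirects + s.links + s.forms
    offsite = {urlsplit(u).hostname for u in everything} - {base_host, None}
    return {
        "meta_refresh": s.meta_refresh,
        "script_redirects": s.script_redirects,
        "links": s.links,
        "forms": s.forms,
        "offsite_hosts": sorted(offsite),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML, SAMPLE_BASE).items():
        print(f"{key}: {value}")
```

Feed it the raw bytes you fetched with redirects disabled (or a copy someone else fetched for you), and the offsite_hosts list is what to look up in WHOIS next; it is also where a proxy-veiled registration like the one described above shows up.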

Posted on February 06, 2009 at 09:57 AM

February 04, 2009

Bots are Jumpin'

Yeow! Botnet-sent spam has jumped through the roof here in the last couple of days. Most of it is promoting medz and sex chat. The ecrush and ekiss junk is still also in full spew.

Content filtering isn't very effective because the content is minimal and changes with nearly every message. A good blocklist that tracks botnets is about the only defense on the server.

One telltale sign of the medz spammer hearkens back to a domain name technique I saw used a couple of years ago. The spammer registers a series of domain names that consist of different combinations of two words from what appears to be a fixed list. Sometimes one of the words stands out—in the recent flood, the word that I see often is lith. The domain names are lith-this or that-lith, all registered with presumably phony Chinese owners. Through my spam-ESP, I'm sensing that an American is behind the whole thing.

I've now seen the lith spammer branching out into French and German spam messages. Could this search for customers in other languages mean that the faltering economy is hitting spammer business, too? Well, one can dream.
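The blocklist defense recommended above is in practice a DNS lookup made as each client connects, before any content arrives to be filtered. The block below is an added example of that lookup, not the site's own setup: the zone and the 127.0.0.x answer codes are Spamhaus ZEN's published ones (XBL being the list that tracks botnet-infected hosts), the resolver is injectable, and the run at the bottom uses a constructed answer table over RFC 5737 test addresses so that it needs no network.

```python
"""Connection-time DNSBL lookup of the kind recommended above, with a
resolver you can swap out.  Added example, not the site's own setup.  The
zone and the 127.0.0.x return codes are Spamhaus ZEN's published ones; the
live resolver is shown but the run below uses a constructed answer table so
it needs no network."""
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# What each ZEN answer means.  XBL is the botnet/exploited-host list, which is
# the one that matters for the flood described in the post.
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe or hijacked space",
    "127.0.0.4": "XBL: exploited host (botnet, proxy or malware)",
    "127.0.0.5": "XBL: exploited host (botnet, proxy or malware)",
    "127.0.0.6": "XBL: exploited host (botnet, proxy or malware)",
    "127.0.0.7": "XBL: exploited host (botnet, proxy or malware)",
    "127.0.0.10": "PBL: end-user space, should not send direct SMTP",
    "127.0.0.11": "PBL: end-user space, should not send direct SMTP",
}

# Never query these: they are not routable and would only leak internal IPs.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def query_name(ip, zone=ZONE):
    """Reverse the address and append the zone: 203.0.113.45 becomes
    45.113.0.203.zen.spamhaus.org; IPv6 uses the nibble-reversed form."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def live_resolver(name):
    """All A records for name; NXDOMAIN (not listed) comes back as []."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dnsbl_check(ip, resolve=live_resolver, zone=ZONE):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SKIP_NETS):
        return {"ip": ip, "listed": False, "reasons": [], "note": "non-routable, not queried"}
    answers = resolve(query_name(ip, zone))
    # 127.255.255.x answers signal a query problem (e.g. a blocked resolver), not a listing.
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        return {"ip": ip, "listed": False, "reasons": [],
                "note": f"query error {errors[0]}: treat as unknown, not clean"}
    reasons = [ZEN_CODES.get(a, f"unknown code {a}") for a in answers]
    return {"ip": ip, "listed": bool(reasons), "reasons": reasons, "note": ""}


def smtp_decision(report):
    """Reject listed hosts at connection time; on lookup errors fail open and log."""
    if report["listed"]:
        return ("550", f"5.7.1 Service unavailable; client host [{report['ip']}] "
                       f"blocked using {ZONE}; {report['reasons'][0]}")
    if report["note"]:
        return ("accept", f"fail open: {report['note']}")
    return ("accept", "not listed")


# Constructed answer table standing in for DNS (addresses are RFC 5737 test ranges).
FAKE_DNS = {
    query_name("203.0.113.45"): ["127.0.0.4"],                # botnet-infected host
    query_name("198.51.100.7"): ["127.0.0.2", "127.0.0.11"],  # spam source in dynamic space
    query_name("192.0.2.200"): ["127.255.255.254"],           # DNSBL refused the resolver
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for client in ("203.0.113.45", "198.51.100.7", "192.0.2.1", "192.0.2.200", "10.1.2.3"):
        print(client, smtp_decision(dnsbl_check(client, resolve=fake_resolver)))
```

Two operational points the code encodes: the 127.255.255.x answers must never be read as "clean", because they mean the list declined to answer (typically a shared public resolver), and the bot-infected-host verdict arrives before a single byte of the minimal, ever-changing body is accepted, which is why this works where content filtering does not.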

In the meantime, Microsoft can claim that their malware removal tool is eliminating lots o' bots, but from this current flood, I'd say the botnets are winning.

Posted on February 04, 2009 at 08:42 AM