Dispatches Archive


August 28, 2009

Malware Via Phony Invoice

The following malware delivery email is a little confused, but I doubt that will stop many recipients from opening the Dc784ffb2.zip attachment, which VirusTotal says is caught by only 30% of AV products. The confusing part is that the forged From: address indicates sharp.co.jp, while the body of the message...well, see for yourself:

Hello!

Thank you for shopping at our internet store!
We have successfully received your payment.

Your order has been shipped to your billing address.
You have ordered HP KQ246AA.

You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.


We hope you enjoy your order!
Sonystyle.com

The product number mentioned above is a Hewlett Packard item (camera). Although sonystyle.com doesn't carry that item, recipients will be curious enough to try to open the attachment to investigate what's going on. That's at the root of any unsolicited email message: to trick the recipient into acting for the benefit of the sender. Anyone who double-clicks that ZIP file will have handed over to unknown crooks the keys to their computer kingdoms.

Posted on August 28, 2009 at 10:26 PM

August 23, 2009

The Oldies Keep Coming

Just a few days ago I wrote about old-fashioned web beacons surfacing in a spam message I saw. Today, a half-hearted attempt to disguise hash busting text found its way into another spam. The part of the spam intended to be viewed by the recipient was almost all images (with visible instructions on how Outlook users can download images in the email if they were blocked — Yah!). Below the tiled image group was a bunch of what appeared to be white space. White, that is, until you selected it. Here's a small segment in actual size:

[Image: hash text intended to be invisible]

The text is set to 6-point font with a white color. Like albino ants in a snow storm. A good chunk of the text is Ebay user agreement legal verbiage. Then there is a <style> HTML element whose content is an enormous list of random words in numerous languages, number groups, and gibberish (nnggttff is a popular gibberish group).

As far as I can tell, the spam is trying to sell a work-from-home scam to mothers with young children. No Employees, No Stress, All Profit, it promises. Unfortunately, it's talking about the sender.

This turd-bomb was sent by a long-time spammer who thinks he's in the email marketing business. He surfaces regularly, and you can read some salient points here. The home page of the recently-minted domain used in the pitch I saw has the same email marketing bullshit image described in the link above. If you had a Buzzword Bingo game card for the "email marketing" category, you'd win before finishing the first paragraph.

I was happy to see that a large block of IP addresses (different from the blocks described in the link) surrounding the one I saw is already on many blocklists. A lot of spam filters won't even get to analyze the hash-busting text because the message will be sidelined or trashed.

Let's hope.
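
As an added example (not part of the original post), here is one way a filter could measure the invisible filler described above: text styled white or at 6 points and smaller, plus a <style> element whose body holds words instead of CSS rules. The sample markup is constructed, and the check assumes a white background and inline styling only.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}

# Constructed sample: one visible line, hidden filler, and a <style> full of words.
SAMPLE = """<html><body>
<p>Click to display images</p>
<div style="font-size:6pt; color:#FFFFFF">You agree to the user agreement terms and conditions of the site</div>
<style>lorem nnggttff 48213 maison ipsum</style>
</body></html>"""


def _concealment(tag, attrs):
    """Reasons this element's own styling hides its text (white background assumed)."""
    a = {k: (v or "").lower() for k, v in attrs}
    style = a.get("style", "")
    color = a.get("color", "")                      # legacy <font color="...">
    m = re.search(r"(?:^|;)\s*color\s*:\s*([^;]+)", style)  # skips background-color
    if m:
        color = m.group(1)
    reasons = []
    if color.replace(" ", "") in WHITE:
        reasons.append("white text")
    m = re.search(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(?:pt|px)", style)
    if (m and float(m.group(1)) <= 6) or (tag == "font" and a.get("size") == "1"):
        reasons.append("tiny font")
    return reasons


class _HiddenText(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, reasons) for every open element
        self.hidden_chars = 0
        self.visible_chars = 0
        self.style_junk = []     # <style> bodies that contain no CSS rule
        self._style = ""

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append((tag, _concealment(tag, attrs)))

    def handle_endtag(self, tag):
        if tag == "style":
            body, self._style = self._style.strip(), ""
            if body and "{" not in body:
                self.style_junk.append(body)
        # Pop back to the matching open tag; spam markup is often unbalanced.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        inside = self.stack[-1][0] if self.stack else ""
        if inside == "style":
            self._style += data
            return
        text = data.strip()
        if not text or inside in ("script", "title"):
            return
        if any(reasons for _, reasons in self.stack):
            self.hidden_chars += len(text)
        else:
            self.visible_chars += len(text)


def hash_buster_report(html):
    """Summarise how much of the message text a reader would never see."""
    p = _HiddenText()
    p.feed(html)
    p.close()
    total = p.hidden_chars + p.visible_chars
    return {
        "hidden_chars": p.hidden_chars,
        "hidden_ratio": round(p.hidden_chars / total, 2) if total else 0.0,
        "style_junk_words": sum(len(s.split()) for s in p.style_junk),
    }


if __name__ == "__main__":
    print(hash_buster_report(SAMPLE))
```

A high hidden ratio or any word count inside <style> is a scoring signal, not proof; legitimate mail sometimes uses white text on a coloured background.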

Posted on August 23, 2009 at 05:02 PM

August 21, 2009

Phish Are Jumpin' and the Rotten is High

A couple of days ago, I was thinking to myself that I hadn't seen much in the way of phishing email come this way recently — or at least phishing messages that made it through my primary bit-bucket filter. Heaven knows what's in all those thousands of misaddressed messages aimed at my other domain each day. But, as people who live in changeable weather cities say, "just wait a minute and it will [whatever-it's-not-doing-now]".

Each of the three messages can serve as a prototype of different types of phishers. All may be first-timers trying to make a quick buck. Only one of them has any sense, limited though it may be.

Exhibit A is a PayPal phishing message written by someone whose English is, well, less than stellar. Claiming to be alerting me about a message concerning my PayPal account (Subject: You have a new message alert to view in your account !), the message body begins inauspiciously:

Departament Of PayPal

FAIL!

Exhibit B attempts to get the attention of Bank of America customers with the following:

Subject: BankofAmerica Account blocked

The message body of this HTML-formatted message begins with a Bank of America image fetched directly from the bank's server. But then the sending software failed this crook, leaving out almost all of the rest except for notice of the bank being an Equal Housing Lender. No links. No URLs. In other words, this guy is technically challenged. He assumes computers always do what you think they should do. Why bother with an innocuous test run to make sure it's working before sending out huge batches?

FAIL!

Exhibit C is an Amazon.com phish. I suppose I have to give credit to the crook for following the phishing kit instructions to the letter. He didn't screw with the well-written text, which includes one of those double mind-bend tricks of putting potential blame on the recipient:

  • If you received this notice and you are not an authorized Amazon account holder, please be aware that it is in violation of Amazon policy to represent as an Amazon user. Such action may also be in violation of local, national, and/or international law.
  • Amazon is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft.
  • Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the full extent of the law.

This guy also went to the trouble of a double web site hijack. The first was to place a redirector page inside a legitimate French company's site. Redirection (via the old meta REFRESH tag trick) takes you to a compromised Colorado-based metal art site.

Well, it will for most, but not Mac users. You see, our crook followed some bad advice about how to redirect using hexadecimal numbers for numeric IP addresses. Macs (at least in Firefox and Safari) don't do those types of URLs, so the redirection fails. Also, the URL, in both hex and decimal equivalents, quickly got onto the phish blocking services employed by modern browsers.

FAIL!

So, phishing kids, leave crime to the real criminals. And be sure to tell your dorm-mates that phishing is best left to the professionals.
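
An added example, not from the original post: how a defender can pull the target out of a meta REFRESH redirector like the one described above and canonicalize a numeric host to dotted-quad form, so that one blocklist entry matches every spelling. The redirector page, the 192.0.2.1 documentation address and the blocklist are constructed; the code goes slightly beyond the hex case in the post by also accepting the decimal and octal forms.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed redirector page and blocklist (192.0.2.1 is a documentation address).
SAMPLE_PAGE = ('<html><head><META HTTP-EQUIV="REFRESH" '
               'CONTENT="0; URL=http://0xC0000201/signin/"></head></html>')
BLOCKLIST = {"192.0.2.1"}


def canonical_ipv4(host):
    """Dotted-quad form of an IPv4 host written in any inet_aton() style, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            nums.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]+", p):
            nums.append(int(p, 8))
        elif re.fullmatch(r"0|[1-9][0-9]*", p):
            nums.append(int(p))
        else:
            return None          # an ordinary hostname label, or a malformed number
    *head, last = nums
    # Leading parts are one byte each; the final part fills the bytes that remain.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


class _MetaRefresh(HTMLParser):
    """Collects the target URLs of <meta http-equiv="refresh" content="N; url=...">."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*[\d.]+\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)",
                         a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip())


def audit_redirects(html, blocklist):
    """Per meta-refresh target: (url, host as written, canonical host, on blocklist?)."""
    parser = _MetaRefresh()
    parser.feed(html)
    parser.close()
    rows = []
    for url in parser.targets:
        host = urlsplit(url).hostname or ""
        canon = canonical_ipv4(host) or host
        rows.append((url, host, canon, canon in blocklist))
    return rows


if __name__ == "__main__":
    for row in audit_redirects(SAMPLE_PAGE, BLOCKLIST):
        print(row)
```

Matching on the canonical form is what lets a single listing cover the hex and decimal spellings of the same address.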

Posted on August 21, 2009 at 11:03 AM

August 20, 2009

Web Beacons Live On

I thought web beacons — images in an HTML-formatted email message whose src attributes include a URL coded with the recipient's email address — were ancient history. The purpose of such a beacon, especially if it is embedded so that the recipient doesn't even know it's there, is to verify that the email address is not only active, but that the message got through and the user actively opened the message. IOW, the address is alive.

When I see from my own server's stats how many thousands of messages daily are either misaddressed or are probing for life (the "Dictionary Attacks" category), perhaps some spammers finally want to clean up their lists to help improve deliverability. I mean, after a while, the lists get so screwed up that truly valid addresses must become a minuscule portion of the list. Even with botnets and such, the cost-effectiveness of incessantly mailing to less than 1% good addresses has to erode. Are spammers feeling the pinch of these economic times? Well, one can dream.

In any case, here is the HTML source code of a sample (Subject: welcome) I saw today:

<html>
<head>
<title>Beautiful woman</title>
</head>
<body>
[removed]An!!!<br>
<IMG SRC="http://counter.[removed].net:8888/AD.png?eid=[removed]@dannyg.com&pid=gao" HEIGHT="0" WEIGHT="0" BORDER="0">
</body>
</html>

Short and sweet. A tad of gibberish with the email address account name in visible text. Then a zero-sized image that pings a Chinese server along with the email address. Anyone receiving this message in a browser or email client whose settings allow display of images will have his or her address thrown into the valuable pool of valid email addresses.

I was thrilled when Apple added an email preference choice to eliminate loading remote images in the latest iPhone OS 3.0 upgrade. I suspect most smartphone users don't think about the consequences of unfettered HTML-rendered email. If they received the message above, they'd open it, shrug their shoulders at the gibberish, and delete the message. In the meantime, their addresses will have been added to the "live suckers" list. Hope your smartphone has a full battery charge, because the spam's a-comin'.
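
An added example (not the author's code): a small scanner that flags remote images in an HTML message that behave like the beacon above, either because they are zero- or one-pixel or because the URL carries an email address, in the clear or as the hex/base64 form of a known recipient. The sample message is constructed from the one quoted above with placeholder hosts and address; the encoded-recipient check goes beyond the plain-text case in the post.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample modelled on the message quoted above (placeholder host/address).
SAMPLE = """<html><body>An!!!<br>
<IMG SRC="http://counter.example.net:8888/AD.png?eid=reader@example.com&pid=gao" HEIGHT="0" WEIGHT="0" BORDER="0">
<img src="https://cdn.example.org/logo.png" width="200" height="50">
<img src="cid:part1.logo" width="1" height="1">
</body></html>"""


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1


def _encoded_forms(recipient):
    """Hex and base64 spellings of the recipient that a tracker might embed."""
    raw = recipient.lower().encode()
    return {"hex": raw.hex(), "base64": base64.b64encode(raw).decode().rstrip("=")}


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":                      # the parser lowercases tag/attribute names
            self.images.append({k: (v or "") for k, v in attrs})


def find_beacons(html, recipient=None):
    """Return [{'src', 'reasons'}] for remote images that look like tracking beacons."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    forms = _encoded_forms(recipient) if recipient else {}
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue                          # cid:/data: images are not fetched remotely
        reasons = []
        # Either dimension is enough: the quoted sample misspells WIDTH as WEIGHT,
        # so only HEIGHT="0" actually takes effect there.
        if _tiny(img.get("height")) or _tiny(img.get("width")):
            reasons.append("invisible (0/1 px) image")
        target = unquote(parts.path + "?" + parts.query)
        if EMAIL_RE.search(target):
            reasons.append("email address in URL")
        for kind, token in forms.items():
            haystack = target if kind == "base64" else target.lower()
            if token in haystack:
                reasons.append(f"recipient address in URL ({kind})")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

A mail gateway can use the findings to strip or proxy the flagged images; on the client side, leaving remote image loading off defeats all of them at once.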

Posted on August 20, 2009 at 11:23 AM

August 12, 2009

Bogus Microsoft Lotto with .doc Attachment

This is the 500th Spam Wars Dispatch blog posting. That's a lot of spammy crap to have written about. Phew!

And it continues. This time it's a variation of the allegedly Microsoft-sponsored lotto. The delivered email body is pretty plain:

From: Microsoft Corporation
Subject: CONGRATULATIONS YOU WERE SELECTED

This is to inform you that your email address have been selected among the 25 winners for this years Microsoft Email Lottery Award.

Download the Attachment and follow the instructions on how to claim your price.

Congratulations

Microsoft Corporation

The attachment is an MS-Word file named MSELOTTO.doc. Now even a file bearing the .doc filename extension can contain bad stuff, so I wasn't about to investigate the file head-on. I first ran the unopened file through VirusTotal, where no antivirus system recognized the file. That still didn't satisfy me, so I used another way to safely inspect the file's contents to avoid running any embedded macros or executables.

Here is an unformatted copy of the text in the document (presented here to eliminate the risk of you opening the file if you receive a copy):

[image of the British flag]
[Wikimedia image of a coat-of-arms]
[South African National Lottery logo]

FROM: THE DESK OF THE E-MAIL PROMOTIONS MANAGER INTERNATIONAL PROMOTIONS/PRIZE AWARD DEPARTMENT, MICROSOFT CORPORATION WORLD LOTTERY UNITED KINGDOM.61-70 SOUTHAMPTON ROW BLOOMSBURY LONDON UNITED KINGDOM WC1B 4AR.
 
REFERENCE NO: 475061725/09
BATCH NO: 705649092/188
WINNING NO: GB8701/LPRC
WINNER: NO17
 
ELECTRONIC EMAIL AWARD WINNING NOTIFICATION AWARD PRESENTATION CENTER: UNITED KINGDOM
 
DEAR WINNER,
 
MICROSOFT CO-OPERATION MANAGEMENT WORLDWIDE ARE PLEASED TO INFORM YOU THAT YOU ARE A WINNER OF OUR ANNUAL MS-WORLD LOTTERY (MEGA JACKPOT LOTTO PROGRAMME) CONDUCTED ON 13th Of August 2009
 
YOUR PERSONAL E-MAIL ADDRESS OR COMPANY EMAIL WAS ATTACHED TO THIS YEAR’S MSEL. WITH SERIAL NUMBER 7741137002 DREW THE LUCKY NUMBERS 5-13-33-37-42, AND CONSEQUENTLY WON IN THE FIRST LOTTERY CATEGORY. YOU HAVE THEREFORE BEEN APPROVED FOR LUMP SUMS OF 1,000,000GBP (ONE MILLION GREAT BRITISH POUNDS) PAYABLE IN CASH CREDITED TO FILE REF NO: ILP/HW 475061725/09 THIS IS FROM TOTAL PRIZE MONEY OF 25,000,000GBP, SHARED AMONG THE TWENTY-FIVE (25) LUCKY INTERNATIONAL WINNERS IN FIRST AND SECOND CATEGORY.
 
ALL PARTICIPANTS WERE SELECTED FROM WORLDWIDE A COMPUTER BALLOTING SYSTEM THROUGH OUR MICROSOFT COMPUTER BALLOT SYSTEM DRAWN FROM 21,000 NAMES, 3,000 NAMES FROM EACH CONTINENT (CANADA, ASIA, AUSTRALIA, UNITED STATE, EUROPE, MIDDLE EAST, AFRICA AND OCEANIA, AS PART OF INTERNATIONAL "E-MAIL" PROMOTIONS PROGRAMME, WHICH IS CONDUCTED ANNUALLY FOR OUR PROMINENT MS -WORD USERS ALL OVER THE WORLD TO ENCOURAGE THE USE OF INTERNET AND COMPUTERS WORLDWIDE. 
 
YOUR FUND (CERTIFIED CHEQUE) HAS BEEN INSURED WITH YOUR REF NO: ILP/HW-475061725/09 AND WILL BE READY FOR TRANSFER AS SOON AS YOU CONTACT YOUR CLAIM AGENT DR OSWALD MATTHEW. YOUR E-MAIL ADDRESS SHOULD BE USED IN ALL CORRESPONDENCE WITH YOUR CLAIMS OFFICER, PLEASE NOTE THAT, YOU ARE TO CONTACT YOUR CLAIMS OFFICER VIA EMAIL OR TELEPHONE AS WE ARE PROMOTING THE USE OF E-MAIL. ALSO YOU HAVE THE RIGHT TO CALL HIM TO CONFIRM YOUR WINNINGS AND GOVERNMENT TAX PAYMENT THAT IS ALL, AS HE WILL PROVIDE YOU WITH THE NECESSARY DETAILS ON HOW TO CLAIM YOUR PRIZE. AS PART OF OUR SECURITY PROTOCOL YOU ARE TO QUOTE THIS SECURITY CODE MSW/DEC/XX09 TO YOUR CLAIMING AGENT. THIS IS TO PREVENT SCAM.
  
CONTACT YOUR CLAIMS AGENT OFFICER IN UNITED KINGDOM.
NAME:  DR. OSWALD MATTHEW
EMAIL: claim@mselotto.com
PHONE: +44703[rest of mobile number removed]
  
NOTE: IN ORDER TO AVOID MISTAKES, PLEASE REMEMBER TO QUOTE YOUR REFERENCE AND BATCH NUMBERS AND YOUR SECURITY CODE OF MSW/DEC/XX09 IN ALL CORRESPONDENCES WITH YOUR CLAIMS OFFICER. DO NOT REPLY ANY OTHER MAILS LIKE THIS ON NET, AS THEY ARE A LOT OF SCAM ARTIST OUT THERE PRETENDING TO BE US.YOU MAY SEE MAILS LIKE THIS DO NOT REPLY. DO CONTACT YOUR CLAIMS OFFICER, DR. OSWALD MATTHEW IN UNITED KINGDOM.  YOU WILL BE ASKED TO PROVIDE SOME DETAILS AND AS WELL LET YOU KNOW THE COUNTRIES OF THE PAYING CENTRES AND ALSO TO ENABLE THE OFFICE PROCEED WITH YOUR WINNING CERTIFICATE AND FILE KEEPING.
 
CONGRATULATIONS, ONCE MORE FROM THE ENTIRE MANAGEMENT AND STAFF OF MICROSOFT CO-OPERATION TO ALL OUR LUCKY WINNERS. THANK YOU FOR BEING PART OF THIS PROMOTIONAL LOTTERY PROGRAM. OUR SPECIAL THANKS AND GRATITUDE TO ALL THE ASSOCIATES FOR ALLEVIATING POVERTY ROUND THE WORLD.
 
SINCERELY.
MRS ANNE ROSANNE

[Pennsylvania State Lottery winner with novelty check]
[Generic image of bundles of $100 bills]

             LOTTERY SPONSORS: CHIEF SPONSORS;
 
MICROSOFT CORPORATION UK,             MICROSOFT CORPORATION AFRICA,
MICROSOFT CORPORATION USA,           MICROSOFT CORPORATION ASIA.
 
 
Past winners
[tribuneindia.com photo of U.S. Powerball lottery winner]
[Michigan lottery winner photo]
[Photo of two middle-aged men embracing, loaded from International Federation for Information Processing web site for their 2003 meeting]

The method I used to view the file's content allowed me to see the URLs for all the embedded images — in other words, to see whence they were being ripped off. It would seem incongruous to me to think that someone holding a novelty check for a $349 million (clearly visible) Powerball lottery win would be representing a past Microsoft lotto winner. And all I won was a stinkin' million pounds? Pffft!!

Alas, I'll probably be writing about yet another 419 scam for my 1000th Dispatch.

Posted on August 12, 2009 at 11:37 PM

August 11, 2009

Secret Shopper Sloppy Spammer

I love, love, love it when a spammer wastes his own money. When he hires a botnet to spew his deceitful trash and the software misfires to eliminate any way for recipients to respond — well, I dance a little jig in my chair.

Here's the spam message that got me tapping my toes:

From: Danny Goodman
To: Danny Goodman
Subject: 364$-801$ per work day.

Our company(WA Surveys) is proud to inform you that we now have one secret-shopper position available.
This is a part time position as it doesn't take more then one hour to evaluate a store.
Your commission for each evaluation is $100 and you can receive assignments on daily basis.

If you are interested in working as a secret shopper for our company you can request more information at {_MAILS_0}
Thank you,
WA Surveys Inc.

That curly brace thing near the end is a placeholder, where the software running on the botnetted PC is meant to insert an email address where the recipient is supposed to respond (this is an HTML-formatted email message, and the text is surrounded by a mailto: URL link pointing to the same placeholder string).

Headers of this message are forged up the wazoo. I take that back: the MIME-Version: and Content-Type: fields are correct (an inside joke for header-literate readers).

I normally remove the names of offenders from my dispatches because readers might be curious enough to hunt down their web sites (whose traffic ticker would increment by one as a result). A Google search for WA Surveys Inc reveals everything you need to know on the first page of results. In fact, Better Business Bureau listings tell all that you need to know. Let me put it this way, when the BBB shows a company's Industry Classification to be Ponzi Schemes, Secret Shopper, that can't be good. Read a regional BBB's report on WA Surveys here and the BBB's F rating on the company here.

If you worry that a friend or relative might be taken in by these bogus Mystery Shopper offers, the BBB pages offer some good advice.

Posted on August 11, 2009 at 04:18 PM

August 05, 2009

Snail Mail Deceptions

My focus here for years has been on spam of the electronic variety. But a piece of snail mail crossed my desk today that deserves comment because it points to the fact that consumers have to be wary of any offer that comes their way.

Even in this electronic age, I still subscribe to several dead tree magazines. I received an envelope offering a renewal to one of the magazines to which I have subscribed for many years. But unlike previous legitimate subscriptions renewals, this one came from a third party calling itself Publishers Billing Exchange, Inc.

Over the years, I've seen warnings by many of my publications advising that legitimate renewals are mailed out directly by the publisher. But I'll bet that many subscribers don't pay attention to those warnings. And this third-party offer looks very credible, nay, reminiscent of renewals coming direct from some magazines. There is a toll-free phone number to call for customer service, and an offer to let me make two monthly payments of $19.98 to cover the $39.95 subscription. They tell me I can "lock in at one our lowest rates."

Uh huh.

I then spent some time with the fine print on the back of the form. If you've ever had a subscription to a print publication before, you are probably aware that the traditional way of handling cancellations is for the publisher to refund a prorated amount for unmailed issues. But not this outfit. Get this:

All offers are fully cancelable by calling our toll free number within 168 hours from the time the order is placed. After that, in most cases, cancellations will not be accepted. If a cancellation is accepted, it will be subject to a $20.00 processing fee.

Yikes!

This outfit must pray that recipients of this mailing piece don't have an internet connection. Anyone doing a Google search on the company name will get an eyeful.

Here and there, the mailing piece has some mild disclaimers, yet also calls itself a "clearinghouse" — intentionally (IMHO) to be confused with Publisher's Clearinghouse. I suspect these mailing pieces have been through an army of lawyers who know how to slice cheese with nanometer precision to stay just within FTC guidelines.

Caveat subscriber.

Posted on August 05, 2009 at 11:08 PM

August 04, 2009

Liar's Roundup - Part Four

I still have some pent up steam for one final scameroo.

I've recently posted ad nauseam about 419 lottery scammers invoking brand names as a way to legitimize the lure. This one abuses Microsoft (how mundane), but makes the whole thing short and sweet. And the P.S. line is a hoot:

From: DAVID WEBBS
Subject: Your Email ID has Hit The £1 Million Windows Live

Your email has just won the sum of £ 1,000,000 :00 GBP
Your e-mail address attached to:
Ticket Number: 8603-775-6738
Batch: 08/09/83XS
Reference Number: Ref: UKLT/37622-09.
WINNING NUMBERS: (13)-(43)-(06)-(15)-(02)-(40) bonus # (09)
WINNING DATE: 08TH JULY 2009
For Claims,Contact:
Name: Bar. DAVID WEBBS
Email: [removed]@gmail.com
Tel: +44 702 404 [removed]
PS: THIS IS A VALID COMPUTER GENERATED LETTER AND DOES NOT
REQUIRE ANY SIGNATURE.
========================================

It's so comforting to know from this stranger that his message is a "valid computer generated letter". Otherwise I might think it was a fake. Whew!

BTW, this crook has more than one gmail account with variations of his name as user ID. He sent me two messages that each displayed a different reply address. They can afford to give away millions, but have to use a free email account to do so. But damn, both messages had the same winning number, so I can collect only one prize.

And double damn, I've just revealed the winning number. Step back, claim jumper!

Posted on August 04, 2009 at 06:45 PM

Liar's Roundup - Part Three

Everyone loves a mystery. And how can you resist earning $900 a week being a Mystery Shopper?

Easily, I hope.

The lies for this one start, as usual, in the headers...even if you don't dig into the source code. These crooks begin by forging my own address as the From: field:

From: Danny Goodman
Subject: Re: Secret Shopper [$900/week]

Originating from yet another botnetted computer (in Brazil this time), this message talks a pretty good game. It's way too long to repeat here, but it starts out as follows:

-Thank you for your interest in the Mystery Shopper position.
-Our company conducts surveys and evaluates other companies in order to help them achieve their performance goals.
-We offer an integrated suite of business solutions that enables corporations to achieve tangible results in the marketplace.

-We get hired by other companies and act like customers to find out how they are handling their services in relation to their customers.
-Mystery Shopping is the most accurate and reliable tool a business can use to gather information regarding their actual customer service performance at the moment of truth.
-This moment of truth is not when the staff is on their best behavior because the boss is around - it is when they interact with customers during their normal daily routines.

-This is where you, the Mystery Shopper, come in.
-You pose as an ordinary customer and provide feedback of both factual observations (ex...the floor was free of debris)
and your own opinions (ex...I felt that the temperature in the establishment was too cold).

I didn't know I had inquired about a position (because I had not). Despite sounding pretty professional, the message provides no corporate identity. The contact email address is a gibberish user ID at gmail.com.

Except for a gross misspelling near the end, the body of this long message is reasonably well-written. I did, however, have a laugh at the list of:

-Qualities of a good Mystery Shopper:
* Is 21 years of age or older
* Loves to go shopping
* Is fair and objective
* Is ON TIME
* Is very observant and able to focus on details
* Is fairly intelligent
* Has patience
* Is detail oriented
* Is practical
* Types well
* Is trustworthy
* Explains well in writing
* Is discreet
* Loves to learn
* Handles deadlines
* Has full internet access (at home or at work)

How many job ads do you see where they demand that applicants be fairly intelligent?

So, you may ask, what's the scam here?

If you apply, you will magically be accepted. And then you'll have to send money for a starter kit. And that'll be the end of it. You'll get no starter kit. Your money (and perhaps your credit card data) will be gone.

Adios.

So long I met ya.

Catch me if you can....

Posted on August 04, 2009 at 06:25 PM

Liar's Roundup - Part Two

This next one is depraved. It's a common trick of 419 schemers to prey on the faith of God-fearing folks. This message invokes God, Christ, Christians, and the Bible so many times, you'd think it was coming from a televangelist on Sunday morning.

Dearly Beloved in Christ,
Atos Medical B.V.Postbus 475 7200 AN
Zoetermeer Netherlands.
Hospital.
Dear Friend,


It is by the grace of God that I received Christ,Having known the truth, I had no choice than to do what is lawful and right in the sight of God for enternal life and in the sight of man for witness of God?s mercy and glory upon my life. I am Evangelist Mrs Rebecca Van Horn, age 53 and the wife of Mr Dan Van Horn,i am from Netherlands, my husband worked with the Chevron/Texaco for twenty years before he died in the year 2003.We were married for twenty-nine years without a child.
My Husband died after a brief illness that lasted or only four days. Before his death we were both born again Christians. Since his death I decided not to re-marry or get a child outside my matrimonial home which the Bible is against. When my late husband was alive he deposited the sum of US $18.5million dollars.(Eighteen Million Five Hundred Thousand U.S. Dollars) with a Security and finance Company in ENGLAND.Presently, this money is still with the Security and finance Company and the management just wrote me as the beneficiary to come forward to sign for the release of this money or rather issue! That somebody to receive it onmy behalf if I can not come over.Presently, I'm in a hospital in Netherlands where I have been undergoing treatment for cancer of the breast and Pneumonia. I have since lost my ability to talk and my doctors have told me that I have only a few weeks to live. It is my last wish to see this money distributed to charity organizations anywhere in the Wor! ld.
I want a person that is God fearing that will use this money to fund churches, orphanages and widows propagating the word of God and to ensure that the house of God is maintained. The Bible made us to understand that blessed is the hand that giveth. I took this decision because I don't have any child that will inherit this money and my !husband relatives are not Christians and I don't want my husband's hard earned money to be misused by unbelievers.I don't want a situation where this money will be used in an ungodly manner.I am afraid since so many things are happening in the world now,like:hurricanes,earthquakes, bird flu and the Innocent and homeless people of the Tsunami disaster.I just want you to be open minded and help me so that my funds can make a great change in the affected people's lives. Hence the reason for taking this bold decision. I am not afraid of death hence I know where I am going. I know that I am going to be in the bosom of the Lord.Exodus 14 VS 14 sa
Note: I anxiously wait your response on my email address below:

Yours in Christ,
Mrs Rebecca Van Horn
I anxiously wait your response

Although there was no email address in the message, the Reply-To: header was to a yahoo.co.jp (Japan) address. Anywhere a crook can get a free email account, he or she will do so.

Our sickly Mrs. Van Horn (shouldn't that be van Horn?) may have only a few weeks to live, but from her hospital bed she figured out how to send this message through a computer based in China. That morphine drip is killer!

First, she wants you to dig deep into your Christian heart to help her. But in the end, you'll be digging deep into your retirement fund to pay for fees, taxes, storage costs, documents, lawyers, bribes, and mis-directed shipments in the hope of getting your greedy hands on the cash. Except there is no cash. Except for the money you've wired Mrs. Van Horn and her associates.

Posted on August 04, 2009 at 06:10 PM

Liar's Roundup - Part One

Time to vent on four different scams I've seen recently in the spamosphere. All of these are intended to deceive recipients in one way or another. Those that try to make it appear as though they're CAN-SPAM compliant — but are definitely not compliant — deserve even more lashes.

First up is an email that displays the following information in your inbox:

From: Staples
Subject: Grand Opening Celebration! Super Savings!

If this showed up in your inbox and if you've ever shopped at a Staples office supply store (real or virtual), there's a good chance you'd believe this came from that company, advertising a new store opening near you. Any former shopper might believe that somewhere along the line he or she gave up an email address in the course of a transaction.

Oh, you'd be so wrong!

Here's what you get instead:

Come join Shop'N'Save[removed].com for our Grand Opening Celebration!

www.shopnsave[removed].com

Save 30% on our entire inventory with your Special Savings Code below!

We offer a wide selection of Quality Products at Great Prices.

&nb sp;Bath & Body Products

&nb sp;Electronics

&nb sp;Jewelry

&nb sp;Toys & Games

&nb sp;...And More!

www.shopnsave[removed].com

Your Special Savings Code is: 1025Gwem

Enter this code at checkout to receive your savings!

sales@shopnsave[removed].com

21 [removed] Dr
Ringoes, NJ 08551

If you would like to be excluded in the future from our mailing list,
just click here and send us an opt-out request email.

This was an HTML-formatted message, and both the street address and opt-out line were formatted in a size 1 font. Now, those two pieces of info are supposed to make the message look legally compliant with U.S. law. But the headers are forged to the hilt. The message also came through a botnetted PC on a DSL connection in Chile. The link tied to the opt-out request is a suspiciously phony-looking excite.com address.

BTW, those "&nb sp;" things are incorrectly formatted non-breaking space characters. In an HTML page put together by someone other than a doofus, those characters only generate a space character.

One final insult to unsuspecting recipients, who probably have various default settings in place in their email viewers: the HTML includes a JavaScript script that reports to a stats counting outfit about how many recipients opened the message. The act of opening the message in a script-enabled browser verifies the identity of this particular email spew to Central Control. Somebody's getting paid for your having opened the message.

If you think that just deleting a piece of read spam doesn't contribute to the spam economy, wrongo!

Posted on August 04, 2009 at 05:50 PM