September 25, 2009
A Phisher, A Faker, A Malware Maker
Rub-a-dub-dox, Three crooks in my inbox.
If only there were just three!
First up is a phisher whose email Subject: line caught my eye, but for reasons probably unknown to the sender:
Subject: Dear Abbey Customers Upgrade
When I first saw this, I was unaware of a UK financial institution called Abbey. Instead, my brain connected "Dear Abbey" with Abigail Van Buren's newspaper advice column, "Dear Abby" (still being written today by her daughter). Misspellings are so common in spam that the "Abbey"/"Abby" difference was insignificant. In any case, the idea of a newspaper column notifying people of a customer upgrade caused my brain to do a backflip.
Once I figured out what Abbey was, the rest of the picture fell into place. This was just another run-of-the-mill phishing scam aimed at grabbing login credentials from Abbey customers. Why the phisher bothers spewing this missive to a [very poor quality, I can assure you] list of email addresses worldwide is beyond me. The message I received was among a batch of 50, whose addresses were itemized in the To: header field (don't get me started). Had this crook really done his homework to target likely candidates, I'd expect to see more than just one address under the .uk country-code top-level domain. (Not that everyone in the UK has an email address under that ccTLD, but just one of 50, or 2% of this batch?)
Whenever a phishing attempt aimed at customers of a highly regional financial institution nowhere near me arrives on my server, I assume that the originator is a phishing newbie. Results from such campaigns sent far and wide can't possibly pay for themselves, no matter how cheap it is to buy the phishing kit, rent the addresses, buy cycles on a botnet, and perhaps even pay a hacker to break into a legitimate web site to host the phishing page. Unfortunately, those who sold the raw materials profit regardless. And the spamonomy continues to flourish.
My second crook du jour is pulling the lottery-based 419 scam. Invoking two well-known computer-related companies, this attempt was signed by a Lawrence McDonald, who claims to be a Public Relations Officer.
Before getting around to telling me I've won a million pounds (oddly printed as "$1,000,000 (One Million ) Pounds Sterlings"), this prototypical lottery message begins:
Subject: EMAIL LOTTERY ANNOUNCEMENT...
SERIAL NUMBER: MIC-AOL/8303-09
LUCKY NUMBER: 04-18-35-38-53-46 (12)
Dear Sir/ Madam,
The prestigious Microsoft and AOL has set out and successfully organized a sweepstakes marking the year 2009 anniversary we rolled out over $400,419,864 USD. for our end of year Anniversary Draws. Participants for the draws were randomly selected and drawn from a wide range of web hosts which we enjoy their patronage.
I don't care if you are freakin' Microsoft and AOL, no entities (except governments) are handing out 400 million bucks in 2009.
Suckers who fall for this 419 message are supposed to contact a Michael Goldfine. He has a (free) AOL email address, thus lending a shade of credibility to the AOL connection with the bogus lottery. One can also reach Mr. Goldfine by phone at a number that happens to be a UK mobile phone number.
BTW, if you want to educate and entertain family and friends who might be susceptible to these lottery scams, just take something from the email message that is supposed to be unique — like the "ticket number" — and toss it at Google. The results show that this is one darned lucky ticket number, having been the winning ticket for at least the past two years.
Crook Number Three for today is spreading malware via an age-old trick:
Subject: Thank you for setting the order No.475456
Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.
Attached to this message is a .zip file (invitingly named open.zip), weighing in at a lightweight 14.05 KB. How harmful could a 14K file be? Maybe the file really is just an invoice and label. OH NO YOU DI'NT! Running the file through VirusTotal reveals that it's a backdoor Trojan capable of subsequently loading anything its command-and-control operator wants. A downloader needs very little code of its own, so the size of the attachment says nothing about what the second stage will do.
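The checks I run on an attachment like this before anyone double-clicks it are simple enough to script. The following is an added example (my code, not anything shipped with the spam or used by VirusTotal) that parses a raw message, hashes each attachment so the digest can be looked up instead of uploading the file, and peeks inside any zip archive for the usual tells: an executable or double extension on a member, an MZ header inside a file claiming to be a label, and an inflated size out of proportion to the archive. The message, archive and payload are constructed stand-ins; the member name label.pdf.exe, the addresses and the size cap are my assumptions, not details from the real sample.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Member extensions that have no business inside a "postal label" or invoice.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap: refuse to inflate anything larger (zip-bomb guard)


def build_sample_message() -> bytes:
    """Constructed stand-in for the fake-order lure. The archive, its member
    name and the 64-byte fake executable are synthetic, not the real sample."""
    payload = b"MZ" + b"\x00" * 62                # fake DOS/PE header stub, constructed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("label.pdf.exe", payload)    # classic double extension
    msg = EmailMessage()
    msg["From"] = "shop@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Thank you for setting the order No.475456"
    msg.set_content("Thank you for ordering at our online store.\n"
                    "Please, print out the postal label for receiving the parcel.\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="open.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes) -> list[dict]:
    """List archive members and the reasons each one looks hostile."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            reasons = []
            suffixes = [s.lower() for s in PurePosixPath(zi.filename).suffixes]
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension " + suffixes[-1])
            if len(suffixes) > 1:
                reasons.append("double extension")
            if zi.file_size > MAX_MEMBER_BYTES:
                reasons.append("oversized; not inflated")
            else:
                with zf.open(zi) as fh:
                    if fh.read(2) == b"MZ":      # Windows executable magic
                        reasons.append("MZ header")
            members.append({"name": zi.filename, "size": zi.file_size, "reasons": reasons})
    return members


def triage_attachments(raw: bytes) -> list[dict]:
    """Hash every attachment and look inside zip archives.

    The SHA-256 is what you would search for on VirusTotal rather than
    uploading the file; nothing here contacts any external service."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        finding = {
            "filename": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "members": [],
        }
        if data.startswith(b"PK\x03\x04"):         # zip local-file header, whatever the name says
            finding["members"] = inspect_zip(data)
        finding["suspicious"] = any(m["reasons"] for m in finding["members"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_attachments(build_sample_message()):
        print(f["filename"], f["size"], "bytes", "sha256", f["sha256"])
        for m in f["members"]:
            print("  ", m["name"], m["reasons"] or "clean")
```

Feed triage_attachments a saved .eml instead of the constructed message and it does the same job on the real thing. Searching the digest on VirusTotal first is deliberate: uploading a targeted sample tells the sender their file has been noticed, whereas a hash lookup does not.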
This "we're shipping you something expensive that you didn't know you bought" tactic is the quintessential trick aimed at getting an unsuspecting recipient to act on the sender's behalf (and to the recipient's detriment). The recipient fumes upon reading the message — "Hey, I didn't order that thing!" — and will double-click that attachment before the full release of adrenalin has reached all extremities. Even if the user has antivirus software installed, and the invading malware is stopped in its tracks, the recipient is still left with an uneasy feeling. "Is someone out there racking up credit card charges?" "How can I check with the company about this order?" And so on. You have to get a few of these under your belt before your eyes just roll and your adrenalin doesn't even drip out its glands.
This crooked threesome didn't arrive in a tub, but their messages are going into one here. It's labeled Trash.
Posted on September 25, 2009 at 12:06 PM