Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« February 2011 | Main | April 2011 »

March 30, 2011

iPad 2 Spam Permalink

A spam email message claiming to come from the UK Apple Store promises iPad 2 models at a discount. There is such a fever over this hard-to-find gadget that I worry that plenty of recipients of this message will fall prey to the scam.

Here's the message:

Subject: Apple iPad 2 is here!!! Get Yours Now





NEW APPLE iPad2 Wi-Fi 16GB: ................ $450
NEW APPLE iPad2 Wi-Fi 32GB:................. $550
NEW APPLE iPad2 Wi-Fi 64GB:................ $650
SHIPMENT:.................................................. Free
SHIPPING TYPE:............................FEDEX EXPRESS.

iPAD with Wi-Fi & 3GS (UNLOCKED):
NEW APPLE iPad2 Wi-Fi & 3GS 16GB:.................$600
NEW APPLE iPad2 Wi-Fi & 3GS 32GB:.................$700
NEW APPLE iPad2 Wi-Fi & 3GS 64GB:.................$800
SHIPPING TYPE:........................................................FEDEX EXPRESS.

· iPad 2
· Dock connector to USB cable
· 10W USB power adapter
· Documentation
· Cleaning/polishing cloth

iPad comes with 1 year of complimentary technical support. In
addition, your iPad, its rechargeable battery, and all included
accessories are covered against defects for a full year from the
purchase date by a limited hardware warranty.

Apple Store, UK.
Tel: +44704[removed]
Email: apple[removed]@live.com

To those who know and follow Apple, there are so many wrong things in this message that it's laughable. For example, neither Apple nor its individual stores would ever send an email of this type (no graphics, misspelling, and an overall design that retail advertisers would call "borax"). Individual Apple stores wouldn't have the authority or power to offer discounts or special deals on brand new items. Additionally, the phone number is to a U.K. cell phone, and the email address is at a free email account. Finally, if you study the message header, you discover that it originated from a hijacked botnet computer attached to Earthlink.

So, what's the deal here, you may ask? The deal is simple: You email or telephone this phony store your credit card info, your credit card is charged, and...well, don't sit on your doorstep waiting for the FedEx truck to drive up. It will never come.

Posted on March 30, 2011 at 09:45 PM

March 28, 2011

How Much is Your Email Address Worth? Permalink

I don't have a fixed dollar amount in mind, but I can tell you that a drug store chain here in the U.S. has determined it is worth them to pay me $4.00 to obtain my email address. That's what the coupon spit out by the CVS pharmacy cash register at today's purchase offered me.

This coupon, of course, was tied to the code number on my Extra Care card. Like many drug and grocery chains here in the U.S., CVS offers savings on various items when you belong to their Extra Care program and scan your card at the checkout. This means that they can track every purchase and gather a profile about my purchasing habits.

(I've always felt that type of data gathering to be creepy. I use the card numbers of a female friend of mine so that the accuracy of the collected data is suspect, as two separate households contribute to the data. And neither of the cards is in my name, yet we both get the savings.)

Now, I could have supplied one of my throw-away email addresses and collected my four bucks. I can pretty much guarantee that CVS will start emailing the hell out of that account. Instead, I elected to send a more important message: you can't buy my email address so you can send me coupons for mascara and laxatives.

I let my verbal response stand: "Not for four dollars."

Posted on March 28, 2011 at 05:47 PM

March 23, 2011

Clueless Password Confirmation Emails Permalink

Ninety-nine percent of my spamwars.com blog posts have to do with crooks trying to trick unsuspecting users into performing risky behavior. Today's tale, however, comes from a different angle: that of an unsuspecting web site owner putting users at risk through poor security practices of a third-party server software provider.

A well-meaning web site owner who sells downloadable material (the material is inconsequential, but I'm not talking porn here) needed help to manage subscriptions and updates and such. She found a $180 package of server software that is designed to do just that. I don't blame her at all; I'd probably want to do the same.

On the surface, the software package does things correctly. The signing-up process uses genuine affirmative consent (or in Direct Marketing Association-speak, double opt-in). The applicant receives an email message with a coded confirmation link. Only upon clicking that link does the membership truly begin.

Unfortunately, when a new member joins and confirms, the program sends out a welcoming confirmation email, thanking the new member for signing up. This thank-you also repeats the username and password for the membership account. In full. In the clear. Putting aside the fact that any Internet "tube" could be monitored by miscreants, what if I open this message from my iPhone over an unencrypted WiFi connection at a coffee shop? The guy at the next table with his laptop may be sniffing the WiFi comms and capture this login credential pair.

The software provider isn't trying to hide anything, I must mention. In fact, this "feature" is listed openly as a selling point:

E-mails the username/password to the customer after signup is completed

So, perhaps the blame meter should swing back just a bit to the site operator who put the software to use. She was probably so focused on integrating the membership mechanisms into her web site that she failed to think of the implications of this confirmation email. With any luck, this feature can be disabled or modified so that the password is not included in the message (I have advised her of the potential problem, and she was going to look into it).

This isn't the first time I've seen one of my login credentials come sailing back to me in an email. The only variety of such a communication that is acceptable is the kind that sends a temporary password that lets you log into a site so you can change the password in private.

Way too many Internet users fail to recognize the importance of keeping passwords private. That's why — to this day — I do not ever give a web site access to my email, Twitter, and (if I used it) Facebook accounts, no matter what kind of convenience is promised in return. Given the strong possibility that many users have one or two credential pairs across all of their logins (including shopping and banking sites), it's no wonder accounts get hacked all the time.

And when I see one of my passwords show up in an email message body, I go blogistic.

Posted on March 23, 2011 at 11:56 AM

March 13, 2011

Advance-Fee Fraud Threatens Arrest for Not Responding Permalink

Perhaps this is a sign that 419 (advance fee) scammers are finding it more difficult to lure suckers into their traps. The one I'm about to show you raises the stakes to play on fear of anything bearing the "Department of Homeland Security" name.

Like many 419 email tales, this one is confusing at times (probably pieced together from multiple messages) and frequently barely in English (even though it claims to originate from the U.S.). I'll try to consolidate the story so you can get the gist.

The pot of gold at the end of this rainbow is a supposed ATM card tied to $3 million. A Nigerian diplomat carrying the card on his way to hand it to me was detained at the Albuquerque, NM airport by something called International Homeland Security. For me to get the card, I must present a Clearance Ownership Certificate. If I don't have the certificate, I can contact someone at a post.com email address to obtain it. This, BTW, is the hook that puts gullible recipients into the crook's clutches. Once that contact starts, this guy will drain a sucker for all kinds of fees.

Peel away all the ATM, diplomat, and homeland security nonsense, and it's back to the traditional 419 scam: Somebody in Nigeria has to do something for me in order for the millions to get to me. Except there are no millions, and all the money will go in one direction: to Nigeria (or wherever).

What's truly different about this mailing is the threat of arrest for not coming up with the certificate. They claim that if I don't provide the certificate in five days, I'll be arrested for money laundering. By coming up with the certificate, they'll not only release the card to me, but will let the detained diplomat go free and the American government will not question me. They insist on this process because they are trying to quash scammer operations.

In case you're interested, here is the complete unedited 419 letter:

Subject: United States Department of Homeland Security.





Direct Phone:206-666-[removed].




We office of the international Homeland Security authority (HLS) hereby write to inform you that we caught a diplomatic Man called Mr.Monday Adama under the TNT courier from Nigeria at(ABQ-Albuquerque, NM,USA Albuquerque International Airport) here in USA with (ATM CARD REGISTRATION NUMBER:CVEL/OWN/9876 9999 02)And PACKAGE WEIGHT: 0.5KG contents of Three Million Dollars we scan into the card bearing your name.

Meanwhile, base on our interview to the diplomat he said that the ATM CARD belongs to you, that he was sent by one Mr.Frank Mike from tnt office in Nigeria under the instruction of presidency and authority of Nigeria to deliver the ATM CARD to your doorstep as a compensation funds Inheritance/lotto fund:

Now the diplomat is under detention in the office of (HLS) security, and we cannot release him until we carry out our proper investigation on how this ($3.Million Dollars)ATM CARD amount of money managed to be yours before we will release him with the ATM CARD PACKAGE. So, in this regards you are to reassure and prove to us that the ATM CARD you are about to receive is legal by sending us the Award Clearance Ownership Certificate showing that the ATM CARD is not illegal.

Note, that the Certificate must to be secured from the in Nigeria, why because that is the only office that will issue you the original Atm Card Clearance Ownership Certificate of this ATM CARD fund.

This is because the Atm Card fund originated from Nigeria. You are advised to forward immediately the Clearance Ownership Certificate if you have it with you or You Urgently contact back the sender of the diplomat which is (Mr.Frank Mike) from Nigeria to help you secure the Clearance Ownership Certificate so that your ATM CARD $3,Million Dollars Will be Released and Deliver to your Destination.

Below is the contact information of the person that sent the diplomat According to the Agent Diplomat: Mr.Monday Adama

Contact Name:Frank Mike

Contact Email :( frankmike@post.com

Furthermore we are giving you only but 5 working business days to forward the requested Atm Card Clearance Ownership Certificate. Please note that we shall get back to you after the 5 working business days. that if you didn‚t come up with the certificate we shall confiscate your ATM funds into World Bank account then charge you for money laundering by Arresting you, but if you forward the Atm Card Clearance Ownership Certificate in your name then we will release the agent Diplomat with your (ATM CARD PACKAGE) also gives you every back up on YOUR ATM CARD for the Delivery and America Government will not question you, and also we are working serious to put down scammers operation Contact Mr.Frank their Head person Urgent now.

Feel free to act on our instruction we are not aiming you or jail you we are making it batter for you to have your Atm Card legitimated with back up document for our law be fulfill and legalize. be rest assure your Atm Master Card are safe here at homeland security office until the Document procure from you.

Thanks for your understanding and co-operation

Yours Truly.

John T. Morton

Assistant Secretary

Department of Homeland Security

U.S. Department of Homeland Security

Washington, DC 20528,

Email: contacts@usa.com

As preposterous as this email message sounds, I can foresee some susceptible recipients freaking out at the threats. If you know of anyone who might get caught up in this type of extortion, please do your best to talk them out of it, or at least have them confirm with the real Department of Homeland Security that this is a hoax.

Posted on March 13, 2011 at 12:40 PM

March 09, 2011

From Microsoft...Or Is It? Permalink

I describe a highly unusual bulk email message I received claiming to come from Microsoft's Windows Phone 7 development group.

Posted on March 09, 2011 at 04:04 PM