« Overdue Notices, Part 1.1 | Main | Interesting Apple Mail Phishing Protection »

July 28, 2011

Today's POS* has a strong stylistic reminiscence of the phony credit card overdue notices described here and here. The crook's English isn't so good, and he obviously doesn't have an English spelling checker.

The bogus message today claims to be about some kind of erroneous transaction at a hotel that entitles me to a sizable refund ($1944 in the copy I received, but probably different in other versions). If I fill out the attached form (a file named RefundForm043.zip) and take it to my bank, they'll return the money I never lost. At least I think that's what the tortured English is trying to tell me:

From: Reservation Departament <[removed]@mybookings.org>
Subject: Wrong transaction from your credit card in Madison

Dear client!

Transaction: Credit Card 49498_0M3f
On July 26th, 2011 Hotel made wrong transaction writing-down from your account for an overall amount of $1944.
For noncompliance of the service contract this Hotel was divested accreditation in Moverick Company.
For the return of funds please contact your bank and fill information in the attached form.
In the attachment you will find expense sheet with the sum of wrong transaction error of transaction.
As Company is not responsible for money transactions and acts as intermediary you can seize the court directly to return the funds from the Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Jennifer Oregel,
Manager of Reception Desk & Reservation Departament

Unfortunately, at this hour, the Trojan-laden attachment has extremely low coverage by antivirus applications (only 4 of 42 at VirusTotal's test). Recipients' greed for a free couple of grand may get the better of them...and the Trojan will do the same.

This message happened to really catch my eye because I went to college in Madison, Wisconsin, a city I'm truly fond of. I haven't been there in over ten years, so there was no other connection between the message and myself. But it does point to the fact that coincidences do happen frequently in the high-volume spam world. I suspect the template used for this malware bomb uses a placeholder for the city, and different recipients will see different cities in their versions. Although I have been around this country quite a bit, I can safely say that I have not been to the majority of cities. The spammer just got lucky this time, and I absolutely do not feel threatened that he or she is personalizing the message around my life's history.

I think it's good to be paranoid with respect to unsolicited email ("they" really are out to get you), but the chance that they're targeting you, specifically, is next to nil.

*Piece of you-know-what.